WebAppSec/MozSecureWorld

From MozillaWiki
Revision as of 01:55, 7 June 2011 by Mcoates (talk | contribs) (Created page with "= Purpose = A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers. == Uses == * Dem...")

Purpose

A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.

Uses

  • Demonstration of secure application design
  • Explanation of importance and purpose of security features
  • Learning tool for others to reference
  • Testing site to validate effectiveness of security & design recommendations
  • Evaluation tool for pen testing individuals or tools

Design

Architecture

Python on Django via Playdoh

Security Components & Controls

Authentication

  • Brute force prevention via adaptive CAPTCHA
  • Password storage via bcrypt and system nonce
  • Account creation with blacklisted password support
  • (Possible) Secure Password Reset

Access Control

  • Presentation, Business, Data Layer Access Control
  • (Possible) Two tier design for admin account separation

Input Validation

  • Rich HTML handling via bleach
  • File upload support via secure file handling guidelines

Transport Security

  • Full & correct TLS
  • HTTP Strict Transport Security

Cross Domain Controls

  • X-Frame-Options

Cookie Protection

  • Secure Flag
  • HttpOnly Flag
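
The Transport Security, Cross Domain Controls and Cookie Protection items above can all be checked from response headers alone, which fits the "testing site" use listed earlier. The following is an added example, not code from MozSecureWorld or Mozilla; the function name, finding labels and sample header sets are constructed for illustration, and it assumes the application never needs to be framed cross-origin.

```python
import re

def audit_headers(headers):
    """Return sorted findings for a list of (name, value) response header pairs."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    # HTTP Strict Transport Security: must be present with a non-zero max-age
    # (max-age=0 tells the browser to forget the policy).
    hsts = by_name.get("strict-transport-security", [])
    if not hsts:
        findings.append("hsts-missing")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I)
        if not m or int(m.group(1)) == 0:
            findings.append("hsts-max-age-invalid")

    # X-Frame-Options: assumption for this check is that only DENY or
    # SAMEORIGIN is acceptable; anything else is reported.
    xfo = by_name.get("x-frame-options", [])
    if not xfo:
        findings.append("xfo-missing")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("xfo-unexpected")

    # Cookie protection: every Set-Cookie needs both Secure and HttpOnly.
    # Attribute names are case-insensitive.
    for cookie in by_name.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append("cookie-not-secure:" + cookie_name)
        if "httponly" not in attrs:
            findings.append("cookie-not-httponly:" + cookie_name)
    return sorted(findings)

# Constructed sample responses (not captured from any real site).
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("X-Frame-Options", "DENY"),
            ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly")]
WEAK = [("Strict-Transport-Security", "max-age=0"),
        ("X-Frame-Options", "ALLOWALL"),
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "csrftoken=xyz; Path=/; secure")]

if __name__ == "__main__":
    print(audit_headers(HARDENED))
    print(audit_headers(WEAK))
```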

Secure I/O

  • File Handling
  • SQL
  • (Possible) Third party service


Roadmap

  1. Set up Playdoh & GitHub
  2. Running HelloWorld
  3. Design Planning
  4. Code basic item first (X-Frame-Options)
  5. Complete initial presentation layer and CSS for basic item
  6. Set up backend database
  7. Authentication