June 11, 2008
On June 11, 2008, Information-technology Promotion Agency, Japan (IPA), headed by chairman Koji Nishigaki, released the 3rd edition of How to Secure Your Web Site, which aims to help web site developers and administrators implement appropriate security in their web sites.
How to Secure Your Web Site is a guideline for web site developers and administrators on implementing appropriate security in their web sites. It has been developed based on the vulnerability-related information reported to IPA and covers the most frequently reported and highest-impact vulnerabilities. With these, the guideline covers about 90 percent of the issues reported to IPA.
Chapter 1 “Web Application Security Implementation” addresses 9 vulnerabilities, including SQL injection, OS command injection and cross-site scripting, and discusses the threats they pose and what kinds of web sites might be most susceptible to them. It also covers fundamental solutions that aim to eliminate the vulnerability itself, mainly from a programming perspective, and mitigation measures that aim to reduce the damage of attacks exploiting the vulnerabilities, mainly from an operational perspective.
Chapter 2 “Approaches to Improve Web Site Security” addresses 5 topics, including web server security and anti-phishing measures, and discusses how to improve web site security mainly from an operational perspective.
Chapter 3 gives case studies in SQL injection and cross-site scripting, showing what may happen to a victimized web site, actual source code examples, what is wrong with them and how to fix the problem.
The appendix provides a checklist that can be used to assess the security of a web site.
The Japanese edition of How to Secure Your Web Site has been downloaded more than 750,000 times since the publication of its 1st edition in January 2006. IPA hopes it will help readers improve their web site security.
This document can be downloaded at:
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)