critical web application security controls.


I need to know the security measures or controls that you need to apply to secure your web application, for example a user firewall, etc.

can you provide me with the controls that I need to apply to secure my web application?


Web app security is such a wide term that it is impossible to answer in a short message... Just imagine the parts involved in a web app: server, network, data, client components, etc.

I would recommend starting here:
and here:
and more details dealing with Microsoft technologies are here:

Basic Security Practices for Web Applications in .NET Framework 4:
From our experience, programmers who are uneducated about security issues could be the main reason for an unsecured application.

Take SQLi, for example. The thing is, SQL injection was a solved problem *many* years ago. It shouldn't happen nowadays at all. It just shouldn't be possible. But of course, that assumes you're using libraries for your SQL, and that you're using the "sanitizing" functionality that those libraries give you. You should not be trying to sanitize SQL on your own, that's for sure. Something bad will happen... or it already did.

Fixing SQL injection problems is a matter of going through EVERY SINGLE LINE in your code that talks to SQL, and making sure that it's not passing in strings from the URL.  It's just too easy for people to hack.

More education, along with specific coding examples in commonly used programming languages, is the best way to have a secure application.

Also, you need to have a full security audit of your servers. You need to install some firewalls if you don't already have them, lock down your servers, make sure they're running the latest software, and then check them 10 or 20 times in all sorts of ways to shut down unnecessary programs/services and get rid of vulnerabilities.

To answer your question, you have to do two things: 1) write software that proactively implements parameter checking to ensure that the vulnerability is not written into the software, which takes training and standards, and 2) test your software for the presence of these vulnerabilities.

There is no magic solution here, I'm afraid. It's a long process that you'll need to go through across the network, application and operating system layers.
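The answers above make two concrete points about SQL injection: let the database library carry user input as bound parameters instead of building query strings yourself, and add parameter checking so that obviously malformed input never reaches the query at all. The following is an added example illustrating both, not code from the original answers. It uses Python's standard-library sqlite3 module with an in-memory database and a constructed `users` table; the login functions, the payloads and the username rule are all hypothetical and exist only to show the difference between the two styles.

```python
import re
import sqlite3

# Constructed sample data (not from the original page): a tiny login table.
SAMPLE_USERS = [
    ("alice", "s3cret", 0),
    ("bob", "hunter2", 0),
    ("admin", "correct horse battery staple", 1),
]

# Hypothetical allowlist for usernames: letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, is_admin INTEGER)"
    )
    # executemany() with '?' placeholders is itself parameterized.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the classic injectable login.

    Whatever the caller passes becomes part of the SQL text, so a quote in the
    username ends the string literal and the rest is parsed as SQL.
    Returns the matched username, or None if no row matches.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters.

    The SQL text is fixed; the driver sends the values separately, so they are
    compared as data and are never parsed as SQL, quotes included.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def is_valid_username(username):
    """Parameter check: reject anything outside the allowlist before querying.

    This is defense in depth on top of parameterization, not a substitute for
    it (passwords, for instance, legitimately contain quotes and spaces).
    """
    return USERNAME_RE.fullmatch(username) is not None


def login_hardened(conn, username, password):
    """Validate the username, then run only the parameterized query."""
    if not is_valid_username(username):
        return None
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    conn = make_db()
    # Constructed payload: the quote closes the literal, '--' comments out the
    # password check, so the vulnerable version logs in as admin without a password.
    payload = "admin' --"
    print("vulnerable   :", login_vulnerable(conn, payload, "wrong"))
    print("parameterized:", login_parameterized(conn, payload, "wrong"))
    print("hardened     :", login_hardened(conn, payload, "wrong"))
    print("legit login  :", login_hardened(conn, "alice", "s3cret"))
```

Running it shows the concatenated query returning `admin` for a wrong password while the parameterized and hardened versions return `None`, and a genuine login still succeeds. The check in `login_vulnerable` is exactly what the answer above describes auditing for: every place a string from the request is spliced into SQL.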
