Application Development Guidelines

Software applications should be designed and developed against the common vulnerabilities in the latest Open Web Application Security Project (OWASP) and CWE/SANS vulnerabilities list, such as :

  • Access control mechanism shall be applied to locations containing sensitive information or functionality to ensure unauthorized users cannot access such locations.
  • All sensitive information transmitted over public network shall be encrypted.
  • User input data shall be verified to ensure that the data is strongly typed, of the correct syntax, within length boundaries, contains only permitted characters, or and that numbers are correctly signed and within range boundaries.
  • Any critical security flaws identified during security tests and web application security vulnerability assessment shall be corrected.
  • Any unused services, functions or procedures in the servers shall be removed to reduce the attack surface.
  • All the test data and test accounts shall be removed before deploying the web application / website into production environment.

OWASP Top 10

For new web application, make sure your programmers understand the OWASP Top 10, a list of the 10 most critical web application security flaws. OWASP stand for Open Web Application Security Project, an open community dedicated to helping organizations build and maintain secure applications.

Encryption Standard for Network Transport

Data encryption between applications and servers in scenarios where that data is being sent across an insecure network should use TLS protocol. SSL v2 should be disabled on the server, whereas SSLv3 should be disabled too unless the application must support very old web browsers like IE6 on WinXP.

Common Vulnerabilities

  • Information of the common vulnerabilities found by KPMG in the recent audit exercise is summarized in this document.  Please make sure they are mitigated in your applications.  (Note that only HKUST staff is allowed to login and download the document.)
  • Cross-Site Request Forgery (CSRF) - To avoid risks of users being tricked into completing actions unknowingly, application programs should use anti-CSRF protections such as (CSRF protection provided by programming frameworks, CSRF tokens, SameSite cookie attribute restriction, etc) (Reference:

Web Application Security

Details on web application development security, please refer to :

PHP Developer Guide

Training materials and security services

ITSC has held a web application security training course for campus developers. You can download the training materials from the Past Training Resources page. ITSC also provides Website Registration and Web Application Health-Check Service to help you protect your web application.

Related Links