Web Application Security Frame

The Web Application Security Frame is a set of categories you can use to scope security and improve your effectiveness.  It consists of the following categories:

  • Auditing and Logging
  • Authentication
  • Authorization
  • Configuration Management
  • Cryptography
  • Exception Management
  • Input and Data Validation
  • Sensitive Data
  • Session Management

We created these categories while writing Improving Web Application Security to represent two things:
1.  Where the most common mistakes are made
2.  Where the most actionable improvements are

How do you use these to be more effective?  You use these categories to focus and prioritize your security work.  For example, if you know the most prevalent security issues occur in the input validation, authentication and authorization categories, you can start there.

You can immediately put the Web Application Security Frame into action.  When you perform Security Design Inspections or Security Code Inspections, you can use the frame to walk through the categories of common security issues.  To do so, see the following:

For more information on the Web Application Security Frame, see Cheat Sheet: Web Application Security Frame.