Below is a list of controls that your application should have in order to achieve a decent degree of security. The links below each section point to the Open Web Application Security Project (OWASP). OWASP is a well-established open source project that maintains documentation and source code for hundreds of projects dedicated to securing web applications. We strongly encourage you to follow all of its recommendations, and at the very least those in the OWASP Top Ten.
Authorization checks must be performed on every function, and the various roles throughout the application must be enforced correctly. Users should only have access to the functionality and data that they require.
User credentials must be transmitted securely, and both failed and successful login attempts must be handled correctly. Password complexity, and the functionality around credential management, modification, and disclosure, must be implemented properly.
Credentials must be stored properly, with all passwords hashed and salted correctly. The application's password self-service mechanism must be implemented securely.
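One way to implement the hashed-and-salted credential storage described above, as an added example that is not part of the original page: a fresh random salt per password, PBKDF2-HMAC-SHA256 (the iteration count is an assumed policy value, not one the page specifies), a self-describing stored record, and a constant-time comparison on verification.

```python
import base64
import hashlib
import hmac
import os

# Policy values assumed for this example; tune ITERATIONS to your hardware budget.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a record of the form pbkdf2_sha256$iterations$salt_b64$hash_b64.

    A new random salt is drawn on every call, so hashing the same password twice
    produces different records and equal passwords cannot be spotted by comparing
    stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)
    return "$".join([
        "pbkdf2_" + HASH_NAME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = stored.split("$")
        if algo != "pbkdf2_" + HASH_NAME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: never accept, never raise to the caller
    actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)
    # compare_digest does not leak how many leading bytes matched through timing.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a record predates the current iteration policy and should be re-hashed at next login."""
    parts = stored.split("$")
    return len(parts) != 4 or int(parts[1]) < iterations
```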
Session management is very important, especially if the application is used on a shared machine such as one in a library or an airport. All session tokens need to be cryptographically secure, and sessions need proper timeout durations. The application should also provide functionality to explicitly revoke a user's session (i.e. an always visible logout function) and make sure that session tokens are never reused.
Verbose error messages can provide attackers with significant details about an application's infrastructure, which can then be used to tailor an effective attack against any software product. Proper error handling and logging ensures that no Personally Identifiable Information (PII) is logged and that brute force and failed attempts are logged properly for security auditing purposes.
To protect users, all data transportation should be encrypted. This includes not only data transportation between the customer's computer and your application's server, but also all communication between your application and other back-end services.
No PII should be stored on an internet-facing server. Customer data should always be stored in a separate location that does not allow PII leakage in the event that the application server is compromised. All data at rest should also be encrypted, and old data that is no longer necessary or important to your business should be regularly purged.
Good cryptography is one of the most important factors in security. This step ensures that your software uses encryption algorithms of proper strength and that it properly stores the encryption and decryption keys that are critical to your data storage policy.
Caching refers to information stored on the client's computer when a user uses your application. This testing ensures that sensitive data is not stored on the client in case the user is on a public computer, such as a library machine or a tablet at an airport. An attacker could use improperly cached information, such as a Session ID, to gain access to a user's account once the user has left a public workstation.
This test makes sure that the application does not blindly trust any user input. Data validation includes white-listing, the use of secure queries when talking to the database, file upload/download restrictions, and ensuring that no improper redirects occur.