Säkerhet och integritet i webbapplikationer : En orientering över säker utveckling

Sammanfattning: The use of Web applications is a growing area. While the possibilities and functionalities are increasing, so is the complexity of them, together with the threats against them because the complexity also opens up the application to vulnerabilities. It is therefore important for developers to know how a web application can be developed with security in mind. This study’s intention has been to create an introductory documentation of what kind of techniques that exists which can produce higher security, which methods there can be within the development process and what to think about when programming secure web applications. In this paper we have investigated how theoretical manuals in the IT security department handles that area, and interviewed two developers from two different companies to see how they use security in their web applications. The study has an exploratory technical perspective and does not explain how to practically use and interconnecting different security-enhancing technologies, but is more suppose to give a first glance at what is available and sow a seed for those interested to continue reading further about the subject. The results of the study was generated through comparison of the theoretical material with the empirical material, to then conclude the most prominent points of what are different and similar between those materials. During the study some key points has been revealed for development: Responsibility for safety in the application lies, in the cases we looked at, with the developers to describe the technical possibilities and hence vulnerabilities when the client usually does not possess the same technical skills for that. The customer was, as the cases we studied, often not so proactive on safety and does not value it very high (if it was not a security-critical business such as being involved with defense technology). Because the customer in such cases didn’t put security as high priority, there existed a lack of motivation to spend extra money to combat threats that were not considered significant. In cases where extra recourses were spent on security, a measurement was developed that security should not cost more than the value of what it protects else the cost is unjustified. Finally it is noted that it is technically difficult to protect against human errors that can disarm the security, for example a simple or misplaced password.