Essay / Secure Web Application Development - 1334
I. INTRODUCTION

A web application is an application that uses an Internet browser as a client. Examples include Gmail, Amazon, Facebook, LinkedIn, etc. Web applications are popular because the ubiquity of the web browser allows relatively simple distribution and updates. Essentially, a web application can run on any device with a web browser. However, the universality of the web browser also poses a threat to the security of web applications. In 2013, 33% of disclosures were due to web application vulnerabilities [1]. The most common web application security risks include cross-site scripting (XSS), SQL injection, broken authentication and session management, and security misconfiguration [2]. Developing a secure web application presents many challenges, and security is often not a top priority during development. Additionally, the ubiquity of the web browser as a client and the relative convenience of web application development may attract less experienced developers. However, there are best practices that can protect you against some of the most common security threats. The following guidelines ... must be followed.

II. AUTHENTICATION

Authentication usually involves a login screen asking for a username and password to determine whether the user is who they claim to be. An attack on authentication could involve repeated login attempts that guess common passwords. One defense against this type of attack is to lock out the user after a given number of failed attempts. Additionally, if an account is locked due to failed logins, a notification should be sent to a system administrator [3]. Passwords, and ideally usernames, should be difficult enough to guess. The application should apply ...

... middle of paper ...

... sent to an error log. It is recommended that error messages contain an error log ID that can be matched to the message in the logs [11].

Works Cited

1. https://www.whitehatsec.com/resource/stats.html
1. IBM Company. "IBM X-Force Threat Intelligence Quarterly 1Q 2014". Somers, New York. 2014. http://www-03.ibm.com/security/xforce/
2. https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents
3. http://www.sans.org/reading-room/whitepapers/securecode/security-checklist-web-application-design-1389
4. http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
5. https://www.owasp.org/index.php/Authentication_Cheat_Sheet
6. http://www.sans.org/security-resources/policies/Password_Policy.pdf
7. stamp
8. brand manual https://www.owasp.org/index.php/Guide_to_Authorization
9. http://www.skyhunter.com/marcs/capabilityIntro/capacl.html
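The following is an added example, not code from the essay, showing how the two concrete recommendations that survive in the excerpt fit together: lock an account after a fixed number of failed logins and notify an administrator (Section II), and return error messages that carry a log ID matching the server-side error log entry. The threshold of five attempts, the in-memory account store, the `notify_admin` callback and the list used as an error-log sink are assumptions chosen for illustration; the password hashing uses PBKDF2-HMAC-SHA256 from the standard library.

```python
"""Account lockout with administrator notification, and error responses that
carry a log ID matching the server-side error log.

Added example; the threshold, the in-memory store and the notify/log hooks
are assumptions, not the essay's or any project's code.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hashing so stolen hashes cannot be reversed cheaply
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


class Authenticator:
    def __init__(self, accounts, notify_admin):
        # notify_admin is any callable taking a message string (assumed hook)
        self.accounts = {a.username: a for a in accounts}
        self.notify_admin = notify_admin

    def login(self, username: str, password: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            # Same response as a wrong password, so usernames cannot be enumerated
            return "invalid credentials"
        if acct.locked:
            return "account locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0  # successful login resets the counter
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            self.notify_admin(
                f"account {username} locked after {acct.failed_attempts} failed logins"
            )
            return "account locked"
        return "invalid credentials"


def handle_error(exc: Exception, log_sink: list) -> dict:
    """Record the full exception server-side under a random log ID and return
    only a generic message plus that ID to the client, so an operator can
    find the detailed entry without leaking it in the response."""
    log_id = secrets.token_hex(8)
    log_sink.append({"id": log_id, "type": type(exc).__name__, "detail": str(exc)})
    return {"error": "An internal error occurred.", "log_id": log_id}


if __name__ == "__main__":
    notices = []
    auth = Authenticator([create_account("alice", "correct horse")], notices.append)
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(auth.login("alice", "wrong"))
    print(notices)
    print(handle_error(ValueError("constructed failure detail"), []))
```

The unknown-user and wrong-password cases return the same string on purpose; a distinct "no such user" reply would let a guessing attack confirm which usernames exist before it even starts on passwords. Real deployments would keep the counters in persistent storage and expire the lock or require an administrator to clear it.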