Developer's Guide to Web Application Security

As more and more applications find their way to the World Wide Web, security concerns have increased. Web applications are by nature somewhat public and therefore vulnerable to attack. Today, it is the norm to visit Web sites where logins and passwords are required to navigate from one section of the site to another. This is even more necessary in a Web application where data is being manipulated between secure internal networks and the Internet. Web applications, no matter their function, should not exchange data over the Internet unless it is encrypted or at least digitally signed. Security should be extended to the private-public network border to provide the same authentication, access control, and accounting services that local area network (LAN) based applications employ.
This chapter attempts to tackle security holistically, from both a code and a system-wide perspective. The focus here is on methods of creating secure, or at least security-conscious, Web applications and Web infrastructures. We discuss why it is even feasible to attempt to secure our applications on such a public medium as the Internet. We tackle security mostly from a system level. The most widely used method of Web application security today is Public Key Infrastructure (PKI). Those of us unfamiliar with PKI will acquire a working knowledge of it; we also examine other methods such as Secure Sockets Layer (SSL) and Secure Multipurpose Internet Mail Extensions (S/MIME), which facilitate secure communications via other protocols such as Post Office Protocol/Simple Mail Transfer Protocol (POP/SMTP) and Hypertext Transfer...