An excellent article by Neil O’Connor for SearchSecurity.
The full article is HERE, but Neil's eight must-fix flaws are listed below:
1. Trusting client-side validation
2. Blacklisting for input validation
3. Improper error handling
4. Forgotten/change password functionality
5. Unencrypted communications/authentication
6. Lack of auditing and logging
7. Not reusing good security API or already tested code
8. Not following Microsoft best practice development guides
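Flaws 1, 2, 3 and 6 come up together in almost every web handler, so here is a short added example (my own illustration, not code from Neil's article or from any Microsoft guide) that shows why they matter. It contrasts a blocklist check with an allowlist check on a username field using a few constructed sample inputs, and wraps the check in a handler that re-validates on the server no matter what the browser did, writes full detail to an audit log, and returns only a generic message to the client. The `register_user` handler, the `BLOCKLIST` fragments and the sample inputs are assumptions made for the demonstration.

```python
import logging
import re

# Added example, not from the original article: allowlist vs blocklist
# validation, server-side re-validation and safe error handling.

log = logging.getLogger("webapp.audit")

# Blocklist: tries to enumerate known-bad fragments (constructed, and
# deliberately incomplete, as every blocklist is in practice).
BLOCKLIST = ("<script", "' or ", "--", ";")


def blocklist_ok(value: str) -> bool:
    """True if no listed fragment appears. Naive: case-sensitive, no decoding."""
    return not any(bad in value for bad in BLOCKLIST)


# Allowlist: describe exactly what a valid username looks like and
# reject everything else, including oversized and empty input.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def allowlist_ok(value: str) -> bool:
    """True only if the whole value matches the permitted pattern."""
    return USERNAME_RE.fullmatch(value) is not None


# Constructed sample inputs: the first two are legitimate; the rest are
# the kind of variants a client-side check or blocklist tends to pass.
SAMPLES = {
    "alice": True,
    "bob_99": True,
    "<SCRIPT>alert(1)</SCRIPT>": False,  # case differs from the blocklist entry
    "admin'/**/OR/**/1=1": False,        # comment tokens instead of spaces
    "a" * 200: False,                    # oversized
    "": False,                           # empty
}


def compare(samples=SAMPLES):
    """Return {input: (blocklist_verdict, allowlist_verdict, expected)}."""
    return {s: (blocklist_ok(s), allowlist_ok(s), exp) for s, exp in samples.items()}


class ValidationError(ValueError):
    """Raised when server-side validation rejects a field."""


def register_user(username: str, request_id: str = "req-0001") -> dict:
    """Handler-style function (hypothetical): validate on the server even if
    the browser already validated, log detail for audit, never echo internals.
    Returns a small dict standing in for an HTTP response."""
    try:
        if not allowlist_ok(username):
            raise ValidationError(f"username rejected: {username!r}")
        # Persisting the user would happen here (omitted in this example).
        log.info("user registered request_id=%s username=%s", request_id, username)
        return {"status": 201, "body": {"ok": True}}
    except ValidationError as exc:
        # Full detail goes to the audit log (flaw 6); the client gets a
        # generic message plus a correlation id, not the exception (flaw 3).
        log.warning("validation failure request_id=%s detail=%s", request_id, exc)
        return {"status": 400, "body": {"error": "Invalid input.", "ref": request_id}}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for value, (blocked, allowed, expected) in compare().items():
        print(f"{value[:24]!r:28} blocklist_ok={blocked!s:5} allowlist_ok={allowed!s:5} expected_valid={expected}")
    print(register_user("alice"))
    print(register_user("<b>"))
```

Running it shows the blocklist accepting every malicious sample while the allowlist accepts only the two legitimate ones; the point is that the allowlist never had to anticipate the attacker's encoding, and that the rejected value reaches the log but not the response body.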
For PCI DSS, the guidance for requirement 6.6 is:
Attacks on web-facing applications are common and often successful, and are allowed by poor coding practices. This requirement for reviewing applications or installing web application firewalls is intended to greatly reduce the number of compromises on public facing web applications that result in breaches of cardholder data.
- Manual or automated vulnerability security assessment tools or methods that review and/or scan for application vulnerabilities can be used to satisfy this requirement.
- Web-application firewalls filter and block non-essential traffic at the application layer. Used in conjunction with a network-based firewall, a properly configured web-application firewall prevents application-layer attacks if applications are improperly coded or configured.