Developing Secure Web Applications - 1334

I. INTRODUCTION

A Web application is an application that uses an Internet browser as a client. Examples include Gmail, Amazon, Facebook and LinkedIn. Web applications are popular because web browsers are ubiquitous, which allows for relatively simple deployment and updates. Essentially, a web application can run on any device that has a web browser. However, the universality of the web browser also poses a threat to the security of web applications. In 2013, 33% of disclosures were due to web application vulnerabilities [1]. The most common web application security risks include cross-site scripting (XSS), SQL injection, broken authentication and session management, and security misconfiguration [2]. There are many challenges in developing a secure web application, and security is often not a top priority during development. Additionally, the ubiquity of the web browser as a client and the relative convenience of web application development may attract less experienced developers. However, there are best practices that can protect against some of the most common security threats. The following guidelines … should be followed.

II. AUTHENTICATION

Authentication commonly involves a login screen that requires a username and password to determine whether the user is who they claim to be. A common attack on authentication consists of repeated login attempts that guess common passwords. One defense against this type of attack is to block the user after a certain number of failed attempts. Additionally, if an account is locked out due to failed logins, you should notify a system administrator [3]. Passwords, and ideally usernames, should be hard to guess. The application should force ... half of the sheet of paper ... sent to an error log. It is recommended that error messages contain an error log ID that can be matched against the message in the logs [11].

Works Cited

1. https://www.whitehatsec.com/resource/stats.html
1. IBM Company. "IBM X-Force Threat Intelligence Quarterly Q1 2014". Somers, New York, 2014. http://www-03.ibm.com/security/xforce/
2. https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents
3. http://www.sans.org/reading-room/whitepapers/securecode/security-checklist-web-application-design-1389
4. http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
5. https://www.owasp.org https://www.owasp.org/index.php/Authentication_Cheat_Sheet
6. http://www.sans.org/security-resources/policies/Password_Policy.pdf
7. textbook stamp
8. https://www.owasp.org/index.php/Guide_to_Authorization
9. http://www.skyhunter.com/marcs/capabilityIntro/capacl.html
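The lockout-and-notify rule from section II and the error-log-ID convention from the error-handling passage, as an added Python example that is not part of the article; the failure threshold, the lockout window, the `notify_admin` callback and the injectable `clock` are assumptions chosen for illustration.

```python
import logging
import secrets
import time
from collections import defaultdict

logger = logging.getLogger("webapp")


class LoginGuard:
    """Count failed logins per username; lock the account once the threshold
    is reached and notify an administrator (threshold and window are assumed)."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 notify_admin=None, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.notify_admin = notify_admin or (lambda message: None)  # hypothetical hook
        self.clock = clock  # injectable so the lockout window can be tested
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:  # window elapsed: clear the lock and counter
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def record_failure(self, username):
        """Register one failed attempt; return True if the account is now locked."""
        if self.is_locked(username):
            return True
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = self.clock() + self.lockout_seconds
            self.notify_admin(f"account {username!r} locked after "
                              f"{self.failures[username]} failed logins")
            return True
        return False

    def record_success(self, username):
        self.failures[username] = 0  # a good login resets the counter


def report_error(exc):
    """Log the detail server-side under a random ID; return a generic message with that ID."""
    error_id = secrets.token_hex(8)
    logger.error("error_id=%s detail=%r", error_id, exc)
    return error_id, f"Something went wrong. Reference ID: {error_id}"
```

The user-facing message carries only the reference ID, so the exception detail stays in the log where the ID lets support locate it.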