If there is a vulnerability, it will be exploited. That’s why security on a project or in the company looms large especially you work with sensitive customer data. We understand this need and we take care of web applications security at every stage and do our best to expand our knowledge in this matter.
This article is a non-exhaustive list of security measures/precautions that should be considered to be implemented on each and every application you make. Even if some of the recommendations are not implemented intentionally (eg. due to limited budget, timeline, resources, etc.), it is valuable to be aware of them and communicate them to the product owner.
Table of Contents
- Why web application security is so important?
- Key questions before the web apps project start
- Web application security when planning solution architecture
- Application authentication and authorization
- Production data access and usage policies
- Framework and monitoring
- Web application firewalls during the development lifecycle
Why web application security is so important?
We can differentiate between two types of organizations
In the information security world, this saying is so famous that you don't even know who to attribute it to. It may seem pessimistic, but those who work in incident response, computer forensics or other investigations know it to be all too true.
Recognizing that a security threats (assumption breach) will occur is the basis for preparation and design assumptions to ensure that it proves difficult, time-consuming, costly and risky for someone to gain unauthorized access to networks, applications, data and other systems time-consuming, costly and risky, and that it is possible to detect and respond to such cases quickly.
This means It also means monitoring and logging what happens on your systems so that if a breach is discovered only after the fact, you can at least find out what happened. In order to detect a potential breach, changes and anomalies in the operation of the system are also often monitored.
Assuming that a security breach will occur means preparing in advance for the worst, to limit the damage, reduce the time to detect an event, and minimize corrective actions.
Key questions before the web apps project start
To effectively prepare a security checklist with the most adequate and beneficial security items to be checked, it is crucial to build a full understanding of the security "big-picture". This usually helps in setting the right security goals and constraints. The implementation application security program can bring a lot of benefits but before you should ask yourself some questions:
- What is the business domain of the application? (i.e. financial applications will require higher levels of security)
- Is the app going to be used by the general public or just internal users?
- What types of data do the application store and where is it going to be stored?
- Is any of this data sensitive?
- Do we need to follow any compliance policies, like GDPR?
- Is scraping an issue we should consider preventing?
Web application security when planning solution architecture
Based on the summary built-in in step one, it is important to take this knowledge into account when planning what needs to be implemented and how it is going to be implemented. Questions that might be helpful in this context:
Application authentication and authorization
- What kind of authentication strategy are you planning to use?
- Are you going to implement SSO?
- What about MFA?
- What authentication libraries / 3rd party services are to be used?
- Who will create new users in the system?
- How are you going to authenticate your APIs?
- Do you need APIs at all?
- What APIs are going to be used for - Server-to-Client or Sever-to-Server communication?
- How are you going to invalidate tokens if needed? How often?
- Are there permission levels / ACLs necessary to be introduced at the application level? How and Who will be in control of them?
Production data access and usage policies
- For local development - do you need to use production data at all or can you live with seeded data or fixtures?
- For staging and/or QA - do you need to use production data here? Do you need to obfuscate it? How, at which stage and what fields do you need to obfuscate?
- For production - how are you going to access data to debug some specific problems? Who will be able to do that? Do you need "impersonate user" functionality? Do you need to ask users for permission do do that?
- Who might have unintentional access to the production data stored? Which developers? Any 3rd party (eg. Hosting services / Cloud provider)?
- If and what data should be encrypted at rest?
Framework and monitoring
- What application framework are you going to use? What are the key conventions to be followed to maximise benefits of framework built-in security measures?
- What policy / procedure for continuously updating libraries / framework are you going to introduce, if any?
- Do you allow GitHub to scan your repository for vulnerabilities related to outdated dependencies?
- What do application logs contain and where this data is going to be stored, for how long and who will be able to access it?
Web application firewalls during the development lifecycle
The following list is extracted from OWASP Top 10 vulnerabilities report from 2021 and should be considered as the primary checklist for vetting own applications security-wise (especially pre-release). Each page referenced below contains further references to detailed attack prevention techniques.
Broken Access Control
Broken Access Control vulnerabilities are common in modern applications since the design and implementation of access control mechanisms rely on a highly complex ecosystem of multiple components and processes. In such a complex, changing ecosystem, security and development teams should apply several legal, organizational, and business logic to ensure the tech stack is watertight and has no room left for hackers to exploit the system.
- Deny access to functionality by default.
- Use Access control lists and role-based authentication mechanisms.
- Do not just hide functions.
- Constant interactive application security testing and Auditing of Access Controls.
In short, insufficient cryptography is cryptography that can be easily compromised and does not provide a sufficient level of security. The basic concept behind cryptography is not to create ciphers that are impossible to crack, but to create ciphers that are impossible to crack within a reasonable timeframe given the computational power currently available. In other words, it may not be impossible to crack from a conceptual standpoint, but it’d be excessively difficult and impractical to do so. So insufficient cryptography generally means cryptography that can be cracked in a reasonable amount of time with the hardware available to the attacker.
- Classify data processed, stored, or transmitted by an application, to understand what data you need to defend, and identify appropriate controls.
- Make sure to encrypt all data classified as "sensitive".
- Wherever possible, use encryption that provides forward secrecy, to ensure data encrypted in the past can’t be decrypted if session keys are exposed.
- Independently verify the effectiveness of encryption configuration and settings.
Injection flaws occur when untrusted user data are sent to the web application as part of a command or query. The attacker’s hostile data can trick the web application into executing unintended commands or accessing unauthorized data. Injection occurs when a hacker feeds malicious input into the web application that is then acted on (processed) in an unsafe manner. This is one of the oldest attacks against web applications, but it’s still the king of the vulnerabilities because it is still widespread and very damaging.
- Validating user inputs by creating an allow-list (whitelist) for valid statements and configuring inputs for user data by context.
- Use prepared statements with parameterized queries that help distinguish between code and user input and do not mistake statements for commands.
- Using stored procedures that are defined and stored in the database and called from the web application.
- Limiting special characters to disallow string concatenation.
Injection vulnerabilities can pop up in all sorts of places within the web application that allows the user to provide malicious input. Some of the most common injection attacks target the following functionality:
- Structured query language (SQL) queries
- Lightweight directory access protocol (LDAP) queries
- XML path language (XPATH) queries
- Operating system (OS) commands
Insecure Design is a new category for 2021, with a focus on application security risk related to design flaws. If we genuinely want to "move left" as an industry, we need more threat modeling, secure design patterns and principles, and reference architectures. An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks.
Identifying flaws at the design phase is what we call “starting left” insecurity, which is a progression of the popular DevSecOps saying to “shift left”. As OWASP highlights, secure design is as much about culture as well as methodology. This is about changing the mindset around what stage security needs to enter the application development process and it is our fundamental belief that true DevSecOps can only be achieved if security is factored in right at the outset.
- Implement the security controls properly.
- Perform security in each step such as on the Unit stage or on the integration stage for the validation of all the flows that can exist and resistant them with the help of Threat modeling if teams are following it.
- Always implement security controls on different layers such as on the network layer or on the system layer.
- Divide the users as per their authorization on all the tiers so no one can misuse the authorizations.
A misconfiguration can occur for various reasons. Modern network infrastructures are exceedingly complex and characterized by constant change; organizations can easily overlook crucial security settings, including new network equipment that might retain default configurations. Even if you've provisioned secure configurations for your endpoints, you should still audit configurations and security controls frequently to identify the inevitable configuration drift. Systems change, new equipment is brought into the network, patches are applied—all contributing to misconfigurations.
- A repeatable hardening process makes it fast and easy to deploy another environment that is appropriately locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment.
- A minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.
- A task to review and update the configurations appropriate to all security notes, updates, and patches as part of the patch management process.
- A segmented application architecture provides effective and secure separation between components or tenants, with segmentation, containerization, or cloud security groups.
- An automated process to verify the effectiveness of the configurations and settings in all environments.
Vulnerable and Outdated Components
The prevalence of vulnerable and outdated components — and the ease of attacks using this vector — make this an especially dangerous category. Almost all modern applications use open-source packages, and information about vulnerabilities related to these packages is widely available. Attackers who figure out what vulnerable packages you're using can use exploits that are already available. That means you have a type of attack that is widespread and straightforward.
- Remove unused dependencies, unnecessary features, components, files, and documentation.
- Continuously inventory the versions of both client-side and server-side components
- Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component
- Monitor for libraries and components that are unmaintained or do not create security patches for older versions.
Identification and Authentication Failures
Identification and authentication failures can occur when functions related to a user's identity, authentication, or session management are not implemented correctly or not adequately protected by an application. Attackers may be able to exploit identification and authentication failures by compromising passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities, either temporarily or permanently.
- Enable and enforce MFA
- Ensure that default passwords are only for one-time use and are updated as the user logins
- Enforce a password policy to prevent users from setting weak passwords
- Rate limit the critical endpoints
- Get your applications pentester and any code being pushed to production must be reviewed and well tested against such issues
Software and Data Integrity Failures
Software and data integrity failures relate to code and infrastructure that do not protect against integrity violations. This can occur when you use software from untrusted sources and repositories or even software that has been tampered with at the source, in transit, or even the endpoint cache. Attackers can exploit this to potentially introduce unauthorized access, malicious code, or system compromise as part of the following attacks:
- Cache Poisoning
- Code injection
- Command execution
- Denial of Service
- Always ensure that the app you are using is trusted and uses sane security practices
- As a developer, ensure that the apps are signed and the trusted data sources are also tamper-proof
- Ensure that your CI/CD pipelines are secure and any malicious code doesn’t go in
- Audit the code before it makes it to the production
- Get your software pen tested frequently to ensure high-security levels
Security Logging and Monitoring Failures
Nearly all major security incidents originate from the exploitation of insufficient logging, unplanned security strategies, or insufficient monitoring. Businesses using mobile apps with insufficient or no logging functions run the risk of attack taking so long to be mitigated that those can do considerable damage to the entire tech stack.
Hackers leverage gaps in logging and monitoring by relying on the fact that security teams will take time to detect and remediate the attack to try and escalate privileges. This section explores the threats associated with insufficient logging & monitoring and the business impacts of a successful attack.
- Ensure sufficient logging for all authentication failures, including login, access control, and server-side validation.
- Create context and understand baseline traffic to enable easy identification of suspicious and malicious activity
- Have an audit trail for critical and high-value transactions to prevent deletion or tampering
- Backup log files on multiple servers to enable fault tolerance
- Authenticate access to logs
- Automate monitoring and alerts for log events
SSRF - Server Side Request Forgery
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.
- Sanitize and validate all client-supplied input data
- Enforce the URL schema, port, and destination with a positive allow list
- Do not send raw responses to clients
- Disable HTTP redirections
- Be aware of the URL consistency to avoid attacks such as DNS rebinding and “time of check, time of use” (TOCTOU) race conditions
Web app security is important. There are many security risks associated with web application security, but with the right approach, it is easy to prevent or minimize them during all software development lifecycle.
So if you're thinking about web application security you need to take a broad approach because everything is vulnerable in some way. Therefore, application security tools, as well as conscious employee education and assessment, should be implemented for a complete process.
software development outsourcing
AuthorBartosz Kaczmarczyk DevOps Engineer
Bartosz is a skillful system administrator, responsible for the full lifecycle of building IT systems - from analysis, development, implementation and support, testing and deployments. Bartosz has 11 years of experiance and is always on the lookout for opportunities to learn, that's why he wants to implement systems with the DevOps philosophy, increasing an organization's ability to deliver applications and services at high velocity.
What are the best practices for securing the Web Apps? ›
- Include everyone in security practices. ...
- Adopt a cybersecurity framework. ...
- Automate and integrate security tools. ...
- Follow secure software development practices. ...
- Use diverse security measures. ...
- Perform security exercises. ...
- Maintain a bounty program.
The Application Security Checklist is one of OWASP's repositories that offers guidance to assess, identify, and remediate web security issues. This article delves into various vulnerabilities of web applications and outlines OWASP's guidance on testing to mitigate such vulnerabilities.What is the best standard for Web application security do we need to follow? ›
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.How do you ensure security of web applications? ›
- Maintain Security During Web App Development. ...
- Be Paranoid: Require Injection & Input Validation (User Input Is Not Your Friend) ...
- Encrypt your data. ...
- Use Exception Management. ...
- Apply Authentication, Role Management & Access Control.
The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability.What are the four 4 most secure encryption techniques? ›
- AES. The Advanced Encryption Standard (AES) is the trusted standard algorithm used by the United States government, as well as other organizations. ...
- Triple DES. ...
- RSA. ...
- Blowfish. ...
- Twofish. ...
- Rivest-Shamir-Adleman (RSA).
- Install only what is required. ...
- Lock and expire default user accounts. ...
- Change default user passwords. ...
- Enable data dictionary protection. ...
- Practice the principle of least privilege. ...
- Enforce access controls effectively. ...
- Restrict operating system access.
Regardless of security policy goals, one cannot completely ignore any of the three major requirements—confidentiality, integrity, and availability—which support one another. For example, confidentiality is needed to protect passwords.What are the top 10 application security risks? ›
- Injection. Injection attacks happen when untrusted data is sent to a code interpreter through a form input or some other data submission to a web application. ...
- Broken Authentication. ...
- Sensitive Data Exposure. ...
- XML External Entities (XEE) ...
- Broken Access Control. ...
- Security Misconfiguration.
- Secure the web environment (prevent web server bugs)
- Validate user input (prevent XSS and injection attacks)
- Avoid third-party scripts and CSS.
- Use encryption (protect data, prevent mixed content bugs)
- Use the right authentication.
- Authorize requests (prevent XSRF, XSSI etc)
What are the 3 most important things you do to protect your security online? ›
- Install an Antivirus and Keep It Updated. ...
- Explore the Security Tools You Install. ...
- Use Unique Passwords for Every Login. ...
- Get a VPN and Use It. ...
- Use Multi-factor Authentication. ...
- Use Passcodes Even When They Are Optional. ...
- Pay With Your Smartphone.
- Identify Weaknesses With Cyber Security Assessments. Step one is to find any weaknesses in your cyber security. ...
- Create And Manage Stronger Passwords. The second step is to fix your passwords. ...
- Cyber Security and Data Protection Training.
Web application security refers to a variety of processes, technologies, or methods for protecting web servers, web applications, and web services such as APIs from attack by Internet-based threats.What is a Web application security policy? ›
Web Application Security is a branch of information security that deals specifically with the security of websites, web applications, and web services.Why security is important in web applications? ›
Web security is important to keeping hackers and cyber-thieves from accessing sensitive information. Without a proactive security strategy, businesses risk the spread and escalation of malware, attacks on other websites, networks, and other IT infrastructures.What are the 5 essential elements of cyber security? ›
Different Elements of Cybersecurity:
Information security. Disaster Recovery Planning. Network Security. End-user Security.
- Use Strong Passwords. ...
- Secure your computer. ...
- Be Social-Media Savvy. ...
- Secure your Mobile Devices. ...
- Install the latest operating system updates. ...
- Protect your Data. ...
- Secure your wireless network. ...
- Protect your e-identity.
There are two types of encryption in widespread use today: symmetric and asymmetric encryption. The name derives from whether or not the same key is used for encryption and decryption.What are the 3 major components of encryption system? ›
Security in Wireless Systems
The main components of an encryption system are: (1) plaintext (not encrypted message), (2) encryption algorithm (works like a locking mechanism to a safe), (3) key (works like the safe's combination), and (4) ciphertext (produced from plaintext message by encryption key).
- Step 1: Identify “Stupid Mistakes” That Cause Failure. ...
- Step 2: Seek Additional Input From Others. ...
- Step 3: Create Simple “Do” Steps. ...
- Step 4: Create Simple “Talk” Steps. ...
- Step 5: Test The Checklist. ...
- Step 6: Refine the Checklist.
What is a checklist example? ›
A checklist is a type of job aid used in repetitive tasks to reduce failure by compensating for potential limits of human memory and attention. It helps to ensure consistency and completeness in carrying out a task. A basic example is the "to do list".What is a basic checklist? ›
A simple checklist template is any kind of process or list of tasks arranged in the form of a checklist; in other words, it's a to-do list where the order of tasks is usually important.What are the 5 types of security? ›
- Critical infrastructure security.
- Application security.
- Network security.
- Cloud security.
- Internet of Things (IoT) security.
- Access Controls. The act of restricting access to sensitive data or systems enables your enterprise to mitigate the potential risks associated with data exposure. ...
- Application Security. ...
- Behavioral Analytics. ...
- Firewalls. ...
- Virtual Private Networks. ...
- Wireless Security.
We outline the anatomy of the AMBI-CYBER architecture adopting a balanced scorecard, multistage approach under a 7Ps stage gate model (Patient, Persistent, Persevering, Proactive, Predictive, Preventive, and Preemptive).What are the 4 main types of security vulnerability? ›
- Network Vulnerabilities. These are issues with a network's hardware or software that expose it to possible intrusion by an outside party. ...
- Operating System Vulnerabilities. ...
- Human Vulnerabilities. ...
- Process Vulnerabilities.
The top three most common application security risks are broken access control, cryptographic failures, and injection (including SQL injection and cross-site scripting), according to the 2021 OWASP Top 10.What is the most common attacks on Web applications? ›
- Denial of service (DoS) and distributed denial of service (DDoS) attacks.
- Man-in-the-middle / man-in-the-browser attacks.
- Drive-by download attacks.
- Phishing and spear-phishing attacks.
- Password-based attacks.
- SQL injection attacks.
- Cross-site scripting attacks.
Confidentiality (the data exchanged is encrypted). Message integrity (the data is checked for possible corruption). Secure key exchange between client and server.What are the 10 basic rules in protecting yourself online? ›
- Don't open mail from strangers. ...
- Make sure your devices are up to date. ...
- Use strong passwords. ...
- Use two-factor authentication. ...
- Don't click on strange-looking links. ...
- Avoid using unsecured public Wi-Fi. ...
- Back up your data regularly. ...
- Be smart with financial information.
What are the four components of security approach? ›
An effective security system comprises of four elements: Protection, Detection, Verification & Reaction.What makes a good security strategy? ›
A security policy is of no use to an organization or the individuals within an organization if they cannot implement the guidelines or regulations within the policy. It should be concise, clearly written and as detailed as possible in order to provide the information necessary to implement the regulation.What is web security and its types? ›
In general, web security refers to the protective measures and protocols that organizations adopt to protect the organization from cyber criminals and threats that use the web channel. Web security is critical to business continuity and to protecting data, users and companies from risk.What is web security and how it works? ›
How Does Web Security Work? Web security is enforced by a security appliance that acts as a web proxy, sitting between users and the Internet. This appliance can either be an on-premises or cloud-based appliance or software deployed within the user's web browser.What are the common Web application security issues? ›
The Top 10 security vulnerabilities as per OWASP Top 10 are:
Insecure Direct Object References. Cross Site Request Forgery. Security Misconfiguration. Insecure Cryptographic Storage.
What are Application Security Tools? Application Security Tools are designed to protect software applications from external threats throughout the entire application lifecycle. Enterprise applications sometimes contain vulnerabilities that can be exploited by bad actors.What is web app security testing? ›
Web application security testing is the process of testing, analyzing and reporting on the security level and/or posture of a Web application. It is used by Web developers and security administrators to test and gauge the security strength of a Web application using manual and automated security testing techniques.What is the most important function of security? ›
Their job is to prevent a crime from happening by proactively watching for suspicious behavior, mitigating risks as they appear and contacting the proper authorities when an incident occurs. Simply put, security guards keep people, property and other valuable assets safe and secure.What is securing Web application? ›
Web application security refers to a variety of processes, technologies, or methods for protecting web servers, web applications, and web services such as APIs from attack by Internet-based threats.What are three ways to secure applications? ›
Three Ways To Secure Application Services – Authentication, Automation, And Collaboration - Information Security Buzz.
What are the best practices for privacy and security? ›
- Understand data technologies and databases. ...
- Identify and classify sensitive data. ...
- Create a data usage policy. ...
- Control access to sensitive data. ...
- Implement change management and database auditing. ...
- Use data encryption. ...
- Back up your data. ...
- Use RAID on your servers.
Web security is important to keeping hackers and cyber-thieves from accessing sensitive information. Without a proactive security strategy, businesses risk the spread and escalation of malware, attacks on other websites, networks, and other IT infrastructures.What are the types of application security? ›
Different types of application security features include authentication, authorization, encryption, logging, and application security testing. Developers can also code applications to reduce security vulnerabilities.What are the 7 principles of security? ›
- Principle of Least Privilege. ...
- Principle of Separation of Duties. ...
- Principle of Defense in Depth. ...
- Principle of Failing Securely. ...
- Principle of Open Design. ...
- Principle of Avoiding Security by Obscurity. ...
- Principle of Minimizing Attack Surface Area.
- Confidentiality: The degree of confidentiality determines the secrecy of the information. ...
- Authentication: Authentication is the mechanism to identify the user or system or the entity. ...
- Integrity: ...
- Non-Repudiation: ...
- Access control: ...
- Availability. ...
- Integrity. ...
- Confidentiality. ...