Web Application Security Audit Best Practice

Background

Web applications are now the primary means by which government, private and business organizations deliver services to their customers. A secure web application lets users quickly get the information and services they need, and the dependency on web-based applications for information and services is increasing day by day. Every business sector now relies on secure web applications to power its customer-facing services; without a good, secure web application we cannot get a single service, be it banking, insurance or finance, to name a few.

At the same time, web-based applications have become the prime target for attackers looking to steal valuable customer data or disrupt business operations. Such attacks lead to severe consequences, including but not limited to:

  • Loss of Customer Data
  • Reputational damage
  • Loss of Customer Trust
  • Loss of Revenue
  • Compliance and Penalties

According to ISACA, organizations typically spend between $3,500 and $300,000 on new tools and services, awareness programs, administrative policies, and additional staffing after a data breach.

Standard Security Audit Observations

  • Weak Password
  • SQL Injection

Best Practices

Considering the above threats, we need a thorough understanding of web application security best practices. It is advisable to apply them from the design and coding phases onward, and to follow them throughout the project development life cycle, so that our applications are secure and robust.

Design Phase

At this phase, awareness of application security is built within the design and development team: the development teams hold a series of discussions with the security architects. Some of the security best practices that need to be settled at this phase are:

  • Data Encryption
  • Strong Password
  • Multiple levels of user privileges
  • Input Validation

Development Phase

Developers working on applications should be trained on the Open Web Application Security Project's OWASP Top 10 and the SANS Institute's web application security checklist, so that they are aware of the issues to avoid while coding. Always prefer a well-maintained, secure framework over writing your own, and use the latest versions of libraries and third-party code. Check third-party and open-source components for known vulnerabilities, and fix or replace them before adding them to the code base.

Some of the areas that need attention at this phase are:

  • Input Checks
  • Command Injection
  • SQL Injection

The team should follow these web application security best practices to avoid weaknesses in the code:

Input Checks

Validate input fields on both the client and the server side. Client-side validation improves the user experience but is easily bypassed, since a request can be crafted without the browser, so the server-side check is the one that actually enforces the rule and must handle whatever a malicious user sends.

Always perform boundary (length and range) checks to prevent buffer overflow problems. A buffer overflow can expose the code to many types of risk, such as denial of service and remote code execution, so checking the length and range of every input field prevents such risks.

Adopt an allow-list (whitelist) rather than a block-list (blacklist) approach to check input fields. A block-list is hard to keep complete, so it may leave the door open for threat actors. Using an allow-list that permits only the required characters, length and format prevents many types of input validation risk.
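The three rules above (server-side enforcement, boundary checks, allow-list rather than block-list) combined in one validator, as an added example that is not part of the original article. The field names and their allow-list patterns are constructed for illustration; a real form would carry its own rules.

```python
import re

# Constructed allow-list rules: field -> (pattern, min length, max length).
# The pattern is the allow-list; the length bounds are the boundary check.
FIELD_RULES = {
    "username": (re.compile(r"[A-Za-z0-9_.-]+"), 3, 32),
    "zip_code": (re.compile(r"[0-9]{5}(-[0-9]{4})?"), 5, 10),
    "quantity": (re.compile(r"[0-9]+"), 1, 6),
}


def validate_field(name, value):
    """Server-side check of one field. Returns (ok, reason).

    Runs regardless of whatever the browser already checked: the client
    can be bypassed, so this is the check that actually enforces the rule.
    """
    if name not in FIELD_RULES:
        return False, "unknown field"
    pattern, min_len, max_len = FIELD_RULES[name]
    if not isinstance(value, str):
        return False, "wrong type"
    # Boundary check first, so an oversized payload is rejected cheaply
    # before any pattern matching is done on it.
    if not (min_len <= len(value) <= max_len):
        return False, "length out of bounds"
    # fullmatch: the whole value must consist of allowed characters only.
    if pattern.fullmatch(value) is None:
        return False, "contains characters outside the allow-list"
    return True, "ok"


def validate_form(form):
    """Validate every submitted field. Unknown fields are rejected, not
    silently ignored, so an attacker cannot smuggle extra parameters."""
    errors = {}
    for name, value in form.items():
        ok, reason = validate_field(name, value)
        if not ok:
            errors[name] = reason
    return errors
```

Note that a block-list approach would have to enumerate every dangerous character (`'`, `;`, `<`, `--`, ...) and would still miss encodings it did not anticipate; the allow-list simply states what a username may look like and rejects everything else.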

Command Injection

Make sure the code avoids running operating system commands built from input values. If it does, you may find openings like OS command injection, where the threat actor runs OS commands on the server by injecting them into input fields that have not been properly sanitized. Where running a command is genuinely required, pass the arguments as an argument list rather than through a shell, validate each argument against an allow-list, and always run with the least privilege required.
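The vulnerable and the hardened form side by side, as an added example that is not part of the original article. `echo` stands in for whatever real tool (ping, convert, git) the application would call, so the example runs anywhere with a POSIX shell; the hostname allow-list pattern is an assumption chosen for this example.

```python
import re
import subprocess

# Allow-list for a hostname argument (RFC 1123 labels, dot-separated).
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def is_valid_hostname(value):
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def run_vulnerable(user_input):
    # Builds a shell command string from user input. Metacharacters in the
    # input (';', '|', '$(...)', backticks) are interpreted by /bin/sh.
    result = subprocess.run("echo " + user_input, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_without_shell(user_input):
    # Same call with an argv list and no shell: the input is delivered to
    # the program as one literal argument, so ';' has no special meaning.
    result = subprocess.run(["echo", user_input],
                            capture_output=True, text=True)
    return result.stdout


def run_hardened(user_input):
    # Defence in depth: allow-list the argument AND avoid the shell.
    if not is_valid_hostname(user_input):
        raise ValueError("rejected argument: %r" % user_input)
    return run_without_shell(user_input)
```

With the input `example.com; echo INJECTED` the vulnerable version prints two lines, the second produced by the injected command; the argv-list version prints the whole string literally; the hardened version refuses it before anything runs. The process should additionally run as a dedicated low-privilege user, which the code cannot show but the deployment must arrange.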

SQL Injection

Structured query language (SQL) injection is one of the top risks you might encounter. In this type of attack, a SQL fragment entered into an input field becomes part of the statement executed by the database (DB). This can reveal the DB contents, allow the entire DB to be dumped, or insert malicious values into the DB. To avoid such risks, use prepared (parameterized) statements for DB queries instead of forming a query directly from user input. Stored procedures are also a good practice, provided they do not themselves build dynamic SQL from their parameters.

Other Best Practices

Many security headers have been defined to prevent issues such as cross-site scripting (XSS) and clickjacking. Using headers is an easy way to provide a minimum level of safety and a defence-in-depth barrier against those risks. Common security headers are HTTP Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options and Content-Security-Policy. The older X-XSS-Protection header is no longer honoured by current browsers and should not be relied on in place of a Content-Security-Policy.

In cases where a file upload option is provided to the user, restrict the type of file to the expected type only. Verify both the file extension and the content (the file signature) of the file being uploaded, and store it under a server-generated name rather than the name the client supplied. In addition, scan the uploaded file for malicious content.
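An upload check that verifies extension, size and content signature together, as an added example that is not part of the original article. The accepted types and their leading-byte signatures are assumed for the example; the malware scan mentioned in the text is a separate step (for instance handing the stored file to an AV scanner) that this code does not perform.

```python
import os
import secrets

# Allow-list assumed for this example: extension -> accepted leading bytes.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def check_upload(filename, data):
    """Return (ok, reason) for a client-supplied filename and file bytes."""
    # Strip any directory part the client sent ("../../x.png" -> "x.png").
    base = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        return False, "size out of bounds"
    # The extension alone proves nothing: compare the actual leading bytes
    # with the signature expected for that extension.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, "ok"


def storage_name(filename):
    """Server-generated name: keeps only the (validated) extension."""
    _, ext = os.path.splitext(os.path.basename(filename))
    return secrets.token_hex(16) + ext.lower()
```

A PHP web shell renamed to `shell.png` passes an extension-only check but fails the signature check here; `shell.php` is rejected outright; a genuine PNG with a traversal path in its name is accepted but stored under a random name, so the client never controls where or as what the file lands.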

Avoid having a uniform resource locator (URL) or path input field. Using a path input directly in the code can lead to risks such as local file inclusion, remote file inclusion, server-side request forgery and unvalidated redirects and forwards. Even where paths and URLs are required as input values, use a strict allow-list (of permitted hosts, or of a base directory that the resolved path must stay within) to prevent misuse.
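Two checks for the cases where a URL or a path really has to be accepted, as an added example that is not part of the original article: an allow-list for redirect targets and a base-directory check for file paths. The permitted hosts and the base directory are assumed for the example; the path check assumes a POSIX filesystem.

```python
import os
from urllib.parse import urlsplit

# Assumed for this example: hosts a redirect may send the user to.
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "accounts.example.com"}


def is_safe_redirect(target):
    """Allow same-site relative paths or https URLs to allow-listed hosts."""
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading '/', and no '//' or backslash,
        # which browsers may treat as a scheme-relative URL to another host.
        return target.startswith("/") and not target.startswith("//") \
            and "\\" not in target
    # Absolute target: https only, and the host (not the whole netloc, which
    # could carry 'allowed@evil.com') must be on the allow-list.
    return parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS


def resolve_under_root(root, user_path):
    """Join user_path under root and refuse anything that escapes root
    after normalisation ('..', absolute paths, symlink-free traversal)."""
    root = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate
```

`os.path.join` discards the base when the user path is absolute, and `..` segments walk upward, so the only reliable test is to normalise the joined path and confirm the base directory is still its prefix; a string check for `..` would miss both cases. If uploads may contain symlinks, use `os.path.realpath` on both sides before the comparison.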

Encryption

Encryption is one of the most important aspects of securing your work. Make sure it is in place for data in transit and at rest, taking special care when the data includes sensitive information. Always use HTTPS and never allow access over HTTP. Use well-known, reviewed encryption libraries instead of implementing your own. Alongside encryption, use hashing where data only needs to be verified rather than recovered; stored passwords in particular should be hashed with a salted, deliberately slow algorithm, not encrypted.

When using encryption, avoid known weak algorithms, ciphers and protocol versions. Sensitive data must also be encrypted (or, better, left out entirely) when it is written to log files or stored in the DB.
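A client-side TLS configuration that pins the protocol floor and cipher suites, plus a check that can be applied to any list of negotiated cipher names, as an added example that is not part of the original article. The cipher string and the list of weak markers are choices made for this example; they are not the article's and should be reviewed against your own policy.

```python
import ssl

# Substrings that mark a cipher suite as unacceptable (assumed for this
# example): RC4, single/triple DES, MD5 MACs, NULL encryption, export grades.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def weak_cipher_names(names):
    """Return the subset of cipher-suite names that contain a weak marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_CIPHER_MARKERS)]


def hardened_client_context():
    """TLS client context: certificate and hostname verification on,
    TLS 1.2 as the floor, forward-secret AEAD suites only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx):
    """Findings for a context: protocol floor, verification, weak suites."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("certificate or hostname verification disabled")
    weak = weak_cipher_names([c["name"] for c in ctx.get_ciphers()])
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings
```

The same floor applies on the server side (TLS 1.2 minimum, HSTS to keep browsers off plain HTTP), and the `weak_cipher_names` check is equally useful on the output of an external scanner that lists what a server actually offers.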

Strong Passwords and Logins

Make sure the passwords your users choose are strong. Require a minimum of eight characters (longer is better) and reject passwords that appear in common-password or breach lists; a mix of upper-case, lower-case and special characters adds some resistance, but length matters more. This makes brute force and dictionary attacks harder to execute. To further improve this step, use two-factor authentication. In addition, throttle or lock the account when the system detects the maximum number of failed password attempts; prefer a temporary lockout, since a permanent one lets an attacker lock legitimate users out at will.

To make sure only authorized users get in, use graded, privilege-based access with least privilege for the default role. Use role-based access to resources so that access to a specific resource is granted only to users with the required privilege.
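The password rules, password storage and temporary lockout from the "Strong Passwords and Logins" section in one piece, as an added example that is not part of the original article. It uses PBKDF2-HMAC-SHA256 from the standard library; the small common-password set stands in for a real breach list, and the lockout thresholds are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

MIN_LENGTH = 8
PBKDF2_ITERATIONS = 600_000    # OWASP-recommended floor for PBKDF2-HMAC-SHA256
MAX_FAILED = 5
LOCKOUT_SECONDS = 15 * 60

# Constructed stand-in for a breach/common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}


def password_problems(pw, username=""):
    """Return a list of reasons a candidate password is unacceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    has_mix = (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
               and any(not c.isalnum() for c in pw))
    if not has_mix:
        problems.append("needs upper-case, lower-case and a special character")
    return problems


def hash_password(pw, iterations=PBKDF2_ITERATIONS):
    """Salted slow hash; the record stores its own parameters."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(pw, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


class LoginGuard:
    """Temporary lockout: after MAX_FAILED failures, refuse attempts for
    LOCKOUT_SECONDS. The clock is injectable so the behaviour can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = {}  # username -> (count, time of last failure)

    def is_locked(self, username):
        count, last = self.failures.get(username, (0, 0.0))
        return count >= MAX_FAILED and self.now() - last < LOCKOUT_SECONDS

    def attempt(self, username, pw, stored):
        if self.is_locked(username):
            return False            # do not even hash: cheap to refuse
        if verify_password(pw, stored):
            self.failures.pop(username, None)
            return True
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, self.now())
        return False
```

The iteration count is written into the stored record so it can be raised later without invalidating existing hashes; old records are simply rehashed on the user's next successful login.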

Carry out a Full Scale Security Audit

It is vital to carry out a full-scale security audit of the web application and all of its elements, including:

  • Web Services
  • Application Server
  • Database Server
  • Application Code

Always carry out the above security audit before launching the web application, and plan audits at regular intervals. Use automated scanning and penetration testing tools to find open ports and identify the software and versions running on them, then verify the findings manually.

Implement Real-Time Security Monitoring

As a rule of thumb, always look for ways to improve security. This can range from adding firewalls and IDS/IPS systems to running regular vulnerability scans.

Keeping track of your app's security can be extremely difficult, especially as it grows. Monitoring multiple data streams by hand and analyzing them to detect malicious activity or vulnerabilities does not scale.

Fortunately, real-time security monitoring is now within reach. Skilled developers can build, or adopt, software that collects, analyzes and interprets data from multiple sources, including application logs, firewall alerts and security reports.

This software then presents the data in an easy-to-understand dashboard that lets you identify suspicious activity and take action before the situation escalates.
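Two detections of the kind such monitoring runs over the web server's access log, as an added example that is not part of the original article: a sliding-window count of failed logins per source address, and a scan for injection probes in request paths. The log lines are constructed for the example (common log format), and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed access-log sample (common log format).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - - [10/Oct/2023:13:55:12 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [10/Oct/2023:13:55:20 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Oct/2023:13:55:50 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 2048
10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [10/Oct/2023:13:56:33 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Oct/2023:13:57:00 +0000] "GET /item?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
PROBE_RE = re.compile(r"(?i)('\s*or\s+\d+\s*=\s*\d+|union\s+select|--\s*$|\.\./)")


def parse_line(line):
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """IPs with >= threshold failed logins inside any window -> peak count."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith("/login") and rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def detect_injection_probes(lines):
    """(ip, decoded path) for requests whose path looks like an injection probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = unquote(rec["path"])   # look at what the app actually saw
        if PROBE_RE.search(decoded):
            hits.append((rec["ip"], decoded))
    return hits
```

Counting 401s on the login endpoint per source address is deliberately simple; distributed attacks spread across many addresses need a per-account view as well, which is why the `LoginGuard` style of server-side throttling and this log-side detection complement each other.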

Follow Proper Logging Practices

Log files are a valuable source of information for any web application. They can reveal security incidents, application behaviour and even performance problems.

Log files help when you change your application or its code, but following proper logging practices ensures that you are not storing sensitive data (passwords, session tokens, card numbers) in log files readable by anyone with access to the server.

Logging is a critical part of web app security practice. Also consider what types of data you store, in what format, and how long to keep it before it is purged.

Final Thoughts on Web App Security Practices

These web application security best practices are an excellent starting point for building and evaluating a minimum viable product.

They give good guidelines for developers and security specialists who look after web applications, helping them stay away from the most common vulnerabilities. That means a better user experience and, therefore, more benefit for your product.
