CVE Details data shows that in 2020 an average of 50 new vulnerabilities were published each day. As such, taking steps to secure your web applications is critical to your organization’s security. We explore seven best practices that will go a long way toward securing your web apps.
Editor’s Note: This is a guest blog contribution from Astra Security CTO Ananda Krishna. Ananda shares his expert perspective on some of the ways you can make your web apps more secure by implementing these important web application security best practices.
Why is following web application security best practices necessary? Let’s look at the numbers. IBM reports that the average cost of a data breach is $3.86 million. Their analysis of attack vectors shows that 16% of breaches stem from vulnerabilities in third-party software. Data from Verizon’s 2021 Data Breach Investigations Report shows that nearly two in five (39%) data breaches stem from web app compromises.
Over the years, web applications have become more complex. With the emergence of SaaS businesses, a lot more data is on the cloud. Unlike the initial days of the internet, physical servers are becoming less common. In many cases, AWS (Amazon Web Services), Google Cloud, Azure etc. have taken the place of physical servers for many businesses because:
- They cost less than maintaining physical servers in a data center, and
- They can use cloud servers to host their web applications easily and cost-effectively.
However, the cloud has become one more thing business owners need to secure alongside their web applications. Similarly, we now connect marketing tools such as a customer relationship management (CRM) system, an email marketing tool or a web analytics tool to the web application. While these tools add to the ease of doing business, each integration (and the credentials and API keys it holds) also becomes part of the attack surface hackers can target.
When it comes to web applications, SQL injections, cross-site scripting (XSS) attacks, and authentication flaws remain the favorite attack vectors that hackers use to exploit web apps. Although preventing every attack with 100% certainty might not be possible, mitigating the risks by following web application security best practices certainly improves your chances. (After all, security is always done in layers and there’s no silver bullet.)
But what is web app security, and what are some web application security best practices you can put into play right away?
Let’s hash it out.
What Is Web Application Security?
A web application is a software program that runs on your web server (meaning it’s not limited to individual devices like traditional desktop software). Web application security encompasses everything relating to protecting your web applications, services, and servers against cyber attacks and threats. This entails everything from the procedures and policies you have in place to the technologies you deploy to mitigate vulnerabilities that bad guys can exploit.
Web 1.0 consisted of basic web pages with directory-like structures and textual content. These were websites built during the early days of the web and had little to no interaction with visitors. During this phase, the security of web pages wasn’t a big concern.
The rise of dynamic websites brought about the evolution of Web 2.0. Dynamic websites are all about interacting with visitors, letting them add their own information or search within websites more easily. This is when the importance of web application security really came to the forefront. If users could interact with a website and input sensitive information (usernames, passwords, etc.), then attackers could also input malicious code and steal that information wherever input wasn’t validated and output wasn’t properly encoded. This is the period in which the big classes of vulnerability, such as SQL injection, XSS and local file inclusion (LFI), emerged.
Today, in the age of cloud computing, we build complex web applications which are capable of having digital copies of your entire life in one place. This makes web application security — both server-side and client-side — a necessity and not a luxury.
Why Having Strong Web Application Security Matters
Just like a store owner shouldn’t store millions of dollars worth of goods in their store until a security system is installed, no web application should exist without having security measures in place to secure it. A few consequences of not having web application security in place include:
Loss of Customer Data
To quote mathematician Clive Humby, “data is the new oil.” If your customers trust you with their data, then it’s your responsibility to ensure their data is securely stored within your application. This includes ensuring you have no vulnerabilities in your web application that can cause a data breach.
For a recent example of what happens when companies don’t keep their data secure, look no further than Ford. Ford’s website had a vulnerability that leaked employee and customer data. A properly configured customer management system would have prevented this exposure.
Loss of Revenue
Not taking the necessary steps to guard your web application can result in massive service outages and downtime, leading to sales and revenue losses. Imagine an ecommerce store going down for hours due to a data breach — that could have a devastating effect on their business. Insurance carrier Hiscox revealed that hacks cause businesses an average loss of $200,000.
Loss of Customer Trust
With data breaches, ransomware attacks and web hacks making the news every other day, customers are becoming more conscious about security than ever. For customers, cyber security is becoming one of the factors they weigh before sharing their personal information with a web application. A hack can cause severe damage to the brand image and customer trust, even leading to the shutting down of a business in some cases.
Compliance & Penalties
In the wake of data and privacy breaches, governments are becoming stricter with companies that don’t follow adequate security standards. Regulations such as GDPR and HIPAA, and standards such as PCI DSS and ISO/IEC 27001, exist to ensure that businesses don’t get away with compromising on the security that protects user data. Not taking web application security seriously can lead to noncompliance with these requirements, which can result in heavy fines, penalties and lawsuits.
7 Web Application Security Best Practices
The important thing about web application security is to ensure that it works 24/7, constantly reinvents itself, and doesn’t compromise customer service. This begins by doing an in-depth security posture review by performing web application security testing for your web application.
Here are some aspects of an ideal security strategy that will allow you to maintain your web applications efficiently:
1. Carry Out a Full-Scale Security Audit
The best way to ensure that you’re following optimal web application security practices and identifying security loopholes within your systems is to regularly conduct security audits. This will help you to keep on top of potential security vulnerabilities hidden within the web application and remain safe from targeted breaches.
For a comprehensive and objective viewpoint, you should appoint a third-party testing team that has the necessary skills and experience to do the job right. With their professional security experience and a fresh perspective on your code, they are well placed to do penetration testing and help your team identify vulnerabilities that need to be patched or otherwise mitigated. A security audit is typically one of the following types:
- Black Box Security Audit: This type of security audit is a ‘hacker style’ audit where no information about the web application is provided and it’s tested for exploitable security vulnerabilities from the outside. Basically, you only give the black box audit team the relevant URL of the web application. (You don’t want to make it too easy, right?)
- White Box Security Audit: This process is the opposite of the black box approach we just discussed. In a white box audit, important information (including your code base) is often shared with the team performing the audit. The aim of the white box audit is to ensure all best practices are being followed right from secure coding practices to optimal configurations of cloud infrastructure.
- Gray Box Security Audit: As the name suggests, a gray box audit is a mix of black box and white box audits where some important information like testing account credentials is provided before performing the security audit.
Once a security audit finishes, the next step is to fix the vulnerabilities it found. The best way to prioritize is to rank them by impact and by how easily they can be exploited (an unauthenticated flaw on an internet-facing endpoint comes before one that needs an admin account), and start with the highest-risk items. Retest after fixing to confirm the issue is actually closed rather than just hidden.
2. Ensure Your Data Is Encrypted (Both In Transit and At Rest)
Whenever someone visits your web application, they might share confidential information on your website that needs to be protected from eavesdroppers. Ensuring data is encrypted in transit between the visitor’s browser and your server becomes important.
This is where TLS (still commonly called SSL, the name of its now-deprecated predecessor) comes into play. TLS encrypts and authenticates all communication between your website visitors and your website via HTTPS. Encrypting this data in transit not only helps establish trust with your visitors but also comes with SEO benefits: Google counts the use of HTTPS as one of its search ranking factors. According to BuiltWith, 65.76% of the top one million websites now use SSL/TLS.
Still, there are websites running without TLS or with weak configurations: expired or self-signed certificates, TLS 1.0 and 1.1 (deprecated by RFC 8996), or plain HTTP left reachable alongside HTTPS. Use a certificate from a trusted CA (Let’s Encrypt issues them for free), enable only TLS 1.2 and 1.3, redirect all HTTP requests to HTTPS, and send an HTTP Strict-Transport-Security header so browsers refuse to fall back to plain HTTP.
Similarly, data at rest needs encryption to protect it from anyone who gets access to the storage itself. Insiders, systems administrators, or anyone with physical access to the machine can copy or remove drives, and backups and database dumps are frequently stolen, which bypasses every control at the application layer. A few best practices to protect data at rest include:
- Segmenting the network so that database and storage servers are reachable only from the application tier, not from the internet or from general office networks.
- Encrypting sensitive fields with a strong, authenticated algorithm (such as AES-GCM) before storing them, keeping the keys in a key management service or hardware security module rather than next to the data, and using full-disk or database-level encryption underneath.
- Storing data in databases that require authentication, run on a separate server from the web front end, and whose backups are covered by the same encryption and access controls.
- Investing in infrastructure security (patching, access control and monitoring of the hosts that hold the data).
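The transit half of this practice is mostly a server configuration exercise. Below is an added example (not from the original post) showing an nginx server block with the weak settings described above next to a hardened version. The host name example.com and the certificate paths are placeholders.

```nginx
# --- BEFORE: legacy protocol versions accepted, no redirect, no HSTS ---
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    # plain HTTP on port 80 still serves the app, and nothing tells browsers to avoid it
}

# --- AFTER: TLS 1.2/1.3 only, modern ciphers, HTTP redirected, HSTS sent ---
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;   # never serve the application over plain HTTP
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites with forward secrecy only (TLS 1.3 suites are fixed and not listed here)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;          # TLS 1.2 clients may pick the best suite from the list
    ssl_session_tickets off;                # avoid long-lived ticket keys that weaken forward secrecy

    # Browsers that have seen this header will refuse plain HTTP for two years.
    # Add "preload" and submit to the preload list only once every subdomain is HTTPS-only.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
```

Test the result with `nginx -t` before reloading, and then from outside with an online TLS scanner or `openssl s_client -connect example.com:443 -tls1_1`, which should fail to negotiate once the change is live.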
3. Implement Real-Time Security Monitoring
Next on our list of web application security best practices is real-time security monitoring. While a security audit helps strengthen your web application’s core by helping patch all vulnerabilities, something more is needed for continuous 24/7 protection. That’s where a WAF comes in.
A web application firewall (WAF) covers all the aspects related to real-time monitoring of your web application’s security posture. A WAF helps you block any malicious-looking activity in your website or web app in real-time such as:
- SQL injections,
- XSS attacks, or
- bad bots trying to launch DDoS attacks or scrape content from your website.
However, WAFs produce false positives (blocking legitimate traffic) and false negatives (missing attacks that don’t match a signature, or that arrive encoded or fragmented). Therefore, in addition to a WAF, you may also want an application security management platform (ASMP) such as Sqreen, or a Runtime Application Self-Protection (RASP) tool. Because these run inside the application rather than in front of it, they see requests after the application has decoded them and can judge them in context. Here’s how each helps:
- ASMP (Application Security Management Platform): An ASMP is embedded in your application and protects it against attacks that signature-based filtering does not recognize, including those carried over protocols other than HTTP that the application speaks.
- Runtime Application Self-Protection (RASP): RASP runs alongside your application on the server and analyzes the behavior of the application together with the context of user inputs (for example, whether a request parameter ends up inside a SQL statement). If it detects anything unusual or malicious, it ends the session or blocks the offending client.
Using a WAF can be a good starting point for businesses. Based on their needs, eventually, more complex tools can be introduced further down the road.
4. Follow Proper Logging Practices
Not every attack or vulnerability is visible enough to trigger a scanner or a firewall. To tackle this, proper logging needs to be in place, so that you have a record of what happened, when it happened, how the situation unfolded, and what else was going on at the same time.
In order to capture data relating to security incidents or events, the right tools need to be put in place for collecting and storing logs. Logs also provide a feedback loop for tuning firewalls and scanners. You can use tools such as syslog on Linux, the ELK stack (Elasticsearch, Logstash, Kibana), Papertrail, etc. Ship logs off the web server to a separate system so that an attacker who compromises the host cannot quietly edit or delete them, keep clocks synchronized so events from different systems can be correlated, and take care not to log secrets such as passwords, session tokens or card numbers. Logging ensures that in case of a breach, tracing the cause and even the threat actor becomes easier. Without proper logging in place, post-incident forensics becomes a daunting task.
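The kind of analysis a WAF does inline (section 3) can also be run after the fact over the access logs this section asks you to keep. The following is an added example, not code from the original post or from any product it names: it parses web-server access logs in the common “combined” format, flags requests matching a few injection signatures, and reports per-IP request bursts. The log lines are constructed sample data, and the signature list is deliberately short; a real deployment would tune it and feed the alerts to a SIEM.

```python
"""Scan combined-format access logs for injection probes and request floods.

Added example with constructed sample data. Signatures are illustrative and
would need tuning in production.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# nginx/Apache "combined" log format:
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Patterns applied to the URL-decoded path and query string.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1|;\s*drop\s+table|sleep\(\d+\))"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|onerror\s*=|onload\s*=)"),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
}

BURST_THRESHOLD = 20  # more requests than this from one IP in one minute is a flood


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded"] = unquote_plus(rec["path"])  # decode before matching, attackers encode
    return rec


def classify(rec):
    """Return the names of the signatures a request matches (possibly empty)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(rec["decoded"])]


def analyze(lines):
    """Return (signature_alerts, burst_alerts).

    signature_alerts: list of (ip, decoded_path, [signature names])
    burst_alerts:     list of (ip, minute_iso, request_count) above BURST_THRESHOLD
    """
    sig_alerts = []
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # in production, count unparsable lines too: gaps in logs matter
        hits = classify(rec)
        if hits:
            sig_alerts.append((rec["ip"], rec["decoded"], hits))
        per_minute[(rec["ip"], rec["time"].replace(second=0))] += 1
    bursts = [(ip, minute.isoformat(), n)
              for (ip, minute), n in per_minute.items() if n > BURST_THRESHOLD]
    return sig_alerts, bursts


# Constructed sample log: one SQLi probe, one XSS probe, one normal request,
# then 25 requests from a single address inside one minute.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=admin%27+OR+%271%27%3D%271 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET /products/42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.9 - - [10/Oct/2023:13:56:{s:02d} +0000] "GET /api/items?page={s} HTTP/1.1" 200 300 "-" "python-requests/2.31"'
    for s in range(25)
]

if __name__ == "__main__":
    sigs, bursts = analyze(SAMPLE_LOG)
    for ip, path, hits in sigs:
        print(f"{ip} {hits} {path}")
    for ip, minute, n in bursts:
        print(f"burst: {ip} sent {n} requests in minute {minute}")
```

Run it against a real file with `analyze(open("access.log"))`. The decode-before-match step is the important detail: the same probes arrive percent-encoded, and a filter that matches raw lines misses them.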
5. Continuously Check for Common Web Application Vulnerabilities
For this, the OWASP Top 10 list of web application security risks is the right starting point (it is revised every few years, so check the current edition rather than an old copy). Injection, broken authentication and session management, cross-site scripting, and sensitive data exposure are among the categories that consistently make the list. Test your web application against them regularly; a single new endpoint or dependency can reintroduce a class of bug you had already eliminated.
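Two of those categories, injection and cross-site scripting, come down to the same mistake: untrusted input mixed into a structured string (SQL, HTML) without telling the interpreter where the data ends. The block below is an added example, not code from the original post: a product search built by string formatting is dumped by a UNION payload, the parameterized version is not, and the rendering step HTML-escapes what it reflects. The database contents and the token values are constructed sample data in an in-memory SQLite instance.

```python
"""Vulnerable and safe versions of a product search, plus output encoding.

Added example with a constructed in-memory database.
"""
import html
import sqlite3


def make_db():
    """Constructed sample data: a products table and a users table with secrets."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (username TEXT PRIMARY KEY, api_token TEXT);
        INSERT INTO products (name) VALUES ('Widget'), ('Gadget');
        INSERT INTO users VALUES ('alice', 'tok_alice_9f1b'), ('bob', 'tok_bob_77c2');
    """)
    return con


def search_vulnerable(con, q):
    """BAD: the user-supplied string becomes part of the SQL text itself."""
    sql = f"SELECT id, name FROM products WHERE name LIKE '%{q}%'"
    return con.execute(sql).fetchall()


def search_safe(con, q):
    """GOOD: the driver sends the value separately from the statement, so
    quotes or keywords inside q can never change what the query does."""
    sql = "SELECT id, name FROM products WHERE name LIKE ?"
    return con.execute(sql, (f"%{q}%",)).fetchall()


def render_results(q, rows):
    """Render the results page. The query is reflected back to the user, so it
    is HTML-escaped; without that, q = '<script>...' would execute in the browser."""
    items = "".join(f"<li>{html.escape(str(name))}</li>" for _, name in rows)
    return f"<p>Results for {html.escape(q)}</p><ul>{items}</ul>"


# Closes the LIKE pattern, appends a second SELECT that reads from another
# table, and comments out the trailing quote the application adds.
PAYLOAD = "' UNION SELECT username, api_token FROM users --"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", search_vulnerable(con, PAYLOAD))  # every user's token comes back
    print("safe:      ", search_safe(con, PAYLOAD))        # no product has that name
    print(render_results("<script>alert(1)</script>", search_safe(con, "Widget")))
```

The safe version still builds the `%...%` wildcard in Python; that is fine, because the whole string travels as a bound parameter and the database never parses it as SQL. The same discipline applies to every other interpreter the application talks to (shell commands, LDAP filters, NoSQL queries, templating engines).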
6. Implement Security Hardening Measures
Here are a couple of components that will require security hardening measures beyond their default settings:
- Maximum script execution time: Script execution time defines how long a single request handler may run on your server (for example, PHP’s max_execution_time). Set it based on your application’s actual needs; a low limit means a slow or deliberately expensive request cannot tie up a worker indefinitely, which blunts resource-exhaustion attacks.
- Disable modules: It’s always a good idea to disable modules or extensions on your web server that are not used by the application. This reduces the attack surface area.
- Add a Content Security Policy: A CSP header tells the browser which origins it may load scripts, styles, images and other resources from, and whether inline scripts are allowed at all. A strict policy (no ‘unsafe-inline’, script sources limited to your own origin or a per-response nonce) stops an injected script from running even when an XSS bug slips through, and the frame-ancestors directive controls who may embed your pages.
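The CSP point is easiest to see in code. Here is an added example (not from the original post or any framework it names): a WSGI middleware that attaches a nonce-based Content-Security-Policy and a few companion hardening headers to every response, and a tiny constructed page that tags its one inline script with that nonce. The header values are the assumptions here; adjust them to the origins your application actually uses.

```python
"""WSGI middleware adding a nonce-based CSP and related hardening headers.

Added example; demo_app is a constructed stand-in for a real application.
"""
import secrets

# Headers that are safe defaults for almost any HTML application.
SECURITY_HEADERS = [
    ("X-Content-Type-Options", "nosniff"),                  # no MIME sniffing of responses
    ("X-Frame-Options", "DENY"),                            # clickjacking: page may not be framed
    ("Referrer-Policy", "strict-origin-when-cross-origin"), # do not leak full URLs cross-site
]


def build_csp(nonce):
    """Scripts run only if they come from our origin or carry this response's
    nonce; inline handlers, eval and third-party script hosts are refused.
    Deliberately no 'unsafe-inline'."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; "
        "base-uri 'self'; "
        "frame-ancestors 'none'"
    )


def csp_middleware(app):
    """Wrap a WSGI app: mint a fresh nonce per response and set the headers."""
    def wrapped(environ, start_response):
        nonce = secrets.token_urlsafe(16)
        environ["csp.nonce"] = nonce  # the app reads this when it emits <script nonce=...>

        def start_response_with_headers(status, headers, exc_info=None):
            # Drop any CSP the app set itself so there is exactly one policy.
            headers = [(k, v) for k, v in headers if k.lower() != "content-security-policy"]
            headers.append(("Content-Security-Policy", build_csp(nonce)))
            headers.extend(SECURITY_HEADERS)
            return start_response(status, headers, exc_info)

        return app(environ, start_response_with_headers)
    return wrapped


def demo_app(environ, start_response):
    """Constructed page with one inline script, tagged with the per-response nonce."""
    nonce = environ["csp.nonce"]
    body = (
        "<!doctype html><html><body><h1>Hello</h1>"
        f'<script nonce="{nonce}">console.log("allowed by CSP");</script>'
        "</body></html>"
    ).encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def call(app, path="/"):
    """Invoke a WSGI app in-process; return (status, headers_dict, body_text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], dict(captured["headers"]), body.decode()


if __name__ == "__main__":
    status, headers, body = call(csp_middleware(demo_app))
    print(status)
    print(headers["Content-Security-Policy"])
```

Roll a policy out with `Content-Security-Policy-Report-Only` first and a `report-uri`/`report-to` endpoint; the violation reports tell you which legitimate resources the policy would have blocked before it blocks them.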
7. Carry Out Regular Vulnerability Scans and Updates
As we mentioned at the beginning, around 50 new vulnerabilities are published every day. Attackers are quick to identify websites running software affected by them and then look for ways to exploit those weaknesses. That’s why continuously testing your web applications for vulnerabilities is our last (but not least) important web application security best practice.
Further, all servers where web applications are hosted should be up to date with the latest security releases. This can be done through manual review or with automated tools (unattended-upgrades on Debian and Ubuntu, Windows Update, etc.). Most languages have package managers that let you pin and maintain external dependencies during deployment, and most also have an audit command or companion tool (npm audit, pip-audit, bundler-audit, and so on) that compares your lockfile against published advisories. Running that check in CI keeps you informed of new vulnerabilities in your dependencies so you can patch before they are exploited.
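What those audit tools do at their core is simple enough to show. The block below is an added example, not the original post’s code and not any real tool’s implementation: it parses pinned requirements, compares each pin against advisory records expressed as an introduced/fixed version range (the shape used by the OSV database), and reports the matches. The package names, versions and advisory identifiers are all constructed; a real run would load advisories from a feed rather than a literal.

```python
"""Minimal dependency audit: pinned requirements vs. advisory version ranges.

Added example with constructed package names and advisory ids.
"""
import re

# name==version with an optional trailing comment; anything else is rejected
# because an unpinned dependency cannot be audited reliably.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(#.*)?$")


def parse_version(v):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as
    strings (as strings, '1.9' would sort after '1.10'). Pre-release tags
    such as 'rc1' are dropped for simplicity."""
    return tuple(int(part) for part in v.split(".") if part.isdigit())


def parse_requirements(text):
    """Return {package_name: version} from requirements.txt-style text."""
    pins = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version, introduced, fixed):
    """Affected if introduced <= version < fixed; fixed=None means no fix yet."""
    v = parse_version(version)
    return parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed))


def audit(pins, advisories):
    """Return [(package, pinned_version, advisory_id, fixed_version)] for every hit."""
    findings = []
    for name, version in pins.items():
        for adv in advisories.get(name, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((name, version, adv["id"], adv["fixed"]))
    return findings


# Constructed sample input: made-up packages and made-up advisory identifiers.
SAMPLE_REQUIREMENTS = """
# pinned application dependencies
examplelib==1.9.4
othertool==3.2.0   # upgraded last quarter
yetanother==0.4.1
"""

SAMPLE_ADVISORIES = {
    "examplelib": [{"id": "EXAMPLE-ADV-0001", "introduced": "1.0.0", "fixed": "1.10.0"}],
    "othertool":  [{"id": "EXAMPLE-ADV-0002", "introduced": "2.0.0", "fixed": "3.1.0"}],
    "yetanother": [{"id": "EXAMPLE-ADV-0003", "introduced": "0.4.0", "fixed": None}],
}

if __name__ == "__main__":
    for name, version, adv_id, fixed in audit(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES):
        action = f"upgrade to {fixed}" if fixed else "no fix released; mitigate or replace"
        print(f"{name}=={version}: {adv_id} ({action})")
```

Failing the build when `audit()` returns anything is the usual CI policy; the `fixed is None` case is the one that needs a human decision, since there is nothing to upgrade to yet.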
Final Thoughts on Web Application Security Best Practices
The dynamics of the web are changing rapidly, and ignoring web application security can cause financial losses and reputational damages to businesses of all sizes. Thankfully, ensuring the security of applications is no longer a guessing game with so many guides and tools available.
Security is a journey, and if you’ve taken the first step toward implementing better security for your web application, you’re already ahead of many others. While the above seven web application security practices give a holistic view of how your application’s security journey should look, web app security is changing every day.
Security is best done in layers, and each of the best practices we mentioned adds a strong layer to your application’s defenses. Thankfully, there are now tools that make securing SaaS and web applications easier.