The major benefit of web technology is that you can always upgrade to the latest, better version. And there is always someone out there working on making that latest, better version. Professionals of all types strive to continuously improve and maintain the technology of today. There are also those who use the same advances to breach security perimeters.

The digital sphere has always been vulnerable, but it keeps getting less safe. The unfortunate shadow of advancement is the one cast by criminals. They not only take advantage of the everyday user’s lack of security training, but also mount advanced attacks aimed at finding zero-day vulnerabilities. Many of these attacks start with a web-based breach.

Today, the responsibility for securing web apps falls mostly on developers. This article offers a brief review of six best practices for securing web applications. Use it as a starting point to advance your security knowledge base.

1. Patch Your Systems

Whether you run your application on commercial software, open source, or a combination of both, there is almost a 100% chance that at least some of your components contain a security vulnerability. Always use mature, actively maintained products and components, and watch for updates from the publishers. When there is a security update, always patch your systems.

It’s true that upgrading to the latest version requires effort and might break something. But leaving systems unpatched when there is a known vulnerability and a security update is available is just plain irresponsible. See what happened to Equifax, a financial institution in the USA, where developers failed to update their version of Struts, an open source framework, and a breach occurred in which millions of US citizens lost critical personal data.

2. Inspect Incoming Traffic

There are several ways to inspect and control incoming traffic to your application, to prevent bad actors from connecting to your systems in the first place. A few common ways are:

  • Set up a firewall and ensure its security rules are appropriate for your industry, the legitimate communication you want to allow, and the threats you are facing.
  • Deploy a Web Application Firewall (WAF), a system that sits inline, inspecting all traffic that flows to your server and automatically blocking anything that looks like a cyber attack.
  • Use logging and alerts to periodically check for anomalous network behavior.
  • Use network monitoring and inspection tools to get visibility into what’s happening on your network, how much traffic is hitting each resource, and what the traffic is composed of. Analyze the data and do your own threat hunting to identify anomalies that might turn out to be a cyberattack.
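The logging and threat-hunting points above are easiest to see on real log lines. The following is an added example, not code from the original article: it parses web server access logs in Common Log Format (the sample lines are constructed, with documentation-range addresses) and flags any client whose traffic is dominated by error responses spread across many different paths, which is the typical shape of a scanner probing for exposed files. The thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample access log in Common Log Format (hypothetical traffic, not real data).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 404 162
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 404 162
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /backup HTTP/1.1" 404 162
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /old HTTP/1.1" 404 162
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /test HTTP/1.1" 404 162
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /config HTTP/1.1" 403 162
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_log(text):
    """Parse CLF lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records

def find_scanners(records, min_errors=5, min_ratio=0.5):
    """Flag clients whose traffic is mostly 4xx/5xx responses spread over many paths,
    the typical shape of a crawler probing for files that should not be exposed."""
    per_ip = defaultdict(lambda: {"total": 0, "errors": 0, "paths": set()})
    for rec in records:
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        if rec["status"] >= 400:
            stats["errors"] += 1
            stats["paths"].add(rec["path"])
    findings = []
    for ip, s in per_ip.items():
        if s["errors"] >= min_errors and s["errors"] / s["total"] >= min_ratio:
            findings.append({"ip": ip, "total": s["total"], "errors": s["errors"],
                             "distinct_error_paths": len(s["paths"])})
    return findings
```

Feeding the output of this check into an alert, rather than only reviewing it periodically, is what turns the logs into the detection layer the list above describes.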

3. Manage Containers Carefully

Many modern applications are based on container technology, using tools like Docker and Kubernetes. Containers are very convenient for developers and IT staff, but if they are not managed correctly, they can create major security problems.

Here are a few things you should watch out for if your application uses containers:

  • Only use trusted base images, and always scan images for vulnerabilities.
  • Never store credentials or sensitive data directly in your containers; use secrets for sensitive information.
  • Always define a user in your images and containers and avoid giving any applications root access to the container.
  • Carefully configure networking to ensure that containers can only access other containers or systems if and when they really need to.
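Three of the four rules above (trusted base image, no baked-in secrets, non-root user) can be checked statically before an image is ever built; vulnerability scanning and network policy need the built image and the runtime, so they are out of scope here. The following is an added example, not code from the original article: a small Dockerfile audit with a constructed weak Dockerfile beside its hardened form. The allow-list of trusted base images, the placeholder digest, and the secret-name pattern are assumptions to adapt to your own registry.

```python
import re

# Constructed Dockerfile that breaks the first three rules above (not from any real project).
WEAK_DOCKERFILE = """\
FROM someuser/app-base:latest
ENV DB_PASSWORD=hunter2
COPY . /app
CMD ["python", "/app/main.py"]
"""

# The same image with the issues fixed: allow-listed base pinned by digest (placeholder
# digest here), secret left to a runtime secrets mechanism, non-root user.
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN useradd --create-home --shell /usr/sbin/nologin app
COPY --chown=app:app . /app
USER app
CMD ["python", "/app/main.py"]
"""

# Assumption: the organisation's allow-list of base images; adjust to your registry.
TRUSTED_PREFIXES = ("python:", "debian:", "alpine:")
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
def audit_dockerfile(text, trusted_prefixes=TRUSTED_PREFIXES):
    """Return a list of findings for untrusted/unpinned bases, baked-in secrets and root users."""
    findings, last_user = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = args.split()[0]
            if not image.startswith(trusted_prefixes):
                findings.append(f"FROM: {image} is not on the trusted base-image list")
            if "@sha256:" not in image:
                findings.append(f"FROM: {image} is not pinned by digest")
        elif instr in ("ENV", "ARG"):
            # Both "ENV K=V K2=V2" and the older "ENV K V" forms carry a name first.
            names = [t.split("=", 1)[0] for t in args.split()] if "=" in args else args.split()[:1]
            for name in names:
                if SECRET_NAME.search(name):
                    findings.append(f"{instr}: {name} looks like a secret baked into the image")
        elif instr == "USER":
            last_user = args.split(":")[0].strip()
    if last_user is None or last_user in ("root", "0"):
        findings.append("USER: image runs as root (no non-root USER instruction)")
    return findings
```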

4. Encrypt Everything

Whatever you do to protect your applications, breaches can still occur. If you encrypt your data at rest using strong encryption, attackers will not be able to make use of the sensitive data they steal. Many of the world’s biggest security breaches were so catastrophic because passwords, user IDs and other sensitive data were stored in plaintext, or with weak encryption.

In addition, ensure that all communication channels are encrypted. HTTPS for website access by users is a must, and make sure to avoid “mixed content” - HTTPS pages that link to or use insecure HTTP resources. Google has announced it will start penalizing mixed content by blocking it outright in Google Chrome.
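Mixed content is straightforward to catch before a browser does. The following is an added example, not code from the original article: it walks an HTML page with Python's standard-library parser and reports every subresource that an HTTPS page would load over plain HTTP, resolving relative and scheme-relative (//) URLs against the page URL and ignoring links that merely navigate. The sample page and its domains are constructed; the set of resource-loading tags and attributes is an assumption you may want to extend.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page (hypothetical domains) assumed to be served at https://www.example.com/.
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script src="//cdn.example.com/analytics.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.com/banner.png">
</body></html>
"""

# Tags/attributes that make the browser fetch a subresource; <a href> is navigation, not mixed content.
RESOURCE_ATTRS = {"script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
                  "link": ("href",), "source": ("src", "srcset"), "video": ("src", "poster"),
                  "audio": ("src",), "object": ("data",), "embed": ("src",)}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrmap = dict(attrs)
        # Only <link> elements that load something (stylesheets) count; canonical etc. do not.
        if tag == "link" and "stylesheet" not in (attrmap.get("rel") or "").lower():
            return
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrmap.get(name)
            if not value:
                continue
            for candidate in value.split(","):  # srcset lists "url descriptor" entries
                url = candidate.strip().split(" ")[0]
                absolute = urljoin(self.page_url, url)  # resolves relative and // URLs
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))

def find_mixed_content(page_url, html):
    """Return (tag, attribute, url) for each subresource an HTTPS page loads over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on pages that are themselves served over HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings
```

Running this over rendered pages in a CI step catches the mistakes (a hard-coded http:// CDN URL, an old image host) that a Content-Security-Policy with upgrade-insecure-requests would otherwise paper over in production.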

Secure other communication vectors as well - file uploads, database connections, and any other data transfer should be conducted over an encrypted connection.

5. Server Security

Web application security is a huge topic, but don’t focus only on the application level. Take basic measures to ensure your server is secure as well. Install software that monitors login attempts and blocks suspicious behavior. Enable authentication only with SSH keys, which are more secure than regular password credentials. Create an automated process for updating and patching the operating system and critical applications on the server.

Lastly, install a strong endpoint protection system. Vendors like McAfee and Symantec offer products that provide not only antivirus, but also intrusion prevention, behavioral analysis to protect against unknown zero-day threats, and automated security measures such as quarantining a server if infected by malware, and resetting a device automatically to last known good configuration.

Conclusion

Today’s security perimeters are distributed. You have a data center in one location, offices throughout the world, and a web app used by a wide range of users. Or maybe you’re using a public cloud service to host an application used solely by one company. Either way, you have endpoints distributed throughout locations, any of which could be vulnerable to attacks.

Best practices are not a law set in stone. If you find that not all of them apply to you or your project, then do away with those. It’s up to you to assess your network and decide which security practices to apply. However, security is not something to avoid altogether. Set a budget, and secure your applications. Nobody wants to end up dealing with a breach.