7 Web Application Security Practices You Can Use | Server Security

In 2020, CVE Details data shows an average of 50 new vulnerabilities were discovered each day. As such, taking steps to secure your web applications is critical to your organization’s security. We explore seven such best practices that will go a long way toward securing your web apps.

Editor’s Note: This is a guest blog contribution from Astra Security CTO Ananda Krishna. Ananda shares his expert perspective on some of the ways you can make your web apps more secure by implementing these important web application security best practices.

Why is following web application security best practices necessary? Let’s look at the numbers. IBM reports that the average cost of a security breach is $3.86 million. Their analysis of attack vectors shows that 16% of breaches stem from vulnerabilities in third-party software. Data from Verizon’s 2021 Data Breach Investigations Report shows that nearly two in five (39%) data breaches stem from web app compromises.

Over the years, web applications have become more complex. With the emergence of SaaS businesses, a lot more data is in the cloud. Unlike the early days of the internet, physical servers are becoming less common. In many cases, AWS (Amazon Web Services), Google Cloud, Azure, etc. have taken the place of physical servers because:

  • They cost less than maintaining physical servers in a data center, and
  • Businesses can use cloud servers to host their web applications easily and cost-effectively.

However, the cloud is one more thing business owners need to secure alongside their web applications. Similarly, connected marketing tools such as a customer relationship management (CRM) system, an email marketing tool or a web analytics tool are now wired into the web application too. While these tools make doing business easier, they also become part of the attack surface hackers can target.

When it comes to web applications, SQL injections, cross-site scripting (XSS) attacks, and authentication flaws remain the favorite attack vectors that hackers use to exploit web apps. Although preventing every attack with 100% certainty might not be possible, mitigating the risks by following web application security best practices certainly improves your chances. (After all, security is always done in layers and there’s no silver bullet.)

But what is web app security, and what are some web application security best practices you can put into play right away?

Let’s hash it out.

What Is Web Application Security?

A web application is a software program that runs on your web server (meaning it’s not limited to individual devices like traditional desktop software). Web application security encompasses everything relating to protecting your web applications, services, and servers against cyber attacks and threats. This entails everything from the procedures and policies you have in place to the technologies you deploy to mitigate vulnerabilities that bad guys can exploit.

Web 1.0 consisted of basic web pages with directory-like structures containing textual information. These were websites built during the early days of the web, and they had little to no interaction with visitors. During this phase, the security of web pages wasn’t a big concern.

The rise of dynamic websites brought about the evolution of Web 2.0. Dynamic websites are all about interacting with visitors, letting them add their information or search within websites more easily. This is when the importance of web application security really came to the forefront. If users could interact with a website and input sensitive information — usernames, passwords, etc. — then hackers could also input malicious code that would enable them to steal it if the application wasn’t properly secured. This is when all the big vulnerabilities like SQL injections, XSS, and local file inclusion (LFI) attacks emerged.

Today, in the age of cloud computing, we build complex web applications which are capable of having digital copies of your entire life in one place. This makes web application security — both server-side and client-side — a necessity and not a luxury.

Why Having Strong Web Application Security Matters

Just like a store owner shouldn’t store millions of dollars worth of goods in their store until a security system is installed, no web application should exist without having security measures in place to secure it. A few consequences of not having web application security in place include:

Loss of Customer Data 

To quote mathematician Clive Humby, “data is the new oil.” If your customers trust you with their data, then it’s your responsibility to ensure their data is securely stored within your application. This includes ensuring you have no vulnerabilities in your web application that can cause a data breach. 

For a recent example of what happens when companies don’t keep their data secure, look no further than Ford. Ford’s website had a vulnerability that leaked employee and customer data. A properly configured customer management system would likely have prevented this vulnerability.

Loss of Revenue 

Not taking the necessary steps to guard your web application can result in massive service outages and downtime, leading to sales and revenue losses. Imagine an ecommerce store going down for hours due to a data breach — that could have a devastating effect on its business. Insurance carrier Hiscox revealed that hacks cost businesses an average of $200,000.

Loss of Customer Trust

With data breaches, ransomware attacks and web hacks making the news every other day, customers are more conscious about security than ever. For customers, cyber security is becoming one of the factors they look for before sharing their personal information with a web application. A hack can severely damage brand image and customer trust, even leading to the shutting down of a business in some cases.

Compliance & Penalties

In the wake of data and privacy breaches, governments are becoming stricter with companies that don’t follow adequate security standards. GDPR, HIPAA, PCI, ISO/IEC 27001 and other such compliance regimes have kicked in to ensure that businesses don’t get away with compromising on the security that protects user privacy. Not taking web application security seriously can lead to noncompliance with these regulations, which can result in heavy fines, penalties and lawsuits.

7 Web Application Security Best Practices

The important thing about web application security is to ensure that it works 24/7, constantly reinvents itself, and doesn’t compromise customer service. This begins by doing an in-depth security posture review by performing web application security testing for your web application. 

Here are some aspects of an ideal security strategy that will allow you to maintain your web applications efficiently:

1. Carry Out a Full-Scale Security Audit

The best way to ensure that you’re following optimal web application security practices and identifying security loopholes within your systems is to regularly conduct security audits. This will help you to keep on top of potential security vulnerabilities hidden within the web application and remain safe from targeted breaches. 

For a comprehensive and objective viewpoint, you should appoint a third-party testing team that has the necessary skills and experience to do the job right. With their professional security experience and no prior exposure to the code, they’ll be better placed to perform penetration testing and help your team identify vulnerabilities that need to be patched or otherwise mitigated. A security audit is typically one of the following types:

  • Black Box Security Audit: This type of security audit is a ‘hacker style’ audit where no information is requested about the web application, and it’s tested for exploitable security vulnerabilities. Basically, you only give the black box audit team the relevant URL of the web application. (You don’t want to make it too easy, right?)
  • White Box Security Audit: This process is the opposite of the black box approach we just discussed. In a white box audit, important information (including your code base) is often shared with the team performing the audit. The aim of the white box audit is to ensure all best practices are being followed right from secure coding practices to optimal configurations of cloud infrastructure.
  • Gray Box Security Audit: As the name suggests, a gray box audit is a mix of black box and white box audits where some important information like testing account credentials is provided before performing the security audit.

Once a security audit finishes, the next step is to work on fixing all the found vulnerabilities. The best way to prioritize the fixing is to categorize the vulnerabilities by their impact and start with the highest-impact vulnerabilities.

2. Ensure Your Data Is Encrypted (Both In Transit and At Rest)

Whenever someone visits your web application, they might share confidential information on your website that needs to be protected from eavesdroppers. Ensuring data is encrypted in transit between the visitor’s browser and your server becomes important. 

This is where SSL/TLS encryption comes into play. SSL/TLS encrypts all the communications that occur between your website visitors and your website via the secure HTTPS protocol. Encrypting this data in transit not only helps establish trust with your website visitors but also comes with SEO benefits. That’s because Google loves websites with SSL. (Google counts the use of HTTPS as one of its search engine’s ranking factors.) According to BuiltWith, 65.76% of the top one million websites now use SSL/TLS.

Still, there are websites running without SSL or using weak encryption. It’s high time to start using an SSL/TLS certificate to ensure that your customers’ data is secure when they access your website.

Image (courtesy of Astra Security): a padlock icon under a magnifying glass, illustrating the importance of web application security.

Similarly, data at rest also requires encryption to protect against server-side interference. Insiders, whether regular staff or systems administrators, can copy or physically remove your drives, rendering every other security barrier useless. A few best practices to protect data at rest include:

  • Implementing network firewalls to protect against threats from within the network.
  • Encrypting sensitive data with the strongest algorithms prior to storing it.
  • Storing data in secure, password-protected databases on a separate server.
  • Investing in infrastructure security.
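The following is an added example, not code from the article or from Astra Security, showing both halves of this recommendation in Go: a hardened server-side tls.Config for the in-transit leg, and AES-256-GCM sealing of a single database field for the at-rest leg. The 32-byte key, the card_last4 value and the customer:42 row identifier are constructed for the demo; in a deployment the key would come from a KMS or secrets manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// HardenedTLSConfig covers the "in transit" half: TLS 1.2 is the floor (1.3 is
// negotiated when the client supports it), key exchange uses modern curves, and
// TLS 1.2 clients may only use forward-secret AEAD suites. TLS 1.3 suites cannot
// be configured in Go, which is fine because all of them are sound.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// SealRecord is the "at rest" half: one database field encrypted with AES-256-GCM.
// A fresh random nonce is prepended so the stored blob is self-describing. aad (for
// example the row's primary key) is authenticated but not encrypted, so a ciphertext
// copied from one row into another fails to decrypt instead of silently succeeding.
func SealRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord; GCM's tag turns any modified byte or mismatched aad into an error.
func OpenRecord(key, record, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short to contain a nonce")
	}
	nonce, ciphertext := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Demo key generated on the fly; in production it comes from a KMS or secrets
	// manager, never from source code or the same database as the ciphertext.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rowID := []byte("customer:42") // constructed sample row identifier
	record, err := SealRecord(key, []byte("card_last4=1111"), rowID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes (nonce + ciphertext + tag)\n", len(record))
	if _, err := OpenRecord(key, record, []byte("customer:43")); err != nil {
		fmt.Println("row swap detected:", err)
	}
	record[len(record)-1] ^= 0x01 // simulate a tampered byte on disk
	if _, err := OpenRecord(key, record, rowID); err != nil {
		fmt.Println("tampering detected:", err)
	}
	fmt.Println("TLS floor is 1.2:", HardenedTLSConfig().MinVersion == tls.VersionTLS12)
}
```

Binding the row identifier to the ciphertext as additional authenticated data is what makes this useful against the insider scenario above: a blob copied between rows, or altered on the stolen drive, fails to decrypt rather than yielding a plausible but wrong value, and without the key (kept outside the database) the copied drive holds nothing readable.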

3. Implement Real-Time Security Monitoring 

Next on our list of web application security best practices is real-time security monitoring. While a security audit helps strengthen your web application’s core by helping patch all vulnerabilities, something more is needed for continuous 24/7 protection. That’s where a WAF comes in. 

A web application firewall (WAF) covers all the aspects related to real-time monitoring of your web application’s security posture. A WAF helps you block malicious-looking activity on your website or web app in real time, such as:

  • SQL injections,
  • XSS attacks, or
  • bad bots trying to launch DDoS attacks or scrape content from your website.

However, there are situations where a WAF produces false positives or misses signs that security has been compromised. Therefore, in addition to a WAF, you may also want to use an application security management platform (ASMP) (e.g., Sqreen) or a Runtime Application Self-Protection (RASP) tool. These solutions adapt to your security needs and provide real-time monitoring of threats and protection…
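As an added example (not the article’s code, and not any particular WAF product), here is a small WAF-style inspector in Go run over constructed access-log lines. It decodes each request, applies signature rules for the SQL injection and XSS shapes named in the list above and, going a little beyond the text, adds a sliding-window rate check for the bad-bot case. It also puts a naive keyword rule beside the stricter rules to show the false-positive problem this paragraph warns about: the naive rule blocks a legitimate search for “select committee minutes”. All IPs, timestamps and request lines are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"time"
)

type Request struct {
	IP   string
	When time.Time
	Path string // URL-decoded path and query, so %3C and + are normalised
}

// ParseLine reads the constructed format: <ip> <RFC3339 time> "<method> <path> <proto>".
func ParseLine(line string) (Request, error) {
	parts := strings.SplitN(line, " ", 3)
	if len(parts) != 3 {
		return Request{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, parts[1])
	if err != nil {
		return Request{}, err
	}
	fields := strings.Fields(strings.Trim(parts[2], `"`))
	if len(fields) < 2 {
		return Request{}, fmt.Errorf("malformed request: %q", parts[2])
	}
	path, err := url.QueryUnescape(fields[1]) // decode first; %-encoding is how naive filters get bypassed
	if err != nil {
		return Request{}, err
	}
	return Request{IP: parts[0], When: when, Path: path}, nil
}

// NaiveRules fire on bare SQL keywords, so a search for "select committee" is blocked too;
// Rules demand SQL or HTML structure: slightly less recall, far fewer false positives.
var NaiveRules = map[string]*regexp.Regexp{"sqli-naive": regexp.MustCompile(`(?i)\b(select|union|insert|drop)\b`)}
var Rules = map[string]*regexp.Regexp{
	"sqli-tautology": regexp.MustCompile(`(?i)'\s*(or|and)\s*'?[0-9a-z]+'?\s*=`),
	"xss":            regexp.MustCompile(`(?i)<\s*/?\s*script\b|javascript\s*:|\bon(load|error|click|mouseover)\s*=`),
}

// Classify returns the names of every rule whose pattern occurs in the decoded path.
func Classify(rules map[string]*regexp.Regexp, path string) []string {
	var hits []string
	for name, re := range rules {
		if re.MatchString(path) {
			hits = append(hits, name)
		}
	}
	return hits
}

// RateFlag is a streaming sliding window over per-IP time-ordered requests: an IP is flagged
// once it has more than limit requests inside the trailing window (scrapers, small DDoS bots).
func RateFlag(reqs []Request, limit int, window time.Duration) map[string]bool {
	recent, flagged := map[string][]time.Time{}, map[string]bool{}
	for _, r := range reqs {
		t := append(recent[r.IP], r.When)
		for r.When.Sub(t[0]) > window {
			t = t[1:] // drop timestamps that fell out of the window
		}
		recent[r.IP] = t
		if len(t) > limit {
			flagged[r.IP] = true
		}
	}
	return flagged
}

// SampleRequests is constructed traffic: a benign search, a SQL injection probe, an XSS probe, then a 25-request burst.
func SampleRequests() []Request {
	lines := []string{
		`10.0.0.5 2021-09-01T12:00:00Z "GET /search?q=select+committee+minutes HTTP/1.1"`,
		`10.0.0.7 2021-09-01T12:00:01Z "GET /products?id=1'+OR+'1'='1 HTTP/1.1"`,
		`10.0.0.9 2021-09-01T12:00:02Z "GET /profile?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1"`,
	}
	for i := 0; i < 25; i++ {
		lines = append(lines, fmt.Sprintf(`10.0.0.8 2021-09-01T12:00:%02dZ "GET /catalog?page=%d HTTP/1.1"`, 10+i/5, i))
	}
	var reqs []Request
	for _, l := range lines {
		r, err := ParseLine(l)
		if err != nil {
			panic(err)
		}
		reqs = append(reqs, r)
	}
	return reqs
}

func main() {
	reqs := SampleRequests()
	fmt.Println("naive:", Classify(NaiveRules, reqs[0].Path), "strict:", Classify(Rules, reqs[0].Path), Classify(Rules, reqs[1].Path), Classify(Rules, reqs[2].Path))
	fmt.Println("rate-flagged:", RateFlag(reqs, 20, 10*time.Second))
}
```

The threshold (more than 20 requests in 10 seconds) and the patterns are illustrative; a real deployment tunes them per endpoint, runs new rules in monitor-only mode first, and only then switches them to blocking, which is how false positives are found before customers find them.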
