For many companies, 2020 was all about switching to remote work in cloud-based enterprise systems, and application security teams had to adapt to a change in usage and a growing number of challenges. Web application vulnerabilities were the cause of 43% of data breaches in 2019, according to The 2020 Verizon Data Breach Investigations Report. Surprisingly, 79% of organizations intentionally pushed vulnerable code to production, at the same time considering their own application security posture as being higher than 7 out of 10, according to Enterprise Strategy Group research. With the average cost of data breaches being , application security is certainly not something businesses can ignore. The numbers are going uprising 12% over the last five years. $3.86 million Compared to other IT assets, web applications are especially vulnerable to attack, because they are exposed to the Internet. Many attack vectors against web applications focus on manipulating user inputs via web forms, and machine inputs via APIs. In this article, we will discuss web application vulnerabilities and the best practices for protecting web applications against malicious attacks and accidental damage. You can download the to secure your web application from all angles. Web Application Security Requirements Checklist Web Application Vulnerabilities Web application vulnerabilities are security weaknesses that allow threat actors to manipulate source code, gain unauthorized access, steal data, or otherwise interfere with the normal operation of the application. The lists the most critical security risks to web applications. Let’s overview a few commonly known attack vectors: OWASP Top 10 document —occurs when attackers use malicious SQL code to manipulate backend databases. The result can include unauthorized data listing, dropping (deletion) of tables, and unauthorized administrative access. SQL Injection —an attack targeting users of an application. It can be used to access user accounts, inject Trojans, or change page content to deceive users or deface a website. Another, more dangerous variant is stored XSS when malicious code is injected persistently into the application. Reflected XSS is when malicious scripts are reflected from the application to the user’s browser. Cross-Site Scripting (XSS) —remote injection of files into a web application server. This can lead to malicious script and code execution in applications, compromise of the web server, and data theft. Remote File Inclusion (RFI) —an attack that can lead to unwanted transfers of funds, password changes, or data theft. Involves an attacker leveraging a user’s open session, causing the user’s browser to unknowingly perform actions on a site the user is logged into. Cross-Site Request Forgery (CSRF) Sanitizing application inputs and outputs, and adopting secure coding practices, can protect applications against most vulnerabilities. However, this is not enough. Web applications are under constant development, and security testing must be incorporated into every stage of the development lifecycle, to identify and fix vulnerable code early on. In addition, most web applications use third-party open source components, which may themselves be vulnerable, and must be scanned on an ongoing basis. Expert’s Advice: Most of the modern web frameworks provide out of the box security techniques to prevent common vulnerabilities like SQL Injection, XSS, CSRF. Web Application Security Techniques and Tools The most powerful security technique in web development is to think about security in all, even smallest, details. Web application security is about not just the code base, but also about project processes, data storing, company policies, etc. In the end, it doesn’t matter how good and protected your code is, if you have your API documentation publicly available, or the super admin password written on a whiteboard in the office. -Sergey Ivanov, Head of Quality Assurance at MobiDev So, first things first—security in applications comes from security in the project itself. But when all processes are perfect—what’s next? To gain information about web application security, generally, there are two main approaches. We are talking about static and dynamic security testing. They don’t exclude one another but should instead complement one another. Here are a few technologies you can use to protect your web applications against vulnerabilities, as well as respond to attacks if they happen. SAST Static Application Security Testing (SAST) solutions scan your source code for vulnerabilities and security risks. Many web applications integrate code scanning in multiple stages of development—mainly when committing new code to the codebase, and during a build. SAST is typically rule-based, and scan results typically include false positives, so you’ll need to carefully analyze and filter the results to identify real security issues. We use the SonarQube static analysis tool to monitor security issues that may be introduced during development. It is recommended to integrate it with CI/CD pipeline so it will scan every commit/merge commit. SonarQube has good visual representation and checks not only security aspects, but also maintainability and reliability of the code base. It supports 20+ different programming languages, so it works for most frontend and backend frameworks. Expert Advice: DAST Dynamic Application Security Testing (DAST), involves testing deployed or running code to find vulnerabilities. It can be performed both manually and automatically, using special tools. Manual testing revolves around working with application API with tools like Burp Suite, Fiddler, Postman. Automation to application code, including unexpected and malicious inputs, looking for vulnerabilities. It analyzes the results and identifies security weaknesses. DAST tools send a large number of requests After thoughtful manual security analysis, we use OwaspZap, an open-source web application security scanner, to speed up regression testing. Scanners can’t replace humans in terms of creativity, root cause analysis, or ability to think out of the box, but they can handle routine tasks at a much faster rate and volume. Expert Advice: PENETRATION TESTING Penetration testing is a security technique that combines dynamic scanning tools and with human's expertise in security to find gaps in a web application’s security posture. Pentesters act like real threat actors—exploiting vulnerabilities, gaining unauthorized access, stealing data, and disrupting services. However, they do so under contract with the web application’s owner, under an agreed scope, and without causing real damage to the organization. Compared to SAST and DAST, this technique is more complex to carry out but can identify additional risks that automated tools can miss. XDR are a new generation of security platforms that give security teams one interface that allows them to detect and respond to threats wherever they exist in the IT environment. eXtended detection and response (XDR) solutions XDR collects security data from all layers of the security stack, including web applications, networks, , and endpoints. It applies advanced analytics and automation to analyze, triage, and detect both known and unknown threats. Most importantly, it directly integrates with security tools and can automatically respond to threats in real-time. private and public clouds Web Application Security Best Practices in 2021 Here are a few best practices you can use to improve the security of your web applications. AUTHENTICATION AND ACCESS CONTROL While it may seem obvious, many web applications do not implement basic access control measures. Make sure you follow these principles: Enforce strong passwords—use secure password recovery, set sensible password expiration and rotation policies, and preferably, use multi-factor authentication. Force re-authentication when accessing sensitive capabilities or performing transactions. Use the principle of least privilege (POLP), and give each user only the privileges they need to perform their role in the system. Use SSL and encryption and ensure passwords and credentials are always encrypted, both at rest and in transit. Monitor user accounts and lock out users or request a change of password if you detect suspicious activity. For businesses, which must additionally provide data security and strict legal compliance with such acts as or , an advanced solution is needed. Read more about , which enables dynamic and context-specific access to resources that can be adapted to different access control policies. Expert Advice: GDPR HIPAA Attribute Based Access Control AVOID SECURITY MISCONFIGURATIONS Whatever CMS or web development framework you are using, there are many possibilities for misconfiguration. Watch for the following issues: Always set strong administrator passwords and change default usernames Protect files and directories with configuration or sensitive content Do not leave ports open if you don’t need them to be open unnecessarily Regularly update to the latest stable version for all software libraries, plugins, and the framework itself Scan all your packages regularly for security vulnerabilities Stay tuned for security vulnerabilities and updates affecting your software and infrastructure Use secure communication and networking protocols Ensure digital certificates are up to date We use Local PHP Security Checker after each PHP composer update. It helps us to prevent using libraries with known vulnerabilities. Usually regular updates to the latest stable version solve many security issues. Expert Advice: The use of open-source libraries and components in software development is almost ubiquitous, with some 99% of applications having at least one open-source component, according to the 2020 Open Source Security and Risk Analysis Report. Some industries, such as Retail, Healthcare, and Education saw exponential growth in revenue during the year 2020, largely due to consumer behavior and social interaction changes during COVID. As these industries used more open source in their applications, they had the largest number of vulnerabilities and high-risk vulnerabilities. Determining which open-source components are secure should be a primary concern for any application security group. EXCEPTION MANAGEMENT Exceptions are a commonly overlooked aspect of web application security. It is common to see exceptions or errors displaying long stack traces to the user—this information is extremely valuable to attackers. You should never display anything to a user other than an error message that explains what went wrong and what they can do to resolve it. Ensure you plan your web application for both “happy” and “unhappy” scenarios of every user operation. Anticipate all possible errors and handle them with meaningful exceptions. This will prevent attackers from exploiting edge cases to cause unexpected behavior. MANAGE CONTAINERS CAREFULLY Many web applications run on containers, using . Containers can create major security issues if not managed correctly. Take note of the following security guidelines: Docker Trusted images—when creating a container, always use trusted base images, and scan images for vulnerabilities (even your own images) before using them. Use secrets—it is a very bad practice to save credentials or other sensitive information directly in a container image because it will be openly available on any container created from that image. Instead, use the secrets mechanism in Docker or Kubernetes to store sensitive info. Never grant root access—a container that has root access on a system will also grant root access to an attacker, in the event the container is compromised. Always define a user in your images, and avoid using options like “privileged container” in Kubernetes. Network segmentation—ensure that containers can only access other systems if they really need to. Run containers in a protected subnet and avoid exposing them to the Internet unless absolutely necessary. (ECR) service provides security scans for Docker images. It is quite a useful feature to understand what potential security issues you have in your private Docker images. Expert Advice: Amazon Elastic Container Registry QUALITY ASSURANCE AND TESTING Security testing is essential for web application security. Follow these best practices: Use static and dynamic scanning—scan your source code for vulnerabilities during development using Static Application Security Testing (SAST) and in production using Dynamic Application Security Testing (DAST). Use penetration testing—you can use lightweight penetration testing as a service (PTaaS) solutions, or for large-scale applications, and a periodic full-scale penetration test by a certified ethical hacker. Adopt CI/CD—whenever you update your application, run your code through an automated testing process, and deploy it automatically, to ensure you do not introduce security risks due to installation issues. Take compliance into account—most organizations in the world are subject to the European Union’s GDPR regulation. Applications that process credit card data are subject to the PCI/DSS standard. Check if there are additional compliance standards or regulations that affect your application, and implement the necessary measures. In most cases, our usual deployment process in CI/CD includes the following 5 steps: Scan source code for code style violations Scan used 3rd party libraries for security issues Run unit test Prepare new source code for deployment. Create and deploy new Docker images to a selected environment. All sensitive credentials required to run your web application are stored in the secure storage of the CI/CD. The deployment will be stopped if any of these steps fail. This guarantees stable updates and a stable, safe environment. How MobiDev ensures web application security Applications remain a top cause of external breaches, and the prevalence of open source, API, and containers only adds complexity to the security team. Happily, companies have started to recognize the importance of embedding security more tightly into the development phase. The author - Anton Logvinenko, Web Team Leader at MobiDev

Amazon

MobiDev

Routine

Super

Transit

IoT Trends in 2021: Driving Innovation in Businesses

An Introduction to WebRTC App Development

Transform Your Vision Into Software

Too Long; Didn't Read

CTA: Download the FREE AI Productivity Shift report

4 Common Web App Vulnerabilities and How to Combat Them

4 Common Web App Vulnerabilities and How to Combat Them

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

How AI Transforms the Fitness Industry

108 Stories To Learn About Cybersecurity Tips

10 Ways to Mitigate Cybersecurity Risks and Prevent Data Theft

10 Tips For Securing Zoom Meetings

10 Things I Did To Increase CloudTrail Logs Security

How AI Transforms the Fitness Industry

108 Stories To Learn About Cybersecurity Tips

10 Ways to Mitigate Cybersecurity Risks and Prevent Data Theft

10 Tips For Securing Zoom Meetings

10 Things I Did To Increase CloudTrail Logs Security

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps