Trusted software development company since 2009. Custom DS/ML, AR, IoT solutions https://mobidev.biz
For many companies, 2020 was all about switching to remote work in cloud-based enterprise systems, and application security teams had to adapt to a change in usage and a growing number of challenges.
Web application vulnerabilities were the cause of 43% of data breaches in 2019, according to The 2020 Verizon Data Breach Investigations Report. Surprisingly, 79% of organizations intentionally pushed vulnerable code to production, at the same time considering their own application security posture as being higher than 7 out of 10, according to Enterprise Strategy Group research.
With the average cost of data breaches being $3.86 million, application security is certainly not something businesses can ignore. The numbers are going uprising 12% over the last five years.
Compared to other IT assets, web applications are especially vulnerable to attack, because they are exposed to the Internet. Many attack vectors against web applications focus on manipulating user inputs via web forms, and machine inputs via APIs.
In this article, we will discuss web application vulnerabilities and the best practices for protecting web applications against malicious attacks and accidental damage. You can download the Web Application Security Requirements Checklist to secure your web application from all angles.
Web application vulnerabilities are security weaknesses that allow threat actors to manipulate source code, gain unauthorized access, steal data, or otherwise interfere with the normal operation of the application.
The OWASP Top 10 document lists the most critical security risks to web applications. Let’s overview a few commonly known attack vectors:
Sanitizing application inputs and outputs, and adopting secure coding practices, can protect applications against most vulnerabilities. However, this is not enough. Web applications are under constant development, and security testing must be incorporated into every stage of the development lifecycle, to identify and fix vulnerable code early on.
In addition, most web applications use third-party open source components, which may themselves be vulnerable, and must be scanned on an ongoing basis.
Expert’s Advice: Most of the modern web frameworks provide out of the box security techniques to prevent common vulnerabilities like SQL Injection, XSS, CSRF.
The most powerful security technique in web development is to think about security in all, even smallest, details. Web application security is about not just the code base, but also about project processes, data storing, company policies, etc. In the end, it doesn’t matter how good and protected your code is, if you have your API documentation publicly available, or the super admin password written on a whiteboard in the office.
-Sergey Ivanov, Head of Quality Assurance at MobiDev
So, first things first—security in applications comes from security in the project itself. But when all processes are perfect—what’s next?
To gain information about web application security, generally, there are two main approaches. We are talking about static and dynamic security testing. They don’t exclude one another but should instead complement one another.
Here are a few technologies you can use to protect your web applications against vulnerabilities, as well as respond to attacks if they happen.
Static Application Security Testing (SAST) solutions scan your source code for vulnerabilities and security risks. Many web applications integrate code scanning in multiple stages of development—mainly when committing new code to the codebase, and during a build.
SAST is typically rule-based, and scan results typically include false positives, so you’ll need to carefully analyze and filter the results to identify real security issues.
Expert Advice: We use the SonarQube static analysis tool to monitor security issues that may be introduced during development. It is recommended to integrate it with CI/CD pipeline so it will scan every commit/merge commit. SonarQube has good visual representation and checks not only security aspects, but also maintainability and reliability of the code base. It supports 20+ different programming languages, so it works for most frontend and backend frameworks.
Dynamic Application Security Testing (DAST), involves testing deployed or running code to find vulnerabilities. It can be performed both manually and automatically, using special tools.
Manual testing revolves around working with application API with tools like Burp Suite, Fiddler, Postman. Automation DAST tools send a large number of requests to application code, including unexpected and malicious inputs, looking for vulnerabilities. It analyzes the results and identifies security weaknesses.
Expert Advice: After thoughtful manual security analysis, we use OwaspZap, an open-source web application security scanner, to speed up regression testing. Scanners can’t replace humans in terms of creativity, root cause analysis, or ability to think out of the box, but they can handle routine tasks at a much faster rate and volume.
Penetration testing is a security technique that combines dynamic scanning tools and with human's expertise in security to find gaps in a web application’s security posture.
Pentesters act like real threat actors—exploiting vulnerabilities, gaining unauthorized access, stealing data, and disrupting services. However, they do so under contract with the web application’s owner, under an agreed scope, and without causing real damage to the organization.
Compared to SAST and DAST, this technique is more complex to carry out but can identify additional risks that automated tools can miss.
eXtended detection and response (XDR) solutions are a new generation of security platforms that give security teams one interface that allows them to detect and respond to threats wherever they exist in the IT environment.
XDR collects security data from all layers of the security stack, including web applications, networks, private and public clouds, and endpoints. It applies advanced analytics and automation to analyze, triage, and detect both known and unknown threats. Most importantly, it directly integrates with security tools and can automatically respond to threats in real-time.
Here are a few best practices you can use to improve the security of your web applications.
AUTHENTICATION AND ACCESS CONTROL
While it may seem obvious, many web applications do not implement basic access control measures. Make sure you follow these principles:
Expert Advice: For businesses, which must additionally provide data security and strict legal compliance with such acts as GDPR or HIPAA, an advanced solution is needed. Read more about Attribute Based Access Control, which enables dynamic and context-specific access to resources that can be adapted to different access control policies.
AVOID SECURITY MISCONFIGURATIONS
Whatever CMS or web development framework you are using, there are many possibilities for misconfiguration. Watch for the following issues:
Expert Advice: We use Local PHP Security Checker after each PHP composer update. It helps us to prevent using libraries with known vulnerabilities. Usually regular updates to the latest stable version solve many security issues.
The use of open-source libraries and components in software development is almost ubiquitous, with some 99% of applications having at least one open-source component, according to the 2020 Open Source Security and Risk Analysis Report.
Some industries, such as Retail, Healthcare, and Education saw exponential growth in revenue during the year 2020, largely due to consumer behavior and social interaction changes during COVID. As these industries used more open source in their applications, they had the largest number of vulnerabilities and high-risk vulnerabilities. Determining which open-source components are secure should be a primary concern for any application security group.
Exceptions are a commonly overlooked aspect of web application security. It is common to see exceptions or errors displaying long stack traces to the user—this information is extremely valuable to attackers. You should never display anything to a user other than an error message that explains what went wrong and what they can do to resolve it.
Ensure you plan your web application for both “happy” and “unhappy” scenarios of every user operation. Anticipate all possible errors and handle them with meaningful exceptions. This will prevent attackers from exploiting edge cases to cause unexpected behavior.
MANAGE CONTAINERS CAREFULLY
Many web applications run on containers, using Docker. Containers can create major security issues if not managed correctly. Take note of the following security guidelines:
Expert Advice: Amazon Elastic Container Registry (ECR) service provides security scans for Docker images. It is quite a useful feature to understand what potential security issues you have in your private Docker images.
QUALITY ASSURANCE AND TESTING
Security testing is essential for web application security. Follow these best practices:
In most cases, our usual deployment process in CI/CD includes the following 5 steps:
The deployment will be stopped if any of these steps fail. This guarantees stable updates and a stable, safe environment.
Applications remain a top cause of external breaches, and the prevalence of open source, API, and containers only adds complexity to the security team. Happily, companies have started to recognize the importance of embedding security more tightly into the development phase.
The author - Anton Logvinenko, Web Team Leader at MobiDev
Create your free account to unlock your custom reading experience.