Security has become an integral part of software development and operations lifecycle. When it comes to web applications, there are well-established patterns and practices to ensure securing the data. Typically most of us consider access control and securing the data at rest and transit for protection. Though these areas are fundamentally important, there are many more things to do to establish overall security of a web application. This article focuses on providing a broader perspective of things, in developing secure software focusing mostly on web applications.
Let's start with External Factors Governing Security
Building a secure web application requires to identify the level of security needed for the particular domain. Regulations, standards, and compliance typically govern domain-related security demands.
For example, a financial application requires to comply with PCI DSS if it handles credit cards payments for compliance. For an application offering payment services need to adhere to the regulatory requirements like PSD2 if it operates in Europe. Compliance with these standards and regulatory requirements are essential to establish healthy security guidelines to secure financial data as well as for the interoperability with other systems. There are standard domain requirements as well like handling personally identifiable data which still requires to adhere to regulations like GDPR.
At the ground level, these external factors drive the need for securing the communication channels, enforcing sensitive data encryption at rest and healthy levels of access controls with an incident response plan to mitigate any security risks at hand.
Security by Design and Architectural Best Practices
Another critical aspect is to have a top-down approach to secure the web application by looking at security from an architectural standpoint. You might wonder why not look for the best possible security implementation. The reason is that security implementation comes with a cost, typically impacting application performance and the total cost of ownership. Let's look at some of the standard security requirements and best practices we need to follow in designing web applications.
First of all, it is essential to identify the security boundaries of the application. For instance, we need to address questions like;
- Who is the intended audience of the application, and do they need to access the web application via the internet or only inside a corporate network?
- Are there any internal or third-party integrations, what data needs to flow inward or outward, and how will they connect to the application?
It is vital to identify these boundaries to secure them by design, for example, if the intended audience is only office staff, its not necessary to serve the application on the internet (or use a VPN in doing so) which dramatically reduces the attack surface of the web application.
When designing web applications, most of the developers look into access control as a rule of thumb. Access control is also an area we typically overlook and spending more time in terms of security. Let's break it down to authentication and authorization for easier reference.
If we look at the modern web applications, we no longer try to implement the authentication by hand. How to secure password, hash, and salt are typically someone else's problem. There are authentication frameworks we could readily use like OpenID Connect with third-party services like AWS Cognito, Azure B2C, Auth0 providing plug-in solutions. It is also possible to use OAuth2 Scopes and Claims using ABAC or use RBAC approach for authorization as required by the application.
It is also important to note that developers moving away from Cookies and uses JWT tokens for authentication as well as for authorization. Modern web application architecture styles like Single Page Applications, tends to go for authentication and authorization frameworks like OpenID Connect/ OAuth2. However, this doesn't mean that Cookies are dead or becoming to vanish soon.
From another perspective, the implementation for authentication and authorization should be extensible. For instance, it might require to support federated identities like Microsoft Login, Google Login for authentication. Besides, for developers, there need to be clear guidelines on how we extend the authorization framework into code implementing fine-grained access control with minimalist decision making. How to implement an authorization framework based on application requirements, I will keep for another topic.
These points need to be carefully considered and design the application accordingly from the start to ensuring the overall security of the web application.
Security Information and Event Management
When designing web applications, we consider storing application logs mainly to identify issues and debug and to monitor application health. In terms of security, it is also essential that we carefully design to capture logs information considering security.
These log information typically fed into security information and event management (SIEM) systems for security health monitoring. These SIEM systems are capable of identifying the anomalies and keep track of the historical data for incident response. If you are new to the area, check SIEM Gartner quadrant for available solutions.
These tools are essential when it comes to modern web application security management, where it could not only help to identify security threats but also to reduce the impact and the blast radius of an incident.
Securing the Infrastructure
Securing the application infrastructure is a broader area that requires expertise in terms of networking, hardware, operating systems, and specialized software for firewalls. For web applications, it is also becoming a common practice to use web application firewalls as a powerful defense system, that could protect the web application from well-known external threats.
When it comes to web applications, typically network design should protect sensitive data by facilitating internal and external communication and storage. Besides, identity management and access control for resources also need to be managed accordingly. Other, areas of operations require operating systems and software security patching and managing updates as necessary to ensure security.
The focus used for infrastructure security could differ based on the application platform. For instance, if we use cloud-native technologies, we might need to focus more on adhering to the security best practices recommended by the platform since the cloud provider manages the underlying platform security. Here, the shared responsibility model for security comes in to play.
When designing the solutions architecture of the application, it is necessary to identify different types of data and classify them to treat them based on their sensitiveness. Two main areas we need to consider here is securing data at rest (when storing data are we using encryption?) and the transit of data (when data is moving via a network).
Typically for web applications, we use SSL/TLS to encrypt the channel. Since SSL/TLS supported by almost all the web servers, it is easy to implement this and used widely. For additional security for an administrative section, we could use two-way certificates installing one at the web browser. Using SSL/TLS has almost become an industry norm for all the web applications, even running inside a corporate network.
For encryption at rest, almost all the database systems support encryption at rest, which is easy to configure. Encryption at rest equally applies for the file system if we need to store files securely. Here it is crucial to implement a strategy to manage the encryption keys, whether we store them in a Key Management Service (KMS) or store them in the host in files or environment variables. However, saying all these, you have to critically evaluate and decide, which information you need to encrypt or not since it could add the additional cost of ownership and potentially impact the performance depending on how you are using it.
Continuous Process to Drive Security
As you have already identified, it requires both the implementation level and operational level establishments for actively securing web applications. When developing software, it is likely to have issues in the web application. However, an application issue looks like a minor bug in terms of functionally could have adverse effects in terms of security. Therefore the establishment of a robust process for web application security is essential.
Vulnerability assessment is a way of identifying potential security loopholes in an application with the help of an ethical hacker. The idea is to attack the web application in every means which a potential intruder could attempt and take actions to fix the loopholes. It is recommended at least to carry out an assessment annually since there could be so many factors affecting the web application security.
Secure Code Reviews
Having security code reviews, both when introducing new code as well as as a route assessment, is essential. The most important activity is to establish a secure practices document with best practices each developer and operation engineer needs to follow. Beyond having these only in a text, it is also important to have forums where people evaluate the past mistakes and do a root cause assessment for every incident/mistake in code so that the team doesn't repeat the errors.
When developing software, we might follow different process models. Depending on the process model, each team might agree to follow a set of best practices to assure the secure development of the web application. However, with time, there could be deviations from practices that needed. Having a security audit process mitigates the risks of differences affecting in the long term by identifying them as early as possible. These audits could be carried out with a security checklist to asses, either quarterly or annually depending on the organizational requirements. Typically organizations with ISO27001 certifications has a well-established auditing process to get the compliance for security. Researching ISO27001 would be a great start to establish the criteria for security audits if you are new to this area.