Why care about your web app’s security?
Everything that has access to the internet can be hacked: from computers to small IoT devices with an online connection. Because nowadays even the smallest device tracks personal information, it is a gateway for hackers to sensitive data about millions of people. According to Forrester, only three industries account for the largest share of successful cyber attacks. They are:
These three sectors are the most popular among hackers; however, even if your web application or website is in another domain, that is no reason to relax. If your database stores information about your users, that is reason enough to protect your software and eliminate any security issues.
According to Corero, a single DDoS attack can cost a company around $50,000 in lost revenue. The loss in case of a security breach is not only all the personal data of the users but, more importantly, their trust in the business. Lost trust leads to even more significant financial and reputational losses for the business.
There are many types of cyberattacks that you can experience. Here are some of the most popular ones:
- Cross-Site Scripting
- SQL Injection
- DDoS Attack
- Cross-Site Request Forgery (CSRF)
- Broken Authentication
- Exploiting Inclusion Vulnerabilities – LFI and RFI
So, what is web application security? It’s all the strategies, tools and technologies you should use to prevent these attacks from hurting your code and your clients’ private data.
In this article I’ll be talking about application security best practices: we’ll cover cybersecurity strategies, and also the small things that make a difference.
11 best practices for web security
1. Document all the changes in your software
It’s always easier to find something in a room where everything is in order. In real life, however, there’s never time for this. It’s the same with software: once your web app goes live, the number of features, new changes and improvements grows exponentially.
While chasing the ever-changing requests from users and trying to keep up, software developers and owners put documenting the changes off and risk their web security. From a security standpoint, it’s a huge mistake that can cost a company too much.
As your project grows and evolves, developers add new frameworks, libraries and features. A single breach in a third-party library can cause a major data infringement incident in a company, and without documentation it will be very hard to find where the problem occurred.
2. Make a classification of potential entry points for hackers
Some parts of your software design are more vulnerable than others, because they face customers and data transactions. To make sure you focus your web application security checks on the right places, divide your software features into modules according to security priority:
Critical modules are the most vulnerable, customer-facing features, the ones closest to open internet access. These are the most attractive entry points that hackers can try to access: for example, the login and checkout pages.
Serious modules involve the parts of the software that store sensitive information about the company or its users.
Normal modules don’t have direct access to sensitive information in your app, but they also require attention and regular checkups.
3. Use a web application firewall (WAF)
A web application firewall is basically a filter for HTTP traffic between a server and the sources of its requests. It doesn’t let malicious requests go through it and infiltrate your databases.
Firewalls are one of the most popular ways to protect software at its entry points, as they analyse all incoming traffic and stop suspicious activity. WAFs don’t require developers to change anything in the source code, which also makes them convenient to use.
However, traditional firewalls have their drawbacks too and can’t detect some types of attacks. To ensure maximum security, use an advanced WAF that can protect your application from SQL injection attacks and cross-site scripting.
4. Encrypt everything you can
First of all, use basic things like HTTPS and HSTS, but don’t stop there.
Apply TLS (SSL) encryption to all user data you send to and receive from the server. While HTTPS is great and makes man-in-the-middle attacks nearly impossible, it’s not enough if someone has access to your server.
This someone can be anybody: from a system administrator to an ex-employee. To keep your data safe even when someone has reached it, you need encryption at rest and hashing.
5. Use penetration testing
Penetration testing is one of the most advanced parts of any security testing. It puts your software in near real-world situations where a QA specialist plays the role of a hacker and tries to infiltrate the system by any means: from software exploits to physical intrusion.
Penetration testing allows you to find most of the vulnerabilities effectively and also produces a detailed report that can serve as the basis for a security check and as your reference when tracing the vulnerability that caused a breach. It uses several techniques to make sure all situations are considered.
If you want to know more about penetration testing and its results, read our article on this topic:
There are over ten possible causes of software vulnerability, and a regular web app of medium complexity has dozens of entry points that hackers can use, such as cloud access. This is what penetration testing is for: it lets a QA specialist play out many scenarios and try to infiltrate the system with as much knowledge of it as a hacker would have in a real-world situation.
If you don’t have expertise in penetration testing, a good solution is to hire an expert from another company. A third-party professional will not only test your web app but also perform a full security audit of it while doing the penetration testing.
Auditing your software with the help of an outsider often allows you and your employees to see flaws you didn’t know existed.
6. Keep your web app updated
When I talk about updating your web application, I don’t mean only your own software, but all the third-party services and libraries you use in its infrastructure. Hackers often use third-party software to infiltrate the main system, so beware of these threats as well. Here’s where your web app’s documentation will help a lot.
Look at your documentation and find out which libraries you use. Get rid of the ones that don’t actually make any difference to your app, and update everything that remains. At the very least, build an update strategy, because just updating libraries sounds easier than it actually is. Many developers hesitate to update third-party services for their software, because the new versions may lack backward compatibility and mess the whole system up.
So, to avoid vulnerabilities that are present in any framework or library, you should:
a) Make sure you actually use all those libraries integrated into your software;
b) Use the latest version of each, if it’s stable.
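Both checks (a) and (b) can be automated against the documentation you keep of your libraries. The following is an added example, not code from the article: it parses a constructed requirements-style manifest with made-up package names, compares it with the set of modules the application actually imports, and with a constructed table of latest stable versions that a package index would report.

```python
"""Dependency inventory check: report libraries that are declared but never
imported, and declared versions that lag behind the latest stable release.
Example code added alongside the article; packages, versions and import data are constructed."""
from dataclasses import dataclass, field

# Constructed manifest in a requirements.txt-like format (hypothetical package names).
MANIFEST = """
webfw==2.3.1
ormlib==1.8.0
imgtool==0.9.2   # not imported anywhere in the application
"""

# Constructed: top-level module names actually imported by the application source.
IMPORTED = {"webfw", "ormlib"}

# Constructed: latest stable version per package, as an index would report it.
LATEST_STABLE = {"webfw": "2.3.1", "ormlib": "1.9.4", "imgtool": "1.0.0"}


def parse_manifest(text):
    """Return {name: version} from 'name==version' lines, ignoring comments and blanks."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip()] = version.strip()
    return deps


def version_tuple(version):
    """'1.9.4' -> (1, 9, 4) so that versions compare numerically, not as strings
    (string comparison would rank '1.10.0' below '1.9.0')."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class AuditReport:
    unused: list = field(default_factory=list)      # declared but never imported
    outdated: dict = field(default_factory=dict)    # name -> (declared, latest stable)


def audit_dependencies(manifest_text, imported_names, latest_stable):
    """Check (a): every declared library is used; check (b): each is at the latest stable version."""
    report = AuditReport()
    for name, declared in parse_manifest(manifest_text).items():
        if name not in imported_names:
            report.unused.append(name)
        latest = latest_stable.get(name)
        if latest is not None and version_tuple(declared) < version_tuple(latest):
            report.outdated[name] = (declared, latest)
    return report


if __name__ == "__main__":
    report = audit_dependencies(MANIFEST, IMPORTED, LATEST_STABLE)
    print("unused (remove):", report.unused)
    print("outdated (plan an update):", report.outdated)
```

An unused library still shows up in the outdated list on purpose: removing it resolves both findings at once, which is the order the article recommends.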
7. Set up your cookies
Cookies can also be a way for hackers to get in, so be sure that your cookies are safe. There are three main parameters to look at:
1. The information your cookies store: make sure it’s not sensitive. Don’t store passwords in your cookies; otherwise hackers will easily get them and enter your system from another user’s account.
2. Cookie expiration date: don’t make cookies last endlessly. Cookies should last less than a month, so request authorisation again roughly every two weeks. This will make your web app more secure and you’ll know for sure that it’s your user who enters the app each time.
3. Cookie encryption: encrypt all the information you store in cookies for more reliable security.
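The three points above in one place, as an added example rather than code from the article: the cookie carries only an opaque session id (no user data), lives for two weeks, is marked HttpOnly, Secure and SameSite, and is signed with an HMAC so that a modified cookie is rejected before the server trusts it. It uses only the standard library; the secret key, cookie name and record format are assumptions of this example.

```python
"""Session cookie hardening: restrictive attributes, a bounded lifetime, and an
HMAC signature so a tampered cookie is rejected.
Example code added alongside the article; standard library only."""
import base64
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Constructed server-side secret; a real deployment loads this from a secret store.
SERVER_SECRET = secrets.token_bytes(32)
TWO_WEEKS = 14 * 24 * 60 * 60


def _sign(payload: bytes) -> str:
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def make_session_cookie(session_id: str, now: Optional[int] = None, max_age: int = TWO_WEEKS) -> str:
    """Return a Set-Cookie header value. The cookie holds only an opaque session id
    and an expiry timestamp; user data and passwords stay on the server."""
    now = int(time.time()) if now is None else now
    payload = f"{session_id}.{now + max_age}".encode("ascii")
    cookie = SimpleCookie()
    cookie["session"] = payload.decode("ascii") + "." + _sign(payload)
    cookie["session"]["httponly"] = True       # page scripts cannot read it (limits XSS impact)
    cookie["session"]["secure"] = True         # only ever sent over HTTPS
    cookie["session"]["samesite"] = "Strict"   # not attached to cross-site requests (limits CSRF)
    cookie["session"]["max-age"] = max_age     # bounded lifetime instead of an endless cookie
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def read_session_cookie(cookie_header: str, now: Optional[int] = None) -> Optional[str]:
    """Parse a Cookie header, verify signature and expiry, and return the session id,
    or None. The signature is checked first and in constant time."""
    now = int(time.time()) if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "session" not in jar:
        return None
    try:
        session_id, expires, sig = jar["session"].value.rsplit(".", 2)
    except ValueError:
        return None
    payload = f"{session_id}.{expires}".encode("ascii")
    if not hmac.compare_digest(_sign(payload), sig):
        return None            # tampered or forged
    if int(expires) <= now:
        return None            # expired: ask the user to authenticate again
    return session_id


if __name__ == "__main__":
    sid = secrets.token_urlsafe(16)   # no dots in the urlsafe alphabet, so rsplit stays unambiguous
    header = make_session_cookie(sid)
    print("Set-Cookie:", header)
    print("session id:", read_session_cookie(header.split(";")[0]))
```

Signing detects modification but does not hide the contents; that is acceptable here because the only content is a random session id. If a cookie had to carry anything more, it should be encrypted as the article suggests, with the server holding the key.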
8. Implement real-time monitoring
According to Ponemon, it takes around six months on average for a company to detect a security breach, even a major one. If you store lots of sensitive data, your priority is finding the breach as soon as possible and eliminating it. For this, you can use special monitoring software that records the actions your employees take on their work computers. This can help you make sure all the security requirements are met.
According to Chief Executive, 90% of all security breaches become possible because of human error. This is why monitoring your employees might be a good idea: it will allow you to quickly find out which action on which computer compromised your system, because everything will be on record.
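Monitoring only shortens detection time if something actually looks at the records. As an added example (not from the article), this detection runs over a few constructed authentication log lines in a made-up format and raises an alert when one source address produces five failed logins inside five minutes, noting whether a successful login followed, which is the first thing an analyst wants to know.

```python
"""Detection logic: flag a source that produces many failed logins in a short window.
Example code added alongside the article; the log format and lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (made-up application format, documentation IP ranges).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth result=fail user=alice src=203.0.113.7
2024-03-01T10:00:05Z auth result=fail user=alice src=203.0.113.7
2024-03-01T10:00:09Z auth result=fail user=alice src=203.0.113.7
2024-03-01T10:00:12Z auth result=fail user=alice src=203.0.113.7
2024-03-01T10:00:15Z auth result=fail user=alice src=203.0.113.7
2024-03-01T10:00:20Z auth result=ok user=alice src=203.0.113.7
2024-03-01T10:30:00Z auth result=fail user=bob src=198.51.100.2
2024-03-01T11:30:00Z auth result=fail user=bob src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failures per source. One alert per source; a later
    successful login from an alerted source is recorded on that alert."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerts = []
    alerted = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "fail":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold and src not in alerted:
                alerts.append({"src": src, "user": user, "at": ts,
                               "failures": len(q), "success_after": False})
                alerted.add(src)
        elif result == "ok":
            for alert in alerts:
                if alert["src"] == src:
                    alert["success_after"] = True   # the guessing may have worked
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second user's two failures an hour apart never reach the threshold, which is the point of the sliding window: a count that never resets would eventually flag every ordinary user who mistypes a password.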
9. Educate your employees
We’ve already spoken about human error, and it’s more common when people don’t know where exactly they can make a mistake. If you have a big organization, it’s easy to lose track of what your employees in different departments deal with on a daily basis.
While you can always monitor them, it’s more effective to prevent a security breach than to hastily search for it after the incident has occurred. Educate your employees on how to use software securely and which actions can lead to data infringement.
Teach your staff what to do in case of a data breach and develop security standards that govern their actions. To do that, you’ll need to take the next step.
10. Hope for the best, prepare for the worst
The last thing on our web application security checklist is having a plan for when a data breach happens.
According to the Ponemon Institute, 70% of companies don’t have a plan for a cyber security incident or a strategy for securing web applications. This leads to:
- Slow response to cyberattacks
- More significant losses in time and money
- Loss of trust from both employees and clients
Your plan should contain a classification of attacks, and for each type a list of actions and a time frame. Not only should you have an emergency plan, but you should also test it regularly to make sure your systems work properly and your employees react quickly and effectively.
To make your response to threats more effective, you can automate most of it by using:
- Identity management tools
- Authentication technologies
- Incident response platforms
- Security information and event management tools
11. Manage your permissions
Limit your employees’ access to your software according to their needs. Create a permission grid that gives employees only the permissions they’ll need for their work.
Giving workers different levels of access to your system has two main advantages. First, if someone breaks into your system through an employee’s credentials, you can be sure they can’t go any further than what that account allows.
Second, if one of your own employees decides to put the company in a difficult situation, you can also be sure they can’t actually access sensitive data solely through their own account. Blocking former employees’ accounts and changing passwords after a key developer leaves the company is also one of the web application security best practices.
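A permission grid of this kind is small enough to express directly in code. The following is an added example, not from the article: roles, resources and accounts are constructed, every check is denied unless a role in the grid explicitly grants it, every decision is recorded for later audit, and offboarding disables the account rather than deleting it so its history survives.

```python
"""Permission grid with deny-by-default checks, an audit trail of decisions, and
offboarding that disables an account instead of deleting it.
Example code added alongside the article; roles, resources and accounts are constructed."""
from dataclasses import dataclass, field

# Constructed grid: role -> set of (action, resource) pairs the role may perform.
PERMISSION_GRID = {
    "support":   {("read", "tickets"), ("write", "tickets")},
    "developer": {("read", "tickets"), ("read", "logs"), ("deploy", "staging")},
    "admin":     {("read", "tickets"), ("read", "logs"), ("deploy", "staging"),
                  ("deploy", "production"), ("read", "customer_pii")},
}


@dataclass
class Account:
    username: str
    roles: set = field(default_factory=set)
    active: bool = True


class AccessControl:
    def __init__(self, grid):
        self.grid = grid
        self.accounts = {}
        self.decisions = []   # (username, action, resource, allowed): every check, not only denials

    def add_account(self, username, *roles):
        unknown = set(roles) - set(self.grid)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.accounts[username] = Account(username, set(roles))

    def is_allowed(self, username, action, resource):
        """Deny unless the account exists, is active, and one of its roles grants the pair."""
        acct = self.accounts.get(username)
        allowed = bool(
            acct is not None
            and acct.active
            and any((action, resource) in self.grid[r] for r in acct.roles)
        )
        self.decisions.append((username, action, resource, allowed))
        return allowed

    def offboard(self, username):
        """Disable the account and strip its roles; the record stays so past decisions
        remain auditable. Shared secrets the person knew (deploy keys, service
        passwords) still have to be rotated separately, as the article advises."""
        acct = self.accounts[username]
        acct.active = False
        acct.roles.clear()


def demo():
    """Exercise the grid with two constructed accounts and return the decisions."""
    ac = AccessControl(PERMISSION_GRID)
    ac.add_account("dana", "developer")
    ac.add_account("sam", "support")
    results = {
        "dev_reads_logs": ac.is_allowed("dana", "read", "logs"),
        "dev_reads_pii": ac.is_allowed("dana", "read", "customer_pii"),
        "support_deploys": ac.is_allowed("sam", "deploy", "staging"),
        "unknown_user": ac.is_allowed("nobody", "read", "tickets"),
    }
    ac.offboard("dana")
    results["after_offboard"] = ac.is_allowed("dana", "read", "tickets")
    return results, ac


if __name__ == "__main__":
    results, ac = demo()
    for name, allowed in results.items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    print("decisions recorded:", len(ac.decisions))
```

Recording allowed decisions as well as denials is deliberate: after an incident, the question is usually which legitimate-looking actions a compromised account took, not only which ones it was refused.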
These are some other suggestions that you can find useful in your particular case:
- Use a free certificate authority (e.g. Let’s Encrypt) or buy an SSL certificate, and redirect all your HTTP requests to HTTPS
- Implement the X-XSS-Protection security header to defend your web app from cross-site scripting
- Use strong passwords, as simple, short and predictable passwords are the primary way for hackers to infiltrate your system
- Define approved content sources with the help of a Content Security Policy (CSP): this will prevent the website from loading files from a potentially malicious source
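The HTTPS redirect, the X-XSS-Protection header and the Content Security Policy from the list above, together with HSTS from point 4, as an added example that is not code from the article. One caveat a practitioner should know: current browsers no longer honour X-XSS-Protection, so it is kept here only for older clients and the CSP is the control that actually matters. The header names are real; the policy values and the checker's thresholds are this example's own choices.

```python
"""Response hardening: the security headers the article lists, a checker that
flags missing or weak values, and an HTTP-to-HTTPS redirect target.
Example code added alongside the article; policy values are constructed, standard library only."""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000   # seconds; the HSTS lifetime assumed by this example


def hardened_headers():
    """Headers to add to every HTTPS response."""
    return {
        # HSTS: a browser that has seen this refuses plain HTTP to the host for a year.
        "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
        # CSP: scripts and other resources may load only from our own origin.
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "frame-ancestors 'none'; base-uri 'self'"
        ),
        # Legacy XSS filter header; modern browsers ignore it, CSP is the real control.
        "X-XSS-Protection": "1; mode=block",
        # Stop browsers from guessing a content type that differs from the declared one.
        "X-Content-Type-Options": "nosniff",
    }


def _hsts_max_age(value):
    """Return the max-age directive of an HSTS header value, or None if absent."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def _csp_allows_inline_scripts(csp):
    """True when the directive governing scripts (script-src, else default-src) permits 'unsafe-inline'."""
    directives = {}
    for d in csp.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    governing = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in governing


def check_headers(headers):
    """Return findings for a response's headers (names matched case-insensitively);
    an empty list means nothing to report."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = _hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif _csp_allows_inline_scripts(csp):
        findings.append("Content-Security-Policy allows inline scripts")
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def https_redirect_location(request_url):
    """Location for a 301 redirect of a plain-HTTP request to the same URL over HTTPS."""
    parts = urlsplit(request_url)
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print("findings on hardened set:", check_headers(hardened_headers()))
    print("findings on weak set:", check_headers({"Strict-Transport-Security": "max-age=300"}))
    print(https_redirect_location("http://example.com/login?next=%2F"))
```

Running `check_headers` against a captured response from staging is a cheap regression test: a deployment that drops one of these headers fails before it reaches users rather than after.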
In this article I’ve shown how to secure web applications. These are eleven web development security best practices you should follow if you want to keep your business and reputation free of malicious hacker attacks. Of course, nothing can guarantee security 100%; however, you can significantly decrease the chances of data infringement.
To do this, you need to keep your software in order: document all the changes and make sure that all the third-party modules, libraries and frameworks you use are up to date. To protect the data inside your databases, you should definitely encrypt it: this way, hackers won’t be able to make any use of it even if they get to it.
It’s also a good idea to pretend to be a hacker yourself and perform penetration testing on your code. This will allow you to test your web application in a real-world situation and also audit your code.
And, of course, don’t forget about your employees: they should know what to do in case of a hacker attack, and also beware of human error. Educate your employees on secure behaviour to minimize the chance of a mistake.
If you feel like you could use a security audit of your web application, or a penetration testing report, be sure to contact us: we are a mobile and web development company with a business mindset, and we view security as one of the vital factors for any business’s success.
Web security services
Want to make sure your web app won't give away any user personal data? We can make your web software bullet-proof!