Security should be a crucial part of any application you are working on. In this article we are going to cover the web application security best practices you should consider when working on your next project, but before we do that, let us quickly cover why security is so important:
Why is it so crucial to have strong application security?
Loss of customer data
Customers trust you with their data. It’s your responsibility to keep that data secure from malicious users and attackers.
Loss of revenue
Service outages and downtime can cost your business a lot of money, let alone the reputational damage that results from a breach. How much depends on the business – imagine an ecommerce store being down for hours or days due to a breach.
Loss of customer trust
Customers are more cautious about their data and where it is shared. Losing customers’ data due to a cybersecurity breach can be devastating both to the brand image and customer trust. Loss of customers’ data can in some cases even lead to a shutdown of the business.
Compliance and penalties
Governments are imposing security standards such as GDPR, HIPAA, PCI and ISO 27001 to make sure companies don’t get away with neglecting security. Failing to comply with those standards can result in fines, penalties or lawsuits.
In this article, we’ll cover the following web application security best practices:
- Full-scale security audit
- Encrypt data
- Real time security monitoring
- Proper logging practices
- Implement security hardening measures
- Regular vulnerability scans and updates
1. Full-scale security audit
One of the best ways to ensure there are no security loopholes in your web applications is to have regular security audits.
A security audit can include one or more of the following:
- Black box security audit: this is the ‘hacker approach’. The application is tested for exploitable vulnerabilities without access to the source code.
- White box security audit: the opposite of a black box security audit; here you or the team performing the audit have access to information including the code base. This type of security audit ensures you are following all the best practices, starting with secure coding practices.
- Grey box security audit: as the name suggests, this is a mixed approach between white box and black box security audits, in which some important information is shared before the audit.
If there are any vulnerabilities detected after your audit, the best approach is to categorise them by their impact, prioritise their remediation and start fixing them with the highest impact vulnerabilities first (Critical / High).
2. Encrypt data
Visitors and customers could share sensitive information on your website. The data in transit between the visitor’s browser and your server has to be encrypted.
Encrypting the data in transit does not only help with customer trust, but also plays an important role in SEO ranking. Search engines like Google prefer websites served over HTTPS (TLS, still commonly called SSL); the use of HTTPS is even a ranking factor for Google.
However, it’s not only the data in transit that has to be encrypted. You also have to encrypt the data at rest to make sure malicious actors can’t just copy or destroy it. Follow these practices to make sure your data is secure:
- Implement network firewalls. That will help contain threats from within the network.
- Choose a strong encryption algorithm and encrypt the data before you store it.
- Store data on a separate server in a password-protected database.
- Infrastructure security is important. Don’t neglect it; invest in infrastructure security.
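Added example (not from the article): encrypting a record before storing it, using AES-256-GCM from Go's standard library. The key, record and row id are constructed for the demonstration; the point is that an authenticated mode returns an error on any tampered or misattributed record instead of silently returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random nonce that is prepended to the
// output; aad (e.g. the row id) is authenticated, binding ciphertext to record.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; any change to the record or to aad fails the tag check.
func Open(key, record, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short: %d bytes", len(record))
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], aad)
}

func main() {
	key := make([]byte, 32) // demo key; in production load it from a secret store or KMS
	rand.Read(key)
	rec, err := Seal(key, []byte("card ending 4242"), []byte("customer:17"))
	fmt.Printf("%d-byte record (nonce+ciphertext+tag), err=%v\n", len(rec), err)
}
```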
3. Real time security monitoring
We already mentioned the importance of regular security audits, but those will not be enough without robust real-time monitoring. Consider using a web application firewall (WAF), which helps you block malicious activity in real time.
As web application firewalls can raise false positives or miss some threats, consider using ASMP or RASP in addition.
An Application Security Management Platform (ASMP) monitors protocols beyond the application layer and helps you protect your apps against unknown threats in real time. While ASMP is embedded into your app, RASP runs on your server and monitors the behavior of your web applications and the context of user input. If RASP detects suspicious activity, it will immediately terminate the session and block the malicious user. Please keep in mind that neither of those guarantees 100% success.
4. Proper logging practices
To have good insight into the events in your app (what happened, at what time, whether something else was happening at the same time and how that affected the situation), you need proper logging in place. This information is important to have and monitor continually, and it’s especially important in the case of a security incident.
Post-incident forensics can become a daunting task without proper logging in place. On the other hand, with a proper logging mechanism, the task of analysing the cause and understanding the bad actor in case of a data breach becomes much easier.
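Added example, not part of the article: a structured security event log in Go and the timeline query that post-incident analysis starts with. The event fields, the log lines and the 10-second window are constructed assumptions for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is one security-relevant record: every field forensics pivots on is a
// named key, not free text, so the log can be queried rather than grepped.
type Event struct {
	Time      time.Time `json:"ts"`
	RequestID string    `json:"req_id"` // correlates all lines of one request
	User      string    `json:"user"`
	SourceIP  string    `json:"src_ip"`
	Action    string    `json:"action"`
	Outcome   string    `json:"outcome"`
}

// Timeline parses newline-delimited JSON events and keeps those within
// +/- window of pivot, answering "what else was happening at the same time?".
// A malformed line is an error, not silently skipped: a gap in the record
// is itself a finding.
func Timeline(ndjson string, pivot time.Time, window time.Duration) ([]Event, error) {
	var out []Event
	for i, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if d := e.Time.Sub(pivot); -window <= d && d <= window {
			out = append(out, e)
		}
	}
	return out, nil
}

// Constructed sample log, not real data: two failed logins, a success, then a bulk export.
const sample = `{"ts":"2023-05-01T09:59:50Z","req_id":"a1","user":"alice","src_ip":"203.0.113.5","action":"login","outcome":"failure"}
{"ts":"2023-05-01T10:00:02Z","req_id":"a2","user":"alice","src_ip":"203.0.113.5","action":"login","outcome":"failure"}
{"ts":"2023-05-01T10:00:05Z","req_id":"a3","user":"alice","src_ip":"203.0.113.5","action":"login","outcome":"success"}
{"ts":"2023-05-01T10:00:07Z","req_id":"a4","user":"alice","src_ip":"203.0.113.5","action":"export_customers","outcome":"success"}`

func main() {
	pivot, _ := time.Parse(time.RFC3339, "2023-05-01T10:00:07Z") // the suspicious export
	events, err := Timeline(sample, pivot, 10*time.Second)
	fmt.Printf("%+v\n%v\n", events, err)
}
```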
5. Implement security hardening measures
Default settings are not enough for some components; they need security hardening measures such as:
- Maximum script execution time: set the maximum time a particular script can run on the server. A low limit helps narrow the attack possibilities; choose it according to your application’s use case.
- Disable modules: Are there modules and extensions on your server that are not in use by the application? Disable them.
- Have a content security policy in place: a good content security policy can help prevent infections such as redirection malware from taking over.
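Added example, not from the article: Go net/http middleware applying the first and last measures above, a per-request time limit (the server-side analogue of a maximum script execution time) and a baseline Content-Security-Policy with related headers. The policy values and the 50 ms limit are assumptions to adjust per application.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// CSP is a restrictive baseline: same-origin resources only, no plugins, no
// framing, inline scripts blocked, which is what keeps an injected redirect
// script from running. Loosen it directive by directive as the app requires.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'"

// Harden wraps h with a response-time limit and security headers. The limit
// is the server-side counterpart of a maximum script execution time: a
// handler that hangs (or is made to hang) is cut off with a 503 instead of
// tying up a worker indefinitely.
func Harden(h http.Handler, limit time.Duration) http.Handler {
	limited := http.TimeoutHandler(h, limit, "request timed out")
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hdr := w.Header()
		hdr.Set("Content-Security-Policy", CSP)
		hdr.Set("X-Content-Type-Options", "nosniff")
		hdr.Set("X-Frame-Options", "DENY")
		hdr.Set("Referrer-Policy", "no-referrer")
		limited.ServeHTTP(w, r)
	})
}

// Probe issues an in-memory GET against h and returns the status and CSP header.
func Probe(h http.Handler) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Code, rec.Header().Get("Content-Security-Policy")
}

func main() {
	fast := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	slow := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { time.Sleep(200 * time.Millisecond) })
	fmt.Println(Probe(Harden(fast, 50*time.Millisecond))) // 200 with the policy set
	fmt.Println(Probe(Harden(slow, 50*time.Millisecond))) // 503 with the policy set
}
```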
6. Regular vulnerability scans and updates
Hackers are quick to identify websites running vulnerable software. Stay one step ahead of them by running regular vulnerability scans and identifying vulnerabilities in your web applications or websites before they reach production. This is achieved by building automated security testing into your CI/CD pipelines. SAST tools are traditionally implemented earlier in the SDLC, but their results carry a high rate of false positives, and they require more complex configuration and access to your source code. Traditional DAST tools, on the other hand, are language agnostic (they don’t need access to the source code), but they are typically used by security professionals and implemented later in the SDLC or run against production.
Unlike other DAST tools, Bright is built from the ground up to be developer first, integrated across your pipelines to scan every build / commit as part of your CI/CD so your application is secure by design. Easy to use and intuitive, you don’t have to be a security expert to start a scan. With NO false positives, Bright automatically validates every finding so you don’t have to. Thanks to integrations with various ticketing systems, all findings can be easily assigned to different team members for remediation, with developer-friendly remediation guidelines for an immediate and easy fix at the cheapest, most efficient time.
Sign up for free and see for yourself why Bright is a platform that security teams trust and developers love.