Developing Secure Web Apps: 5 Considerations
According to a 2019 report by Acunetix, out of 10,000 web applications scanned 87% had at least one vulnerability. These applications face significant risks, especially as the rate of cyberattacks increases. Lack of application security has costly implications for both organizations and users, from loss of privacy to regulatory fines.
To avoid security risks and prevent harm, companies are beginning to focus more on secure development. In this article, you’ll learn the most common issues undermining secure development in web applications. You’ll also learn some best practices for protecting against these vulnerabilities.
Major Security Issues in Web Apps
To secure your web applications, you must first understand which vulnerabilities are relevant. Below are the 10 most common issues, as identified by the Open Web Application Security Project (OWASP).
- Code injection — Malicious code or scripts are hidden in user inputs. Injection vulnerabilities enable attackers to trick your application into running commands or modify application functionality.
- Broken authentication — Authentication or session management is mishandled. Broken authentication enables attackers to compromise user credentials or exploit implementation flaws to assume false identities.
- Sensitive data exposure — Data is not encrypted or is transferred insecurely. Attackers can intercept data or infiltrate systems and steal data more easily.
- XML external entities — External entities processed within XML documents. Processing entities in XML docs enables attackers to uncover application structure and access internal files.
- Broken access control — User actions are insufficiently restricted or enforced. Broken access controls grant attackers easy access to restricted resources.
- Security misconfiguration — Includes the use of default configurations, open cloud storage, and error messages with sensitive information. Security misconfiguration reveals vulnerabilities to attackers or leaves open access.
- Cross-Site Scripting (XSS) — Occurs when untrusted data is used without validation. XSS enables attackers to hijack sessions, alter websites, and redirect users.
- Insecure deserialization — Occurs when data is read from a data stream without validation measures. Insecure deserialization enables attackers to perform remote code execution and escalate privileges.
- Including vulnerable components — Attackers can exploit vulnerabilities present in components to gain broader access. Lack of patching or updating grants continued access to known vulnerabilities.
- Insufficient logging and monitoring — Lack of monitoring or inattention to alerts makes attack detection ineffective. The longer attackers can bypass detection, the more damage they can cause.
5 Best Practices for Developing Secure Web Apps
Addressing the above security concerns takes significant care and planning. The following best practices can help you address or at least partially address many of the OWASP top 10 vulnerabilities.
1. Zero Trust
You should not trust user inputs or externally submitted information, regardless of its source. This is true for all input fields in your applications, even if fields are hidden and presumably “inaccessible”. Any data taken in should be validated or parameterized. Validation assures that no malicious characters or commands are included in inputs. Parameterization prevents included commands from being run unintentionally.
In general, you should keep your application as opaque as possible to attackers. The less potential attackers know about how your application works, the harder it will be to exploit it.
Keep sensitive information out of URLs and prevent manual changing of parameters, such as page location, whenever possible. You can prevent manual changes using flow control mechanisms. Flow control defines how a user can navigate through your application and prevents users from skipping restrictive measures.
2. Embrace Simplicity
The more simple your code logic is, the easier it is to secure. Complex logic is harder to follow and can lead to more bugs due to human error. The same goes for application structure. Try to eliminate or reduce cross dependencies whenever possible so you have the minimum amount of maintenance and attack surface area.
There is at least one exception; be careful about using client-side logic. It can provide a better user experience and can be simpler to enforce but it presents greater security risks. At minimum, don’t use only client-side security, for example, verification of inputs. Attackers can bypass or manipulate client-side measures more easily than server-side ones. Creating multiple layers of security and verification is one exception that creates greater benefit than risk.
3. Secure Third-Party Tools and Dependencies
You need to keep track of known vulnerabilities and apply patches as soon as available. There are multiple sources of information you should use. These include vulnerability databases, threat intelligence feeds, and vendor or project notices.
Make sure that any default settings, such as users or access settings are updated or removed as appropriate. Taking these steps ensures that access will only be available to you and not third-parties. Also, avoid installing sample or demo applications if these come with the tools you’re using. Demos often include vulnerabilities that could be used as a backdoor to your application or systems.
4. Set Session Limits
As long as a session is left open it presents an opportunity for breach. You should try to find a balance between security and user convenience.
Issues to focus on include:
- Inactive sessions — Set session timeouts for inactivity. The recommended range is 15-30 minutes. Session timeouts help keep sessions secure when users forget to logout.
- Long sessions — Set time cap on session length. The timing depends on the app and the average length of time a legitimate user is active; typically no more than a few hours. This can help ensure that bots or scripted processes aren’t keeping access open.
- Security errors — Any security-related error should end a session. Errors and users should be logged. You may also wish to implement a waiting period before the next sign in or use two-factor verification.
- Multiple sessions — Multiple sessions increase attack surface area and increase the chance that a user’s session will be misused. Unless there are legitimate reasons for multiple sessions, you should limit users to one active session at a time.
5. Use Encryption and Obscurity
Use SSL for information streams to encrypt data in transit but don’t depend on encryption for security. You should encrypt vulnerable fields within your HTML forms. Doing so can obscure sensitive content and application structure. Additionally, all fields and links should be signed to prevent tampering.
Keep your links relative whenever possible. Relative links obscure the full path of a site and prevent attackers from gaining structural information about your application. Further obscurity can be achieved if you use HTTP POST methods instead of GET. Post methods conceal sent parameters within the body of your request instead of in the visible header or URL.
When developing web applications, make sure to focus on security throughout the development process. You should start by including security at the design phase and continue into production. This includes frequent and comprehensive testing at all development stages.
Devoting time and consideration to secure development can ensure your web apps are safe for you and your users. Hopefully, this article helped you understand some of the vulnerabilities to be avoided. Using the best practices covered here is a good place to start.
Consulting is free – let us help you grow!
Choose Your Language
- Digital Marketing
- IT Consulting
- Project Management