Web app security is not something that you can bolt on after developing your app; it should be a core part of the development process. Web applications are, by design, available to others and are therefore exposed to many potential threats. As such, you need to build security into each component of your app and make security a part of each phase of the software development lifecycle to keep it safe from those threats.
There are several web application security best practices that you can follow to achieve this. Following them ensures that multiple layers of security are incorporated into your app and into your development and testing processes.
In this post, we will list seven of the most important web application security best practices that you should follow to protect your apps from threats. So, let’s take a look at these app security best practices and why they are important.
1. Provide Application Security Training at All Levels
The first and most important step in ensuring web application security is to provide security training to all software development personnel. It should not be limited to app developers but should extend to all related personnel involved in the process, such as quality assurance, project management, and operations staff. Training all disciplines associated with the development lifecycle helps to build a culture of security within the organization. Having trained personnel who understand the core security concepts associated with web application security lays the foundation for your security program.
2. Use Threat Modeling to Identify Threats and Vulnerabilities
One of the most important web application security best practices is to build threat models to identify threats. A threat model lets you look at all the information assets that could be targeted, how they may be vulnerable, and how an attacker might go after them. This process is not done just once; it is repeated as changes are made to the application, and the threat model should be constantly updated to capture new and emerging threats. The threat model will evolve over time and mature as more people give it critical thought. This not only helps develop a good model but also keeps base security knowledge and concepts at the front of mind for the entire team.
When creating a threat model, you must:
Identify all Information Assets
To prepare a threat model, you need to first identify all information assets (data) that may be targeted. You should already have identified sensitive data and categorized it with data classification levels. Within your application, you should know which data classification levels it works with and what that data is, so that you can ensure proper mechanisms are used to protect it.
Identify and Define Possible Threats
Once you have identified the critical data held within your application, you can start to consider the threats to it. This may be done in two manners, top-down or bottom-up. Bottom-up is closer to how an actual attacker works: they probe the systems, find weaknesses, exploit them and pivot until they reach the desired data. Top-down starts with the target and then looks at how someone might gain access to it.
You may use either approach and sometimes it is helpful to use both to get different perspectives on the application’s threats.
Oftentimes it is helpful to make use of attack libraries (e.g., MITRE's CAPEC) or vulnerability lists such as the OWASP Top 10 to seed the threat modeling effort.
Prioritize Vulnerabilities and Risks
Once you have developed and validated your threat model, you should assign each threat a priority and a risk value based on its impact and its probability of occurrence.
This may seem trivial, but it is important. Every organization has limited resources, and an efficient organization needs to spend them wisely to achieve the desired end state. To reduce risk to the application, the prioritization of vulnerabilities and threats must be based upon actual risk rather than on whatever happens to pop up and be of interest this week.
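As an added illustration of the three steps above (this is not code from the original post), here is a small threat-model register in Python that ties each threat to the information asset it targets, derives impact from the asset's data classification level, and ranks open threats by impact times likelihood. The asset names, classification scale, scores and OWASP category labels are constructed for the example.

```python
from dataclasses import dataclass

# Constructed classification scale: higher number, higher impact if compromised.
CLASSIFICATION_IMPACT = {"public": 1, "internal": 2, "confidential": 4, "restricted": 5}


@dataclass
class Asset:
    name: str
    classification: str  # one of the keys of CLASSIFICATION_IMPACT


@dataclass
class Threat:
    description: str
    asset: Asset
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    reference: str = ""    # e.g. a CAPEC id or OWASP Top 10 category
    mitigated: bool = False

    @property
    def impact(self) -> int:
        # Impact follows the classification of the targeted asset, so a threat
        # against restricted data is always rated above one against public data.
        return CLASSIFICATION_IMPACT[self.asset.classification]

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood


def prioritize(threats):
    """Return the open (unmitigated) threats ordered from highest to lowest risk."""
    open_threats = [t for t in threats if not t.mitigated]
    return sorted(open_threats, key=lambda t: (t.risk, t.impact), reverse=True)


# Constructed sample model for a hypothetical web shop.
customer_pii = Asset("customer PII table", "restricted")
product_catalog = Asset("product catalog", "public")
session_store = Asset("session store", "confidential")

SAMPLE_THREATS = [
    Threat("SQL injection via search parameter reads PII", customer_pii,
           likelihood=3, reference="OWASP A03 Injection"),
    Threat("Defacement of product descriptions", product_catalog,
           likelihood=4, reference="OWASP A03 Injection"),
    Threat("Session fixation lets an attacker hijack a logged-in user", session_store,
           likelihood=2, reference="OWASP A07 Identification and Authentication Failures"),
    Threat("Backup of PII left on a public bucket", customer_pii,
           likelihood=2, reference="OWASP A05 Security Misconfiguration", mitigated=True),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_THREATS):
        print(f"risk={t.risk:2d} impact={t.impact} likelihood={t.likelihood} "
              f"{t.description} [{t.reference}]")
```

The point of keying impact to the asset rather than scoring it per threat is that the register stays consistent as the model grows: when a data classification changes, every threat against that asset is re-rated at once, and the mitigated flag keeps closed items out of the working queue without losing the history.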
3. Prepare a Web Application Security Architecture
Your development team will be focused on the rapid development and deployment of functionality. To make sure that this is done securely, you have to develop a security architecture that makes it easy for them to develop and deploy secure code. This means you need simple authentication and centralized authorization that ensures all requests (application requests, service requests, etc.) are authorized vertically and horizontally, without developers having to jump through hurdles to perform these critical security functions. Your architecture should use a data access framework that makes it impossible to open up a SQL injection vulnerability. You have to ensure that any untrusted data is encoded before it is sent to a browser. In short, your security architecture should make it trivial for your development team to write code without opening any of the most common vulnerabilities, such as those found in the OWASP Top 10.
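To make the three properties in this paragraph concrete, here is an added example in Python (not the post's own code) using the standard-library sqlite3 module: a central authorization gate that enforces vertical (role) and horizontal (record ownership) checks, a query written with string interpolation beside its parameterized form, and an output-encoding helper for untrusted values. The table layout, role names and sample rows are constructed; `orders_by_owner_vulnerable` exists only to show the injection that the parameterized version shuts off.

```python
import html
import sqlite3
from functools import wraps

# Constructed role hierarchy; a higher rank implies every lower role's rights.
ROLE_RANK = {"user": 1, "support": 2, "admin": 3}


class AuthorizationError(PermissionError):
    """Raised by the central authorization gate; handlers never make the decision themselves."""


def require_role(min_role):
    """Vertical authorization: the caller's role must rank at least `min_role`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(caller, *args, **kwargs):
            if ROLE_RANK.get(caller["role"], 0) < ROLE_RANK[min_role]:
                raise AuthorizationError(f"{caller['name']} lacks role {min_role}")
            return fn(caller, *args, **kwargs)
        return wrapper
    return decorator


def require_owner(caller, owner):
    """Horizontal authorization: non-admins may only touch records they own.

    The owner comes from the stored record, never from the request, so a user
    cannot simply claim ownership of someone else's data."""
    if caller["role"] != "admin" and caller["name"] != owner:
        raise AuthorizationError(f"{caller['name']} may not access {owner}'s record")


def setup_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    db.executemany("INSERT INTO orders (owner, item) VALUES (?, ?)", [
        ("alice", "laptop"),
        ("bob", "<script>alert(1)</script>"),  # hostile value stored as-is; encoded on output
        ("bob", "keyboard"),
    ])
    return db


def orders_by_owner_vulnerable(db, owner):
    # Deliberately bad: interpolating the value lets it be parsed as SQL.
    return db.execute(f"SELECT * FROM orders WHERE owner = '{owner}'").fetchall()


def orders_by_owner(db, owner):
    # Bound parameter: the driver passes `owner` as data, never as SQL text.
    return db.execute("SELECT * FROM orders WHERE owner = ?", (owner,)).fetchall()


@require_role("user")
def get_order(caller, db, order_id):
    row = db.execute("SELECT * FROM orders WHERE id = ?", (order_id,)).fetchone()
    if row is None:
        return None
    require_owner(caller, row["owner"])
    return dict(row)


@require_role("admin")
def delete_order(caller, db, order_id):
    return db.execute("DELETE FROM orders WHERE id = ?", (order_id,)).rowcount


def render_row(row):
    """Output encoding: every untrusted value is HTML-escaped before it reaches a browser."""
    return "<tr>" + "".join(f"<td>{html.escape(str(v))}</td>" for v in row.values()) + "</tr>"


if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"
    print("interpolated query returns", len(orders_by_owner_vulnerable(db, probe)), "rows")
    print("parameterized query returns", len(orders_by_owner(db, probe)), "rows")
    print(render_row(get_order({"name": "bob", "role": "user"}, db, 2)))
```

The design choice worth noting is that handlers such as `get_order` contain no policy of their own: the role check is applied by the decorator and the ownership check by one shared function, so a reviewer can audit authorization in one place and a developer cannot forget it without the handler failing to compile against the convention.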
Your architecture should also plan for failure. Have mechanisms to alert on failure and to limit the blast radius so that a single failure does not lead to a catastrophic breach. Multiple layers of security controls, along with numerous restricted least-privilege accounts, help facilitate this.
Other web application security best practices that allow you to create a strong security architecture are:
- Keep a centralized structure where all authorization requests go through a central authority.
- Ensure all security events are logged in a manner that cannot be tampered with, and that all security events are monitored to detect malicious behavior.
- Ensure all data is protected in accordance with the appropriate standards for its classification level (e.g., passwords, tokens, and other sensitive information are never transmitted or stored in clear text).
- Use strong encryption algorithms such as AES and strong key management controls (e.g., a hardware security module or other appropriate key management tools).
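The second item, logging security events in a way that cannot be tampered with, can be implemented with a keyed hash chain. The following is an added example in Python (not from the original post) using only hashlib and hmac: each entry's tag covers both its own content and the previous entry's tag, so modifying, reordering or deleting any entry is caught by `verify()`. The signing key would come from an HSM or other key management tool in practice; here `os.urandom` stands in for it, and the event fields are constructed.

```python
import hashlib
import hmac
import json
import os
import time


class SecurityEventLog:
    """Append-only security event log protected by an HMAC hash chain."""

    GENESIS = "0" * 64  # tag assumed for the (non-existent) entry before the first one

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # list of {"record": {...}, "tag": hex string}

    @staticmethod
    def _canonical(record) -> bytes:
        # Deterministic serialization so verification recomputes exactly the same bytes.
        return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

    def _tag(self, prev_tag: str, record) -> str:
        # The tag binds this record to its predecessor, forming the chain.
        return hmac.new(self._key, prev_tag.encode() + self._canonical(record),
                        hashlib.sha256).hexdigest()

    def append(self, event_type: str, **fields) -> str:
        prev_tag = self.entries[-1]["tag"] if self.entries else self.GENESIS
        record = {"seq": len(self.entries), "ts": time.time(), "type": event_type, **fields}
        tag = self._tag(prev_tag, record)
        self.entries.append({"record": record, "tag": tag})
        return tag

    def verify(self):
        """Return None if the chain is intact, otherwise the index of the first bad entry."""
        prev_tag = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._tag(prev_tag, entry["record"])
            if entry["record"].get("seq") != i or not hmac.compare_digest(expected, entry["tag"]):
                return i
            prev_tag = entry["tag"]
        return None


def build_sample_log(key: bytes) -> SecurityEventLog:
    # Constructed events standing in for what an application would emit.
    log = SecurityEventLog(key)
    log.append("login_ok", user="alice", src="198.51.100.2")
    log.append("access_denied", user="mallory", resource="order/17")
    log.append("password_changed", user="alice")
    return log


if __name__ == "__main__":
    key = os.urandom(32)  # placeholder for a key held in an HSM / key management service
    log = build_sample_log(key)
    print("intact:", log.verify())                    # None
    log.entries[1]["record"]["user"] = "alice"        # someone rewrites history
    print("first bad entry:", log.verify())           # 1
```

Two deployment points follow from the design: the key used to compute tags must not be readable by the process that could be compromised, so the chaining is normally done by a separate log collector rather than inside the web app, and the latest tag should be forwarded regularly to the SIEM or another external store, since a chain that is simply truncated at its end still verifies on its own.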
4. Perform Regular Application Testing
Another effective web application security best practice is to regularly test your app for vulnerabilities throughout the development lifecycle.
Automated Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) tools should be used throughout the development lifecycle. Each has its own strengths and weaknesses, but by combining them you get early issue identification, which allows for faster and cheaper fixes. By integrating these into your lifecycle, you get the additional benefit of maintaining a higher level of security awareness.
HOWEVER, be very careful to ensure that these tools do not flood your development teams with false positives. If they do, the tools will be routinely ignored. Ideally, these tools should integrate with your own issue tracking system so that developers stay within their normal workflow and security issues are identified and put into their normal work queue. Cypress Defense has extensive experience developing and integrating these tools into CI/CD pipelines for development teams and can assist with this if needed.
5. Use Real-Time Monitoring and Protection
As the old saying goes, "there are those that have been breached and know it, and those that don't know that they have been breached". Organizations cannot depend upon preventative measures alone; they need strong detection and response capabilities as well. The use of Web Application Firewalls (WAFs), along with detailed security logging integrated into robust SIEM (Security Information and Event Management) tools, helps you detect unusual activity that may require further attention. In many organizations there is a disconnect between the operational side of the team and the development side, in which case it may benefit you to make your application more attack-aware (see below).
6. Develop Attack-Aware Applications
This web application security best practice takes your app security to the next level by providing immediate incident detection and response.
For this, you need to develop attack-aware apps that can detect intrusions or unusual activity immediately and either notify the security operations center (SOC) or take automated action. Developers often know best what normal behavior looks like and are better placed to detect malicious behavior. Detecting malicious behavior should be a standard user story for teams.
The benefit of such apps is that intrusions or malicious actions are detected in real-time, which allows you to take immediate action. Apps can also be designed to take automated response actions like logging out the user and notifying the admin.
Similar to firewalls, this is an additional layer of security and is not meant to be the only security measure in place. It needs to sit on top of an already securely designed web application.
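The detection described in sections 5 and 6 can live inside the application itself. Below is an added Python example (not the post's own code) that runs two simple rules over constructed application log lines: repeated failed logins from one source, and repeated authorization denials for one user, the kind of signal a central authorization gate emits. When a rule reaches its threshold inside its sliding window, the detector records an alert to forward to the SOC/SIEM and an automated response action for the app to take. The log format, thresholds, windows and IP addresses are all constructed, and lines are assumed to arrive in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> src=<ip> user=<name> event=<type>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")

# rule name -> (event to count, field to key the counter by, threshold, window, automated response)
RULES = {
    "brute_force": ("login_failed", "src", 5, timedelta(minutes=1), "block_source"),
    "authz_probing": ("access_denied", "user", 3, timedelta(minutes=5), "terminate_session"),
}


class AttackDetector:
    def __init__(self, rules=RULES):
        self.rules = rules
        # per rule, per key: timestamps of matching events still inside the window
        self._windows = {name: defaultdict(deque) for name in rules}
        self.alerts = []   # what gets forwarded to the SOC / SIEM
        self.actions = []  # automated responses the app takes itself

    def ingest(self, line):
        """Feed one log line; return the names of rules that fired on it."""
        m = LINE_RE.match(line.strip())
        if not m:
            return []  # unparseable line: ignored here, worth counting in production
        ts = datetime.fromisoformat(m["ts"])
        fired = []
        for name, (event, key_field, threshold, window, action) in self.rules.items():
            if m["event"] != event:
                continue
            key = m[key_field]
            q = self._windows[name][key]
            q.append(ts)
            while ts - q[0] > window:  # drop events that fell out of the sliding window
                q.popleft()
            if len(q) == threshold:  # fires when the count first reaches the threshold
                self.alerts.append({"rule": name, "key": key, "at": m["ts"], "count": len(q)})
                self.actions.append((action, key))
                fired.append(name)
        return fired


# Constructed sample lines: a password-guessing burst from one address and a user
# repeatedly being denied access to records that are not theirs.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=203.0.113.7 user=alice event=login_failed
2024-05-01T10:00:02 src=203.0.113.7 user=bob event=login_failed
2024-05-01T10:00:03 src=198.51.100.2 user=carol event=login_ok
2024-05-01T10:00:04 src=203.0.113.7 user=carol event=login_failed
2024-05-01T10:00:06 src=203.0.113.7 user=dave event=login_failed
2024-05-01T10:00:10 src=198.51.100.9 user=mallory event=access_denied
2024-05-01T10:00:11 src=203.0.113.7 user=erin event=login_failed
2024-05-01T10:00:40 src=198.51.100.9 user=mallory event=access_denied
2024-05-01T10:00:45 src=198.51.100.3 user=alice event=access_denied
2024-05-01T10:01:30 src=198.51.100.9 user=mallory event=access_denied
2024-05-01T10:02:00 src=203.0.113.7 user=frank event=login_failed
"""


def run(lines):
    det = AttackDetector()
    for line in lines:
        det.ingest(line)
    return det


if __name__ == "__main__":
    det = run(SAMPLE_LOG.splitlines())
    for alert in det.alerts:
        print("ALERT", alert)
    for action, key in det.actions:
        print("ACTION", action, key)
```

Note how the single stray `access_denied` for alice and the late `login_failed` at 10:02:00 (after the earlier attempts have aged out of the one-minute window) produce nothing: the windowed count is what keeps a rule like this from flooding the SOC with noise, which is the same false-positive concern raised for scanning tools in section 4.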
7. Run Applications with Few Privileges
Every web application provides some privileges to users on remote and local computers. As a web application security best practice, you should run apps with as few privileges as possible. As mentioned previously, it is preferable to plan for failure and use multiple least-privilege accounts to limit the blast radius when a failure does occur. Whenever privileged access is required, ensure that very strong authentication controls are established (e.g., multi-factor authentication only from the internal network) and that thorough auditing is in place.
Ensuring app security is a dynamic and ongoing process. Even after following all of the app security best practices above, you cannot afford to be complacent. You need to keep monitoring your app for security threats and improving your security measures.
The web application security best practices mentioned here provide a solid base for developing and running a secure web application. However, you still need to be vigilant and explore all other ways to secure your apps.