Secure Web Application Best Practices

by Sarah Harvey / August 20th, 2015

It isn’t news that maintaining a secure web environment is extremely important in today’s technological climate. Performing regular scans and tests of your security posture is a best practice and is becoming an essential part of maintaining security at your organization. Web applications have become a common target for hackers, hence the need for better practices.

Last week, we tapped into our own developers’ minds to help us put together a list of best practices for secure web applications, in order to educate and inspire our community of security-minded individuals.

Here are our top Secure Web Application Best Practices:

1. Training

If you’re a web application developer, you should always be aware of security risks and best practices for defending your application from those risks. OWASP is a great resource for learning about web application security. The OWASP Top 10 is a great list that creates awareness around some of the most critical web application security flaws. SANS is another great resource for information security training. Additionally, many web application frameworks publish security guides that cover built-in security features (e.g., Ruby on Rails, Django, and .NET publish security guides to help you as you build applications).

2. HTTPS Everywhere

HTTPS provides your users with the confidence that the web application they are connecting to is, in fact, yours. It also provides a secure channel for sending and receiving data. One risk involved in using HTTPS is when additional content is loaded insecurely over HTTP. While your site may be securely loaded over HTTPS, even a single JavaScript file loaded insecurely over HTTP can be intercepted and modified by an attacker. Ensure all your content and resources are loaded securely.
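The mixed-content risk described above is easy to check for mechanically. The following is an added example (not code from the original post) that scans a page's HTML for subresources still referenced over plain `http://`, and lists the two response headers that keep a browser on HTTPS: `Strict-Transport-Security` and the `upgrade-insecure-requests` CSP directive. The header values and the sample page are constructed for the example.

```python
from html.parser import HTMLParser

# Response headers (example values chosen here, not from the post) that keep
# browsers on HTTPS: HSTS makes the browser refuse plain HTTP to this origin
# for a year, and the CSP directive tells it to rewrite any remaining
# http:// subresource to https:// before fetching it.
HTTPS_ONLY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "upgrade-insecure-requests",
}

# Tag -> attributes whose value causes the browser to fetch a subresource.
_RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
}


class _MixedContentParser(HTMLParser):
    """Collect every subresource reference that uses a plain http:// URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for wanted in _RESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value and value.strip().lower().startswith("http://"):
                    self.findings.append((tag, value.strip()))


def find_mixed_content(html):
    """Return (tag, url) pairs for resources an HTTPS page would load over HTTP.

    Protocol-relative (//host/...) and https:// references are not reported,
    because the browser fetches them over the page's own scheme or over TLS.
    """
    parser = _MixedContentParser()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one script and one image are still on plain HTTP.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://cdn.example.test/analytics.js"></script>
</head><body>
<img src="//static.example.test/logo.png">
<img src="HTTP://static.example.test/banner.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag}> loads {url}")
```

Run it against your own rendered templates as part of CI; the scan only sees references written in the HTML, so scripts that inject further `http://` URLs at runtime still need the CSP directive as a backstop.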

3. Strong Password Storage Practices

When storing users’ passwords, it is extremely important to follow best practices. Never, ever, store passwords in plain text. You should store your users’ passwords as hashes, making use of cryptographic algorithms that are designed for protecting passwords. See the OWASP Password Storage Cheat Sheet.

4. Keep Application Dependencies Up-to-Date

Your web application most likely makes use of a framework and several libraries or components. Each one of these components is potentially vulnerable to attack. It is best to identify all of the components and versions currently being utilized in your application. Once you have that, monitor public databases (CVE, NVD) for reported risks to the components you use. Also, keep up to date with security mailing lists relevant to the frameworks you use and immediately update any components that release security fixes.
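The inventory-then-monitor procedure above can be scripted. The following added example (not from the original post) reads a constructed `requirements.txt`-style manifest, records which components are pinned to an exact version, and compares the pinned versions against a constructed advisory list. The advisory identifiers and fixed versions are placeholders, not real CVE or NVD records; in practice the advisory data would come from those databases or the framework's security mailing list.

```python
import re

# Constructed manifest standing in for the application's real dependency file;
# the inventory step is simply reading what is declared.
REQUIREMENTS = """\
Django==1.8.3
requests==2.7.0   # pinned, not affected by the sample advisory below
Pillow>=2.0
"""

# Constructed advisory data (placeholders, NOT real CVE/NVD records):
# package name -> list of (first fixed version, advisory identifier).
ADVISORIES = {
    "django": [("1.8.4", "ADVISORY-PLACEHOLDER-1")],
    "requests": [("2.6.0", "ADVISORY-PLACEHOLDER-2")],
}

_REQ_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)?\s*([\w.]+)?$")


def parse_version(text):
    """Turn '1.8.3' into (1, 8, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def inventory(requirements):
    """Map lowercased package name -> pinned version, or None when not pinned exactly."""
    found = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        match = _REQ_LINE.match(line)
        if not match:
            continue
        name, op, version = match.groups()
        found[name.lower()] = version if op == "==" else None
    return found


def check(requirements, advisories):
    """Return findings: ('vulnerable', pkg, version, fixed_in, id) or ('unpinned', pkg).

    An unpinned component is reported because its installed version is
    unknown, so it cannot be matched against advisories at all.
    """
    findings = []
    for pkg, version in inventory(requirements).items():
        if version is None:
            findings.append(("unpinned", pkg))
            continue
        for fixed_in, advisory_id in advisories.get(pkg, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append(("vulnerable", pkg, version, fixed_in, advisory_id))
    return findings


if __name__ == "__main__":
    for finding in check(REQUIREMENTS, ADVISORIES):
        print(*finding)
```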

5. Always Install Security Patches

Related to keeping your application dependencies up to date, you should also ensure your application stack is up to date. Ensure your OS, web server, application server, and databases are all up to date with the latest patches and configurations.

6. Web Application Firewall

A web application firewall (WAF) can be helpful in identifying and blocking threats to your application. A WAF applies rules to the HTTP traffic coming into your application. If certain patterns are detected that are commonly associated with attacks, the request is blocked. These rules can be customized based on the specific threats to your application. Running a WAF requires maintenance and tuning, but it can be very effective in blocking many known attacks.
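To make the "rules applied to HTTP traffic" idea concrete, here is an added example (not the post's code and not any real WAF product) of a minimal rule engine: it flattens the attacker-controlled parts of a request (path, query, body, headers) into fields, runs two signature rules covering the attack classes this post names, and shows the tuning step as a per-endpoint exception list. The rules, the exception, and the sample requests are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Signature rules as (name, pattern). These two cover the attack classes named
# in this post; a production rule set is far larger and updated continually.
RULES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
]

# Tuning: (path, rule) pairs suppressed because that endpoint legitimately
# receives matching input. Constructed example: a form that accepts HTML snippets.
EXCEPTIONS = {("/snippets/new", "xss-script-tag")}


def _fields(request):
    """Flatten every attacker-controlled part of the request into (location, value) pairs."""
    fields = [("path", unquote_plus(request.get("path", "")))]
    for key, value in parse_qsl(request.get("query", ""), keep_blank_values=True):
        fields.append((f"query:{key}", value))
    for key, value in parse_qsl(request.get("body", ""), keep_blank_values=True):
        fields.append((f"body:{key}", value))
    for key, value in request.get("headers", {}).items():
        fields.append((f"header:{key}", value))
    return fields


def inspect(request):
    """Return (rule, location, decoded value) matches; an empty list means the request passes."""
    hits = []
    for name, pattern in RULES:
        if (request.get("path"), name) in EXCEPTIONS:
            continue                      # tuned out for this endpoint
        for location, value in _fields(request):
            if pattern.search(value):
                hits.append((name, location, value))
    return hits


def decide(request):
    """Block on any rule hit; log the hits so rules can be tuned on false positives."""
    return "block" if inspect(request) else "allow"


# Constructed sample traffic. Query and body strings are URL-encoded as sent on
# the wire; the engine decodes them before matching, as a real WAF must.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/search", "query": "q=running+shoes", "headers": {}},
    {"method": "GET", "path": "/search", "query": "q=%27+OR+%271%27%3D%271", "headers": {}},
    {"method": "POST", "path": "/comments", "body": "text=hello+%3Cscript%3E", "headers": {}},
    {"method": "POST", "path": "/snippets/new", "body": "code=hello+%3Cscript%3E", "headers": {}},
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request["method"], request["path"], "->", decide(request), inspect(request))
```

Decoding before matching is the part people most often get wrong: a rule that only sees the raw `%27` form misses the same input sent with a different encoding. The exception list is where the "maintenance and tuning" in the text lives; each entry should be reviewed, since it is a deliberate hole in the rule set for one endpoint.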

7. Logging

It is always important to know what is going on within your applications. Collecting logs is vital to having an audit trail of activity. You should collect all authentication and user access events including access to your servers and user access to your applications. Collect data access, user events, and errors. Logs should be centrally collected and stored where they can be reviewed and correlated.
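Two things make the logs described above usable once they are centrally collected: a consistent record shape, and correlation logic that runs over them. The following is an added example (not code from the original post) that emits authentication and access events as one JSON line each, then correlates a constructed sample log to find accounts or source addresses with a burst of failed logins inside a short window. Field names, the window and the threshold are choices made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def auth_event(ts, event, user, src_ip, outcome, **extra):
    """Serialize one authentication or access event as a single JSON line.

    One record per line, fixed field names and UTC timestamps make the events
    easy to ship to a central store and to correlate across hosts.
    """
    record = {"ts": ts, "event": event, "user": user, "src_ip": src_ip, "outcome": outcome}
    record.update(extra)
    return json.dumps(record, sort_keys=True)


def failed_login_bursts(log_text, key="user", threshold=3, window=timedelta(minutes=5)):
    """Return {key value: most failures seen inside one window}, for values at or above threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("event") == "login" and record.get("outcome") == "failure":
            failures[record[key]].append(datetime.strptime(record["ts"], TS_FORMAT))
    alerts = {}
    for value, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[value] = max(alerts.get(value, 0), count)
    return alerts


# Constructed sample log: application logins, a server SSH login and a data
# access event, as the text recommends collecting all three kinds.
SAMPLE_LOG = "\n".join([
    auth_event("2015-08-20T10:00:01Z", "login", "alice", "203.0.113.5", "failure"),
    auth_event("2015-08-20T10:00:30Z", "login", "alice", "203.0.113.5", "failure"),
    auth_event("2015-08-20T10:01:10Z", "login", "alice", "203.0.113.5", "failure"),
    auth_event("2015-08-20T10:02:00Z", "login", "alice", "203.0.113.5", "success"),
    auth_event("2015-08-20T10:00:05Z", "login", "bob", "198.51.100.7", "failure"),
    auth_event("2015-08-20T10:20:00Z", "login", "bob", "198.51.100.7", "failure"),
    auth_event("2015-08-20T10:05:00Z", "ssh-login", "deploy", "198.51.100.9", "success", host="web-01"),
    auth_event("2015-08-20T10:06:00Z", "data-access", "carol", "203.0.113.9", "success", resource="/reports/42"),
])

if __name__ == "__main__":
    print("by user:", failed_login_bursts(SAMPLE_LOG))
    print("by source:", failed_login_bursts(SAMPLE_LOG, key="src_ip"))
```

Keying the same correlation by `src_ip` instead of `user` catches one address trying many accounts, which a per-user count misses; the sample log exercises only the per-user case plus a burst that the source-address view also sees.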

8. Assume All Input from Users is Malicious

As a developer, you should always assume that all user input is malicious. This includes form data, URL parameters, query strings, cookies, and HTTP headers. Validate all input based on type, length, and a whitelist of allowed value ranges. Many attacks such as SQL injection and cross-site scripting take advantage of applications that trust user input without proper validation. See the OWASP guidance on data validation.

9. Security Testing

Testing your application for vulnerabilities is an important step in finding and fixing flaws before you suffer from an attack. This can include static code analysis and penetration testing. Static code analysis scans your source code for flaws and potential security risks. These tools can be integrated into the development lifecycle, alerting developers to potential hot spots in their code. Web application penetration tests simulate attacks in order to analyze the security of your system. Both are necessary in order to ensure your application is secure.
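To show what "scanning source code for flaws" means at the smallest scale, here is an added example (not from the original post, and not a real static analysis tool) of one static check: it parses Python source into an AST and reports `execute()` / `executemany()` calls whose SQL text is assembled at runtime by concatenation, `%` formatting, `str.format()` or an f-string, which is the pattern behind the SQL injection case discussed earlier. The sample source it scans is constructed for the example.

```python
import ast

SQL_STARTS = ("select ", "insert ", "update ", "delete ")


def _contains_sql_literal(node):
    """True if any string literal inside the expression reads like a SQL statement."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            if sub.value.lstrip().lower().startswith(SQL_STARTS):
                return True
    return False


def _is_built_at_runtime(node):
    """True for f-strings, '+' or '%' expressions, and str.format() calls."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return True
    return False


def find_dynamic_sql(source):
    """Return (line, expression text) for execute()/executemany() calls whose SQL is built at runtime."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        query = node.args[0]
        if _is_built_at_runtime(query) and _contains_sql_literal(query):
            findings.append((node.lineno, ast.get_source_segment(source, query)))
    return findings


# Constructed sample module: three unsafe query constructions, one bound query,
# one constant query, and a non-SQL concatenation that must not be reported.
SAMPLE_SOURCE = '''\
def by_name(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = %s" % name)
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    cur.execute("DELETE FROM sessions WHERE expired = 1")
    log.info("processed " + name)
'''

if __name__ == "__main__":
    for line, expression in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: SQL built at runtime: {expression}")
```

This is a syntactic check only: it cannot see a query assembled in another function and passed in as a variable, and a literal that does not start with one of the listed keywords is missed. Real static analysis tools add data-flow tracking to follow a value from a request parameter to the query; wiring even this small check into the build is still how the "alerting developers to hot spots" step starts.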

For more information or help regarding the security of your web applications, contact us today.