Applications are the backbone and most valuable asset of almost every business that exists today. Being as valuable and crucial to business operations as they are, web applications tend to also attract attackers. Because of this, web application security has become a prime focus for developers and their enterprises. It’s never too early or too late to adopt best practices for application security but neglecting to implement them will almost always lead to disaster. As is said about many things, “it’s not if, it’s when”. Every application will likely be put to the test by attackers at some point so it pays to be prepared.
In this post, we'll look into 10 popular application security best practices. Some apply directly to the code of your web application, some to the infrastructure it is deployed on, and some to the human factors that lead to security vulnerabilities. Whether you're just starting with security and want to know what it entails, or you're a veteran developer looking for a refresher, you've come to the right place. Let's first take a look at several important principles of application security.
What Are the Principles of Application Security?
Principle of Least Privilege
The principle of least privilege focuses on controlling an entity's access to resources. It states that any entity, whether a user, a service account, or a process, should be granted only the privileges it needs to do its job, and nothing more. Limiting access reduces the damage an entity can do, whether through malice, a compromised credential, or a simple mistake. Following this principle means denying by default, scoping access to specific tasks and data, and removing privileges when they are no longer needed. Checking that entities still hold only the access they require is therefore an important part of any security audit.
Learn how StackHawk supports this principle with Teams and Roles.
Security by Obscurity
Obscurity means the state of being unknown, and security by obscurity is the practice of hiding details of data, mechanisms, or systems in the hope that attackers who do not know something is there will not attack it. Examples include running a service on a non-standard port, renaming an admin path, or suppressing version banners.
Unlike authentication and encryption, which hold up even when the attacker knows exactly how they work, obscurity only buys time: once the hidden detail is discovered, through scanning, leaked documentation, or guesswork, it provides no protection at all. It can add friction for opportunistic attackers, but it is not a substitute for real controls, so layer it on top of the other principles and never rely on it alone.
Fail Securely
This principle is about preparing for the worst. No matter how much security you implement, your systems will never be 100% secure: the threat landscape keeps changing and technology sometimes simply fails. Failing securely means designing for failure so that its impact is contained and the failure itself does not open doors for attackers to breach your application or cause more damage. In practice this usually means failing closed: when an authorization check, a policy lookup, or a certificate validation cannot complete, deny the request rather than allow it, and make sure error paths do not leak stack traces, internal hostnames, or other details that help an attacker. It is a form of damage control, keeping the consequences of a failure or breach within a level of risk you have deliberately accepted.
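The two principles above, least privilege and failing securely, can be demonstrated in a single authorization routine. The following is an added example and not code from the original post: the role map, the Principal type, and the PolicyStore stand-in for a remote policy service are constructed for illustration. Each role grants only the actions its holders need, and the check denies by default, including when the policy lookup itself fails, which the fail-open variant beside it gets wrong.

```python
"""Deny-by-default authorization: least privilege plus fail-closed error handling.
Added example; the role map and PolicyStore are constructed stand-ins."""
from dataclasses import dataclass, field
import logging

log = logging.getLogger("authz")

# Constructed role-to-permission map: each role lists only the actions its
# holders need, and nothing is implied or inherited.
ROLE_PERMISSIONS = {
    "viewer": frozenset({"report:read"}),
    "analyst": frozenset({"report:read", "report:export"}),
    "admin": frozenset({"report:read", "report:export", "user:manage"}),
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset = field(default_factory=frozenset)


class PolicyStore:
    """Stand-in for a remote policy service that can be unreachable."""

    def __init__(self, available=True):
        self.available = available

    def permissions_for(self, roles):
        if not self.available:
            raise ConnectionError("policy service unreachable")
        granted = set()
        for role in roles:
            # Unknown roles grant nothing rather than raising.
            granted |= ROLE_PERMISSIONS.get(role, frozenset())
        return granted


def is_allowed_fail_open(store, principal, action):
    """Anti-pattern: an error in the check itself grants access."""
    try:
        return action in store.permissions_for(principal.roles)
    except Exception:
        log.warning("policy lookup failed; allowing %s for %s", action, principal.name)
        return True


def is_allowed(store, principal, action):
    """Fail closed: deny unless the policy store positively grants the action."""
    try:
        granted = store.permissions_for(principal.roles)
    except Exception as exc:
        # Log enough to diagnose the outage, but deny the request.
        log.error("policy lookup failed for %s (%s); denying %s", principal.name, exc, action)
        return False
    return action in granted


if __name__ == "__main__":
    store = PolicyStore()
    alice = Principal("alice", frozenset({"viewer"}))
    print(is_allowed(store, alice, "report:read"))                         # True
    print(is_allowed(store, alice, "user:manage"))                         # False
    print(is_allowed(PolicyStore(available=False), alice, "report:read"))  # False
```

The design choice worth noting is that the only way to get `True` out of `is_allowed` is a positive grant from the policy store; an unknown role, a missing principal, or an outage all land on the deny path, and the outage is logged loudly so that it is fixed rather than silently tolerated.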
Minimizing the Attack Surface
Modern applications are complex and made up of many components and features, and every component, endpoint, and feature is another place an attacker can probe. Modern software usually relies on third-party extensions and dependencies, distributed services, and other components that are outside your direct control, which both gives attackers more entry points and makes those entry points harder for you to harden. Minimizing the attack surface means keeping an inventory of what is exposed and removing what is not needed: unused endpoints and features, debug interfaces, default accounts, open ports, and dependencies you no longer use. Whatever remains is smaller, easier to defend, and leaves fewer opportunities for attackers to take advantage of a vulnerability.
Application Security Best Practices
Now that we've reviewed these crucial principles, let's look at the best practices themselves. Each one below is a piece of a holistic approach to application security. Keep in mind that the list is not exhaustive, that many other practices could belong in your security strategy, and that no single practice is sufficient against all threats. Combining the techniques below is the best way to protect your applications.
Use Encryption
Application security is incomplete without encryption. Without it, data at rest and in transit can be read by anyone who gains access to the storage system or sits on the network path, for example through a man-in-the-middle attack. Every application handles some kind of sensitive data, and encryption keeps that data out of the hands of unauthorized parties, which is why your strategy must cover both data in transit and data at rest. Using encryption is not enough on its own; the mechanisms have to be strong. That means current TLS versions with certificate validation turned on for data in transit, authenticated encryption from well-vetted libraries for data at rest, and keys that are stored and rotated separately from the data they protect, since encryption is only as good as the protection around its keys.
As a first step, inventory your application's data flows and data stores and decide which of them need encryption. Then plan the changes needed to add it. Most languages and frameworks ship with, or integrate easily with, vetted encryption libraries, so do not write your own cryptographic primitives. From there you can move the application in stages from an insufficient or non-existent encryption implementation to a complete one.
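As an added example, not from the original post, here is what "strong encryption mechanisms" for data in transit looks like in code, using only Python's standard ssl module. The function names weak_context, hardened_context and audit_context are mine. The weak configuration is the one that appears in many codebases after someone silences a certificate error; the audit function flags it.

```python
"""Data in transit: a weak TLS client configuration beside a hardened one,
with a check that flags the weak settings. Added example using only the
standard library ssl module."""
import ssl


def weak_context():
    """Anti-pattern: verification disabled 'to make the error go away'.
    Any on-path attacker can now present a forged certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Verify the server certificate and hostname against the system trust
    store and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the list of baseline violations; an empty list means the
    context verifies peers, checks hostnames, and requires TLS >= 1.2."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLS 1.2")
    return findings


if __name__ == "__main__":
    print(audit_context(weak_context()))
    print(audit_context(hardened_context()))  # []
```

To use the hardened context, pass it wherever a connection is opened, for example `ctx.wrap_socket(sock, server_hostname="example.com")` for a raw socket or `urllib.request.urlopen(url, context=ctx)` for HTTP. The audit function is the kind of check worth running in a unit test so that a "temporary" `CERT_NONE` cannot slip into production.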
Bring in Security Early
As companies have started to focus more on application security, bringing security into the early stages of development has become common practice, often under the name DevSecOps, which has gained a lot of steam in the last few years. Bringing security influence into the development lifecycle early is what is meant by application security "shifting left". When you focus on security earlier, you make everyone responsible for it: not just the security team, but developers and testers also take a security-focused approach when building and testing the application. With this, you can identify and remediate security weaknesses as they are introduced, before they reach production, which strengthens the application's security at its core.
When you don't focus on app security early in the development lifecycle and leave it until after the application is developed, it's more expensive to fix weaknesses identified later. For instance, if a major vulnerability is found and is baked into multiple areas of the code, a major refactor will need to take place. Generally, this means that the code will then need to go through deployment and QA release processes again too. This increases the cost of a project and the timeline for the release.
Most importantly, if you fail to identify or fix these weaknesses in time and the application is pushed into production, the application remains insecure and gives an upper hand to attackers. DevSecOps can reduce the likelihood of these scenarios taking place. Bringing in a DevSecOps methodology does require a cultural shift, so if you plan on bringing DevSecOps to your organization, you have to start by changing the mindset of your teams and training them accordingly.
Perform Risk Assessments
Risk assessment is the process of identifying and evaluating risks. Understanding security risk matters because it tells you where you stand and which security measures are proportionate for you. Performing risk assessments and acting on the results helps you avoid breaches and regulatory issues and reduces long-term costs. Many enterprises, especially heavily regulated ones, have risk assessments built into their software development lifecycle by default. Usually this involves a rating system that classifies the risk of each application by the likelihood of an event and its impact, considering factors such as the sensitivity of the data handled, the consequences of data loss, network or application outages, or a data breach, and how exposed the application is.
Risk assessment gives you the larger picture of your application's security. Without it, you might not identify all the areas where you need to implement or enhance security. It starts with identifying risks and evaluating them; then you design and apply improvements to reduce the risk within the application; finally, you test the improved application to confirm it has actually improved in the areas you targeted. Risk assessment is an ongoing process that belongs to the duties of application design, build, and ownership, and it should be revisited whenever the application, its data, or its threat environment changes.
Implement Logging
A lot of intelligence can come from the data your applications produce, and application logs are a great source of data for evaluating and enhancing security. To get that intelligence you first have to log the right things: authentication successes and failures, authorization denials, input validation failures, administrative actions and privilege changes, and errors, each with a timestamp, the acting principal, and the source address, so that you can reconstruct what happened behind the scenes.
Logs serve both proactive and reactive security. Proactively, you can see how attackers are probing your application and improve its defences before they succeed. Reactively, logs are central to incident response if attackers do get in: without them you have no visibility into what was accessed or changed. A great way to use logs for security is to deploy a log monitoring tool that watches for specific patterns and scenarios and alerts teams to potential threats.
Be deliberate about how you plan and implement logging, because too much and too little are both harmful. Too little logging hides how your application is really being used. Too much clogs the log stream and makes it hard to find what matters, and logging the wrong data, such as credentials, session tokens, or other sensitive fields, turns the logs themselves into a target if an attacker gets hold of them. Two further points matter in practice: ship logs off the host to a central, append-only store promptly, since attackers who gain access try to erase their tracks, and keep clocks synchronized so events from different systems can be correlated. Before you implement, decide what needs to be logged, who may read the logs, and how long they must be retained; then design and build the logging around those answers.
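The following is an added example, not from the original post, of the two logging hygiene points above: emitting structured events that a monitoring tool can parse, and redacting credentials and tokens before the line is written. The sensitive key list, the bearer-token pattern, and the sample event are constructed for illustration; the function names redact, security_event and format_event are mine.

```python
"""Security logging with secrets redacted before the line is written.
Added example; key list, token pattern and sample event are constructed."""
import json
import logging
import re

# Field names that must never appear in clear text in a log line.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization",
                  "api_key", "cookie", "set-cookie"}
# Constructed pattern for bearer tokens embedded in free-text values.
BEARER_RE = re.compile(r"(Bearer\s+)[A-Za-z0-9._\-]+", re.IGNORECASE)


def redact(value):
    """Recursively mask sensitive keys and token-like strings in an event."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return BEARER_RE.sub(r"\1[REDACTED]", value)
    return value


class JsonFormatter(logging.Formatter):
    """One JSON object per line: easy for a log pipeline to parse and alert on."""

    def format(self, record):
        event = {"ts": self.formatTime(record), "level": record.levelname,
                 "event": record.getMessage()}
        fields = getattr(record, "fields", None)
        if fields:
            event.update(redact(fields))
        return json.dumps(event, sort_keys=True)


def configure(logger):
    """Attach the JSON formatter to a stream handler (stderr by default)."""
    handler = logging.StreamHandler()
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger


def security_event(logger, event, **fields):
    """Emit a structured security event; fields pass through redact()."""
    logger.info(event, extra={"fields": fields})


def format_event(event, **fields):
    """Return the exact line security_event() would write (useful in tests)."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, event, None, None)
    record.fields = fields
    return JsonFormatter().format(record)


if __name__ == "__main__":
    log = configure(logging.getLogger("app"))
    security_event(log, "login_failed", user="alice", password="hunter2",
                   src_ip="203.0.113.7",
                   headers={"Authorization": "Bearer eyJ.abc.def"})
```

Redaction happens in the formatter, so every call site gets it whether or not the developer remembered; the trade-off is that the key list has to be maintained, which is why the bearer-token pattern also scans free-text values as a second line of defence.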
Real-time Monitoring and Protection
A couple of minutes, or in some cases seconds, is enough to do a lot of damage once an application is breached. You might have sophisticated and intelligent security systems, but if they don't act in time they are no help when attackers strike. Real-time monitoring and protection lets you act in the moment an incident occurs, either by notifying the right people or through automated response such as blocking a source or revoking a session. Not every part of an application needs this level of attention, though, and alerting on everything produces noise that teams learn to ignore. The best approach is to identify which areas need real-time monitoring and protection, evaluate the tools that offer it, and tune the tool's capabilities to the needs of your application, including the thresholds at which an alert is worth a human's attention.
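As an added example of real-time detection, not from the original post, the following processes authentication events as they arrive and raises an alert the moment one source crosses a failed-login threshold inside a sliding window, rather than in a nightly batch. The log format, the sample lines, the BruteForceDetector class and the threshold are all constructed for illustration.

```python
"""Real-time detection: sliding-window brute-force alerting over auth events.
Added example; the log format and sample lines are constructed."""
from collections import defaultdict, deque


class BruteForceDetector:
    """Alert when one source produces >= threshold failed logins within
    window_seconds. Each event is evaluated as it arrives, so the alert fires
    on the offending event itself."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold
        self.window = window_seconds
        self._failures = defaultdict(deque)  # src_ip -> timestamps of failures
        self._alerted = set()                # sources already reported

    def observe(self, event):
        """Feed one parsed event; return an alert dict or None."""
        src, ts = event["src_ip"], event["ts"]
        if event["outcome"] == "success":
            # A success clears the counter and re-arms alerting for the source.
            self._failures.pop(src, None)
            self._alerted.discard(src)
            return None
        window = self._failures[src]
        window.append(ts)
        # Drop failures that have aged out of the window.
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) >= self.threshold and src not in self._alerted:
            self._alerted.add(src)
            return {"alert": "possible_brute_force", "src_ip": src,
                    "failures": len(window), "at": ts}
        return None


def parse_line(line):
    """Parse the constructed format 'unix_ts src_ip user outcome'."""
    ts, src_ip, user, outcome = line.split()
    return {"ts": int(ts), "src_ip": src_ip, "user": user, "outcome": outcome}


# Constructed sample log lines: five failures from one source within 55 s,
# then a stray failure much later.
SAMPLE_LOG = """\
1000 203.0.113.7 alice failure
1010 203.0.113.7 alice failure
1012 198.51.100.4 bob success
1020 203.0.113.7 admin failure
1030 203.0.113.7 root failure
1055 203.0.113.7 alice failure
1200 203.0.113.7 alice failure
"""


def run(detector, text):
    """Stream every line through the detector and collect the alerts."""
    alerts = []
    for ln in text.splitlines():
        if ln.strip():
            alert = detector.observe(parse_line(ln))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(BruteForceDetector(), SAMPLE_LOG):
        print(alert)
```

The `_alerted` set is what keeps this from paging someone on every subsequent failure from the same source; pairing the alert with an automated response (temporarily blocking the source, for instance) is the "protection" half of the practice.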
Vulnerability and Patch Management
Vulnerability management is the process of finding, prioritizing, and tracking vulnerabilities in the software and infrastructure your application uses. Patch management is the process of planning, testing, and applying the fixes. Both are needed to stay current with the latest fixes and to close the window in which a known issue can be exploited.
As applications have become more complex, vulnerability and patch management is no longer an easy task. A modern web app is built from a wide variety of languages, frameworks, third-party dependencies, and infrastructure products, and for each of these you need to track advisories and apply fixes or mitigations in time, without disrupting business-as-usual processes. Not patching a known issue in time leaves it open for attackers, who routinely scan for unpatched versions. A workable approach is to inventory every component that needs management (a software bill of materials helps here), set policies for how quickly issues of each severity must be fixed, and define who does the work and how it is tested and rolled out. Prioritize by severity and by whether the vulnerable component is actually reachable and exploitable in your deployment, not by score alone. Automation helps a great deal: dependency scanners can flag vulnerable versions on every build, and some systems can apply patches on their own.
For cloud applications, some managed services automatically patch the platform your app runs on, which is one way cloud application security can have a leg up on traditional on-premise patch management and part of the allure of moving to the cloud. Be clear about where the provider's responsibility ends, though: under the shared responsibility model the provider patches the managed platform, while your application code, its dependencies, and anything you install yourself remain yours to keep current.
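The core of a dependency scanner is a version-range match between what is pinned and what an advisory says is affected, followed by ranking so the team works the worst issue first. The following is an added example, not from the original post or any real tool: the package names, versions, advisory ids and the requirements-style lockfile are all constructed and do not refer to real software or real CVEs.

```python
"""Vulnerability management: match pinned dependencies against advisories and
rank the resulting work by severity. Added example; package names, versions and
advisory ids are all constructed and do not refer to real software or CVEs."""
from dataclasses import dataclass


def parse_version(v):
    """'2.10.0' -> (2, 10, 0). Tuples compare numerically; strings do not
    ('2.9.3' > '2.10.0' as text), a common bug in home-grown checks."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    id: str
    package: str
    introduced: str  # first affected version (inclusive)
    fixed_in: str    # first version that carries the fix
    severity: str    # critical / high / medium / low


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_lockfile(text):
    """Parse 'name==version' lines, ignoring comments and blanks."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps, advisories):
    """Return the affected dependencies, most severe first."""
    hits = []
    for adv in advisories:
        installed = deps.get(adv.package.lower())
        if installed is None:
            continue
        v = parse_version(installed)
        if parse_version(adv.introduced) <= v < parse_version(adv.fixed_in):
            hits.append((adv, installed))
    hits.sort(key=lambda h: (SEVERITY_RANK[h[0].severity], h[0].package))
    return [{"package": a.package, "installed": inst, "upgrade_to": a.fixed_in,
             "severity": a.severity, "advisory": a.id} for a, inst in hits]


# Constructed lockfile and advisory feed.
LOCKFILE = """\
acme-http==2.9.3
acme-yaml==5.1.0   # pinned for the legacy config loader
acme-crypto==1.10.0
"""

ADVISORIES = [
    Advisory("EX-2024-001", "acme-yaml", "0.0.0", "5.4.0", "critical"),
    Advisory("EX-2024-002", "acme-http", "2.3.0", "2.10.0", "high"),
    Advisory("EX-2024-003", "acme-crypto", "1.0.0", "1.9.0", "high"),  # already past the fix
]


def report():
    return find_vulnerable(parse_lockfile(LOCKFILE), ADVISORIES)


if __name__ == "__main__":
    for hit in report():
        print(f"{hit['severity']:8} {hit['package']} {hit['installed']} "
              f"-> {hit['upgrade_to']} ({hit['advisory']})")
```

Real feeds express affected ranges in richer ways (pre-release tags, multiple ranges, distribution-specific backports), which is the main reason to use an established scanner rather than this sketch in production; the ranking step, however, is where a policy such as "critical within 48 hours" gets enforced.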
Security Training
One of the weakest links in security is humans. In any organization there is a wide range of employees with varying knowledge of security best practices, and that gap is exactly what attackers target with tactics such as social engineering, gaining access to a system through an unwitting employee. For example, a malicious link in an email can be used to phish for access credentials, or a convincing message from a supposed colleague can talk someone into approving a login prompt.
Security training is important for two reasons. First, training and awareness lead employees to build secure applications and to follow secure practices as they manage and deploy them. Second, it prevents breaches that start with people, such as social engineering attacks. Proper training helps employees think in terms of security, which shows in their everyday work and strengthens the application's security.
Use a Cybersecurity Framework
Cybersecurity frameworks provide guidelines to improve the security of different types of applications and infrastructure. Several are in common use, such as the NIST Cybersecurity Framework, the MITRE ATT&CK knowledge base of attacker techniques, and, specifically for applications, the OWASP Application Security Verification Standard (ASVS). You can use them to analyze your current security implementation and see which aspects are lacking, or, if no security program is in place yet, as a blueprint for your security design.
Although using cybersecurity frameworks is mostly up to one's preference, you might have to adhere to one or more of these frameworks for regulatory purposes. Certain industries require that certain standards or frameworks are adhered to. Failing to adhere to the expected standards or framework might result in large fines and other penalties. If you are in such an industry, the first step is to go through the regulations and see what frameworks you must adhere to. After researching and defining what your security strategy must look like, you can then implement the appropriate security mechanisms.
Application Security Testing
Once you've applied the security measures you can, it's time to test whether they work. Application security testing helps you evaluate your security implementation and find anything you missed; without it you can't be sure what effect your measures actually have. There are plenty of ways to test developed software for security weaknesses.
One of them is manual penetration testing, where skilled testers attack the application the way a real adversary would. On top of penetration testing, you should automate as much testing as you can, since automated checks run on every change rather than once a year. Many security tools exist for this, most of which can be put in place from the start of development.
Two types of application security testing tools we will look at here are:
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
SAST involves scanning the application's source code (or bytecode) to find insecure patterns in the implementation, such as unsanitized input reaching a query or a command. Checking third-party dependencies and components for known vulnerabilities is a related but separate discipline, usually called software composition analysis (SCA), and is often bundled with SAST tooling. The great part about SAST is that it doesn't need the application to be running, so it can be applied as soon as the first line of code is written, for example on every commit. Its weakness is that it reasons about code rather than behaviour, so it can report issues that are unreachable in practice and miss issues that only appear at runtime, such as misconfiguration.
DAST, on the other hand, tests the application while it's running. It interacts with the application the way an attacker would, sending requests and checking how it responds, so it needs a deployed, runnable instance of the application or its APIs to test against. Because it sees real behaviour, including configuration and the interaction of components, it finds problems SAST cannot, but it only covers the surface it can reach. The two approaches are complementary and together form a solid base for an automated testing strategy.
Which tool is best depends on your application. One DAST tool you might want to check out is StackHawk's, since it is easy to configure and set up. It tests your running applications, services, and APIs for security vulnerabilities and integrates directly into the CI/CD pipeline, giving engineers a quick, automated feedback loop to find, triage, and fix issues. It also gives security teams visibility into what is happening and control over what to prioritize and fix.
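To make concrete how SAST can work before the application ever runs, here is an added, deliberately minimal static check, not from the original post and not how any particular commercial SAST product is built. It parses Python source into a syntax tree and flags a few well-known dangerous patterns; the rule ids, the sample source, and the scan_source function are constructed for illustration, and the scanner never executes the code it inspects.

```python
"""A minimal SAST check: find dangerous call patterns in Python source without
running it. Added example; rule ids and the sample source are constructed."""
import ast


def _is_call_to(node, names):
    """True if the call targets one of `names`, as a bare name or attribute."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id in names
    if isinstance(f, ast.Attribute):
        return f.attr in names  # e.g. os.system, subprocess.run
    return False


def _keyword(node, name):
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def scan_source(source, filename="<input>"):
    """Return findings as {rule, line, detail}, ordered by line number."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        if _is_call_to(node, {"eval", "exec"}):
            findings.append({"rule": "dynamic-code-exec", "line": node.lineno,
                             "detail": "eval/exec executes whatever string it is given"})
        elif _is_call_to(node, {"system", "popen"}):
            findings.append({"rule": "os-command", "line": node.lineno,
                             "detail": "shell command via os.system/os.popen"})
        elif _is_call_to(node, {"run", "call", "Popen", "check_output"}):
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append({"rule": "subprocess-shell", "line": node.lineno,
                                 "detail": "shell=True lets metacharacters in arguments run"})
        elif _is_call_to(node, {"execute"}):
            # A query assembled with + / % / f-string is a SQL injection smell.
            if node.args and isinstance(node.args[0], (ast.BinOp, ast.JoinedStr)):
                findings.append({"rule": "sql-string-build", "line": node.lineno,
                                 "detail": "query built by string formatting; use parameters"})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample: two vulnerable functions and one safe one.
SAMPLE = '''
import os, subprocess
def lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
def ping(host):
    subprocess.run("ping -c1 " + host, shell=True)
def safe_ping(host):
    subprocess.run(["ping", "-c1", host])
'''


if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(f"line {finding['line']}: {finding['rule']} - {finding['detail']}")
```

Note what this cannot tell you: whether `name` in `lookup` is ever attacker-controlled, or whether `ping` is reachable from the network at all. That is the gap DAST fills by exercising the running application, and why the two are paired.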
Conduct Bug Bounty Programs
Bug bounty programs are an extension of security testing. Depending on the tools you use and your team's knowledge, you might be limited in what weaknesses you discover in the application. Also, prior knowledge of what the application is and how it functions might narrow your view while testing. A bug bounty program is a great way to get an outsider's view of your application security.
A bug bounty program generally offers a financial reward to people who find and report bugs in an application. These programs have become a mainstay for many companies including Yahoo, Cisco, Snapchat, and many others. Bug bounty programs are a great way to include the security community and ethical hackers in the process of making your applications more secure.
Check out StackHawk's ZAP bounty program.
Application security is a must in this era, and it's good that companies are focusing on it at an increasing rate. Building a highly secure web application is not an easy task, especially when modern web applications have become so complex. You need good planning, design, and execution to get it right. In this post, we went through some of the most popular application security best practices to build a baseline for your application’s security. Depending on your application and business needs, you might need to incorporate more security practices than what we have covered here. At a minimum, applying each security best practice mentioned in this article is a good place to start.
One of the game-changing factors in application security is the set of tools you use. StackHawk's DAST is one such tool that can change the way you look at application testing and API security. Easily integrated into your CI/CD pipeline, StackHawk allows for repeatable and automated testing to ensure the security of your application. If you're interested in knowing more about this tool, check out the demo to see exactly how powerful and easy the platform is to use.