The importance of security in web applications can’t be understated. In today's digital age, web applications play a central role in our personal and professional lives. These applications are an integral part of our day-to-day interactions with the world, for better or for worse. One of the biggest concerns for most people and organizations is how these applications are storing and processing our most sensitive data. This data includes financial data, personal details, and other confidential information that users expect to be secure. As a result, web applications must remain secure and free from vulnerabilities that attackers could exploit.
In this article, we will discuss the key considerations for securing a web application. To make it as targeted as possible, we will provide a checklist of ten improvements that can help ensure the security of your web application. By following these best practices and taking a proactive approach to web application security, you can protect your users' data and ensure the integrity of your web applications.
Web Application Security Checklist
Securing a web app requires the regular review and improvement of existing security measures. Although web security and vulnerabilities are constantly changing, the practices below are timeless and should always be implemented and applied. Here is a list of things to check when building and securing your web apps. In each point, we also are sure to mention how to implement each suggestion and which vulnerabilities are addressed by implementing it. With that, let's get started.
1. Input Validation
Our first security measure to implement is input validation. By sanitizing and validating user input, you can prevent injection attacks and cross-site scripting. These types of vulnerabilities allow attackers to execute arbitrary code and potentially access sensitive data. These types of attacks can be easily executed, however, they can also be easily stopped.
The best way to ensure input validation is cohesive is by implementing measures on the front end and the back end (server) of the application. If you are only able to implement it in a single place, always make sure that the backend input is validated and sanitized. Sanitizing user input involves removing potentially harmful characters or data from user input. Validating user input involves ensuring that the input meets certain criteria, such as being in the correct format or within a certain range.
Many frameworks and languages have tools in place that allow users to easily implement this in their code. For instance, if you are building query strings in your code by simply taking user input and pushing it into a query, this is extremely unsafe and could easily leave you vulnerable to a SQL injection attack. A better way may be to use a parameterized query, call a stored procedure, or by using an ORM solution to access and manipulate data.
2. Authentication and Access Control
Making sure that your application can only be accessed by authorized users is the second improvement on our list. By making sure that users are supposed to have access, we can exponentially cut down the number of exploits available to potential hackers. To go further, you may also want to implement access control so that users only have access to the data and services that they require, nothing more.
As part of the authentication implementation, implementing secure password storage is crucial. If passwords are easily attained by attackers, entry into the application is no longer a barrier. To further protect users and your application, multi-factor authentication should also be included in your authentication measure. Multi-factor authentication, or MFA, helps prevent unauthorized access to your web application by enforcing another step in the authentication process. A common way of doing this is to send a login code to a trusted device via SMS or email to make sure that the user is fully authenticated.
The two best ways to achieve great authentication and access control standards are:
Using secure hashing algorithms for storing passwords
Requiring regular password updates
Implementing authentication methods, like two-factor (2FA) and biometric authentication
Many different services and frameworks include mechanisms for ensuring that authentication, authorization, and access control standards can easily be implemented.
3. Use of HTTPS and TLS encryption
Our next suggestion is to ensure that your applications are secured with the use of HTTPS and TLS encryption. This approach to web application access has become a standard even for apps that are not dealing with secure data or transactions. Many customers expect that all sites will be secure, especially the ones that are handling sensitive data.
HTTPS, which stands for Hypertext Transfer Protocol Secure, is a more secure extension of the standard HTTP protocol. HTTPS establishes an encrypted connection between a web server and a client's browser using Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL).
By using the HTTPS protocol, you can ensure that your applications are being accessed securely. Part of this is done by restricting access to your application through HTTP and only allowing access through HTTPS. If there is an issue with an HTTPS connection, many browsers will let the user know that the site may not be secure, which helps to inform users to be cautious or even avoid the site until the security issue is fixed.
By implementing HTTPS and proper certificate management, you can protect data in transit from man-in-the-middle attacks and interceptions. These types of attacks are easily executed over unsecure connections and networks and can be limited by using HTTPS. Many hosting solutions make it easy to deploy and maintain your applications with secure connections using the principles mentioned above.
4. Cross-Origin Resource Sharing (CORS)
Ensuring that your services and resources are only accessed by trusted domains is another easy way to minimize potential exploits. Creating a CORS policy allows your applications to figure out what traffic to block and which to let in, depending on where it originates from.
Proper CORS headers can allow or deny access from other domains to resources. This helps to prevent cross-site request forgery and cross-site scripting attacks. By properly configuring CORS headers, you can restrict access to your web application's resources to trusted domains and reduce the risk of these types of attacks.
Many frameworks will have CORS functionality built directly into them so it is available out-of-the-box and extremely easy to configure. For example, in Spring Boot we can set up a CORS policy like this:
@Configuration
public class WebConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("https://example.com")
.allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
.allowedHeaders("*")
.allowCredentials(true)
.maxAge(3600);
}
}
This example configuration stipulates the following:
Allows all resources to be accessed from https://example.com using any of the HTTP methods GET, POST, PUT, DELETE, and OPTIONS.
The * value for allowed headers means that any header is allowed in the request.
The allowCredentials setting is set to true, allowing credentials to be sent in the request.
The maxAge value of 3600 indicates that the preflight response can be cached for up to one hour.
Using even a simple configuration like the one above can add a massive amount of security to your application. As mentioned, many other frameworks have similar configuration options available.
5. Penetration testing
Our fifth suggestion is to implement penetration testing as part of your application security measures. Penetration testing is a method of testing an application's security by simulating a cyber attack. You can use it to identify vulnerabilities and weaknesses in a web application's security that an attacker could exploit.
To perform a penetration test, a team of security experts uses specialized tools and techniques to try to gain unauthorized access to the web application and its data. They then use the results of the test to identify and fix any vulnerabilities.
There are three types of penetration testing: white box, black box, and grey box. Let's take a look at each of the styles in more depth.
White box penetration testing
White box penetration testing involves sharing full network and system information with the tester, including network maps and credentials. The testing team will essentially be given as much information as possible to save time and reduce the overall cost of an engagement. A white box penetration test is great for simulating a targeted attack while utilizing as many attack vectors as possible.
Black box penetration testing
In a black box penetration test, no information is provided to the tester at all. Typically the most costly and time-consuming option, the pen tester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. In most scenarios, this is how attackers would operate, without knowledge of the system's internal workings. Because of the nature of this type of testing, there is a chance that potential vulnerabilities will be missed, and heavily depends on the skills of the tester executing the testing.
Grey box penetration testing
In a grey box penetration test, limited information is shared with the tester. Usually, this takes the form of login credentials or another mechanism for gaining access to the system without force. Grey box testing can help organizations understand the level of access a privileged user could gain and the potential damage they could cause. This can then help the organization implement the correct controls to mitigate the damage caused once an attacker has gained access to the application.
Adopting any of the penetration test techniques mentioned above is a great addition to your web application security practices. Many different firms and tools are available to assist with your pen testing needs.
6. Adopt a DevSecOps Approach
A DevSecOps approach involves bringing security experts into the development process. These experts integrate security testing into the development and operations process at every stage of the software development lifecycle. Much of these efforts include automating security controls, especially within the CI/CD pipeline used to build the application. DevSecOps aims to build security into the web application from the start, rather than adding it as an afterthought.
DevSecOps uses preventive measures against injection attacks, cross-site scripting, and sensitive data exposure, to avoid introducing vulnerabilities. Many different tools can be used within DevSecOps workflows. Examples of DevSecOps tools include:
SAST (Static Application Security Testing) tools
DAST (Dynamic Application Security Testing) tools
Container Security Tools
Infrastructure as Code (IaC) Security Tools
Vulnerability Management Tools
Secret Management Tools
By using the tools above, a high degree of automation and security can be added when building and maintaining web apps. These tools cover everything from scanning code and applications for vulnerabilities to ensuring that the infrastructure where the code is deployed is secure.
7. Secure Configuration and Deployment Practices
Properly configuring and deploying your web application is crucial to maintain its security. This includes following best practices when setting up your web server, securing your database, and implementing secure coding practices.
A big factor in this is making sure that your organization and team have the correct skillsets to handle a secure deployment of the application. This also will involve ensuring that the deployment checklist and steps that will take place are coordinated. Each step should take security best practices into account.
Making sure that the servers and database configurations are set up correctly is also important. Making sure that servers are hardened and not easily accessed by bad actors should not be overlooked and preferably audited as part of the deployment checklist. This is extremely important for database servers where sensitive data is stored at rest.
Many servers and CI/CD pipelines come built-in with the capabilities to adopt best practices. Be sure to research and follow the recommended security configuration as outlined in the docs provided by the vendors of these products.
8. OWASP's Application Security Checklist
Following OWASP's comprehensive list of security measures improves the security of your web application and protects against potential threats. This checklist covers a wide range of security measures for your web application, including authentication and access controls, input validation, error handling, and encryption. By following this checklist, developers can ensure that they implement the most up-to-date and effective security measures.
Although many of the topics are covered in this breakdown, it is good practice to make all technical participants in a project aware of the OWASP Application Security Checklist. As part of this, during code and deployment reviews, the checklist should be used as a reference to make sure that best practices are enforced.
9. Follow Proper Logging Practices
Monitoring and logging activity on your web application helps identify potential security threats and provides valuable information for forensic investigations in the event of a security breach. By keeping a detailed log of each application event, it is easy to trace the steps of an attacker and seal the vulnerability from being exploited in the future.
Proper logging practices also ensure that logs are not easily accessible to outside attackers. Just as internal investigators may use logs to identify how a breach occurred, attackers can also use data within the logs to plan an attack or see vulnerabilities.
When data is pushed to the logs, you should ensure that any sensitive data is masked or not included in the log statements. Data like credit card numbers, passwords, and other sensitive data should never make it into a log file without at least being masked. If an attacker gets access to a log with this type of data, it can be as detrimental as them getting access to the application itself.
Lastly, you should also ensure that debug log statements that print to a console or response are not pushed out into production code. They involve something as simple as a console.log in a JavaScript file which may expose an error occurring that the attacker could exploit.
10. Use a Web-Application Firewall (WAF)
Implementing a web-application firewall (WAF) helps protect your web application from common web-based attacks. Exploits such as cross-site scripting, SQL injection, and denial of service attacks can easily be warded off by a properly configured WAF. A WAF analyzes incoming traffic to your application and blocks any malicious requests.
Although it is not a silver bullet against all web-based exploits, WAFs are relatively simple to implement and can be a first line of defense for incoming traffic to the application. If you are deploying your application on the cloud, many cloud providers offer a WAF as part of their stack. For something more agnostic to the platform you are deploying your app to you could use Cloudflare WAF or Wallarm Cloud WAF, just to name a few.
Using StackHawk DAST for Web Application Security
Stackhawk is a dynamic application security testing (DAST) tool that tests the security of web applications. It identifies vulnerabilities and weaknesses in a web application's security before you deploy the app to production. StackHawk can automate testing by scanning and executing potential attacks against web applications and APIs. A report is then created showing potential vulnerabilities and leads developers to potential fixes.
The benefits of using DAST for web application security include:
Comprehensive testing: DAST tests for a wide range of vulnerabilities, including injection attacks, cross-site scripting, and sensitive data exposure.
Continuous testing: You can set DAST up to run automated tests regularly to catch potential vulnerabilities early on.
Easy integration: You can easily integrate DAST into your development workflow, allowing you to catch and fix vulnerabilities as part of your regular development process.
For more information on exactly how StackHawk works, check out our comprehensive blog post.
Web Application Security FAQs
Have more questions about Web Application Security? Below we have compiled a few common questions and comprehensive answers to help you and your team keep your web applications safe.
What Are the Security Requirements for a Web Application?
The security requirements for a web application depend on the specific needs and goals of the application. However, the following are considered the most important security requirements:
Authentication and Access Control: Ensure that only authorized users can access the web application and its sensitive data.
Data Encryption: always encrypt sensitive data, both in transit and at rest, to protect it from unauthorized access.
Input Validation and Sanitization: Prevent web applications from accepting malicious data by validating and cleaning user inputs.
These three security requirements are closely interrelated; ensure that you implement them correctly to provide robust security for web applications.
How Do You Maintain Web Application Security?
Maintaining web application security involves regularly reviewing and improving upon existing security measures to ensure that your web application remains protected against potential threats. Here are some best practices for maintaining web application security:
Keep software and libraries up to date: Updating your web application's software, libraries, and extensions regularly is essential as it protects your app from attackers who are always on the lookout for the latest security vulnerabilities and know how to exploit them.
Implement secure coding practices: Following best practices for secure coding helps prevent common vulnerabilities such as injection attacks and cross-site scripting. This includes validating and sanitizing user input, properly handling sensitive data, and following best practices for error handling and logging.
Regularly test for vulnerabilities: Security assessments and penetration testing can identify potential vulnerabilities in your web application and allow you to fix them before attackers exploit them.
Monitor and log activity: Regularly monitoring and logging activity on your web application helps identify potential security threats and provides valuable information for forensic investigations in the event of a security breach.
Keep regular backups: Having a backup system in place is a key method for safeguarding your web application's data. Store backups on a separate server or device, such as a home computer or hard drive, to protect them from potential attacks on the main server. You can also store backups on a cloud-based platform, which allows for easy access from anywhere.
Conclusion
To ensure the security of your web application, you must regularly review and improve upon existing security measures. This can include input validation, authentication, access control, TLS, and CORS, as well as following best practices for secure coding and deployment. Using tools like StackHawk can help identify and fix potential vulnerabilities before attackers exploit them.
By following these best practices and regularly reviewing and improving upon your web application's security measures, you can ensure that your web application is protected against potential threats and maintain its security over time.
Looking to take the first step towards making your applications more secure? Sign up and try out StackHawk for free! Scan your code, detect potential vulnerabilities, fix, and repeat. By including StackHawk in your CI/CD pipeline, you can ensure that every commit is scanned automatically and that your application is secure before it hits production.
Learn more
Read on to see how StackHawk’s CSO, Scott Gerlach talks about “Shift Left” being more than just a buzzword here.
Check out why Omdia’s On the Radar report highlights StackHawk as an “interesting alternative to most other DAST tools” here.
Getting started with StackHawk? Check out Advice and Answers from the amazing StackHawk team here.