Web applications are more popular among organizations and their customers. Many organizations provide web application access to their customers and employees. That enables them to carry out their activities effectively. Most web applications have great functionalities and capabilities. That creates the task of securing them. Many developers try their best to protect their application but fail somewhere. This blog talks about 10 little things you can do to protect your web applications. Here we go…!
1. Prior and continual Risk Assessments
One of the most important things in any project is to conduct a risk assessment before everything. Many developers consider doing risk assessments but in the middle of the development. But ideally, the risk assessments should be done in the very beginning. Identifying risk can be done in many approaches. The assessments should consider the main three pillars of information security. They are Confidentiality, Integrity, and Availability. A developer should identify any potential way of compromise in any of those pillars. That may give a good amount of risks identified even before the development is started. Identifying the risks is not enough, but the risks should be treated within the development period.
2. Authentications and Authorization
This is where almost every application relies on. If the authentication process is poor, the whole application could be compromised. Your application should be able to authenticate the legitimate user and reject the malicious users. There comes the challenge. Here are some things to be considered before implementation. Make sure you introduce a lockout process for failed login attempts. Also, log every failed attempt and successful attempt. Don’t forget to review them. Have a considerable time to unlock back the account. Then comes the password management. Enforce complex passwords and force changing the passwords periodically. Do not allow dictionary passwords, and repeated passwords to be used. Do not use guessable usernames, but modify them. If possible, use two-factor authentication. Try to make the authenticating transaction encrypted, and send them in a POST request.
Once the user is authorized, make sure you assign the correct access rights. Do not allow using the highest privileged user account for daily use, and do log the activities of admin users. Review them periodically.
3. Data validation
The trust between the user and the application is very important. Violating the trust of these may aid to attacks. Expected inputs should be sent through a field, but not a malicious script. To prevent from violations of data validation, create a criterion that defines what is allowed and blocked. For example, numbers shouldn’t be allowed in a name field. Likewise, define the length, type, and other parameters. Try to block known bad inputs when creating the criteria.
4. Cross-Site Scripting (XSS)
Cross-Site scripting attack is also can be considered as a violation of input validation. But, it’s a little more advanced. XSS attacks are done through social engineering techniques. Wonder what is that? Social engineering is the act of misleading a user by a human weakness. It’s a huge chapter to discuss. Anyway, in an XSS, a legitimate user may get a malicious popup that may lead to a compromise. To protect from such attacks, the developers should validate every input sent. All codes must be reviewed and validated before the output is generated. Fields like headers, cookies, form fields should have defined acceptable values.
5. Session Management
Managing sessions is very important. Most of the compromises have taken advantage because of the lack of session management. One of the good practices is not sending sensitive information via cookies because they are plain texted. Have unique session IDs for every user, and protect the session IDs from hijacking. If possible, protect them with SSL. Make sure to overwrite the session ID on logouts. Make the sessions expire if the user is inactive.
6. Buffer Overflows
Buffer overflow is an attack, which takes advantage of the length and type of inputs. An attacker may send large amounts of data to the application where it cannot handle it, and act in the attackers intend. To protect from these attacks, the application should review the HTTP request and identify large inputs before it comes. If inappropriate inputs identified, the application should drop the data. In addition, input data fields must be defined with field lengths and data types. Also, make sure to limit the amount of allowed text inputs in free forms.
7. SQL Injection
Command injection is another way of attacking web applications. SQL injection is the most popular of them. Protecting from SQL injection is a huge task and a huge chapter to explain. Putting it in simple terms, make sure to build a filter that verifies and confirms that the expected inputs are only allowed. If you need to have symbols, make sure they are converted to HTML. Give users the only needed SQL stored procedures. Try to avoid the use of shell commands. Have a mechanism to block and timeout the session if unacceptable data is found.
8. Error Handling
This is the thing! Most of our developers fail to handle the error messages. These inappropriately handled error messages disclose a lot and lot of information to the attackers. If possible, have an error handling policy during the development. Carefully decide which errors should provide a message to the user. And carefully draft error messages where the user gets only the needed information. Make sure nothing confidential is disclosed. But there are circumstances where default error messages give information to the users, which is inevitable. Try to log the error messages shown with the user information. Keep the log secure. Before the launch of the application, do a thorough testing to identify the possible errors and rectify them if anything found.
9. Logging and Monitoring
Logging is very important in the information world. Logs make the admins work easy and aid them in investigations. An appropriate logging mechanism may even aid the admins to prevent a potential attack by monitoring the log. Make sure to have time synchronization in your environment. Make sure your application syncs with a timeserver. Make your application logs the following, but not limited to, Date, Time, User, Process, Description, etc. Log all login events. Both successful and fail login attempts should be logged. Monitor the activities of all users, but especially administrator activities. Log any modification, addition and deletion activities. Archive the logs and review it in a periodic manner.
10. Web server configurations
Last, but not least. Above all, your web server should be protected to have your application protected. So make sure your web server OS is updated and patched. Configure the server to have separation with the application and the OS. Disable any service that is not used by the application. This may help you guys a lot in the protection; trust me. Delete default accounts and rename the common accounts, also disable the guest accounts. Do not use self-signed SSL certificates. Make sure appropriate cryptographic controls are implemented. Consider the protection of keys, certificates, and passwords. Make sure to use secure algorithms.
Above all, make sure you conduct independent security reviews on the web application. Don’t forget to identify any misconfiguration on the web server.
Above information is a very brief guide to protecting the web applications you develop. It doesn’t cover all the prevention mechanisms. Have these guidelines in mind and do a search on detailed implementation of each of those. Have a good day!