Traditional, downloadable, applications are becoming less common as cloud services expand. Instead, organizations and consumers are turning to programs they can use from any connected device: web applications. Web applications allow organizations to accommodate remote workers, as well as access a globalized market of connected customers. However, these applications require that services be constantly accessible and that data transfer is secure. An application breach or service inaccessibility can cause significant impacts to you and your customers.
In this article, we’ll look at some of the most common risks faced by web applications and cover some best practices for keeping you safe and your customers happy.
Common Risks for Web Apps
While web applications face some of the same risks as traditional offline applications, their connected nature can introduce additional concerns. Organizations like Open Web Application Security Project (OWASP) can be useful. They provide resources, and even suggested guidelines, for identifying and addressing these issues. You’ll want to visit their site for a full list, but the most common vulnerabilities include:
- Cross-Site Scripting (XSS)—attacker executes scripts in a user’s browser. This type of attack is used to redirect users to malicious sites, steal cookies with user information, and automatically download malware.
- Injection attacks—attacker submits code to be executed via user input fields. This type of attack is used to read or modify sensitive data, add malicious functions to applications, and access restricted servers.
- Remote Code Execution (RCE)—attacker uses automated tools to execute code remotely. This type of attack is used to escalate privileges for further attacks or insert malicious code.
- Direct Denial of Service (DDOS) attacks—attacker uses a network of compromised devices to spam and overload servers. This type of attack is used to shut down sites and cause revenue loss or to distract security teams and allow for other types of attacks.
- Logical vulnerabilities—attackers exploit logical flaws to access private data, modify parameters, bypass security measures, etc. For example, an attacker might change the price of an item in an online store by modifying the price in the URL and reloading their cart.
Best Practices for Improving Security for Web Apps
It is impossible to make any web application 100% secure. However, there are some best practices you can employ to minimize your vulnerability.
Shift Security Left
Shifting security left means integrating security teams and procedures earlier in the application development process. You can accomplish this by adopting a DevSecOps strategy, in which development, security, and operations teams work collaboratively. Doing so allows you to better create an actionable plan for security. It also facilitates continuous testing and correction of vulnerabilities. Addressing these issues during development, as opposed to post-deployment, reduces the risk of attack and often increases productivity.
When implementing security processes earlier, you should make sure to use a variety of tools and testing procedures. This will ensure that you cover both code-based and logical vulnerabilities in an efficient and comprehensive way. These tools and tests should include Dynamic Application Security Testing (DAST), which evaluates apps in their environment. Static Application Security Testing (SAST), which evaluates source code, should be included as well. Lastly, do not forget to include manual source code audits and both manual and automated penetration tests.
Use Web Application Firewalls (WAFs)
Relying on traditional firewalls will not keep your application secure. These firewalls are not able to analyze traffic for intelligent restriction and blocking all external traffic is not an option. Doing so would prevent customers from accessing your services. Such tools simply cannot provide adequate protection. Instead, you should consider a WAF.
With WAF you can analyze HTTP and HTTPS traffic and identify and block attacks on the application layer. This provides an extra layer of protection, but it is not a full solution. Keep in mind, WAFs work by pattern matching against known vulnerabilities. Unfortunately, this makes them useless against zero day exploits. Also, although WAFs are able to block identified exploits, these tools do not eliminate the vulnerabilities themselves.
Regardless of what aspect of access you’re addressing, you should implement the principle of least privilege. This will ensure that users and services are only given access to what they need. It will also reduce the damage that an attacker can do should they compromise services or credentials. Administrators should be able to access web servers locally, but regardless of whether this is possible, all remote traffic should be tunneled and encrypted. This means that source and destination addresses are hidden and unavailable to potential attackers. Adding these limitations reduces the risk of opportunities for remote attack.
When designing applications you should only include the functionality that is needed. Unnecessary or redundant code, services, or daemons can create vulnerabilities or gaps in security that can otherwise be avoided. If possible, switch off or permanently disable these non-essential or unused features.
Consider a Bug Bounty Program
Bug bounty programs are programs in which an organization offers a monetary reward. These rewards are given for the discovery and confidential reporting of newly discovered vulnerabilities or exploits. Instituting such a program can grant access to highly skilled hackers and other outside expertise without requiring upfront costs. Bug bounty programs allow you to benefit from continued security testing after an application has been deployed. These programs can reward your consumer base for engaging with security concerns. They can also highlight your dedication to security.
Depending on your resources and in-house expertise, you can either host a bounty program on your own or use a platform like Hackerone or Bugcrowd. Hosting on your own requires significantly more work. You have to clearly define bounty guidelines, develop a system for accepting reports, verify reports, and resolve reports once claims are verified or refuted. Platforms can be used to either accumulate reports or provide triage and verification of reports.
The rise in popularity of web applications has presented new challenges and benefits for organizations and potential attackers alike. To ensure that you and your customers continue to benefit from these applications and prevent attackers from interfering, you should adapt to these new challenges accordingly.
You can use the resources available to you to stay up to date on vulnerabilities as they are uncovered, as well as security best practices. Start with the risks and best practices covered here. This knowledge will give you a head start and a solid foundation to work from.
Author Bio: Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Gilad can be contacted via LinkedIn
Gilad David Maayan is a guest blogger. All opinions are his own.