Web Application Security Concerns Abound
InformationWeek identifies Web applications as attackers' preferred route into a corporation's assets. Yet many web applications contain vulnerabilities that are relatively simple to eliminate with proper testing and security protocols.
It’s a problem that’s been around for years. In 2010, OWASP identified the top 10 vulnerability concerns facing Web applications. The list includes lack of data validation and cleansing, broken or lacking access controls and authentication, cross-site scripting (XSS) and SQL injection, as well as others. Fortunately, there are steps you can take to ensure the security of your Web applications, whether third-party or internally developed.
There are a few steps involved in ensuring the security of your web applications.
- Consult OWASP’s Top Ten to guide your coding efforts. Entering the coding phase with common vulnerabilities in mind will help you reduce the likelihood of introducing vulnerabilities to your applications. Even if it’s not a vulnerability you can address during the coding phase, you can document potential issues to re-check and secure later in development.
- Gather the necessary information. If you're developing the application yourself, you already know much of what you need in order to move further into the security process. Inventory the technologies used, the user roles, the application entry points, the client-side code, host names and ports, and any third-party hosted content the application pulls in.
- Ensure data encoding or escaping. When data will be passed to a database, a web browser, or another external component, escaping or encoding it for that component's context is critical so that data is never interpreted as code.
- Implement data encryption. Login credentials, customer information and other sensitive data sent across a network are vulnerable to interception and interpretation without proper encryption.
- Make sure your application controls access to the server file system. Improper access controls can lead to easier access for hackers. Access control checks should be performed consistently across all potential execution paths.
- Use industry-standard cryptographic algorithms. Avoid hardcoded credentials and cryptographic keys.
- Implement secure launch permissions. If secure default permissions aren't set when your application is launched, the user is left open to attacks.
- Utilize third-party web application testing services. Even if you’ve taken every precaution in the development phase to create secure code and eliminate vulnerabilities, you should subject your applications to third-party scanning for vulnerabilities. Some of these services also offer detailed recommendations for eradicating the flaws discovered during testing, providing a fool-proof way to ensure you’re delivering a vulnerability-free product to the market.
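As an added example that is not from the original post, here is the encoding/escaping step above worked through in Python for the two contexts it names: a database lookup built by string concatenation beside its parameterized form, and HTML escaping for output sent to the browser. The in-memory users table, the hostile input string and the function names are constructed for this illustration.

```python
"""Escaping versus parameterisation for two output contexts (database, browser).

Added illustration; the sample users table and the lookup_* functions are
constructed for this example and are not from the original post.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: untrusted input is spliced into the SQL text, so input that
    # contains quote characters changes the meaning of the query.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the driver sends the value separately from the SQL text, so
    # the input is compared as data and cannot alter the query's structure.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def render_greeting(name: str) -> str:
    # Browser context: HTML-escape before interpolating into markup so a name
    # containing '<', '>' or quotes is displayed as text, not parsed as a tag.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"          # constructed input with an embedded quote
    print(lookup_unsafe(db, hostile))  # every row comes back: the query was rewritten
    print(lookup_safe(db, hostile))    # []: the whole string is matched as a literal name
    print(render_greeting("<b>guest</b>"))  # tags arrive as &lt;b&gt; text
```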
Depending on the nature of your application, there are dozens of other steps that will help secure your product. Web application security testing is the most critical step in the process. Even if you've carefully analyzed every snippet of code in your application, you can still miss less-obvious flaws that thorough static and binary scanning can detect. Making web application security testing a standard part of your development process is the one step that will ensure your applications won't expose your customers to unnecessary risks.
Feel free to leave your comments below if you have any views and suggestions.
Fergal Glynn is the Director of Product Marketing at Veracode.com, an award-winning application security company that specializes in securing the software supply chain and preventing other security breaches with risk assessment tools such as its secure software supply chain toolkit.