SPONSORED

6 Web Application Security Best Practices

Because security is a critical part of any application being developed, we’re going to outline what we consider to be web application security best practices.

1. Full-scale security audit

One of the best ways to ensure there are no security loopholes in your web applications is to have regular security audits.

A security audit can include one or more of the following:

Black box security audit: this is the ‘hacker approach’. The application is tested for exploitable vulnerabilities without access to the source code.

White box security audit: the opposite of a black box audit. In a white box security audit you, or the team performing the audit, have access to internal information including the code base. This type of security audit ensures you are following all the best practices, starting with secure coding practices.

Grey box security audit: as the name suggests, this is a mixed approach combining white box and black box security audits. Some important information is shared before the audit, but not everything.

If any vulnerabilities are detected during your audit, the best approach is to categorise them by impact, prioritise their remediation and fix the highest-impact vulnerabilities (Critical / High) first.

2. Encrypt data

Visitors and customers may share sensitive information on your website. The data in transit between the visitor’s browser and your server has to be encrypted.

Encrypting data in transit not only helps with customer trust, but also plays an important role in SEO ranking. Search engines like Google prefer websites with SSL; the use of HTTPS is even a ranking factor for Google.

However, it’s not only the data in transit that has to be encrypted. You also have to encrypt the data at rest to make sure malicious actors can’t simply copy or destroy it. Follow these practices to make sure your data is secure:

  • Implement network firewalls; that will help prevent threats from within the network.
  • Choose a strong encryption algorithm and encrypt the data before you store it.
  • Store data on a separate server in a password-protected database.
  • Infrastructure security is important. Don’t neglect it; invest in infrastructure security.

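
Putting the “encrypt the data before you store it” advice into code: an added example (not from the original article) that seals each record with AES-256-GCM before it reaches the database, so the stored blob is unreadable without the key and any tampering with it, or moving it onto another row, is detected when it is read back. The record content, the row id used as associated data and the key handling are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts a record before it is stored and returns nonce||ciphertext||tag.
// aad (here the row id) is authenticated, so a blob moved to another row will not open.
func sealRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord decrypts a stored blob; any change to ciphertext, tag or aad makes it fail.
func openRecord(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("stored blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func main() {
	key := make([]byte, 32) // production: fetched from a KMS, never kept beside the data
	rand.Read(key)
	blob, _ := sealRecord(key, []byte("constructed sample record"), []byte("customers:42"))
	_, err := openRecord(key, blob, []byte("customers:43")) // wrong row id must fail
	fmt.Println("moved blob rejected:", err != nil)
}
```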
3. Real time security monitoring

We already mentioned the importance of regular security audits, but those will not be enough without robust real-time monitoring. Consider using a web application firewall (WAF), which will help you block malicious activity in real time. As web application firewalls can raise false positives or miss some threats, consider using ASMP or RASP in addition.

An Application Security Management Platform (ASMP) monitors protocols beyond the application layer and helps you protect your apps against unknown threats in real time. While ASMP is embedded into your app, Runtime Application Self-Protection (RASP) runs on your server and monitors the behaviour of your web applications and the context of user input. If RASP detects suspicious activity, it will immediately terminate the session and block the malicious user. Keep in mind that neither of these guarantees 100% success.

4. Proper logging practices

To have good insight into events in your app, such as what happened at which time, whether something else was happening at the same time and how that affected the situation that occurred, you need proper logging in place. While this information is important to have and monitor continually, it is especially important in case of a security incident.

Post-incident forensics can become a daunting task without proper logging in place. With a proper logging mechanism, on the other hand, analysing the cause of a data breach and understanding the bad actor’s actions becomes much easier.
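
An added example (not from the original article) of the kind of logging that makes the questions above answerable: a structured audit event with a UTC timestamp and a request id, written one JSON object per line, plus a helper that pulls every other event that happened within a window of a given one. The event fields and the sample events are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// AuditEvent: who did what, when, from where, and whether it succeeded.
type AuditEvent struct {
	Time      time.Time `json:"ts"`
	RequestID string    `json:"request_id"` // correlates with app and WAF logs
	Actor     string    `json:"actor"`
	Action    string    `json:"action"`
	Outcome   string    `json:"outcome"` // "success" | "denied" | "error"
	SrcIP     string    `json:"src_ip"`
}

// Line renders the event as one JSON object per line (what log shippers ingest),
// with the timestamp normalised to UTC so servers in different zones line up.
func (e AuditEvent) Line() string {
	e.Time = e.Time.UTC()
	b, _ := json.Marshal(e)
	return string(b)
}

// ConcurrentWith answers "what else was happening at the same time": every
// event within +/- window of the pivot that belongs to a different request.
func ConcurrentWith(events []AuditEvent, pivot AuditEvent, window time.Duration) []AuditEvent {
	var out []AuditEvent
	for _, e := range events {
		if d := e.Time.Sub(pivot.Time); d.Abs() <= window && e.RequestID != pivot.RequestID {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	t0 := time.Date(2023, 5, 1, 12, 0, 0, 0, time.UTC) // constructed sample data
	events := []AuditEvent{
		{t0, "r1", "alice", "login", "denied", "203.0.113.7"},
		{t0.Add(2 * time.Second), "r2", "alice", "login", "denied", "203.0.113.7"},
		{t0.Add(5 * time.Second), "r3", "alice", "password_change", "success", "203.0.113.7"},
		{t0.Add(2 * time.Hour), "r4", "bob", "login", "success", "198.51.100.2"},
	}
	for _, e := range ConcurrentWith(events, events[2], time.Minute) {
		fmt.Println(e.Line()) // the failed logins just before the password change
	}
}
```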

5. Implement security hardening measures

Default settings won’t be enough for some components, which will need security hardening measures such as:

  • Maximum script execution time: Set the maximum time a particular script can run on the server. A low number here can help narrow the attack possibilities. Define the maximum script execution time based on your application’s use case.
  • Disable modules: Are there modules and extensions on your server that are not in use by the application? Disable them.
  • Have a content security policy in place: A good content security policy can help prevent infections like redirection malware from taking over.

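
An added example (not the article’s own) for the content security policy point: a permissive policy beside a hardened one, and a checker that parses a Content-Security-Policy header value and flags the settings that let injected or redirecting scripts run. Both policy strings are constructed, and the check covers only the directives named in the code.

```go
package main

import (
	"fmt"
	"strings"
)

// parseCSP splits a Content-Security-Policy header value into its directives.
func parseCSP(policy string) map[string][]string {
	out := map[string][]string{}
	for _, part := range strings.Split(policy, ";") {
		fields := strings.Fields(part)
		if len(fields) > 0 {
			out[strings.ToLower(fields[0])] = fields[1:]
		}
	}
	return out
}

// cspFindings lists settings that let injected or redirecting scripts run.
func cspFindings(policy string) []string {
	d := parseCSP(policy)
	var f []string
	scripts, ok := d["script-src"]
	if !ok { // script-src falls back to default-src when absent
		if scripts, ok = d["default-src"]; !ok {
			f = append(f, "no script-src or default-src: scripts are unrestricted")
		}
	}
	for _, src := range scripts {
		if src == "'unsafe-inline'" || src == "'unsafe-eval'" || src == "*" || strings.HasPrefix(src, "data:") {
			f = append(f, "script-src allows "+src)
		}
	}
	if _, ok := d["form-action"]; !ok {
		f = append(f, "no form-action: forms can be redirected to an attacker host")
	}
	if _, ok := d["base-uri"]; !ok {
		f = append(f, "no base-uri: an injected <base> tag redirects relative URLs")
	}
	return f
}

const weakCSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'" // constructed
const hardenedCSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'" // constructed

func main() {
	fmt.Println(cspFindings(weakCSP), cspFindings(hardenedCSP))
}
```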
6. Regular vulnerability scans and updates

Hackers are quick to identify websites running vulnerable software. Stay one step ahead of them by running regular vulnerability scans and identifying vulnerabilities in your web applications or websites before they reach production.

This is achieved by integrating automated security testing into your CI/CD pipelines. SAST tools are traditionally implemented earlier in the SDLC, but their results are high in false positives, and they require more complex configuration and access to your source code. On the other hand, while traditional DAST tools are language agnostic (they don’t need access to the source code), they are typically used by security professionals and implemented later in the SDLC or run against production.

How Bright makes the difference!

Security teams trust the Bright platform, and developers love the fact that they can confidently build apps with a scanning and testing tool built with them in mind.

Through integration across pipelines to scan every build / commit as part of the CI/CD, it’s secure by design.

Easy to use and intuitive, no security expertise is needed to start a scan. With NO false positives, Bright automatically validates every finding so you don’t have to.

Thanks to the integration with various ticketing systems, all findings can be easily assigned to different team members for remediation, with developer-friendly remediation guidelines for an immediate and easy fix at the cheapest, most efficient time.

By the time the security team needs to get involved in the release/approval process, they can be sure that any vulnerabilities have already been detected and remediated.

The company they keep

Any technology is only as good as the companies who trust it enough to buy it.

Bright Security are no exception, but we were impressed with their customer portfolio. Here are some of the brands they work with:

