11 Web Application Security Best Practices
Like any responsible website owner, you are probably well aware of the importance of online security. You may think that you have your ducks in a row in this department, but like many other website owners and companies, there probably hasn't been enough done to secure your web application(s).
If your website was affected by the massive DDoS attack that occurred in October of 2016, then you'll know that security is a major concern, even for large DNS companies like Dyn. As shown below, the number of DDoS attacks has consistently grown over the past few years and is expected to continue growing.
There is no way to guarantee complete 100% security, as unforeseen circumstances can happen (as the Dyn attack showed). However, there are methods that companies can implement to reduce the chance of running into web application security problems. In this post, we've created a list of particularly important web application security best practices to keep in mind as you harden your web security.
1. Create a web application security blueprint
You can't hope to stay on top of web application security best practices without having a plan in place for doing so. All too often, companies take a disorganized approach to the situation and end up accomplishing next to nothing. Sit down with your IT security team to develop a detailed, actionable web application security plan. It should outline your organization's goals.
For example, perhaps you want to enhance your overall compliance, or maybe you need to protect your brand more carefully. It should also prioritize which applications should be secured first and how they will be tested, whether you choose to do so manually, through a cloud solution, through software that you have on site, through a managed service provider or through some other means.
Although each company's security blueprint or checklist will differ depending on its infrastructure, Synopsys created a fairly detailed 6-step web application security checklist you can reference as a starting point.
Additionally, if your organization is large enough, your blueprint should name the individuals within the organization who should be involved in maintaining web application security best practices on an ongoing basis. Finally, be sure to factor in the costs that your organization will incur by engaging in these activities.
2. Perform an inventory of your web applications
As organized as you think your company may be, you probably don't have a very clear idea of which applications it relies on on a daily basis. In fact, most organizations have many rogue applications running at any given time and never notice them until something goes wrong. You can't hope to maintain effective web application security without knowing precisely which applications your company uses.
How many are there? Where are they located? Performing such an inventory can be a big undertaking, and it is likely to take some time to complete. While performing it, make a note of the purpose of each application. Chances are that when it is all said and done, there will be many applications that are either redundant or completely pointless. This inventory will come in handy for the steps that are to follow too, so take your time and make sure to get every single application.
3. Prioritize your web applications
After completing the inventory of your existing web applications, sorting them in order of priority is the logical next step. You may doubt it now, but your list is likely to be very long. Without prioritizing which applications to focus on first, you will struggle to make any meaningful progress.
Sort the applications into three categories:
- Critical applications are primarily those that are externally facing and contain customer information. These are the applications that should be managed first, as they are the most likely to be targeted and exploited by hackers.
- Serious applications may be internal or external and may contain some sensitive information.
- Normal applications have far less exposure, but they should be included in tests down the road.
By categorizing your applications like this, you can reserve extensive testing for critical ones and use less intensive testing for less critical ones. This allows you to make the most effective use of your company's resources and will help you achieve progress more quickly.
4. Prioritize vulnerabilities
As you work through the list of web applications prior to testing them, you need to decide which vulnerabilities are worth eliminating and which aren't too worrisome. The fact of the matter is that most web applications have many vulnerabilities. For instance, take a look at Sucuri's Q2 hacked websites report, which analyzed 9000 infected websites and categorized them by platform.
Eliminating all vulnerabilities from all web applications just isn't possible or even worth your time. Even after categorizing your applications according to importance, it will take considerable amounts of time to test them all. By limiting yourself to testing for only the most threatening vulnerabilities, you will save a ton of time and will get through the work a lot more quickly.
As far as determining which vulnerabilities to focus on, that really depends on the applications you're using. There are a few standard security measures that should be implemented (discussed further below); however, application-specific vulnerabilities need to be researched and analyzed.
Keep in mind as well that as testing unfolds, you may realize that you have overlooked certain issues. Don't be afraid to put the testing on hold in order to regroup and focus on additional vulnerabilities. Finally, remember that in the future, this work will be much easier, as you are starting from scratch now and won't be later.
5. Run applications using the fewest privileges possible
Even after all of your web applications have been assessed, tested and purged of the most problematic vulnerabilities, you aren't in the clear. Every web application has specific privileges on both local and remote computers. These privileges can and should be adjusted to enhance security.
Always use the least permissive settings for all web applications. This means that applications should be buttoned down. Only highly authorized people should be able to make system changes and the like. You might consider including this in your initial assessment. Otherwise, you will have to go back down the entire list adjusting settings again. For the vast majority of applications, only system administrators need complete access. Most other users can accomplish what they need with minimally permissive settings.
In the unlikely event that privileges are adjusted incorrectly for an application and certain users can't access the features that they need, the problem can be handled when it occurs. It is far better to be too restrictive in this situation than to be too permissive.
6. Have protection in place during the interim
Even if you run a small and fairly simple organization, it may take weeks - or even months - to get through the list of web applications and to make the necessary changes. During that time, your business may be more vulnerable to attacks. Therefore, it is crucial to have other protections in place in the meantime to avoid major problems. For this you have a couple of options:
- Remove some functionality from certain applications. If the functionality makes the application more vulnerable to attacks then it may be worth it to remove said functionality in the meantime.
- Use a web application firewall (WAF) to protect against the most troubling vulnerabilities. A WAF filters and blocks unwanted HTTP traffic going to a web application and helps protect against XSS, SQL injection, and more.
Throughout the process, existing web applications should be continually monitored to ensure that they aren't being breached by third parties. If your company or website suffers an attack during this time, identify the weak point and address it before continuing with the other work. You should get into the habit of carefully documenting such vulnerabilities and how they are handled so that future occurrences can be dealt with accordingly.
While you certainly don't have to stop using cookies - indeed, to do so would be a major step backward in many ways - you should adjust the settings for yours to minimize the risk of attacks.
- You should also be conservative when setting expiration dates for cookies. Sure, it's nice to know that a cookie will remain valid for a user for months on end, but the reality is that each one presents a security risk.
- Finally, consider encrypting the information that is stored in the cookies that you use.
9. Implement the following web security suggestions
Besides what we've already outlined in this post, there are a few other more "immediate" web application security suggestions that you can implement as a website or business owner. To learn more about each suggestion below, read the dedicated article pertaining to that topic and see if implementing each security enhancement is beneficial for your particular use-case.
- Implement HTTPS and redirect all HTTP traffic to HTTPS.
- Help prevent cross-site scripting attacks by implementing the x-xss-protection security header.
- Implement a content security policy.
- Help prevent man in the middle attacks by enabling public key pins.
- Apply subresource integrity to your resources.
- Use an updated version of TLS. To learn more, read our TLS 1.2 vs TLS 1.1 article and avoid using SSL completely.
- This goes without saying: use strong passwords that employ a combination of lowercase and uppercase letters, numbers, special symbols, etc. Use a program such as KeePass to generate and store strong passwords.
10. Conduct web application security awareness training
If you run a company, chances are that only certain people within your organization have a decent grasp of the importance of web application security and how it works. The majority of users have only the most basic understanding of the issue, and this can make them careless. This is also problematic because uneducated users fail to identify security risks.
By educating employees, they will more readily spot vulnerabilities themselves. In essence, bringing everyone up to speed about web application security is a terrific way to get everyone in on the act of finding and eliminating vulnerabilities. With this in mind, consider bringing in a web application security specialist to conduct awareness training for your employees.
By bringing everyone on board and making sure that they know what to do if they encounter a vulnerability or other issue, you can strengthen your overall web application security process and maintain web application security best practices over time.
11. Introduce a bounty program
A great way to get feedback from the community regarding potential web application security issues is to introduce a bounty program. Even if you run a company with dedicated security professionals employed, they may not be able to identify all potential security risks. Therefore, to help encourage the community to find security risks and report them, offer a "bounty" of monetary value.
At KeyCDN, we've implemented our own security bounty program to help reduce the risk of any security issues while at the same time providing community users the chance to be rewarded.
As you can see, if you're part of an organization, maintaining web application security best practices is a team effort. There are certainly immediate steps you can take to quickly and effectively improve the security of your application. However, as applications grow, they become more cumbersome to keep track of in terms of security. Putting the proper web application security best practices in place, as outlined in the list above, will help ensure that your applications remain safe for everyone to use.