Software Integrity


3 tips to ramp up your web application security

If you’ve ever been tasked with securing a web application for one reason or another, then you know it’s not an easy feat to accomplish. Maybe you’ve read through several articles in an attempt to wrap your head around this endeavor. Well, look no further. I’ve put together a list of entry to mid-level tips that you can use to start or upgrade your web application security strategy.

Tip #1: Don’t wait until the app is in production to check for vulnerabilities.

When you think about building security into your application, the first thing that likely comes to mind is penetration testing.

It’s easy for a group to produce something, reflect back on it, and identify issues with the thing (after all, hindsight is 20/20 as they say). However, this method is also the most expensive way to identify vulnerabilities within a web application. The earlier you start building security into your application, the less expensive and easier it is to accomplish.

Making the investment to train your developers in secure coding can significantly reduce the number of vulnerabilities identified through a dynamic application security test (DAST), and consequently the number of resources required to fix a vulnerability.

Similarly, reviewing the application source code prior to pushing it to production will benefit you in few different ways:

  • Avoid critical risks getting it into production.
  • Identify vulnerabilities prior to any sort of penetration test and provide an opportunity to fix the risks at a lesser price point.
  • Identify areas where your developers can improve their skills with effective, targeted training.

Tip #2: Compare yourself against your peers.

Securing applications isn’t easy, but luckily you don’t have to complete this task alone. The BSIMM is designed to help organizations understand, measure, and plan a software security initiative (SSI). Participating in the BSIMM community will allow you to gain insight into what other organizations in your industry are doing and how your security initiative stacks up against others.

Tip #3: Don’t trust your users further than you can throw them.

You may think that your user base can do no wrong, but you’d be surprised. Injection attacks are one of the most prevalent attacks that your applications face. Properly protecting against them will prevent your applications from being defaced and/or breached.

Protecting against injection attacks (such as cross-site scripting or SQL injection) requires some special consideration from your development team. Two important layered security techniques are:

  1. Input validation: A user’s input should not be trusted. Ever. This means that all user-entered data within your application should be sanitized. There are several frameworks that can help you protect your customers’ data against malicious users. Choosing the best frameworks depends on your specific technology stack.
  2. Output encoding: Input validation cannot protect your web applications from all types of injection attacks. Output encoding ensures that any malicious characters are rendered as text, and not as executable code by the application.

Summing it up.

These three tips aren’t comprehensive by any means—but they’re a great start to begin building security in and working to mature your SSI.

Stay current with Web application security testing courses