Web application security basics: 3 tips to get started

Synopsys Editorial Team

Mar 12, 2016 / 2 min read

If you've ever been tasked with securing a web application for one reason or another, then you know it's not an easy feat to accomplish. Maybe you've read through several articles in an attempt to wrap your head around this endeavor. Well, look no further. I've put together a list of basic tips that you can use to start or upgrade your web application security strategy.

Tip 1: Don't wait until the app is in production to check for vulnerabilities

When you think about building security into your web application, the first thing that likely comes to mind is penetration testing.

It's easy for a group to produce something, reflect back on it, and identify issues with the thing (after all, hindsight is 20/20 as they say). However, this method is also the most expensive way to identify vulnerabilities within a web application. The earlier you start building security into your web application, the less expensive and easier it is to accomplish.

Making the investment to train your developers in secure coding can significantly reduce the number of vulnerabilities identified through a dynamic application security test (DAST), and consequently the number of resources required to fix a vulnerability.

Similarly, reviewing the application source code prior to pushing it to production will benefit you in a few different ways:

  • Avoid critical risks getting into production.
  • Identify vulnerabilities prior to any sort of penetration test and provide an opportunity to fix the risks at a lesser price point.
  • Identify areas where your developers can improve their skills with effective, targeted training.

Tip 2: Compare yourself to your peers

Securing web applications isn’t easy, but luckily, you don’t have to complete this task alone. The BSIMM is designed to help organizations understand, measure, and plan a software security initiative (SSI). Joining the BSIMM Community will allow you to gain insight into what other organizations in your industry are doing and how your security initiative stacks up against others.

Tip 3: Don't trust your users further than you can throw them

You may think that your user base can do no wrong, but you'd be surprised. Injection attacks are one of the most prevalent attacks that your applications face. Properly protecting against them will prevent your web applications from being defaced and/or breached.

Protecting against injection attacks (such as cross-site scripting or SQL injection) requires some special consideration from your development team. Here are two important layered security techniques:

  1. Input validation. A user's input should not be trusted. Ever. This means that you should sanitize all user-entered data in your web application. Several frameworks can help you protect your customers' data against malicious users. Choosing the best frameworks depends on your specific technology stack.
  2. Output encoding. Input validation cannot protect your web applications from all types of injection attacks. Output encoding ensures that any malicious characters are rendered as text, and not as executable code by the application.
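As an added example (not code from the original post), here are the two layers in Python: an allowlist validator for a username field, a parameterized query beside the string-concatenated form it replaces, and HTML entity encoding of a free-text display name at output time. The table schema, the username rule and the sample rows are assumptions made for the demonstration.

```python
import html
import re
import sqlite3

# Assumed policy: usernames are 3-32 letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value: str) -> str:
    """Layer 1: input validation. Anything outside the allowlist is rejected."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def encode_for_html(value: str) -> str:
    """Layer 2: output encoding for an HTML text/attribute context."""
    return html.escape(value, quote=True)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form: user input concatenated into the SQL text."""
    return conn.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the input is bound as a value, never parsed as SQL."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(display_name: str) -> str:
    """Free-text field that validation alone cannot constrain (e.g. O'Brien),
    so malicious characters are neutralized by encoding at output."""
    return "<p>Hello, " + encode_for_html(display_name) + "</p>"
```

With a classic tautology string as input, the concatenated query returns every row while the parameterized one returns none, which is why the second layer still matters when validation is bypassed or too permissive.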

Summing it up

These three tips aren’t comprehensive by any means—but they’re a great start to begin building security in and working to mature your SSI.
