A good web application security strategy starts with the basics. Check out our list of entry to mid-level tips to start improving your web security today.
If you’ve ever been tasked with securing a web application for one reason or another, then you know it’s not an easy feat to accomplish. Maybe you’ve read through several articles in an attempt to wrap your head around this endeavor. Well, look no further. I’ve put together a list of basic tips that you can use to start or upgrade your web application security strategy.
When you think about building security into your web application, the first thing that likely comes to mind is penetration testing.
It’s easy for a group to produce something, reflect back on it, and identify issues with the thing (after all, hindsight is 20/20 as they say). However, this method is also the most expensive way to identify vulnerabilities within a web application. The earlier you start building security into your web application, the less expensive and easier it is to accomplish.
Making the investment to train your developers in secure coding can significantly reduce the number of vulnerabilities identified through a dynamic application security test (DAST), and consequently the number of resources required to fix a vulnerability.
Similarly, reviewing the application source code prior to pushing it to production will benefit you in few different ways:
Securing web applications isn’t easy, but luckily, you don’t have to complete this task alone. The BSIMM is designed to help organizations understand, measure, and plan a software security initiative (SSI). Joining the BSIMM Community will allow you to gain insight into what other organizations in your industry are doing and how your security initiative stacks up against others.
You may think that your user base can do no wrong, but you’d be surprised. Injection attacks are one of the most prevalent attacks that your applications face. Properly protecting against them will prevent your web applications from being defaced and/or breached.
Protecting against injection attacks (such as cross-site scripting or SQL injection) requires some special consideration from your development team. Here are two important layered security techniques:
These three tips aren’t comprehensive by any means—but they’re a great start to begin building security in and working to mature your SSI.
Ben Ronallo is a senior security consultant at Synopsys. He comes from a background in system administration and web development. Ben focuses his attention on improving the processes and capabilities of Synopsys' practices. When he's not teaching his puppy how to execute cross-site scripting, he's delving into the world of mobile security where he's documenting best practices and working with other subject matter experts to understand the ever-changing mobile landscape.