Every day that a web application is anything less than ‘fully secure’ is a day for potential data breach. Consumer data, sensitive business information, monetary transactions, and business reputation; everything is at stake.

Thanks to the enthusiastic media coverage on data breaches in 2016, business owners understand the risks and are prepared to take actions this year. But, where should they start? Should they focus on finding security vulnerabilities in existing applications or invest in web application security best practices for Software Development Life Cycle (SDLC)?

Our security analysts bring you a complete blueprint for best practices in application security.

Step 1: Create a Web Application Threat Model

Businesses must keep up with the exponential growth in customer demands. New applications, customer portals, simplified payment solutions, marketing integrations and other activities happen at lightning speed. As a result, an organized approach to security is rarely a priority.

Most businesses do not have a clear idea of how many applications they run, what each one is used for, and when it was last updated. This problem should be addressed before anything else.

Companies cannot expect to implement a web application security model without a blueprint of all the assets in use. Create a database of applications, like an inventory sheet, with details on the number of applications, their use, the last updated version, and plans for their future use.

Ensure that you include every application in the list; it is the most important part of our web application best practices list. If possible, also note the deployment mode, the layers within the application and the security methods already in use in the app. This will help you patch vulnerabilities quickly and more efficiently once they are found.


Step 2: Sort The Applications in Priority Buckets

It is easy to lose focus with numerous applications to test and fix.

Define priorities immediately after, or during, the app inventory. Sort all the applications into Critical, Serious, and Normal buckets to keep control over progress in the coming months.

  • Critical: This bucket is primarily for external-facing apps that deal with sensitive customer data and monetary transactions. Hackers will have a higher motivation to target these apps. Hence, critical apps should be tested and fixed on priority.
  • Serious: These apps can be both external and internal, with sensitive company and customer information. They should be next in the priority line after critical apps.
  • Normal: Hackers might not have direct access or knowledge of these apps but they should still be tested and fixed later.

Create another bucket for apps that are no longer useful. These serve no purpose and should be immediately retired.

Ensure that you update the inventory sheet once the task is complete. The goal of this step is to minimize risk and save time spent in both testing and fixing vulnerabilities.

Step 3: Find and Analyze Your App Vulnerabilities

Once you have created a web application security blueprint, testing will soon produce a long list of possible vulnerabilities. The real task is to prioritize those vulnerabilities by severity.

According to the Trustwave Global Security Report, an average application has 20 vulnerabilities. However, not all of them are severe enough to trigger a data breach or financial loss. For instance, vulnerabilities like Injection and Cross-Site Scripting are far more serious and should be fixed immediately, ahead of something lower in priority like Unvalidated Redirects and Forwards.

Create a custom threat model prioritizing vulnerabilities for all your applications. Alternatively, use the OWASP Overall Risk Severity Scores.
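The OWASP Overall Risk Severity score comes from the OWASP Risk Rating Methodology: each likelihood factor (threat agent and vulnerability) and each technical impact factor is rated 0 to 9, the two groups are averaged, each average is banded as LOW (below 3), MEDIUM (3 to below 6) or HIGH (6 and above), and a 3x3 matrix turns the pair into NOTE, LOW, MEDIUM, HIGH or CRITICAL. The following Python example, added here and not code from the original post, implements that scoring and ranks findings by it; the two findings and their factor ratings are constructed sample values, not measurements.

```python
"""OWASP Risk Rating Methodology: likelihood and impact factors -> overall severity.
Added example; the sample ratings below are constructed, not measured data."""
from typing import Dict, List, Tuple

# Likelihood factors (threat agent + vulnerability), each rated 0-9.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Technical impact factors, each rated 0-9.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)

# Overall severity matrix: (likelihood level, impact level) -> severity.
SEVERITY = {
    ("LOW", "LOW"): "NOTE",     ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",   ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",  ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NOTE": 0}


def level(score: float) -> str:
    """Map a 0-9 score to the OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(ratings: Dict[str, int], factors: Tuple[str, ...]) -> float:
    """Average the named factors, refusing incomplete or out-of-range input."""
    missing = [f for f in factors if f not in ratings]
    if missing:
        raise KeyError(f"missing factor ratings: {missing}")
    bad = [f for f in factors if not 0 <= ratings[f] <= 9]
    if bad:
        raise ValueError(f"factors must be rated 0-9: {bad}")
    return sum(ratings[f] for f in factors) / len(factors)


def rate(ratings: Dict[str, int]) -> Dict[str, object]:
    """Compute likelihood, impact and the overall severity for one finding."""
    likelihood = _average(ratings, LIKELIHOOD_FACTORS)
    impact = _average(ratings, IMPACT_FACTORS)
    return {
        "likelihood": round(likelihood, 2),
        "impact": round(impact, 2),
        "severity": SEVERITY[(level(likelihood), level(impact))],
    }


def prioritize(findings: Dict[str, Dict[str, int]]) -> List[Tuple[str, str]]:
    """Order findings most severe first; ties are broken by higher likelihood."""
    rated = {name: rate(r) for name, r in findings.items()}
    order = sorted(
        rated,
        key=lambda n: (SEVERITY_RANK[rated[n]["severity"]], rated[n]["likelihood"]),
        reverse=True,
    )
    return [(n, rated[n]["severity"]) for n in order]


# Constructed sample ratings for two findings (illustrative values only).
SAMPLE_FINDINGS = {
    "SQL injection in public login form": {
        "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
        "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8,
        "loss_of_confidentiality": 9, "loss_of_integrity": 7,
        "loss_of_availability": 5, "loss_of_accountability": 7,
    },
    "Unvalidated redirect on internal page": {
        "skill_level": 3, "motive": 4, "opportunity": 4, "size": 2,
        "ease_of_discovery": 5, "ease_of_exploit": 5, "awareness": 4, "intrusion_detection": 3,
        "loss_of_confidentiality": 2, "loss_of_integrity": 3,
        "loss_of_availability": 1, "loss_of_accountability": 1,
    },
}

if __name__ == "__main__":
    for name, severity in prioritize(SAMPLE_FINDINGS):
        print(f"{severity:<8} {name}")
```

With the sample ratings the injection finding scores likelihood 8.25 (HIGH) and impact 7.0 (HIGH), which the matrix maps to CRITICAL; the redirect scores 3.75 (MEDIUM) and 1.75 (LOW), giving LOW. Using business impact factors instead of technical ones is a matter of swapping the IMPACT_FACTORS tuple; the banding and matrix stay the same.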


You can also visit the individual OWASP Top 10 vulnerability pages. The OWASP Foundation provides in-depth analysis of threat agents, attack vectors, security weaknesses, technical impacts and business impacts.


Step 4: Fix Critical and High Vulnerabilities

Fixing vulnerabilities in an application requires an understanding of the problem and code changes. The process takes considerable time and resources, which makes eliminating all the vulnerabilities an uphill project.

A smarter choice is to start with the vulnerabilities that have the highest impact on the business and brand reputation. Ensure that the developers dedicate their time to these issues only. Once the Critical and High vulnerabilities are fixed, move on to Medium and Low.

Step 5: Deploy Some Protection

Ground realities differ from your app security plans. No matter how small your business is, it may take weeks just to find the vulnerabilities, and months to fix them.

As per the Web Application Security Statistics Report, fixing a critical vulnerability takes 146 days on average. Can you really wait for 5 months? Will the hackers wait? In the meantime, you should deploy alternative fixes to stop hackers from exploiting the weaknesses.


  • Get a Web Application Firewall (WAF): Traffic routed through a WAF is blocked if it is malicious. Advanced web application firewalls even support custom rules to block exploitation of any vulnerability, whether generic or specific to the app's logic. A web application firewall is critical for businesses with hundreds of applications and a shortage of resources to manage security risks.


  • Restrict Functionality: If you choose to wait until all the applications are fixed, limit the app's functionality. Restrictions like limited access to the user database, session timeouts and others can help prevent some of the attacks.

Whether an application is vulnerable, secure, or protected by a WAF, continue monitoring traffic for possible data or money leakage. Manual penetration testing is the best way to look for such loopholes. This will help you identify weak points and fix them before they are exploited externally.

Step 6: Use Advanced Application Security Measures

Zero-day vulnerabilities, frequent code changes, third-party source code, app DDoS risks, and other unforeseeable circumstances make application security a difficult and never-ending project. However, implementing the above-mentioned steps, along with these quick tips, will help you stay secure.

  • Monitor Apps: Virtual patching through a WAF, besides the 'time to fix' benefit, also offers continuous web application monitoring and provides visibility into the vulnerabilities being blocked, where the attacks come from and what attackers do before and after their attempt to exploit. These analytics help you build security intelligence to secure apps more efficiently. Monitoring is also effective against app DDoS attacks.
  • Use Automated + Penetration Testing: Most businesses rely on automated app testing, which is critical for finding vulnerabilities. However, automated tools are often weak at finding logical flaws in an application. Penetration testing by trained security experts is the logical way to test an app the way a hacker would. Always conduct penetration testing when taking an app from development to production. If possible, automate testing for all applications in your infrastructure to augment penetration testing.
  • Retire applications: Often there are old apps that serve no purpose and that nobody knows about. Forgetting about these apps is dangerous. Even a minor app for an inconsequential task can help hackers get into your database. Get rid of such applications on a regular basis.
  • Update Passwords: Change your administrator passwords periodically. While this is a basic security procedure, most admins are so busy taking the big steps that they overlook passwords. Follow the industry application security best practices for password structure and update frequency.
  • Study Log Forensics: If there is a data breach, security logs help find out what went wrong. This forensic data will not only help you detect breaches but also strengthen the infrastructure. Ensure that the security logs cannot be deleted and that developers or security experts review these logs regularly.
  • Data Validation Model: Most administrators fail to validate and parameterize input fields across the website. This practice attracts rogue entries and hence data leakage. Implement a data validation model across all input fields.
  • Restrict Privileges: User and application privileges should be limited. It is better to restrict than regret.
  • Authentication: Spend more time defining the authentication process. Use industry standards.
  • Content Policy: Develop a content security policy for the company.
  • File System: A read-only (unwritable) file system prevents many types of attacks. Implement it. With it, hackers would have a hard time changing anything on the server.
  • Session Handling: Maintain a session timeout and deny multiple sessions from a single user.
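Both the "Restrict Functionality" item in Step 5 (session timeouts) and the "Session Handling" item above describe rules a server-side session store should enforce: expire a session after a period of inactivity, cap its total lifetime even while active, and allow only one active session per user. The following Python example, added here and not code from the original post, implements those three rules in a small in-memory store. The timeout values, the FakeClock used to exercise the store without sleeping, and the user names are all constructed for the demo; a real deployment would keep the store in a database or cache and tune the timeouts to its own risk.

```python
"""Server-side session store enforcing idle timeout, absolute lifetime and
one active session per user. Added example; values below are constructed."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session expires (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session lifetime, even if active (assumed)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


def _fingerprint(token: str) -> str:
    """Store only a hash of the token, so a leaked store cannot replay sessions."""
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """In-memory store; the clock is injectable so behaviour can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}   # token hash -> session
        self._by_user: Dict[str, str] = {}        # user -> active token hash

    def login(self, user: str) -> str:
        """Start a session; any existing session for the same user is revoked."""
        old = self._by_user.pop(user, None)
        if old is not None:
            self._sessions.pop(old, None)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        key = _fingerprint(token)
        self._sessions[key] = Session(user, now, now)
        self._by_user[user] = key
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user of a live session (refreshing its idle timer), else None."""
        key = _fingerprint(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.logout(token)          # expired: remove it server-side
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        """Invalidate a session explicitly (user logout or forced revocation)."""
        key = _fingerprint(token)
        s = self._sessions.pop(key, None)
        if s is not None and self._by_user.get(s.user) == key:
            del self._by_user[s.user]


class FakeClock:
    """Controllable clock for the demo (constructed, not wall time)."""
    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict[str, bool]:
    """Exercise each rule and report whether it held."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    results: Dict[str, bool] = {}
    t1 = store.login("alice")
    results["valid_after_login"] = store.validate(t1) == "alice"
    clock.advance(IDLE_TIMEOUT + 1)
    results["expired_after_idle"] = store.validate(t1) is None
    t2 = store.login("alice")
    t3 = store.login("alice")            # second login revokes t2
    results["old_session_revoked"] = store.validate(t2) is None and store.validate(t3) == "alice"
    for _ in range(49):                  # stay active every 10 minutes, past the 8-hour cap
        clock.advance(600)
        store.validate(t3)
    results["expired_after_absolute"] = store.validate(t3) is None
    results["unknown_token_rejected"] = store.validate("not-a-real-token") is None
    return results


if __name__ == "__main__":
    for rule, ok in demo().items():
        print(f"{rule:<24} {'ok' if ok else 'FAILED'}")
```

Revoking the older session on a second login is one way to "deny multiple sessions from a single user"; the other is to reject the new login while one is active, which is a one-line change in login(). Expiry is enforced on every validate() call rather than by a background sweeper, so an expired token is unusable the moment its timeout passes.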

Application Security Best Practices

Maintaining secure applications is a team effort. Although it can take months, you can start immediately by creating a blueprint of all the applications and a roadmap for securing them over the next 11 months.

It is critical to build the right foundation with a focus on three things:

  1. Finding vulnerabilities before attackers,
  2. Fixing vulnerabilities to stop hacking attempts, and
  3. Monitoring to collect data for security intelligence, visibility and DDoS patterns.

If you have any questions about app security best practices, our analysts would love to help. Drop your questions in the comment box.

If you’re having trouble keeping tabs on frequent app code changes, penetration testing schedules, fixing and monitoring, AppTrana can help.


Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.