6 Application Security Best Practices
Every day that an application is anything less than ‘fully secure’ is a day for a potential data breach. Consumer data, sensitive business information, monetary transactions, and business reputation are all at stake.
Thanks to the enthusiastic media coverage of data breaches in 2016, business owners understand the risks and are prepared to take action this year. But where should they start? Should they focus on finding security vulnerabilities in existing applications, or invest in application security best practices for the Software Development Life Cycle (SDLC)?
Our security analysts bring you a complete blueprint for best practices in application security. Before you start, take a look at vulnerabilities in your web applications with an Indusface WAS Free Website Scan.
Step 1: Create a Web Application Threat Model
Businesses must keep up with the exponential growth in customer demands. New applications, customer portals, simplified payment solutions, marketing integrations, and other activities happen at lightning speed. As a result, an organized approach to security is rarely a priority.
Most businesses do not have a clear idea of how many applications they run, what each is used for, and when they were last updated. This problem should be addressed before anything else.
Companies cannot expect to implement a web application security model without a blueprint of all the assets in use. Create a database of applications, like an inventory sheet, with details on the number of applications, their use, the last updated version, and plans to use them in the future.
Ensure that you include all applications in the list; this is the most important part of our web application security best practices list. If possible, note down the deployment mode, the layers within the application, and the existing security methods used in the app. This will help you patch vulnerabilities quickly and more efficiently once they are found.
Step 2: Sort The Applications in Priority Buckets
It is easy to lose focus with numerous applications to test and fix.
Start defining priorities immediately after, or during, the app inventory. Sort all the applications into Critical, Serious, and Normal buckets to keep control over progress in the coming months.
- Critical: This bucket is primarily for external-facing apps that deal with sensitive customer data and monetary transactions. Hackers have a higher motivation to target these apps, so critical apps should be tested and fixed first.
- Serious: These apps can be both external and internal, with sensitive company and customer information. They should be next in the priority line after critical apps.
- Normal: Hackers might not have direct access or knowledge of these apps but they should still be tested and fixed later.
Create another bucket for apps that are no longer useful. These serve no purpose and should be immediately retired.
Ensure that you update the inventory sheet once the task is complete. The goal of this step is to minimize risk and save time spent in both testing and fixing vulnerabilities.
Step 3: Find and Analyze Your App Vulnerabilities
Once you create a web application security blueprint, it is only a matter of testing until you get a massive list of possible vulnerabilities. The real task is to prioritize those vulnerabilities by their severity.
According to the Trustwave Global Security Report, an average application has 20 vulnerabilities. However, not all of them are severe enough to trigger a data breach or financial loss. For instance, vulnerabilities like Injection and Cross-Site Scripting are far more serious and should be fixed immediately, ahead of lower-priority issues like Unvalidated Redirects and Forwards.
Create a custom threat model prioritizing vulnerabilities for all your applications. Alternatively, use the OWASP Overall Risk Severity Scores.
You can visit the individual OWASP Top 10 vulnerability pages. The OWASP foundation provides an in-depth analysis of threat agents, attack vectors, security weaknesses, technical impacts, and business impacts.
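The two steps above, bucketing applications and then rating each finding, can be written down as a small scoring tool. The script below is an added example, not code from the original post or from Indusface; the application inventory and findings are constructed sample data, and the severity lookup follows the OWASP Risk Rating Methodology (likelihood and impact factors rated 0 to 9, averaged, mapped to LOW/MEDIUM/HIGH, and combined in the overall risk severity matrix).

```python
"""Added example (not from the original post): bucket an application inventory
(Step 2) and rank its findings with the OWASP Risk Rating Methodology (Step 3).
The applications and findings below are constructed sample data."""
from dataclasses import dataclass
from statistics import mean

# Step 2 buckets in fix order; retired apps never reach the fix queue.
BUCKET_ORDER = {"Critical": 0, "Serious": 1, "Normal": 2}


@dataclass
class Application:
    name: str
    external: bool        # reachable from the internet
    sensitive_data: bool  # handles customer data or payments
    in_use: bool = True


def bucket(app):
    """Assign the Step 2 bucket; apps nobody uses go to Retire."""
    if not app.in_use:
        return "Retire"
    if app.external and app.sensitive_data:
        return "Critical"
    if app.sensitive_data:
        return "Serious"
    return "Normal"


def level(score):
    """OWASP likelihood/impact level: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall risk severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Note": 4}


def rate(likelihood_factors, impact_factors):
    """Average the 0-9 factor ratings and look up the overall severity.

    Likelihood factors: threat agent (skill, motive, opportunity, size) and
    vulnerability (ease of discovery, ease of exploit, awareness, detection).
    Impact factors: technical (C, I, A, accountability) and business
    (financial, reputation, non-compliance, privacy)."""
    like, imp = mean(likelihood_factors), mean(impact_factors)
    return round(like, 2), round(imp, 2), SEVERITY[(level(like), level(imp))]


# Constructed inventory: name, external, sensitive_data, in_use.
APPS = [
    Application("payments-portal", True, True),
    Application("hr-intranet", False, True),
    Application("marketing-site", True, False),
    Application("legacy-survey", True, False, in_use=False),
]

# Constructed findings: (app, title, likelihood factors, impact factors).
FINDINGS = [
    ("payments-portal", "SQL injection in order lookup",
     [6, 9, 9, 9, 7, 5, 9, 9], [9, 7, 7, 9, 9, 9, 7, 9]),
    ("payments-portal", "Unvalidated redirect on logout",
     [3, 4, 9, 9, 3, 3, 6, 9], [2, 1, 1, 2, 1, 4, 2, 3]),
    ("marketing-site", "Reflected XSS in search",
     [6, 4, 9, 9, 7, 5, 9, 9], [6, 3, 1, 7, 3, 5, 2, 3]),
    ("hr-intranet", "Broken access control on payslips",
     [3, 4, 4, 2, 3, 3, 4, 8], [7, 5, 1, 7, 3, 7, 7, 9]),
]


def fix_order(apps=APPS, findings=FINDINGS):
    """Rank findings by application bucket first, then by OWASP severity."""
    by_name = {a.name: a for a in apps}
    rows = []
    for app_name, title, lf, imf in findings:
        b = bucket(by_name[app_name])
        if b == "Retire":
            continue   # retire the app instead of fixing it
        like, imp, sev = rate(lf, imf)
        rows.append({"app": app_name, "bucket": b, "title": title,
                     "severity": sev, "likelihood": like, "impact": imp})
    rows.sort(key=lambda r: (BUCKET_ORDER[r["bucket"]], SEVERITY_ORDER[r["severity"]]))
    return rows


if __name__ == "__main__":
    for r in fix_order():
        print(f'{r["bucket"]:8} {r["severity"]:8} {r["app"]:16} {r["title"]}')
```

Note the ordering this produces: the Low-severity redirect on the Critical-bucket payments portal is queued ahead of the High-severity XSS on the Normal-bucket marketing site, because the bucket decides which application gets attention first and the OWASP score orders the work within it.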
Step 4: Fix Critical and High Vulnerabilities
Fixing vulnerabilities in an application requires an understanding of the problem and code changes. The process takes considerable time and resources, which makes eliminating all the vulnerabilities an uphill project.
A smarter choice is to start with the vulnerabilities that have a higher impact on business and brand reputation. Ensure that the developers dedicate their time to these issues only. Once the Critical and High vulnerabilities are fixed, move on to the Medium and Low ones.
Step 5: Deploy Some Protection
Ground realities are different from your app security plans. No matter how small your business is, it may take weeks just to find the vulnerabilities and months to fix them.
As per the Web Application Security Statistics Report, fixing a critical vulnerability takes 146 days on average. Can you really wait for 5 months? Will the hackers wait? In the meantime, you should deploy alternative protections to stop hackers from exploiting the weaknesses.
- Get a Web Application Firewall (WAF): Traffic routed through a WAF is blocked if it is malicious. An advanced web application firewall even supports custom rules to block exploitation of any vulnerability, generic or app logic-specific. The web application firewall is critical for businesses with hundreds of applications and a shortage of resources to manage security risks.
- Restrict Functionality: If you choose to wait until all the applications are fixed, limit the app functionality. Restrictions like limited access to the user database, session timeouts, and others can help prevent some of the attacks.
Whether an application is vulnerable, secure, or protected through a WAF, continue monitoring traffic for possible data or money leakage. Manual penetration testing is the best way to look for such loopholes. This will help you identify weak points and fix them before external exploitation.
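A custom WAF rule of the kind described above is often called a virtual patch: the request is checked against a strict allow-list for the parameter the unfixed code mishandles, and anything else is rejected before it reaches the application. The filter below is an added example, not code from the original post and not Indusface's product; the paths, parameter names, rules and sample traffic are all constructed for the demo, and the block log it keeps is the data a monitoring view (which rules fire, from which sources) would read.

```python
"""Added example (not from the original post, not Indusface's product): a
minimal 'virtual patch' request filter of the kind a WAF custom rule provides,
with the block log a monitoring dashboard would read. Rules, paths, parameter
names and requests are constructed samples."""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Request:
    ip: str
    path: str
    params: dict


# App-specific rules: pin one parameter on one path to a strict allow-list
# until the code fix ships. Paths and parameter names are assumed for the demo.
RULES = [
    {"id": "VP-001", "path": "/orders/lookup", "param": "order_id",
     "allow": re.compile(r"[0-9]{1,10}")},
    {"id": "VP-002", "path": "/export", "param": "format",
     "allow": re.compile(r"csv|pdf")},
]


@dataclass
class VirtualPatchFilter:
    rules: list
    max_param_len: int = 256                       # generic rule, any path
    blocked: list = field(default_factory=list)    # (rule id, ip, path)

    def inspect(self, req):
        """Return None to let the request through, else the blocking rule id."""
        if any(len(v) > self.max_param_len for v in req.params.values()):
            return "GEN-LEN"
        for rule in self.rules:
            if rule["path"] != req.path:
                continue
            value = req.params.get(rule["param"])
            # fullmatch, so a valid prefix with trailing junk still fails
            if value is not None and not rule["allow"].fullmatch(value):
                return rule["id"]
        return None

    def handle(self, req):
        """Return an HTTP status: 403 for blocked, 200 for passed through."""
        verdict = self.inspect(req)
        if verdict is None:
            return 200
        self.blocked.append((verdict, req.ip, req.path))
        return 403

    def report(self):
        """Monitoring view: which rules fire and from which sources."""
        return {"by_rule": dict(Counter(v for v, _, _ in self.blocked)),
                "by_source": dict(Counter(ip for _, ip, _ in self.blocked))}


# Constructed traffic using documentation addresses.
SAMPLE_REQUESTS = [
    Request("203.0.113.10", "/orders/lookup", {"order_id": "12345"}),
    Request("203.0.113.10", "/orders/lookup", {"order_id": "12345'"}),
    Request("198.51.100.7", "/export", {"format": "xml"}),
    Request("198.51.100.7", "/export", {"format": "csv"}),
    Request("198.51.100.7", "/about", {"q": "A" * 300}),
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Push the sample traffic through a fresh filter; return (statuses, report)."""
    waf = VirtualPatchFilter(RULES)
    statuses = [waf.handle(r) for r in requests]
    return statuses, waf.report()


if __name__ == "__main__":
    statuses, report = run_samples()
    print(statuses)   # [200, 403, 403, 200, 403]
    print(report)
```

The allow-list form matters: a rule that only denies known-bad strings has to be updated every time a new bypass appears, whereas a rule that states exactly what the parameter may contain holds until the application code is fixed and the rule is retired.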
Step 6: Use Advanced Web Application Security Measures
Zero-day vulnerabilities, frequent code changes, third-party source code, app DDoS risks, and other unforeseeable circumstances make application security a difficult and never-ending project. However, implementing the above-mentioned steps, along with these quick tips, will help you stay secure.
- Monitor Apps: Virtual patching through a WAF, besides its ‘time to fix’ benefits, also offers continuous web application monitoring and provides visibility into the vulnerabilities being blocked, where the attempts come from, and what attackers do before and after their exploitation attempts. These analytics help you build security intelligence to secure apps more efficiently. Monitoring is also effective against app DDoS attacks.
- Use Automated + Penetration Testing: Most businesses rely on automated app testing, which is critical for finding vulnerabilities. However, automated tools are often weak at finding logical flaws in an application. Penetration testing with the help of trained security experts is the logical way to probe an app the way a hacker would. Always conduct penetration testing when taking an app from development to production. If possible, automate testing for all applications in your infrastructure, but only to augment penetration testing.
- Retire applications: Often there are old apps that serve no purpose and nobody knows about them either. Forgetting about these apps is dangerous. Even a minor app for an inconsequential task can help hackers get into your database. Get rid of such applications on a regular basis.
- Update Passwords: Change your administrator passwords periodically. While this is a basic security procedure, most admins are so busy taking the big steps that they overlook passwords. Follow the industry application security best practices in password structure and update frequency.
- Study Log Forensics: If there is a data breach, security logs help find out what went wrong. This forensic data will not only help you detect breaches but also strengthen the infrastructure. Ensure that the security logs cannot be deleted and that the developers or security experts go through these logs regularly.
- Data Validation Model: Most administrators fail to validate and parameterize input fields across the website. This invites rogue entries and hence data leakage. Implement a data validation model across all input fields.
- Restrict Privileges: User and application privileges should be limited. It is better to restrict than regret.
- Authentication: Spend more time defining the authentication process. Use industry standards.
- Content Policy: Develop a content security policy for the company.
- File System: A read-only (unwritable) file system prevents many types of attacks. Implement it; with it, hackers would have a hard time changing anything on the server.
- Session Handling: Maintain a session timeout and deny multiple sessions from a single user.
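Two of the items above, the data validation model and session handling, are concrete enough to show in code. The script below is an added example, not code from the original post; it uses an in-memory SQLite table, constructed usernames and an assumed 15-minute idle timeout. It puts the string-built query (the form that breaks when input contains a quote) beside the validated, parameterized form, and implements a session store that expires idle sessions and revokes a user's earlier session on a new login.

```python
"""Added example (not from the original post): a data validation model with
parameterized queries, beside the string-built query it replaces, and a session
store that enforces a timeout and one session per user. The schema, usernames
and timeout value are constructed for the demo."""
import re
import secrets
import sqlite3
import time

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(value):
    """Allow-list check applied at the input boundary; rejects anything else."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_unsafe(conn, name):
    """The 'before' form: input pasted into SQL text. A quote in `name`
    changes the query's structure instead of being treated as data."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name):
    """Hardened form: validated input bound as a parameter by the driver."""
    return conn.execute("SELECT name FROM users WHERE name = ?",
                        (validate_username(name),)).fetchall()


def unsafe_query_breaks(conn, name):
    """True if the string-built query fails to even parse for this input."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.Error:
        return True


class FakeClock:
    """Controllable clock so the timeout can be exercised without sleeping."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    def __init__(self, timeout_seconds=900, clock=time.monotonic):
        self.timeout = timeout_seconds
        self.clock = clock
        self.sessions = {}   # token -> (user, last_seen)
        self.by_user = {}    # user -> active token

    def login(self, user):
        """Issue a fresh token; any earlier session of the same user is revoked."""
        old = self.by_user.pop(user, None)
        if old is not None:
            self.sessions.pop(old, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.clock())
        self.by_user[user] = token
        return token

    def resolve(self, token):
        """Return the user for a live token, or None if unknown or timed out."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        now = self.clock()
        if now - last_seen > self.timeout:
            self.sessions.pop(token, None)
            self.by_user.pop(user, None)
            return None
        self.sessions[token] = (user, now)   # idle timeout: refresh on use
        return user


if __name__ == "__main__":
    db = setup_db()
    print(lookup_safe(db, "alice"))            # [('alice',)]
    print(unsafe_query_breaks(db, "o'brien"))  # True: the quote broke the SQL
    clock = FakeClock()
    store = SessionStore(timeout_seconds=900, clock=clock)
    t1 = store.login("alice")
    t2 = store.login("alice")                  # second device
    print(store.resolve(t1), store.resolve(t2))  # None alice
```

The ordinary surname "o'brien" is enough to show the defect: the string-built query no longer parses, which is the same mechanism an attacker would abuse with a crafted value, while the hardened path rejects it at validation and would bind it as plain data even if the allow-list were wider.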
Web Application Security Best Practices
Maintaining secure applications is a team effort. Although it can take months, you can start immediately by creating a blueprint for all the applications and a roadmap to securing them in the next 11 months.
It is critical to build the right foundation with a focus on three things:
- Finding vulnerabilities before attackers,
- Fixing vulnerabilities to stop hacking attempts, and
- Monitoring to collect data for security intelligence, visibility, and DDoS patterns.
If you have any questions about app security best practices, our analysts would love to help. Drop your questions in the comment box.
If you’re having trouble keeping tabs on frequent app code changes, penetration testing schedules, fixing, and monitoring, AppTrana can help.