Every day that a web application is anything less than ‘fully secure’ is a day for a potential data breach. Consumer data, sensitive business information, monetary transactions, and business reputation: everything is at stake.
Thanks to the enthusiastic media coverage on data breaches in 2016, business owners understand the risks and are prepared to take actions this year. But, where should they start? Should they focus on finding security vulnerabilities in existing applications or invest in web application security best practices for Software Development Life Cycle (SDLC)?
Our security analysts bring you a complete blueprint for best practices in application security. Before you start, take a look at vulnerabilities in your web applications with an AppTrana Free Website Scan.
Businesses must keep up with the exponential growth in customer demands. New applications, customer portals, simplified payment solutions, marketing integrations, and other activities happen at lightning speed. As a result, an organized approach is not really a priority.
Most businesses do not have a clear idea of how many applications they have, what they are used for, and when they were last updated. This problem should be addressed before anything else.
Companies cannot expect to implement a web application security model without a blueprint of all the assets in use. Create a database of applications, like an inventory sheet, with details on the number of applications, their use, their last updated version, and plans to use them in the future.
Ensure that you include all applications in the list; it’s the most important part of our web application security best practices list. If possible, note down the deployment mode, the layers within the application, and the existing security methods used in the app. This will help you patch vulnerabilities quickly and more efficiently once they are found.
It is easy to lose focus with numerous applications to test and fix.
Start defining priorities immediately after or during the app inventory. Sort all the applications into Critical, Serious, and Normal buckets for control over the progress in the coming months.
Create another bucket for apps that are no longer useful. These serve no purpose and should be immediately retired.
Ensure that you update the inventory sheet once the task is complete. The goal of this step is to minimize risk and save time spent in both testing and fixing vulnerabilities.
Once you create a web application security blueprint, it is only a matter of testing until you get a massive list of possible vulnerabilities. The real task is to prioritize vulnerabilities by their severity.
According to the Trustwave Global Security Report, an average application has 20 vulnerabilities. However, not all of them are severe enough to trigger a data breach or financial loss. For instance, vulnerabilities like Injection and Cross-Site Scripting are far more serious and should be fixed immediately, ahead of something lower in priority like Unvalidated Redirects and Forwards.
Create a custom threat model prioritizing vulnerabilities for all your applications. Alternatively, use the OWASP Overall Risk Severity Scores.
You can visit the individual OWASP Top 10 vulnerability pages. The OWASP foundation provides an in-depth analysis of threat agents, attack vectors, security weaknesses, technical impacts, and business impacts.
Fixing vulnerabilities in the application requires an understanding of the problem and code changes. The process takes considerable time and resources, which makes eliminating all the vulnerabilities an uphill project.
A smarter choice is to start with the vulnerabilities that have a higher impact on the business and brand reputation. Ensure that the developers dedicate their time to these issues only. Once the Critical and High vulnerabilities are fixed, move on to the Medium and Low ones.
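The prioritization described above can be made mechanical. The following Python sketch is an added example, not code from the original article: it applies the OWASP Risk Rating Methodology (factors scored 0-9, averaged into likelihood and impact levels, then looked up in the Overall Risk Severity matrix) and orders a fix queue. The sample findings, app names, and the tie-break on application bucket are constructed assumptions.

```python
from statistics import mean

# OWASP Risk Rating Methodology: each factor is scored 0-9, the factors are
# averaged, and the average maps to a level (0-<3 LOW, 3-<6 MEDIUM, 6-9 HIGH).
def level(score):
    if not 0 <= score <= 9:
        raise ValueError(f"factor average out of range: {score}")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

# OWASP Overall Risk Severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",      ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",   ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Note"]
BUCKET_ORDER = ["Critical", "Serious", "Normal"]  # application buckets from the inventory

def overall_severity(likelihood_factors, impact_factors):
    return SEVERITY[(level(mean(likelihood_factors)), level(mean(impact_factors)))]

def remediation_queue(findings):
    """Rate each finding, then sort by severity; ties go to the more critical app
    (the tie-break is this example's assumption, not part of the OWASP method)."""
    rated = [dict(f, severity=overall_severity(f["likelihood"], f["impact"]))
             for f in findings]
    return sorted(rated, key=lambda f: (SEVERITY_ORDER.index(f["severity"]),
                                        BUCKET_ORDER.index(f["bucket"])))

# Constructed sample findings: 8 likelihood factors (threat agent + vulnerability)
# and 8 impact factors (technical + business), each scored 0-9.
FINDINGS = [
    {"app": "marketing-site", "bucket": "Normal", "issue": "Unvalidated redirect",
     "likelihood": (3, 4, 4, 6, 7, 5, 4, 8), "impact": (2, 1, 0, 1, 1, 4, 2, 3)},
    {"app": "customer-portal", "bucket": "Serious", "issue": "Cross-Site Scripting",
     "likelihood": (5, 4, 7, 6, 7, 5, 6, 8), "impact": (6, 3, 1, 7, 3, 4, 2, 5)},
    {"app": "payments", "bucket": "Critical", "issue": "Cross-Site Scripting",
     "likelihood": (5, 4, 7, 6, 7, 5, 6, 8), "impact": (6, 3, 1, 7, 3, 4, 2, 5)},
    {"app": "payments", "bucket": "Critical", "issue": "SQL Injection",
     "likelihood": (6, 9, 7, 9, 7, 5, 9, 8), "impact": (9, 7, 5, 7, 7, 9, 7, 7)},
]

if __name__ == "__main__":
    for f in remediation_queue(FINDINGS):
        print(f'{f["severity"]:<8} {f["bucket"]:<8} {f["app"]:<16} {f["issue"]}')
```

Note that the same Cross-Site Scripting scores rate High in both apps; only the bucket from the inventory step decides which copy the developers pick up first.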
Ground realities are different from your app security plans. No matter how small your business is, it may take weeks just to find the vulnerabilities and months to fix them.
As per the Web Application Security Statistics Report, fixing a critical vulnerability is a 146-day job on average. Can you really wait for 5 months? Will the hackers wait? In the meantime, you should deploy alternative fixes to stop hackers from exploiting weaknesses.
Irrespective of whether an application is vulnerable, secure, or protected through a WAF, continue monitoring traffic for possible data or money leakage. Manual penetration testing is the best way to look for such loopholes. This will help you identify weak points and fix them before external exploitation.
Zero-day vulnerabilities, frequent code changes, third-party source code, app DDoS risks, and other unforeseeable circumstances make application security a difficult and never-ending project. However, implementing the above-mentioned steps, along with these quick tips, will help you stay secure.
Maintaining secure applications is a team effort. Although it can take months, you can start immediately by creating a blueprint for all the applications and a roadmap to securing them in the next 11 months.
It is critical to build the right foundation with a focus on three things.
If you have any questions about app security best practices, our analysts would love to help. Drop your questions in the comment box.
If you’re having trouble keeping tabs on frequent app code changes, penetration testing schedules, fixing and monitoring, AppTrana can help.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various management/leadership roles in Product Development, Professional Services and Sales @Entrust.