6 Application Security Best Practices

Posted March 8, 2018 · 6 min read

Every day that an application is anything less than fully secure is a day on which a data breach is possible. Consumer data, sensitive business information, monetary transactions and business reputation are all at stake.

Thanks to the extensive media coverage of data breaches in 2016, business owners understand the risks and are prepared to act this year. But where should they start? Should they focus on finding security vulnerabilities in existing applications, or invest in application security best practices for the Software Development Life Cycle (SDLC)?

Our security analysts bring you a blueprint of best practices in application security. Before you start, take a look at the vulnerabilities in your web applications with an Indusface WAS Free Website Scan.

Step 1: Create a Web Application Threat Model

Businesses must keep up with the exponential growth in customer demands. New applications, customer portals, simplified payment solutions, marketing integrations and other activities happen at lightning speed. As a result, an organized approach to security rarely gets priority.

Most businesses do not have a clear idea of how many applications they run, what each one is used for, or when it was last updated. This problem should be addressed before anything else.

Companies cannot build a web application security model without a blueprint of all the assets in use, and an asset inventory is the foundation of any threat model: you cannot model threats to applications you do not know you have. Create a database of applications, like an inventory sheet, with details on the number of applications, their use, the last updated version, who owns each one, and plans to use them in the future.

Ensure that you include all applications in the list; it is the most important part of this web application security best practices list. If possible, also note the deployment mode, the layers within the application (front end, APIs, databases, third-party components), and the existing security controls used in the app. This will help you patch vulnerabilities quickly and efficiently once they are found.


Step 2: Sort The Applications in Priority Buckets

It is easy to lose focus with numerous applications to test and fix.

Define priorities during or immediately after the app inventory. Sort all the applications into Critical, Serious and Normal buckets so you can control progress in the coming months.

  • Critical: This bucket is primarily for external-facing apps that handle sensitive customer data and monetary transactions. Attackers have the strongest motivation to target these apps, so critical apps should be tested and fixed first.
  • Serious: These apps can be external or internal and hold sensitive company and customer information. They come next in line after the critical apps.
  • Normal: Attackers may not have direct access to or knowledge of these apps, but they should still be tested and fixed later.

Create another bucket for apps that are no longer useful. These serve no purpose, still expose attack surface, and should be retired immediately.

Ensure that you update the inventory sheet once the task is complete. The goal of this step is to minimize risk and save time spent in both testing and fixing vulnerabilities.

Step 3: Find and Analyze Your App Vulnerabilities

Once you have a web application security blueprint, testing will produce a long list of possible vulnerabilities. The real task is to prioritize them by severity.

According to the Trustwave Global Security Report, an average application has 20 vulnerabilities. However, not all of them are severe enough to cause a data breach or financial loss. As a rule, vulnerability classes such as Injection and Cross-Site Scripting are far more serious and should be fixed immediately, ahead of lower-priority classes such as Unvalidated Redirects and Forwards; the exact ranking still depends on where the flaw sits and what data the application handles.

Create a custom threat model that prioritizes vulnerabilities across all your applications, or use the OWASP Risk Rating Methodology, which scores the likelihood and the impact of each finding and combines them into an Overall Risk Severity.
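The OWASP Risk Rating Methodology is mechanical enough to script, which is useful when a scanner hands you dozens of findings per app. The block below is an added example for this article, not Indusface code: it implements the OWASP 0-9 factor scales, the LOW/MEDIUM/HIGH bands and the nine-cell severity matrix, then rates two constructed findings (a SQL injection in an external payment portal and an open redirect in an intranet HR portal). The factor values assigned to those findings are illustrative assumptions, not real scan results.

```python
"""OWASP Risk Rating Methodology: likelihood x impact -> overall severity.

Added example for this article (not Indusface/AppTrana code). Factor names
and 0-9 scales follow the OWASP Risk Rating Methodology; the sample
findings at the bottom are constructed for illustration.
"""

# Likelihood = average of four threat-agent and four vulnerability factors.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity matrix, keyed by (impact level, likelihood level).
SEVERITY_MATRIX = {
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Note")


def average(values):
    """Plain arithmetic mean as a float (OWASP averages the factor scores)."""
    values = list(values)
    return sum(values) / len(values)


def level(score):
    """Map a 0-9 average onto the OWASP LOW / MEDIUM / HIGH bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(factors):
    """Return likelihood, impact and overall severity for one finding.

    OWASP prefers the business impact when all four business factors are
    scored; otherwise the technical impact factors are used.
    """
    for name, value in factors.items():
        if not isinstance(value, int) or not 0 <= value <= 9:
            raise ValueError(f"{name}={value!r} must be an integer from 0 to 9")
    likelihood = average(factors[k] for k in LIKELIHOOD_FACTORS)
    if all(k in factors for k in BUSINESS_IMPACT_FACTORS):
        impact, basis = average(factors[k] for k in BUSINESS_IMPACT_FACTORS), "business"
    else:
        impact, basis = average(factors[k] for k in TECHNICAL_IMPACT_FACTORS), "technical"
    return {
        "likelihood": likelihood, "impact": impact, "impact_basis": basis,
        "severity": SEVERITY_MATRIX[(level(impact), level(likelihood))],
    }


def triage(findings):
    """Order finding names so developers start with Critical and High (Step 4)."""
    rated = {name: rate(f) for name, f in findings.items()}
    return sorted(rated, key=lambda n: (SEVERITY_ORDER.index(rated[n]["severity"]),
                                        -rated[n]["likelihood"]))


# Constructed sample findings; the scores are assumptions for the demo.
SQLI_PAYMENT_PORTAL = {   # external payment portal, injection, sqlmap-class tooling exists
    "skill_level": 3, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 9, "non_compliance": 5, "privacy_violation": 7,
}
OPEN_REDIRECT_INTRANET = {  # internal HR portal, unvalidated redirect, technical impact only
    "skill_level": 3, "motive": 4, "opportunity": 4, "size": 2,
    "ease_of_discovery": 3, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 3,
    "loss_of_confidentiality": 2, "loss_of_integrity": 1,
    "loss_of_availability": 1, "loss_of_accountability": 1,
}

if __name__ == "__main__":
    findings = {"sqli-payments": SQLI_PAYMENT_PORTAL, "redirect-hr": OPEN_REDIRECT_INTRANET}
    for name in triage(findings):
        print(name, rate(findings[name]))
```

The same vulnerability class lands in different cells depending on the app it lives in: the injection scores likelihood 7.875 and business impact 7.0 (both HIGH), so the matrix returns Critical; the redirect scores likelihood 3.75 (MEDIUM) against a technical impact of 1.25 (LOW), which is only Low. That is exactly why the inventory and bucketing in Steps 1 and 2 have to come before scoring.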


You can also visit the individual OWASP Top 10 vulnerability pages. For each category, the OWASP Foundation provides an analysis of threat agents, attack vectors, security weaknesses, technical impacts and business impacts.


Step 4: Fix Critical and High Vulnerabilities

Fixing vulnerabilities in an application requires an understanding of the root cause and changes to the code. The process takes considerable time and resources, which makes eliminating every vulnerability at once an uphill project.

A smarter choice is to start with the vulnerabilities that have the highest impact on the business and brand reputation. Ensure that developers dedicate their time to these issues first. Once the Critical and High vulnerabilities are fixed, move on to Medium and then Low, and re-test each fix rather than closing the finding on the developer's word.

Step 5: Deploy Some Protection

Ground realities differ from your app security plans. No matter how small your business is, it may take weeks just to find the vulnerabilities and months to fix them.

According to the Web Application Security Statistics Report, fixing a critical vulnerability takes 146 days on average. Can you really wait five months? Will the attackers wait? In the meantime you should deploy compensating controls that stop attackers from exploiting the weaknesses while the code is being fixed.


  • Get a Web Application Firewall (WAF): A WAF inspects the traffic routed through it and blocks requests that match attack patterns or violate its rules. An advanced WAF also supports custom rules (virtual patches) that block exploitation of a specific vulnerability, whether generic or particular to your application's logic. A WAF is critical for businesses with hundreds of applications and a shortage of resources to manage security risks, but it is a compensating control, not a fix: the vulnerable code still has to be repaired, and a rule that parses requests differently from the application can be bypassed.
  • Restrict Functionality: If a fix cannot ship yet, limit the vulnerable functionality. Restrictions such as limiting which accounts can reach the user database, shortening session timeouts, rate-limiting sensitive endpoints, or temporarily disabling the affected feature can prevent some attacks.

Whether an application is vulnerable, believed secure, or protected through a WAF, continue monitoring its traffic for signs of data or money leaking out. Manual penetration testing is the best way to find such loopholes before an outsider does; use its findings to identify weak points and fix them.
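A virtual patch is simply a rule that sits in front of the application and rejects requests that would reach the known-vulnerable code path. The block below is an added example for this article, not AppTrana or Indusface code: a small WSGI middleware that enforces an allow-list on one parameter per route and logs every block as a JSON record (the raw material for the monitoring discussed in Step 6). The `/account` and `/login` routes, the `id` and `next` parameters and their patterns are hypothetical; the requests driven through it are constructed.

```python
"""Virtual patch as WSGI middleware: block exploitation of a known flaw while
the code fix is pending. Added example for this article (not AppTrana code).
The routes, parameter names and allow-list patterns are hypothetical."""
import io
import json
import re
import time
from urllib.parse import parse_qs


def backend_app(environ, start_response):
    """Stand-in for the vulnerable application that cannot be fixed today."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"handled {environ['PATH_INFO']}\n".encode()]


# One rule per (path, parameter): an allow-list of what the value may look like.
# Positive patterns age better than blocklists of attack strings.
PATCH_RULES = {
    ("/account", "id"): re.compile(r"[0-9]{1,10}"),            # numeric account id only
    ("/login", "next"): re.compile(r"/(?!/)[A-Za-z0-9_/.-]*"),  # same-site path, not //host
}


def request_params(environ):
    """Collect query-string and form-body parameters the way the app itself would."""
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    ctype = environ.get("CONTENT_TYPE", "")
    if environ.get("REQUEST_METHOD") == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


class VirtualPatch:
    def __init__(self, app, rules):
        self.app = app
        self.rules = rules
        self.block_log = []  # JSON lines; in production ship them to your SIEM

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        params = request_params(environ)
        for (rule_path, name), allowed in self.rules.items():
            if path != rule_path:
                continue
            # Check every copy of the parameter: a duplicated name (HTTP parameter
            # pollution) must not let a second value slip past the rule.
            for value in params.get(name, []):
                if allowed.fullmatch(value) is None:
                    self.block_log.append(json.dumps({
                        "ts": time.time(), "client": environ.get("REMOTE_ADDR"),
                        "path": path, "param": name, "value": value[:200],
                    }))
                    start_response("403 Forbidden", [("Content-Type", "text/plain")])
                    return [b"blocked by virtual patch\n"]
        return self.app(environ, start_response)


def send(app, method, path, query="", body=""):
    """Drive a WSGI app with a constructed request; returns (status, body text)."""
    data = body.encode()
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
        "CONTENT_TYPE": "application/x-www-form-urlencoded" if body else "",
        "CONTENT_LENGTH": str(len(data)), "REMOTE_ADDR": "203.0.113.7",
        "wsgi.input": io.BytesIO(data),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    chunks = app(environ, start_response)
    return captured["status"], b"".join(chunks).decode()


protected = VirtualPatch(backend_app, PATCH_RULES)

if __name__ == "__main__":
    print(send(protected, "GET", "/account", "id=1042"))
    print(send(protected, "GET", "/account", "id=1042 OR 1=1--"))
    print(send(protected, "POST", "/login", body="user=alice&next=//evil.example"))
    print(*protected.block_log, sep="\n")
```

Two details matter more than the regexes. First, the middleware parses parameters with the same rules as the application and checks every duplicate, because a WAF that looks only at the first `id=` while the app reads the last one is trivially bypassed. Second, the protocol-relative `//evil.example` case shows why the redirect allow-list forbids a second leading slash: a pattern that merely "starts with /" would still permit off-site redirects.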

Step 6: Use Advanced Web Application Security Measures

Zero-day vulnerabilities, frequent code changes, third-party source code, application-layer DDoS risks and other unforeseeable circumstances make application security a difficult and never-ending project. However, implementing the steps above along with these quick tips will help you stay secure.

  • Monitor Apps: Virtual patching through a WAF, besides its time-to-fix benefits, also offers continuous web application monitoring: visibility into which vulnerabilities are being probed, where the attempts come from, and what attackers do before and after an exploitation attempt. These analytics build the security intelligence you need to secure apps more efficiently. Monitoring is also effective against application-layer DDoS attacks.
  • Use Automated + Penetration Testing: Most businesses rely on automated app testing, which is essential for finding known vulnerability classes at scale. However, scanners are weak at finding business-logic flaws. Penetration testing by trained security experts approaches the app the way an attacker would. Always conduct penetration testing before taking an app from development to production. If possible, automate scanning for every application in your infrastructure, and treat it as a complement to penetration testing rather than a replacement.
  • Retire applications: There are often old apps that serve no purpose and that nobody remembers. Forgetting about them is dangerous: even a minor app built for an inconsequential task can give an attacker a foothold into your database. Get rid of such applications on a regular basis.
  • Update Passwords: Change administrator passwords periodically, and immediately whenever a compromise is suspected or an administrator leaves. While this is basic hygiene, most admins are so busy with the big steps that they overlook it. Follow industry application security best practices for password strength, storage and update frequency, and put multi-factor authentication on every administrative account.
  • Study Log Forensics: If there is a data breach, security logs are how you find out what went wrong. This forensic data will not only help you detect breaches but also strengthen the infrastructure. Make the logs tamper-evident: ship them to a separate, append-only store that the web server and application accounts cannot modify or delete, and have developers or security staff review them regularly rather than only after an incident.
  • Data Validation Model: Many applications neither validate their inputs nor use parameterized queries, which invites injection and data leakage. Validate every input field against an allow-list of what that field may legitimately contain, and pass user-supplied values to the database only as bound parameters, never by concatenating them into the query string.
  • Restrict Privileges: Limit user and application privileges to what each actually needs, including the database account the application connects with. It is better to restrict than regret.
  • Authentication: Spend more time defining the authentication process. Use industry standards and vetted libraries (for example a well-tested password-hashing library) rather than a custom scheme.
  • Content Security Policy: Set a Content-Security-Policy header on your responses. It tells the browser which origins may supply scripts, styles and other resources, which blunts the impact of cross-site scripting even when a flaw slips through.
  • File System: A read-only file system for the application's code and web root prevents many types of attack. Implement it: with it, an attacker who gains execution cannot drop a web shell or modify your code. Keep the few directories that must be writable (uploads, logs) separate and non-executable.
  • Session Handling: Enforce an idle and an absolute session timeout, invalidate sessions on logout and password change, and limit concurrent sessions per user.
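The Data Validation Model tip is easiest to see with a live database. The block below is an added example for this article, not Indusface code: it builds an in-memory SQLite table with constructed rows, then runs the same tautology payload through a string-concatenated query (the flaw), a parameterized query (the fix), and a validated-then-parameterized lookup (defence in depth). The table, its rows and the username allow-list are assumptions for the demo.

```python
"""Input validation plus parameterized queries against a live in-memory SQLite
database. Added example for this article (not Indusface code); the users
table, its rows and the username allow-list are constructed for the demo."""
import re
import sqlite3

# Allow-list: what a username may legitimately look like.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

# Classic tautology injection payload, constructed for the demo.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create the demo table and seed it with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test"),
    ])
    return conn


def lookup_vulnerable(conn, username):
    """The 'before': the value is pasted into the SQL text, so it can change the query.
    With PAYLOAD the statement becomes ... WHERE username = '' OR '1'='1' and every row leaks."""
    sql = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: a bound parameter is sent to the engine separately from the SQL text,
    so its content can never be interpreted as SQL."""
    return conn.execute(
        "SELECT id, username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(username):
    """Allow-list validation: reject anything a username cannot legitimately contain."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn, username):
    """Defence in depth: validate first, then still bind the parameter."""
    if not is_valid_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable rows returned:", len(lookup_vulnerable(db, PAYLOAD)))
    print("parameterized rows returned:", len(lookup_parameterized(db, PAYLOAD)))
    try:
        lookup_validated(db, PAYLOAD)
    except ValueError as exc:
        print("validated lookup:", exc)
```

Validation alone is not the fix: a field that legitimately contains apostrophes (a surname like O'Brien, a free-text comment) cannot be allow-listed tightly enough to stop injection, which is why the parameter binding has to be there regardless. Validation earns its place by shrinking the attack surface and by rejecting junk early with a clear error.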


Maintaining secure applications is a team effort. Although it can take months, you can start immediately by creating a blueprint for all the applications and a roadmap to securing them in the next 11 months.

It is critical to build the right foundation with a focus on three things.

  1. Finding vulnerabilities before attackers,
  2. Fixing vulnerabilities to stop hacking attempts, and
  3. Monitoring to collect data for security intelligence, visibility, and DDoS patterns.



Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.
