From 200 million in the year 2000 to 3.5 billion users in 2019, the staggering growth is the testimony of the internet’s all-pervasive nature. It has transformed itself from an option to a necessity indispensable for any entity.
As the world and its economy are fully internet-dependent now, it is fully exposed to the threats of online attacks from malicious hackers, syndicate gangs, spy agencies, or even hostile governments. Earlier, most of the online attacks ended up defacing sites, data thefts, and DoS. More recently, cyber-attacks are more of ransomware nature. Ransomware attacks hijack operations for an exorbitant cost.
A study report conducted by Sonicwall, 2019 saw a 52% increase in attacks on web applications. Some of the organizations and products which have been considered impregnable viz Apple iPhones or some US defense sites were breached in 2019, albeit with minimal impact. This leads us to conclude that no application or device exposed to the internet is ever secured permanently. A foolproof design based on threat models published threat profiles, and secured design patterns are the building blocks of implementing web applications security.
Most companies invest heavily in network security and firewalls to ensure bad guys are kept at bay. Secured networks are undoubtedly a very important and critical aspect of application security apparatus and should be done with cautious planning. However, the most important aspect of any web application security is its overall design and its implementation. In 2019, of all the successful attacks, 82% of vulnerabilities were found in application code. The focus of this write-up is more design, development, and deployment of web applications. No network security and firewall can safeguard against an ill-designed application.
As most vulnerabilities are found in application codes, more emphasis on the design of web applications is never a redundant exercise. Web application security can be broadly based on the security framework, which can be broken down into the following segments:
The city of Troy was impregnable until the incoming traffic was sanitized. The trojan horse was an unverified input that eventually allowed intruders in. Users interact with a web or mobile application through the interfaces that ask for inputs. This is also the route through which a known hacker breaches the security by the well-known vulnerability of cross-scripting or XSS. 54% of vulnerabilities are attributed to cross-scripting.
Some of the guidelines in this category are:
A very nice explanation of XSS and steps to prevent it is provided in Google’s documentation, which can be found at Google’s Application Security guidelines.
If a web application is a vault, authentication is its lock and key. Only authorized users who have the key to the lock can only enter the vault. Managing authentication using strong passwords, 2-way authentication, and/or digital tokens should be securely implemented. Many applications allow the transit of passwords in plaintext. This is a recipe for disaster. Many applications allow SSOs for organization-wide integration. Ensure the authentication policy of ADS, LDAP, or any other directory services have a strong authentication mechanism.
Important guidelines in this category are:
Authentication and authorization always go hand-in-hand. While authentication is about who can log in to the application, authorization is about what one can do after logging in. Can a user start or stop a service? Can a user rename, delete, suspend, or reset passwords of other users and many other levels of permissions? Can a user access the database directly? Can a user access an API.
Authorization is not just limited to just users, but execution permissions to services, integration with other applications, exposure to APIs, and databases also are an integral aspect of authorization.
Important guidelines to follow:
A web application’s main objective is to access, store, and present data. Access to databases and data storage is vital. Applications store data on primary and secondary storage. Primary storage, like memory and secondary storage, like disks, are equally vulnerable to security breaches. If an intruder gains access to memory addresses, it can access the vital data that the application is processing. When it comes to sensitive data, encryption of data while in transit and at rest becomes absolutely necessary.
Few guidelines in the category are:
Usually, when attacks happen, especially the DOS type of attacks, services, or daemons, stop functioning as expected. In case of a function failure, exception handling should ensure graceful failures and swift garbage cleaning to prevent leakages.
Applications should have fully equipped logging and audit functionality to monitor, debug, trace, and audit all activities.
Having looked at the design of web applications, let us also look at another important aspect of web applications security – Servers on which the web applications are hosted. Servers are important as they house the web applications. If not configured correctly, they are the first defense that falls apart, leaving the application exposed to threats. Guidelines to secure application servers are as below:
Even though one may secure the applications and servers at a point in time, as the software stack is updated, new vulnerabilities still creep in. That’s why frequent and in-depth testing is important. Here’s a guideline from OWASP (https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Web_Application_Penetration_Checklist_v1_1.pdf).
No one has the time and skilled staff to execute all such tests repeatedly. Therefore the best approach is to use a combination of frequent automated scans using reliable and comprehensive tools (https://owasp.org/www-community/Vulnerability_Scanning_Tools) and at least quarterly full penetration testing by experts.
As web applications development technologies are evolving constantly and new frameworks get adopted, a new set of vulnerabilities get introduced. In this ever-changing environment, continuous in-depth testing and quickly fixing critical issues is your best defense.
Ashish Pradhan is responsible for all technology functions like engineering, client services and customer support at Indusface. Prior to joining Indusface, Ashish held various senior leadership roles at Symantec Corporation in India and USA. During his 25 years of global experience in the software industry, Ashish has helped create and grow a broad variety of software products spanning systems management, IT compliance, and information security domains.