The tremendous growth in web application deployments has come hand-in-hand with concerns around security. Web application security needs to be addressed at every stage of the software development life cycle (SDLC) and even after an application has been deployed into the production environment. Here are ten tips on how to improve your web application security.
Every three years, the Open Web Application Security Project (OWASP) releases its report on the Top 10 web application vulnerabilities. Organizations are encouraged to submit data to the project until July 20, 2016. The goal of the project is to create awareness and encourage you to take steps to improve web application security within your SDLC.
Injection
Injection flaws, such as SQL or LDAP injection, are a common form of security breach in web applications. This type of attack tricks the application's input handling into disclosing data or executing a command chosen by the attacker, without the user's authorization.
To prevent this type of attack:
- Use a parameterized API
- Run the application with minimal privileges
- Whitelist only allowed characters, in combination with the parameterized API and the application running with minimal privileges
- Sanitize your inputs. Use SQL parameters alongside appropriate permissions configured in the SQL server to prevent entries in input fields such as "100 OR 1=1".
Testing can be done to validate the parameters, cookies, headers, and path. Security issues should be caught early in the SDLC to minimize costs.
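The injection point described above, as an added example that is not from the original article: a SQLite lookup built by string concatenation beside the same query using a placeholder and a character whitelist. The accounts table, its rows and the hostile input are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory accounts table for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts (id, owner, balance) VALUES (?, ?, ?)",
        [(100, "alice", 50), (101, "bob", 75), (102, "carol", 20)],
    )
    return conn

def lookup_vulnerable(conn, account_id):
    # Concatenation: the request value becomes part of the SQL text, so
    # "100 OR 1=1" turns a single-row lookup into a full-table read.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = " + account_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, account_id):
    # Placeholder: the driver passes the value separately from the statement,
    # so it can only ever be compared as a value, never parsed as SQL.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = ?"
    return conn.execute(sql, (account_id,)).fetchall()

# Whitelist for this field: an account id is 1 to 10 digits, nothing else.
ACCOUNT_ID = re.compile(r"[0-9]{1,10}")

def lookup_hardened(conn, account_id):
    # Input whitelist first, parameterized query second; neither replaces the
    # other, and the database user should additionally hold SELECT only.
    if not ACCOUNT_ID.fullmatch(account_id):
        raise ValueError("account id must be 1-10 digits")
    return lookup_parameterized(conn, account_id)

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "100 OR 1=1"))     # three rows leak
    print(lookup_parameterized(conn, "100 OR 1=1"))  # []
    print(lookup_hardened(conn, "100"))              # [(100, 'alice', 50)]
```

The parameterized version returns no rows for the hostile input because the whole string is compared against the integer column as a value; the whitelist rejects it before the database is even consulted, which is the layered defence the list above calls for.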
Broken Authentication or Authorization
This flaw allows a hacker to bypass the authentication or authorization of the web application. The most commonly used authentication is username and password. Once users enter their credentials, a session ID is assigned to them.
To improve the authentication or authorization:
- Encrypt connections used to send passwords or session IDs
- Force users to use strong passwords
- Invalidate the session ID when users log out or the session times out
- Hash or encrypt stored usernames and passwords
Cross-Site Scripting (XSS)
This is the most prevalent vulnerability that hackers exploit. Users are exposed if their data is not properly validated or escaped. There are two types of XSS flaws. In one, the injected code is stored on the server. In the other, a reflected attack, the payload is delivered to the user via a malicious link in an email or embedded in a website.
Take a strategic approach to prevent XSS:
- Assume all data from external sources is malicious
- Ensure all data is properly escaped based on the HTML context
- Use an embedded library or framework
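Escaping "based on the HTML context", as an added example that is not from the original article: the same untrusted value is escaped differently for element text, for an attribute value and for a string inside a script block, and link targets are scheme-checked because escaping alone does not neutralize a "javascript:" URL. The page fragment and the hostile inputs are constructed for the demonstration.

```python
import html
import json
from urllib.parse import urlsplit

def escape_for_html_text(value):
    # Text between tags: & < > " ' become entities.
    return html.escape(value, quote=True)

def escape_for_attribute(value):
    # Attribute values are always double-quoted and entity-escaped, so a
    # stray quote in the data cannot end the attribute and start a new one.
    return '"' + html.escape(value, quote=True) + '"'

def escape_for_script_string(value):
    # A value placed inside a <script> string literal: JSON encoding handles
    # quotes and control characters, and "</" is broken up so the literal can
    # never contain a closing </script> tag.
    return json.dumps(value).replace("</", "<\\/")

def safe_link_target(value):
    # Escaping does not make a URL safe: a "javascript:" scheme in an href
    # runs code without any markup at all, so the scheme is whitelisted.
    if urlsplit(value).scheme not in ("http", "https"):
        return "#"
    return value

def render_profile(display_name, homepage):
    # Each value is escaped for the exact context it lands in.
    return (
        "<p>Hello, " + escape_for_html_text(display_name) + "</p>\n"
        "<a href=" + escape_for_attribute(safe_link_target(homepage)) + ">homepage</a>\n"
        "<script>var who = " + escape_for_script_string(display_name) + ";</script>"
    )

if __name__ == "__main__":
    # Constructed hostile inputs for the demonstration.
    print(render_profile('</script><script>alert(1)</script>', 'javascript:alert(1)'))
```

In the rendered output the only raw closing script tag is the one the template itself wrote; the attacker's copy survives only as entities in the paragraph and as a broken-up literal inside the script string.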
Insecure Direct Object References
The hacker obtains data from the server by modifying a parameter value that references one object so that it references another.
To mitigate this vulnerability, use an associative array that maps indirect references to the actual objects. Also, checks need to be in place to validate that the user is authorized to access a particular object.
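The two mitigations above, as an added example that is not from the original article: a direct lookup that hands out any record by key, beside a per-session associative map of opaque references to real keys with an ownership check on every access. The document store and users are constructed for the demonstration.

```python
import secrets

# Constructed sample data: documents with their owners.
DOCUMENTS = {
    1001: {"owner": "alice", "title": "Alice's tax return"},
    1002: {"owner": "bob", "title": "Bob's medical record"},
}

def fetch_direct(doc_id):
    # Vulnerable: the request names the database key directly and nothing
    # checks who is asking, so changing 1001 to 1002 reads another user's file.
    return DOCUMENTS[doc_id]

class UserSession:
    def __init__(self, user):
        self.user = user
        self.ref_to_id = {}  # indirect reference map, private to this session

    def reference_for(self, doc_id):
        # Issue an opaque per-session token for a document this user may see.
        self._authorize(doc_id)
        token = secrets.token_urlsafe(16)
        self.ref_to_id[token] = doc_id
        return token

    def fetch(self, token):
        # The client only ever sends the token; the real key never leaves the
        # server, and ownership is re-checked on every access regardless.
        doc_id = self.ref_to_id.get(token)
        if doc_id is None:
            raise PermissionError("unknown reference")
        self._authorize(doc_id)
        return DOCUMENTS[doc_id]

    def _authorize(self, doc_id):
        doc = DOCUMENTS.get(doc_id)
        if doc is None or doc["owner"] != self.user:
            raise PermissionError(f"{self.user} may not access document {doc_id}")

if __name__ == "__main__":
    alice = UserSession("alice")
    ref = alice.reference_for(1001)
    print(ref, "->", alice.fetch(ref)["title"])
    print(fetch_direct(1002)["title"])   # leaks Bob's record to any caller
```

The map alone would stop guessing, since tokens are random and scoped to one session; the ownership check is kept as well so that a bug elsewhere that leaks a token still cannot cross user boundaries.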
Security Misconfiguration
Security misconfigurations can occur on the server or in the application itself.
Preventive measures include:
- A solid process to deploy in the development, QA, staging and production environments
- Strong passwords used in each environment
- A process to deploy software or patches
- Regular audits to ensure the latest patches are applied and to detect misconfigurations
Sensitive Data Exposure
Sensitive data exposure results from a lack of encryption in transit or at rest. It also includes the use of weak algorithms or weak password-hashing techniques.
Do the following:
- Encrypt all sensitive data during transport and at rest
- Secure information in transit via HTTPS
- Do not store sensitive data
- Ensure you are running a modern cipher
- Use strong algorithms
- Disable autocomplete on forms that collect data
- Disable caching on forms that collect data
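The "weak techniques ... hashing passwords" point above, and the "hash or encrypt stored usernames and passwords" item under broken authentication, as an added example that is not from the original article: an unsalted fast hash beside a salted, iterated derivation with constant-time verification. The stored-record format and the iteration count are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Weak form the section warns about: an unsalted fast hash. Equal passwords
# give equal digests, and the digest can be attacked offline at full speed.
def weak_hash(password):
    return hashlib.md5(password.encode()).hexdigest()

# Iteration count is an assumption for this example; tune it so one
# verification costs a noticeable fraction of a second on your hardware.
PBKDF2_ITERATIONS = 200_000

def hash_password(password):
    # Per-user random salt plus a slow, iterated key derivation.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Self-describing record so the algorithm and cost can be raised later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check does not leak by timing.
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong", stored))                          # False
    print(weak_hash("hunter2") == weak_hash("hunter2"))              # True: same digest for every user
```

Two users with the same password get different stored records because each gets its own salt, so a cracked record tells the attacker nothing about the other; the weak form gives identical digests, which is exactly what precomputed tables exploit.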
Missing Function Level Access Control
A hacker with system access is able to make changes to a URL to obtain higher-privilege functionality.
- Deny access by default
- Don't rely on the user interface alone; make sure there is protection on the back end at the function level
- Check every URL for access control
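The three items above, as an added example that is not from the original article: a small dispatcher in which every handler registers with an explicit role set, an unlisted or role-less handler is denied by default, and the check runs on the canonicalized URL so a path with ".." cannot slip past it. The routes and users are constructed for the demonstration.

```python
import posixpath

ROUTES = {}  # canonical path -> (handler, roles allowed)

def route(path, roles=()):
    # Every handler registers with an explicit role set; the default is empty,
    # so a handler nobody thought about is unreachable rather than open.
    def register(handler):
        ROUTES[path] = (handler, frozenset(roles))
        return handler
    return register

def dispatch(raw_path, user):
    # Canonicalize before the lookup so "/account/../admin/users" is checked
    # as "/admin/users" instead of being matched against an unlisted string.
    path = posixpath.normpath(raw_path)
    entry = ROUTES.get(path)
    if entry is None:
        return 404, "not found"
    handler, allowed = entry
    # Back-end check at the function level, independent of what the UI shows.
    if not (set(user["roles"]) & allowed):
        return 403, "forbidden"
    return 200, handler(user)

@route("/account", roles={"user", "admin"})
def account(user):
    return f"account page for {user['name']}"

@route("/admin/users", roles={"admin"})
def admin_users(user):
    return "user list"

@route("/admin/debug")          # no roles given: denied to everyone
def admin_debug(user):
    return "debug console"

if __name__ == "__main__":
    # Constructed users for the demonstration.
    bob = {"name": "bob", "roles": {"user"}}
    root = {"name": "root", "roles": {"admin"}}
    print(dispatch("/admin/users", bob))                 # (403, 'forbidden')
    print(dispatch("/account/../admin/users", bob))      # (403, 'forbidden')
    print(dispatch("/admin/users", root))                # (200, 'user list')
    print(dispatch("/admin/debug", root))                # (403, 'forbidden')
```

A real framework would hang this off its router rather than a global dictionary, but the shape is the same: the allowed-roles declaration lives next to the handler, and the dispatcher, not the template that hides the menu entry, is what enforces it.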
Cross-Site Request Forgery (CSRF)
Hackers will combine CSRF with social engineering to get users to unknowingly perform actions. To prevent this occurrence, use a unique token in a hidden field or URL. Users can be required to re-authenticate or prove that they are a real user.
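The hidden-field token described above, as an added example that is not from the original article: one random token per login session is written into every state-changing form and compared in constant time on submission, so a request triggered from another site, which cannot read the victim's page, never carries the right value. The session store and form are constructed for the demonstration.

```python
import hmac
import secrets

def csrf_token_for(session):
    # One random token per login session, generated server-side; an attacker's
    # page can cause the browser to send a request but cannot read this value.
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def render_transfer_form(session):
    # The token rides in a hidden field of every state-changing form.
    return (
        '<form method="POST" action="/transfer">'
        '<input type="hidden" name="csrf_token" value="' + csrf_token_for(session) + '">'
        '<input name="amount"><button>Send</button></form>'
    )

def handle_transfer(session, form):
    # Constant-time comparison against the session's own token; a missing
    # token or a token from any other session is rejected.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount')}"

if __name__ == "__main__":
    victim = {}                      # constructed session store for one user
    print(render_transfer_form(victim))
    # Legitimate submit: the token came from the page the user loaded.
    print(handle_transfer(victim, {"csrf_token": victim["csrf_token"], "amount": "10"}))
    # Forged submits from another origin: no token, or a token the attacker
    # obtained from their own session, never matches the victim's.
    print(handle_transfer(victim, {"amount": "9999"}))
    print(handle_transfer(victim, {"csrf_token": csrf_token_for({}), "amount": "9999"}))
```

The token is URL-safe base64, so it can be embedded in the value attribute without further escaping; anything else placed in the form still needs the context-specific escaping covered under XSS.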
Using Components with Known Vulnerabilities
This refers specifically to unpatched third-party components, including open source libraries. Hackers will take advantage of old components that are not patched, because their flaws have been published. The solution is to update the affected components in the next release.
This also applies to popular CMSs like WordPress. Plug-ins are often prone to vulnerabilities, and they get patched frequently. To help keep your CMS-based site secure, ensure that you are running the latest plug-in versions.
Unvalidated Redirects and Forwards
Hackers will use phishing to trick users into going to a malicious site. To prevent this, do not use user-supplied data to determine the redirect destination directly; instead, have the destination parameter carry a mapping value that the server resolves to the real target.
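The mapping-value approach above, as an added example that is not from the original article: a redirect that echoes whatever the link carried, beside one whose parameter is only a key into a server-side table, plus a guard for the case where a relative path must be accepted. The target names, paths and hostnames are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Server-side map from the short value carried in the request to the real
# destination. Names, paths and the help host are constructed for this example.
REDIRECT_TARGETS = {
    "dashboard": "/app/dashboard",
    "settings": "/app/settings",
    "help": "https://help.example.com/",
}
DEFAULT_TARGET = REDIRECT_TARGETS["dashboard"]

def redirect_unvalidated(next_param):
    # Vulnerable: whatever the link carried is sent back as the Location, so
    # a phishing link to this site can bounce the user anywhere.
    return 302, next_param

def redirect_by_mapping(next_param):
    # Hardened: the parameter is a key, never a URL; unknown keys fall back
    # to a fixed default instead of being passed through.
    return 302, REDIRECT_TARGETS.get(next_param, DEFAULT_TARGET)

def is_local_path(value):
    # For the case where a relative path must be accepted: it has to start
    # with a single "/", because "//evil.example" and "/\evil.example" are
    # both treated as absolute URLs by browsers.
    if not value.startswith("/") or value.startswith("//") or "\\" in value:
        return False
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""

if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    print(redirect_unvalidated("https://evil.example/login"))   # passed through
    print(redirect_by_mapping("settings"))                      # (302, '/app/settings')
    print(redirect_by_mapping("https://evil.example/login"))    # (302, '/app/dashboard')
    print(is_local_path("/app/settings"), is_local_path("//evil.example/"))
```

The mapping table is the simplest form because the set of legitimate destinations is known in advance; the path guard is the fallback for applications that genuinely need to return the user to an arbitrary page on the same site.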
Staying on top of web application security will be an ongoing challenge. Being aware and using the best practices will help mitigate attacks.