
The Basics of Application Security

App security isn't black magic — developers just need to take the time to understand what's involved in attacks and how to protect from them.


The threats to your organization’s web applications are rarely simple to identify and mitigate. SQL injection, cross-site scripting, broken authentication, misconfigured web servers: these are just some of the threats your developers and security managers need to understand as software is written, tested, and deployed. With most organizations under intense pressure to deliver finished code faster than ever, errors and vulnerabilities can easily fall through the cracks.

That’s why it’s so important to have a solid grasp of the basics of web application security. Even if your organization already has an application security program in place, it’s a good idea to periodically review the elements of the program to make sure it’s still effective. This is particularly true if your development team is growing, and as the team takes on new and more ambitious projects.

Here are some of the fundamentals of an effective application security program:

  • Conducting periodic maturity assessments of your software security processes. Tools offered by OWASP make these assessments much easier: the Software Assurance Maturity Model (SAMM) gives you a framework for scoring how mature each of your security practices is, and the OWASP Top 10 gives you a checklist of the most common risk categories to measure your coverage against.
  • Implementing “defense-in-depth” practices. With defense-in-depth, you build multiple layers of security into your code and systems, so that a single mistake in one layer does not by itself expose the application. Deploying overlapping security tools and processes such as input validation, server configuration, database layer abstraction (parameterized queries or an ORM rather than string-built SQL), WAFs, proxies, and encryption significantly bolsters your applications’ defenses.
  • Training developers on security issues. If your developers believe app security lies primarily on the network side, in firewalls and SSL/TLS, this is a problem: most of the vulnerabilities listed above are in application code, not in the network. Ongoing application security training for developers is a crucial part of your organization’s security program.
  • Verifying security during development. Having another set of eyes on your code during development, in the form of a code review, is very important to keeping applications secure. Automated static analysis tools are available to scan source code during development, so that issues are found and fixed as early as possible in the SDLC, when they are cheapest to correct.
  • Monitoring the security of apps in production. The process doesn’t end once your apps go into production. Monitor the behavior of your application to establish good baselines for normal traffic levels and patterns. If you see sharp increases or decreases, this could be due to malicious activity. Instrument your application to track significant events (signups, sales, posts, etc.) and investigate any significant changes. If your application generates exceptions or logs errors, these could be indicators that someone is attempting an attack. Invest in systems that help you monitor this type of activity so attacks don’t go unnoticed.
  • Ensuring you’re not using components with known vulnerabilities. This is a risk that’s familiar to most, but it’s worth repeating: vulnerabilities in third-party open source components can remain unaddressed for months or even years! It’s tempting to save time by skipping the step of checking your dependencies against known vulnerabilities, but do yourself a favor and don’t take the risk.
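To make the defense-in-depth point concrete, here is an added example (written for this page, not code from the original article or its author) showing the SQL injection case from the introduction with two independent layers in front of it: input validation and a parameterized query. The in-memory SQLite database, the `users` table and the usernames are constructed sample data; the regex allow-list for usernames is an assumption about what this hypothetical application accepts.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: two users, in memory (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the untrusted value is spliced into the SQL text,
    so a payload like x' OR '1'='1 changes the query's logic."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


# Layer 1: input validation. The allow-list is an assumption for this example;
# real applications should derive it from what the field legitimately needs.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username):
    return bool(USERNAME_RE.match(username))


def find_user_parameterized(conn, username):
    """Layer 2 on its own: the driver sends the value separately from the SQL text,
    so the payload is compared as a literal string and matches no row."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def find_user_hardened(conn, username):
    """Both layers: reject malformed input first, then query with parameters.
    Returns None when the input is rejected so the caller can log and move on."""
    if not validate_username(username):
        return None
    return find_user_parameterized(conn, username)


def compare(username):
    """Run the same input through each variant; used to show the layers side by side."""
    conn = make_db()
    return {
        "vulnerable": sorted(find_user_vulnerable(conn, username)),
        "parameterized": sorted(find_user_parameterized(conn, username)),
        "hardened": find_user_hardened(conn, username),
    }


if __name__ == "__main__":
    for candidate in ("alice", "x' OR '1'='1"):
        print(candidate, compare(candidate))
```

Either layer alone stops this particular payload; keeping both means that a future code path which forgets to validate is still protected by the parameterized query, and a query that someone later rewrites as string concatenation is still protected by validation.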

By implementing these approaches in your organization, and by repeating them periodically and iterating your methods as needs evolve, you’ll go a long way towards securing your web applications.
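The production monitoring item above (baseline normal event rates, then investigate sharp increases or decreases) can be turned into a small detector. The following is an added example, not code from the original article: it parses constructed sample log lines, buckets application events per minute, fills in minutes with no events so that drops are visible, and flags any minute whose count falls outside the baseline mean plus or minus k standard deviations. The log format, event names, the five-minute baseline window and the threshold parameters are all assumptions made for the example.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed sample log (not real traffic): five quiet minutes with 10 signups and
    1 failed login each, then a sixth minute where signups stop and failed logins spike."""
    lines = []
    for minute in range(5):
        for i in range(10):
            lines.append(f"2016-05-03T10:{minute:02d}:{i:02d}Z event=signup user=u{minute}{i}")
        lines.append(f"2016-05-03T10:{minute:02d}:30Z event=login_failed user=v{minute}")
    for i in range(40):
        lines.append(f"2016-05-03T10:05:{i:02d}Z event=login_failed user=guess{i}")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()

# Assumed line format: ISO timestamp, then key=value fields; we keep the minute and the event.
LINE_RE = re.compile(r"^(?P<minute>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\dZ event=(?P<event>\w+)")
MINUTE_FMT = "%Y-%m-%dT%H:%M"


def minute_range(first, last):
    """Every minute from first to last inclusive, so silent minutes count as zero."""
    t, end = datetime.strptime(first, MINUTE_FMT), datetime.strptime(last, MINUTE_FMT)
    out = []
    while t <= end:
        out.append(t.strftime(MINUTE_FMT))
        t += timedelta(minutes=1)
    return out


def bucket_by_minute(log_text):
    """Return ({event: Counter(minute -> count)}, [all minutes in the log's span])."""
    per_event = defaultdict(Counter)
    seen = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that don't parse are ignored here; in production, count them too
        per_event[m.group("event")][m.group("minute")] += 1
        seen.add(m.group("minute"))
    if not seen:
        return per_event, []
    return per_event, minute_range(min(seen), max(seen))


def find_anomalies(series, minutes, event, baseline_minutes=5, k=3.0, floor=1.0):
    """Flag minutes whose count for `event` is more than k standard deviations away from
    the mean of the first `baseline_minutes`. The stdev is floored so a perfectly flat
    baseline still yields a usable threshold. Returns (minute, event, kind, count) tuples."""
    counts = [series[event].get(m, 0) for m in minutes]  # zero-filled, so drops show up
    baseline = counts[:baseline_minutes]
    mean = statistics.mean(baseline)
    spread = max(statistics.pstdev(baseline), floor)
    high, low = mean + k * spread, mean - k * spread
    alerts = []
    for minute, count in zip(minutes, counts):
        if count > high:
            alerts.append((minute, event, "spike", count))
        elif count < low:
            alerts.append((minute, event, "drop", count))
    return alerts


if __name__ == "__main__":
    series, minutes = bucket_by_minute(SAMPLE_LOG)
    for event in ("signup", "login_failed"):
        for alert in find_anomalies(series, minutes, event):
            print(alert)
```

On the sample data this reports a spike of 40 failed logins and a drop to zero signups in the same minute. A static first-five-minutes baseline is only a starting point; a real deployment would use a rolling window long enough to cover daily and weekly cycles, and would treat a burst of exceptions or error log lines as its own event series.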


Topics:
security ,software ,web application security

Published at DZone with permission of Mike Milner, DZone MVB. See the original article here.
