The threats to your organization’s web applications are rarely simple to identify and mitigate. SQL injections, cross-site scripting errors, broken authentication, misconfigured web servers — these are just some of the threats your developers and security managers need to understand as software is written, tested, and deployed. With most organizations under intense pressure to deliver finished code faster than ever, errors and vulnerabilities can easily fall through the cracks.
That’s why it’s so important to have a solid grasp of the basics of web application security. Even if your organization already has an application security program in place, it’s a good idea to periodically review the elements of the program to make sure it’s still effective. This is particularly true if your development team is growing, and as the team takes on new and more ambitious projects.
Here are some of the fundamentals of an effective application security program:
- Conducting periodic maturity assessments of your software security processes. Tools offered by OWASP, including its Software Assurance Maturity Model and the OWASP Top 10, help make these assessments much easier.
- Implementing “defense-in-depth” practices. With defense-in-depth, you build multiple layers of security into your code and systems. Deploying overlapping security tools and processes such as input validation, server configuration, database layer abstraction, WAFs, proxies, and encryption significantly bolsters your applications’ defenses.
- Training developers on security issues. If your developers believe app security lies primarily on the network side, in firewalls and SSL, this is a problem. Ongoing application security training for developers is a crucial part of your organization’s security program.
- Verifying security during development. Having another set of eyes on your code during development, in the form of a code review, is very important to keeping applications secure. Automated tools are available to scan source code during development, to mitigate issues as early as possible in the SDLC.
- Monitoring the security of apps in production. The process doesn’t end once your apps go into production. Monitor the behavior of your application to establish good baselines for normal traffic levels and patterns. If you see sharp increases or decreases, this could be due to malicious activity. Instrument your application to track significant events (signups, sales, posts, etc.) and investigate any significant changes. If your application generates exceptions or logs errors, these could be indicators that someone is attempting an attack. Invest in systems to help you monitor this type of activity so attacks don’t go unnoticed.
- Ensuring you’re not using components with known vulnerabilities. This is a risk that’s familiar to most, but it’s worth repeating: vulnerabilities in third-party open source components can remain unaddressed for months or even years! It’s tempting to save time by skipping the step of checking for known vulnerabilities, but do yourself a favor and don’t take the risk.
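The production-monitoring point above (baseline the normal rate of a business event and of server errors, then flag sharp changes in either direction) as an added example in Python; this is illustration code written for this page, not any vendor's monitoring product. The log format, the `/signup` path, and all traffic figures are constructed for the example.

```python
import re
import statistics
from collections import Counter

# Constructed minimal access-log format: "<ISO minute> <method> <path> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

def count_per_minute(lines, matches):
    """Count lines satisfying `matches` per minute; minutes that saw only other
    traffic stay at zero so that a sudden drop to nothing is still visible."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        counts[m["ts"][:16]] += 1 if matches(m) else 0
    return counts

def flag_anomalies(baseline, current, sigma=3.0, min_abs=3):
    """Minutes in `current` whose count is more than `sigma` standard deviations from
    the baseline mean, in either direction (spikes and drops both matter). `min_abs`
    keeps a perfectly flat baseline (stdev 0) from flagging every one-off change."""
    values = list(baseline.values())
    mean, stdev = statistics.mean(values), statistics.pstdev(values)
    threshold = max(sigma * stdev, min_abs)
    return {minute: n for minute, n in sorted(current.items()) if abs(n - mean) > threshold}

is_signup = lambda m: m["method"] == "POST" and m["path"] == "/signup"
is_server_error = lambda m: m["status"].startswith("5")

def detect(baseline_lines, recent_lines):
    """Compare recent traffic with the baseline for the two signals the text names:
    a business event (signups) and server-side errors."""
    return {
        "signups": flag_anomalies(count_per_minute(baseline_lines, is_signup),
                                  count_per_minute(recent_lines, is_signup)),
        "errors": flag_anomalies(count_per_minute(baseline_lines, is_server_error),
                                 count_per_minute(recent_lines, is_server_error)),
    }

def sample_minutes(hour, signups, errors):
    """Constructed log lines (not real traffic): per minute, some signups, some 5xx
    errors, and one ordinary request so the minute exists even when both are zero."""
    lines = []
    for i, (s, e) in enumerate(zip(signups, errors)):
        ts = f"2024-01-01T{hour}:{i:02d}"
        lines += [f"{ts} POST /signup 200"] * s + [f"{ts} GET /search 500"] * e + [f"{ts} GET / 200"]
    return lines

BASELINE_LOG = sample_minutes("10", [5, 6, 5, 4, 6, 5, 5, 6, 4, 5], [0, 1, 0, 0, 1, 0, 0, 1, 0, 0])
RECENT_LOG = sample_minutes("11", [5, 0, 6, 5], [0, 1, 14, 0])
```

Running `detect(BASELINE_LOG, RECENT_LOG)` flags minute 11:01, where signups dropped to zero, and minute 11:02, where 5xx errors jumped to 14; both are the kind of change the text says to investigate rather than a verdict on their cause.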
By implementing these approaches in your organization, and by repeating them periodically and iterating your methods as needs evolve, you’ll go a long way towards securing your web applications.