Essential Tips To Secure Web Applications - Indusface Blog

This document provides tips for securing web applications, focusing on design, development, and implementation. It discusses establishing secured and validated inputs, robust authentication and authorization practices, protecting data, handling failures, and implementing auditing and logging. The majority of vulnerabilities are found in application code, so emphasis on secure coding practices is important.

5/5/2020 Essential Tips to Secure Web Applications | Indusface Blog

Tips to Protect Web Applications

From 200 million in the year 2000 to 3.5 billion users in 2019, the staggerin
testimony of the internet’s all-pervasive nature. It has transformed itself from
necessity indispensable for any entity.

As the world and its economy is fully internet-dependent now, it is fully expo
threats of online attacks from malicious hackers, syndicate gangs, spy agen
hostile governments. Earlier, most of the online attacks ended up defacing
thefts, and DoS. More recently, cyber-attacks are more of ransomware
nature. Ransomware attacks hijack operations for an exorbitant cost.

In a study report conducted by Sonicwall, 2019 saw a 52% increase in attac
applications. Some of the organizations and products which have been con
impregnable viz Apple iPhones or some US defence sites were breached in
with minimal impact. This leads us to conclude that no application or device
internet is ever secured permanently. A foolproof design based on threat m
threat profiles, and secured design patterns are the building blocks of imple
applications security.

Most companies invest heavily in network security and firewalls to ensure b
kept at bay. Secured networks are undoubtedly a very important and critica
application security apparatus and should be done with cautious planning.
most important aspect of any web application security is its overall design a
implementation. In 2019, of all the successful attacks, 82% of vulnerabilities
application code. The focus of this write-up is more design, development, a
of web applications. No network security and firewall can safeguard against
application.

Web application security eco-system encompasses the following technolog

1. Secured design patterns using prominent programming languages.
2. Robust design framework based on OWASP top 10 list of risks. (https://ow
project-top-ten/)
https://www.indusface.com/blog/tips-to-protect-web-applications/ 1/5
3. Secure coding practices. This includes automated code analysis and vulne
scanners.
4. Thorough security testing at multiple levels. A few testing strategies:
Input testing.
White box testing. Employing source code analyzers.
Black box testing using security scanners for vulnerabilities and pene
Brute force attacks testing.
DoS attacks testing.
5. Compartmentalized and isolated deployment.
6. Web application firewalls (WAF).

As most vulnerabilities are found in application codes, more emphasis on th
applications is never a redundant exercise. Web application security can be
on the security framework, which can be broken down into the following seg

Secured and validated Inputs:

The city of Troy was impregnable until the incoming traffic was sanitized. Th
was an unverified input which eventually allowed intruders in. Users interac
mobile application through the interfaces that ask for inputs. This is also the
which a known hacker breaches the security by the well-known vulnerability
scripting or XSS. 54% of vulnerabilities are attributed to cross-scripting.

Some of the guidelines in this category are:

All inputs, including form fields, cookies, query strings, HTTP headers, sho
strong validations and trust factor authentication.
Centralised input validation should be the preferred method to validate inp
Client-side validations should be completely avoided.
Validate for type, length, format, and range
Validate, Filter, scrub, constrain, reject and sanitise the input data.
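The guidelines above (validate every input source for type, length, format and range; keep validation centralised and server-side; reject rather than repair) as an added, runnable example. This is not code from the original post: the field names, limits and the small rule table are assumptions for illustration, and the greeting renderer shows the output-encoding half of XSS defence that the post refers to.

```python
import re
from html import escape
from typing import Any, Callable, Dict

# Constructed example: a centralised, server-side validation layer.
# Field names and limits below are assumptions, not taken from the post.

class ValidationError(ValueError):
    pass

def string_rule(max_len: int, pattern: str) -> Callable[[Any], str]:
    """Check type, then length, then format (whole-string match)."""
    regex = re.compile(pattern)
    def check(value: Any) -> str:
        if not isinstance(value, str):
            raise ValidationError("expected string")
        if len(value) > max_len:
            raise ValidationError(f"longer than {max_len}")
        if not regex.fullmatch(value):
            raise ValidationError("bad format")
        return value
    return check

def int_rule(lo: int, hi: int) -> Callable[[Any], int]:
    """Accept an int or a plain decimal string, then enforce the range."""
    def check(value: Any) -> int:
        if isinstance(value, bool):
            raise ValidationError("expected integer")
        if isinstance(value, str):
            if not re.fullmatch(r"-?[0-9]{1,18}", value):
                raise ValidationError("expected integer")
            value = int(value)
        if not isinstance(value, int):
            raise ValidationError("expected integer")
        if not lo <= value <= hi:
            raise ValidationError(f"out of range {lo}..{hi}")
        return value
    return check

# One rule table for every input source (form, query string, cookies,
# headers) so that nothing is validated ad hoc in individual handlers.
RULES: Dict[str, Dict[str, Callable[[Any], Any]]] = {
    "form":   {"username": string_rule(32, r"[A-Za-z0-9_.-]+"),
               "age": int_rule(0, 150)},
    "query":  {"page": int_rule(1, 10_000)},
    "cookie": {"session": string_rule(64, r"[A-Fa-f0-9]+")},
    "header": {"X-Request-Id": string_rule(36, r"[A-Za-z0-9-]+")},
}

def validate(source: str, raw: Dict[str, Any]) -> Dict[str, Any]:
    """Return only the expected fields, normalised; unknown fields are
    dropped and any missing or invalid field rejects the whole request."""
    clean: Dict[str, Any] = {}
    for name, rule in RULES[source].items():
        if name not in raw:
            raise ValidationError(f"{source}.{name}: missing")
        try:
            clean[name] = rule(raw[name])
        except ValidationError as err:
            raise ValidationError(f"{source}.{name}: {err}") from None
    return clean

def render_greeting(username: str) -> str:
    """Encode for the HTML context at output time, even after validation."""
    return f"<p>Hello, {escape(username, quote=True)}</p>"
```

Every handler calls `validate()` with the source name and the raw mapping it received, so the rules live in one place and a change to a limit is made once. Validation narrows what is accepted; `render_greeting()` shows that output encoding is still applied, because a value that is valid for one context is not automatically safe for another.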

A very nice explanation of XSS and steps to prevent it is provided in Google
documentation, which can be found at Google’s Application Security guidel

Authentication
If a web application is a vault, authentication is its lock and key. Only autho
have the key to the lock can only enter the vault. Managing authentication u
passwords, 2-way authentication, and/or digital tokens should be securely i
Many applications allow the transit of passwords in plaintext. This is a recip
Many applications allow SSOs for organization-wide integration. Ensure the
policy of ADS, LDAP, or any other directory services have a strong authenti
mechanism.

Important guidelines in this category are:

Create DMZs and partitions between authenticated and identified areas.
Use strong passwords and implement strong password policies.
Do not store credentials in plaintext
Store credentials in one-way hashes with salt.
Authentication tokens only through encrypted communication channels.
Authentication cookies should transfer only over HTTPS connections
Continuous testing with password hacking tools to eliminate weak passwo
SSL, IPSec, DPAPI are used to transmit and secure passwords as far as p

Authorization
Authentication and authorization always go hand-in-hand. While authentica
who can log in to the application, authorization is about what one can do aft
Can a user start or stop a service? Can a user rename, delete, suspend or
passwords of other users and many other levels of permissions? Can a use
database directly? Can a user access an API?

Authorization is not just limited to just users, but execution permissions to s
integration with other applications, exposure to APIs, and databases also a
aspect of authorization.

Important guidelines to follow:

Use the principle of least privilege.
Provide granular, role-based access.
Do not expose system-level resources to users.
Use strong encryption keys to access system resources.
Use secured tools, and encrypted if possible, for remote administration.
Prevent access to session states.
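The least-privilege and granular role-based access guidelines above as an added example (not from the original post). Roles, permission names and the owner rule are assumptions chosen to mirror the post's own questions: can a user start or stop a service, can a user reset other users' passwords.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Constructed example, not the post's code: deny-by-default RBAC.
# Permissions are "resource:verb" strings; each role grants the minimum set.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer":   frozenset({"report:read"}),
    "operator": frozenset({"report:read", "service:start", "service:stop"}),
    "admin":    frozenset({"report:read", "service:start", "service:stop",
                           "user:reset_password"}),
}

@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str] = field(default_factory=frozenset)

class Forbidden(PermissionError):
    pass

def is_allowed(principal: Principal, permission: str,
               resource_owner: Optional[str] = None) -> bool:
    """Allowed only if some role grants exactly this permission, or the caller
    owns the resource. Unknown roles grant nothing; there is no wildcard."""
    granted = set()
    for role in principal.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    if permission in granted:
        return True
    return resource_owner is not None and resource_owner == principal.user_id

def require(principal: Principal, permission: str,
            resource_owner: Optional[str] = None) -> None:
    """Enforcement point: every sensitive operation calls this first."""
    if not is_allowed(principal, permission, resource_owner):
        raise Forbidden(f"{principal.user_id} lacks {permission}")

def stop_service(actor: Principal, name: str) -> str:
    require(actor, "service:stop")
    return f"stopped {name}"

def reset_password(actor: Principal, target_user: str) -> str:
    # Users may reset their own password; anyone else needs the admin right.
    require(actor, "user:reset_password", resource_owner=target_user)
    return f"password reset for {target_user}"
```

The check is deny by default: a principal with no roles, or with a role name that is not in the table, gets nothing. Ownership is an explicit exception scoped to one resource, which is how a self-service action is granted without handing out the organisation-wide permission.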

Data protection
A web application’s main objective is to access, store, and present data. Ac
databases and data storage is vital. Applications store data on primary and
storage. Primary storage, like memory and secondary storage, like disks, a
vulnerable to security breaches. If an intruder gains access to memory add
access the vital data that the application is processing. When it comes to se
encryption of data while in transit and at rest becomes absolutely necessary

Few guidelines in the category are:

Use persistent cookies for non-sensitive ephemeral data.
RESTful APIs over HTTP should not be used to transfer sensitive data.
Separate data storage from the application engine with strong access cont
encrypted keys.
Ensure caches are also on encrypted storage.

Failure handling
Usually, when attacks happen, especially the DOS type of attacks, services
stop functioning as expected. In case of a function failure, exception handlin
ensure graceful failures and swift garbage cleaning to prevent leakages.

Sensitive application implementation details, objects, and methods should
in the event of failures.
Ensure memory and core dumps are stored in a secured location – encryp

Audit and logging
Applications should have fully equipped logging and audit functionality to m
trace, and audit all activities.

Monitor, identify, and document malicious behaviour. Create triggers accor
Every component and tier must be logged.
Ensure strict authorization to access log files
Backup log files regularly in secured locations.
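The failure-handling and audit-and-logging sections together, as one added example that is not part of the original post: a request wrapper that fails gracefully without exposing implementation details, a structured audit record for each security-relevant event, and a trigger on repeated failed logins. The event names, the threshold and the window are assumptions.

```python
import json
import logging
import time
import traceback
import uuid
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

# Constructed example, not the post's code. The "audit" logger is assumed to
# be shipped to a write-restricted location by the logging configuration.
audit_log = logging.getLogger("audit")

def audit(event: str, **fields) -> dict:
    """Emit one JSON record per event; the record is returned for callers/tests."""
    record = {"ts": time.time(), "event": event, **fields}
    audit_log.info(json.dumps(record))
    return record

def handle_request(handler: Callable[[dict], dict], request: dict) -> Tuple[int, dict]:
    """Run a handler. On any failure, the full trace goes to the audit log and
    the client receives only a generic message plus a correlation id."""
    request_id = str(uuid.uuid4())
    try:
        return 200, handler(request)
    except Exception as exc:
        audit("internal_error", request_id=request_id, path=request.get("path"),
              error=repr(exc), trace=traceback.format_exc())
        # No exception type, query text, file path or stack trace leaves the server.
        return 500, {"error": "internal error", "request_id": request_id}

class FailedLoginTrigger:
    """Flag a source that exceeds `threshold` failed logins within `window_s`."""
    def __init__(self, threshold: int = 5, window_s: float = 300.0):
        self.threshold = threshold
        self.window_s = window_s
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)

    def record_failure(self, source_ip: str, username: str, now: float) -> bool:
        q = self.failures[source_ip]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop events outside the window
            q.popleft()
        audit("login_failed", source_ip=source_ip, username=username)
        if len(q) >= self.threshold:
            audit("alert_bruteforce_suspected", source_ip=source_ip, count=len(q))
            return True
        return False
```

The `request_id` is the bridge between the two halves: the client can quote it to support, and the operator looks it up in the audit log, where the detail lives. The trigger keeps only timestamps per source, so it stays cheap and can run inline in the login path.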

Top Web Application Security Issues

Server security
Having looked at the design of web applications, let us also look at another
aspect of web applications security – Servers on which the web application
Servers are important as they house the web applications. If not configured
are the first defence which falls apart, leaving the application exposed to th
Guidelines to secure application servers are as below:

Hardening, patching, and updating the server. OS is patched regularly with
patches.
Strong passwords and login audit policies implemented. PAM, NIS, and/or
provide a robust login framework for SSOs. Least access privileges are th
followed.
Logging and audit of login attempts, successful and unsuccessful.
Strong, robust and secured filesystems, volume managers, and drivers. Al
components are patched and updated regularly.
Regular screening of open ports, services, processes and unused protoco
Removal of redundant kernel modules.
All protocol communications are secured and encrypted.
ACLs, Registry, and Policies are preserved and protected with adequate b
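The "regular screening of open ports, services, processes" guideline above as an added example, not taken from the post: a parser for the Linux /proc/net/tcp socket table that lists listening sockets and flags any port not on an allowlist. The sample table and the allowlist are constructed; on a real host, read /proc/net/tcp (and /proc/net/tcp6 for IPv6) instead of the sample string.

```python
import socket
import struct
from typing import Iterable, List, Tuple

# Constructed example, not the post's code. /proc/net/tcp encodes each
# address as little-endian hex IPv4 followed by a hex port; state 0A is LISTEN.
LISTEN = "0A"

# Constructed sample of /proc/net/tcp: sshd on 22, a DB on localhost:3306,
# a web server on 80, one established client connection, and telnet on 23.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18745 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 18901 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 19022 1 0000000000000000 100 0 0 10 0
   3: 0A00000F:C9B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 21003 1 0000000000000000 20 4 30 10 -1
   4: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22410 1 0000000000000000 100 0 0 10 0
"""

def decode_addr(hex_addr: str) -> Tuple[str, int]:
    """'0100007F:0016' -> ('127.0.0.1', 22)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def listening_sockets(table: str) -> List[Tuple[str, int, int]]:
    """Return (ip, port, uid) for every socket in LISTEN state."""
    result = []
    for line in table.splitlines()[1:]:        # skip the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        result.append((ip, port, int(fields[7])))
    return result

def unexpected_listeners(table: str, allowed_ports: Iterable[int]) -> List[Tuple[str, int, int]]:
    """Listening sockets whose port is not on the allowlist: review each one."""
    allowed = set(allowed_ports)
    return [s for s in listening_sockets(table) if s[1] not in allowed]

if __name__ == "__main__":
    for ip, port, uid in unexpected_listeners(SAMPLE_PROC_NET_TCP, {22, 80, 3306}):
        print(f"unexpected listener {ip}:{port} (uid {uid})")
```

Run from cron with the real file, a diff of this list against the previous run is a cheap detection for a new service or a port opened by a misconfiguration; the uid tells you which account owns the socket, which is the first question when a listener is not on the list.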

Testing

Even though one may secure the applications and servers at a point in time
software stack is updated, new vulnerabilities still creep in. That’s why frequ
depth testing is important. Here’s a guideline from OWASP (https://owasp.o
web-security-testing-
guide/assets/archive/OWASP_Web_Application_Penetration_Checklist_v1_
