Web applications are very important to corporations because they give remote users quick access to corporate resources through user-friendly interfaces. Applications built without considering security can be a big risk to both the organization and its users. Applications must follow good security practices during the initial design and development phases so that the various security vulnerabilities are taken care of at the platform level and not as an after-the-fact patch.
This article mainly focuses on key security factors to be considered by the application design and development teams when developing a web application.
1. Authentication & Authorization:
This is always the first line of defense. The application must recognize the claimed user or entity (server or program). Authorization then determines what access the user has, where a user can connect from, at what time they can connect and the type of encryption required.
2. Session management:
A common vulnerability of web applications is caused by not protecting account credentials and session tokens. An unauthorized user can hijack a session and impersonate a valid user’s identity.
3. Input Validation and Cross Site Scripting (XSS):
The attacker bypasses security mechanisms by adding malicious code to open parameters in an application. An open parameter could be a URL, query string, header, cookie, form field, or hidden field: any parameter for which the application does not verify that the data received is the data it would normally expect.
4. SQL Injection:
SQL injection specifically targets a parameter that passes through to an SQL database, allowing an attacker to modify, erase, copy or corrupt an entire database from the web application.
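The points made under items 3 and 4 above, shown as an added example that is not part of the original article: a lookup that concatenates a request parameter into the SQL text, beside the same lookup with a parameterized query and an allow-list input check. The table, sample rows and function names are constructed for this illustration.

```python
import re
import sqlite3

# Constructed in-memory sample data for the demonstration (not from any real system).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def validate_username(username):
    # Item 3: an allow-list check. Anything outside the expected shape is rejected
    # before it reaches the database or the HTML response.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None

def lookup_vulnerable(conn, username):
    # Item 4, the defect: the request parameter is spliced into the SQL text,
    # so a quote character in the value changes the structure of the query.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, username):
    # The fix: a placeholder keeps the value as data. The driver never parses
    # it as SQL, so the same hostile input simply matches no row.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

def main():
    conn = make_db()
    hostile = "' OR '1'='1"          # classic textbook tautology input
    print(validate_username(hostile))          # False: rejected at the input layer
    print(lookup_vulnerable(conn, hostile))    # every row in the table leaks
    print(lookup_parameterized(conn, hostile)) # []

if __name__ == "__main__":
    main()
```

Run against a real application, the two database-layer checks above are what a code review should compare: every query built with string concatenation from request data is a finding, regardless of what input validation sits in front of it.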
5. Buffer Overflows:
The buffer overflow attack involves sending more data into a given field than the application expects for it. Such attacks can cause the application to abandon its normal behavior and begin executing commands on behalf of the attacker.
6. Encryption:
Sensitive data should be protected using cryptographic algorithms such as SHA-1, MD5, etc. Use a secured transport layer for data exchange in the application by installing SSL certificates from an authorized vendor.
7. Error Handling:
Errors are inevitable. Though an effort is made to identify all potential errors and handle them appropriately, some may remain unanticipated. The application must have protocols for these errors as well.
8. Logging:
Logging is crucial to an organization's ability to track unauthorized access and to determine whether any access attempt was successful. Logs are vital to reconstructing the events leading to a program failure. Log as much as possible.
9. Web Application and Server Configuration:
Out of the box, servers are laden with vulnerabilities. They must be patched before web services are installed. All default settings should be reviewed, and unnecessary services deleted or disabled.
Externally facing applications have given corporations great flexibility and greater efficiency. What secures an application today may need to be changed tomorrow. Constant review and attention to the current security threat environment are necessary to maintain the application's security.
Karthik Kulkarni | 15 June, 2016
Senior Engineer - Quality Assurance