Most businesses today rely on web applications to deliver services to their customers: content and details of the services offered, interaction with customers, and selling products and services online. Modern web development has many challenges, and among them security is both very important and often under-emphasized. Web application security still poses a challenge to businesses, because the preferred method for attacking a business's online assets is via its web applications.
According to the Imperva 2015 Web Application Attack Report (WAAR), a typical application suffered 3 times more SQL Injection attacks and 2.5 times more Cross-Site Scripting attacks. Most vulnerabilities, quite simply, are the consequence of lousy programming in which exceptions, boundaries, credentials, etc., weren’t validated effectively. Sometimes administration issues, such as a failure to configure or update components properly, add to the danger of insecure web applications.
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more.
The current list is topped by Injection and Cross-Site Scripting attacks, which are commonly found in web applications. Moreover, zero-day vulnerabilities should be guarded against through regular updating and patching.
Follow these rules to ensure basic security of web applications:
- Ensure that software development teams follow secure web application design and coding practices to combat vulnerabilities.
- Proper exception handling and handling of error messages should be built in at the development stage itself.
- Manage sensitive and user information in compliance with ISPs.
- A comprehensive IT security audit should be carried out before the deployment/launch of a web application.
- Inputs from the user/client should be validated on the server side, preferring whitelists (allow-lists) over blacklists.
- Avoid injection attacks by escaping special characters and using prepared/parameterized statements in database queries.
- Use of a hidden token in transaction requests, together with strong and random session tokens, further strengthens the security of the application.
- Classified or critical information should never be stored in hidden fields/cookies. Further, cache-control directives and proper cookie attributes should be used.
- Other measures, e.g. HTTP redirection during login, forced logout on suspicious activity and invalidation of sessions after logout, should be implemented when coding the application.
- Logs should be maintained and analysed properly.
- All sensitive or critical information in code, database or logs should be encrypted/encoded.
- Vendor security controls mentioned in the guidelines should be followed and made part of the organisation’s information security policy in all cases where a third party is involved.
- A Secure Development Life Cycle (SDLC) should be followed in customized development of applications.
- A web application firewall should be installed to filter and monitor inbound as well as outbound traffic.
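The following is an added example, not code from the original article or from OWASP, showing what several of the rules above look like on the server side: a whitelist check on input, a query built by string concatenation beside its parameterized form, random session and anti-forgery tokens, server-side session invalidation on logout, and cookie/cache headers. It uses Python's standard library only; the `users` table, the `SessionStore` class and the function names are constructed for illustration and do not correspond to any real application.

```python
"""Added example: server-side checks behind several of the rules above."""
import re
import secrets
import sqlite3

# --- Input validation and injection (rules on whitelisting and parameterized queries) ---

# Allow-list: a username may contain only these characters, 3 to 32 of them.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def valid_username(value: str) -> bool:
    """Server-side whitelist check; anything not matching is rejected outright."""
    return USERNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from any real system) in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the rules warn against: raw input becomes part of the SQL text."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: reject input outside the allow-list, then bind it as a parameter
    so the driver never interprets it as SQL."""
    if not valid_username(username):
        raise ValueError("username rejected by allow-list")
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# --- Sessions, cookies and anti-forgery tokens (rules on tokens, cookie attributes, logout) ---

class SessionStore:
    """In-memory session table: session id -> user plus a per-session anti-forgery token."""

    def __init__(self) -> None:
        self._sessions = {}

    def login(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG: long, random and unguessable session id.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
        return sid

    def user_for(self, sid: str):
        return self._sessions.get(sid, {}).get("user")

    def csrf_token(self, sid: str):
        """The hidden token to embed in transaction forms for this session."""
        return self._sessions.get(sid, {}).get("csrf")

    def check_csrf(self, sid: str, submitted) -> bool:
        """Compare the submitted hidden token with the session's own, in constant time;
        a missing token or an unknown session always fails."""
        expected = self.csrf_token(sid)
        if expected is None or not isinstance(submitted, str):
            return False
        return secrets.compare_digest(expected.encode(), submitted.encode())

    def logout(self, sid: str) -> None:
        """Invalidate server-side, so a cookie captured earlier is useless afterwards."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value with the attributes the rules call for: Secure (HTTPS only),
    HttpOnly (unreadable by page script), SameSite (not sent on cross-site requests)."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def no_store_headers() -> dict:
    """Cache-control directives for responses carrying sensitive data."""
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}


if __name__ == "__main__":
    db = make_db()
    print(lookup_email_vulnerable(db, "x' OR '1'='1"))  # both rows: the WHERE clause was rewritten
    print(lookup_email_safe(db, "alice"))               # ['alice@example.com']
    store = SessionStore()
    sid = store.login("alice")
    print(session_cookie(sid))
    print(store.check_csrf(sid, store.csrf_token(sid)), store.check_csrf(sid, "wrong"))
    store.logout(sid)
    print(store.user_for(sid))                          # None: session gone after logout
```

Note that the parameterized query alone already stops the injection; the allow-list check in front of it is the second layer the rules ask for, and it also keeps malformed input out of logs and error messages.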