Most businesses today rely on web applications to deliver services to their customers: publishing content and details of the services offered, interacting with customers, and selling products and services online.
Modern web development has many challenges, and of those security is both very important and often under-emphasized.
The preferred method for attacking businesses' online assets is via their web applications. According to Imperva's 2015 Web Application Attack Report (WAAR), a typical application suffered 3 times more SQL Injection attacks and 2.5 times more Cross-Site Scripting attacks.
Most vulnerabilities, quite simply, are the consequence of lousy programming in which exceptions, boundaries, credentials, etc. were not validated effectively. Sometimes administration issues, such as a failure to configure or update components properly, add to the danger of insecure web applications.
- Ensure that software development teams follow secure web application design and coding practices to combat vulnerabilities.
- Proper exception handling and handling of error messages should be built in at the development stage itself.
- Manage sensitive and user information in compliance with ISPs.
- A comprehensive IT security audit should be carried out before the deployment/launch of a web application.
- Inputs from the user/client should be validated at the server level, preferring whitelists over blacklists.
- Avoid injection attacks by escaping special characters and by using prepared/parameterized statements in database queries.
- Use of a hidden token in transaction requests, together with strong and random session tokens, further strengthens the security of the application.
- Classified or critical information should never be stored in hidden fields/cookies. Further, Cache-Control directives and proper cookie attributes should be in place.
- Other measures, e.g. HTTP redirection during login, forced logout on suspicious activity and invalidation of sessions after logout, should be implemented during coding of the application.
- Logs should be maintained and analysed properly.
- All sensitive or critical information in code, databases or logs should be encrypted/encoded.
- Vendor security controls mentioned in the guidelines should be followed and made part of the organisation's information security policy in all cases where a third party is involved.
- A Secure Development Life Cycle (SDLC) should be followed in customised development of applications.
- A web application firewall should be installed to filter and monitor inbound as well as outbound traffic.
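The following Python sketch is an added illustration of several of the items above (server-side whitelist validation, parameterized database queries, a hidden per-session token, random session tokens, cookie attributes and Cache-Control, and session invalidation on logout); it is not code from the original page. It uses an in-memory SQLite database with constructed sample users, and all function and class names (`lookup_unsafe`, `lookup_safe`, `validate_username`, `SessionStore`, `session_headers`) are hypothetical.

```python
import re
import secrets
import sqlite3


def build_db():
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, data TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-data"), ("bob", "bob-data")])
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: user text is concatenated into the SQL, so it can
    change the query's logic instead of being treated as a value."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Hardened form: a parameterized statement; the driver binds 'name'
    as data, so the same input only ever matches a literal username."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Whitelist (allow-list) validation: only the characters a username may
# contain, checked on the server before the value reaches any query.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")


def validate_username(name):
    return USERNAME_RE.fullmatch(name) is not None


class SessionStore:
    """Server-side sessions: random tokens, a hidden per-session token for
    transaction requests, and invalidation on logout."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        csrf = secrets.token_urlsafe(32)    # hidden token for form posts
        self._sessions[token] = {"user": user, "csrf": csrf}
        return token, csrf

    def user_for(self, token):
        entry = self._sessions.get(token)
        return entry["user"] if entry else None

    def check_transaction_token(self, token, submitted):
        entry = self._sessions.get(token)
        # Constant-time comparison avoids leaking the token via timing.
        return entry is not None and secrets.compare_digest(entry["csrf"], submitted)

    def logout(self, token):
        # Invalidate the session so the old cookie value is useless afterwards.
        self._sessions.pop(token, None)


def session_headers(token):
    """Response headers for a page that sets the session cookie: the cookie
    is HTTPS-only, hidden from scripts, not sent cross-site, and the page
    itself is not cached."""
    return {
        "Set-Cookie": f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    conn = build_db()
    tainted = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(conn, tainted))   # every user is returned
    print("safe:  ", lookup_safe(conn, tainted))     # no user has that name
    print("valid: ", validate_username(tainted))     # rejected by the allow-list
    store = SessionStore()
    tok, csrf = store.create("alice")
    print(session_headers(tok))
    store.logout(tok)
    print("after logout:", store.user_for(tok))
```

Running the module shows the same tainted input returning every row through the concatenated query but nothing through the parameterized one, and being rejected outright by the allow-list before it could reach the database; the session store then shows the hidden token check and the effect of logout.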