Web applications are exposed. Unlike internal network applications, everyone can get to a web application; all they need is an internet connection. That includes hackers too. In fact, an automated tool may be attacking the web applications you depend on as you read this article.
But developers often overlook web application security. Teams frequently spend all their energy on the code, the visual design and the functionality of an app – and little to no time making sure their web apps are secure.
Simple but effective steps can help your organization improve security around the web apps it depends on – whether those apps are from third-party vendors or developed in-house. Here are our top ten suggestions.
1. Create an inventory
You can’t protect what you don’t know about. We suggest you start making a list of web applications including proprietary and third-party applications.
Your company may develop and publish its own web apps, but also think about the intermediary apps your customers use to interact with your business. The web applications your company uses for its day-to-day operations must be included as well.
When you make this list, prioritize your web apps according to the amount of damage that could be done if something goes wrong. You don’t need to worry too much about the app you use to book Friday’s after-work drinks, but do take a close look at the app that processes your credit card transactions, for example.
A good vulnerability management system requires a good inventory system. If the systems to be scanned do not show up on the inventory management system then the system will not show up on the vulnerability scans and consequently will not be patched.
George Viegas, CSO
2. Develop cyber security best practices
You should develop cyber security best practices, or even good practices – meaning everything you know you should be doing, but probably forget to do.
Strong and unique passwords for every web application you use are a must. Consider enabling multi-factor authentication (MFA), if available – and definitely enable MFA on your most critical apps.
If you have development control over an app, make sure that you deploy HTTPS and the latest version of TLS. Web apps also benefit from security tweaks including the X-XSS-Protection security header and adding subresource integrity to <link> or <script> elements.
X-XSS-Protection header can prevent some level of XSS (cross-site-scripting) attacks, and this is compatible with IE 8+, Chrome, Opera, Safari & Android. Google, Facebook, GitHub use this header, and most of the penetration testing consultancies will ask you to implement this.
Chandan Kumar, Geekflare
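The checks suggested in this section (HTTPS, the X-XSS-Protection header and subresource integrity on third-party <link> and <script> elements) can be audited with a short script. This is an added example, not code from the original article; the host names, sample page and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_hash(body: bytes) -> str:
    """Value for the integrity attribute: sha384 digest, base64-encoded."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class SRIAudit(HTMLParser):
    """Collects cross-origin <script>/<link> URLs that carry no integrity attribute."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.missing = page_host, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        else:
            return
        host = urlparse(url or "").netloc
        # Same-origin and inline resources are skipped; SRI matters for third-party hosts.
        if host and host != self.page_host and not a.get("integrity"):
            self.missing.append(url)

def audit(page_url, headers, html):
    """Return findings for HTTPS, X-XSS-Protection and subresource integrity."""
    findings, page = [], urlparse(page_url)
    if page.scheme != "https":
        findings.append("page is not served over HTTPS")
    if "x-xss-protection" not in {k.lower() for k in headers}:
        findings.append("X-XSS-Protection header is missing")
    parser = SRIAudit(page.netloc)
    parser.feed(html)
    return findings + [f"no integrity attribute: {u}" for u in parser.missing]

# Constructed sample input (not from the article): one pinned script, one unpinned stylesheet.
SAMPLE_LIB = b"console.log('lib');"
SAMPLE_HTML = f"""
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<script src="https://cdn.example.net/lib.js" integrity="{sri_hash(SAMPLE_LIB)}"
        crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
"""

if __name__ == "__main__":
    for finding in audit("http://app.example.com/", {}, SAMPLE_HTML):
        print(finding)
```

The value returned by sri_hash() is what goes into the integrity attribute; it has to be regenerated whenever the third-party file changes, otherwise the browser refuses to load the resource.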
3. Be meticulous with access rights and credentials
This is a tough one, particularly in fast-growing companies or where you may be dependent on temporary workers. However, it is critical that you use a database of user credentials for web applications and revoke credentials once an employee leaves or changes roles.
Whenever you allow access to an application, do so with the principle of least privilege (PoLP); only give users access to information and tools they need to do their jobs.
For example, don’t give full admin access when view or edit will do. It may seem time-consuming, but you’ll protect your web apps not only from hackers but also from potentially malicious employees.
Not applying the principle of least privilege is a fundamental security mistake that threatens your organization, encourages the propagation of insider threat, and puts your business’ data at high risk.
Bianca Soare, Heimdal Security
4. Employ professional (white hat) hackers
If your business revolves around a web app that your company has developed, you could consider hiring professional hackers to try to penetrate your app.
Yes, trying to get your app hacked by a friendly actor can be beneficial. Ethical hackers under contract can find vulnerabilities and allow you to fix issues before they’re uncovered by criminal hackers. Alternatively, think about a bounty program where you pay a reward to anyone who identifies vulnerabilities in your app.
These “white-hat hackers” differentiate themselves from criminal hackers in that they won’t do anything illegal. Many work for government agencies or corporations, while others operate out of home laboratories, preferring to just hack for fun…
This type of ethical hacking can have real implications for people’s safety. In 2015, hackers were able to remotely hijack a Jeep while someone was driving, prompting Chrysler to recall 1.4 million vehicles.
Zoe Schiffer, Vox
5. Backup, backup, backup
Think backups are old hat because it’s been years since you’ve heard a hard drive spin-up? Think again. Your web applications’ data is at constant risk and must be backed up outside of the application. Outside also means off-site; don’t back up your data on the same cloud infrastructure that hosts your app.
Consider deploying fallback applications as well – such as a fallback credit card processor. Where that’s not possible, make sure you have a disaster plan in place, so you know what to do if an app goes down.
Losing any amount of data can compromise your personal identity, erase your family history, and even bankrupt your entire company. No matter if you store years of highly sensitive customer data or just save a lot of photos of your dog, you never want to find out that a large chunk or even all of your data is gone.
Alexa Drake, G2
6. Review security measures regularly
Remember that list we said you should make? Well, web application security is not a set-and-forget measure; you need to constantly review your security measures. Regularly check whether a new critical but vulnerable app has been onboarded, and continuously review your security policies.
It’s worth setting up a review process – even if it’s as simple as a diary entry in a calendar. Yes, security leaders are paid to get security right, but it’s too easy to verify that a technology estate is secure – and then neglect to run a regular review.
A McAfee report on data exfiltration found that people inside organizations caused 43% of data loss, one-half of which was accidental. Improved cybersecurity policies can help employees and consultants better understand how to maintain the security of data and applications.
Staff, McAfee
7. Keep an eye on your vendors
Your security reviews should also involve your technology partners because a security chain is only as strong as its weakest link. Your web apps will likely depend on other vendors for critical functionality so regularly review the security policies and practices of your partner vendors.
We’ll go even further as to say that you might want to look at the companies your vendors depend on. There may be countless connected, background services; these may also be a weak link in the web security chain.
Monitoring your organization’s internal cybersecurity posture is a given, but companies often make the mistake of overlooking their vendors’ cybersecurity procedures. It’s important to identify your vendors’ potential vulnerabilities as your own.
Phoebe Fasulo, SecurityScorecard
8. Consider a web application firewall
For some reason or another, your app or website may be the target of hackers. Sustained, persistent hacking attempts are hard to stop. However, you could consider deploying a web application firewall (WAF) which filters inbound traffic, vetting web clients before sending the request through to your website.
A WAF behaves in a similar way to a traditional network firewall by checking against a watchlist and using AI to recognize suspicious behavior. WAFs are very effective but can be resource-intensive, and false positives can lead them to block legitimate traffic.
A WAF has an advantage over traditional firewalls because it offers greater visibility into sensitive application data that is communicated using the HTTP application layer. It can prevent application layer attacks that normally bypass traditional network firewalls.
Margaret Rouse, TechTarget
9. Deploy a scanning tool
Scanning tools from a third-party security provider are usually the most effective way to check for security vulnerabilities. Security testing vendors stay on top of new vulnerabilities every day; it’s their job. A vulnerability assessment vendor can alert you if your web apps can be exploited by a new vulnerability or if a configuration issue allows attackers to get in.
Automated scanning tools such as black box fuzzers can simulate an actual hacking attack to let you know if there are any holes that can be successfully exploited. This proactive approach gives you the chance to step in and block an attack before it happens. Beware though: some scanning tools are intrusive and can break an app, and they won’t always find existing vulnerabilities, so choose your tool carefully.
10. Partner with a security expert
Even the largest of enterprises with extensive internal IT teams hire outside help when it comes to cybersecurity. Cyber threats have simply become so broad, diverse and urgent that it is almost impossible for internal teams to possess all the knowledge to protect their employers against every threat, all the time.
Partnering with security experts will deepen your company’s web app security approach. It’s an opportunity to identify missed opportunities and glaring omissions alike. Don’t try to go it alone in the fight against cybercrime.
The complexity of cyberattacks has made many organisations realise the advantages of outsourcing their IT security to expert partners. The reality of modern Web security and DDoS mitigation is that no one can ever know exactly what’s going to happen. So, when it’s time to evaluate and select a cybersecurity partner, you need to know as much as you can about the company.
Ben Rossi, InformationAge
Final Words: You can boost web app security – but you must act
Companies have become incredibly dependent on web applications; a modern cutting-edge business using the latest tech is more likely than not highly reliant on web apps.
It’s too easy to assume that these apps are secure. Likewise, vendors that develop and provision web apps can forget how exposed their apps are.
However, there are plenty of options to boost web app security. We’ve provided ten suggestions – but it is up to your company to take the necessary action.