Traditionally, when we talk about IT security, we tend to think of network security or operating system security. However, with the trend toward using web-based applications for … well, basically everything, more attention is being placed on "cybersecurity," a term we've come to know since the very early 1990s and the advent of the web.
Today, web applications are a critical aspect of business and everyday life. By using web applications, both businesses and individuals can simplify and get more things done with fewer resources, achieving objectives much faster than they could before.
- They no longer need a warehouse full of meticulously organized paperwork.
- There is little or no need to rely on actual physical mail now for communication.
- Most marketing efforts are now highly web-focused.
- Even customer service is now pointing you to websites instead of 1-800 phone numbers.
Web applications can help you reach a growing number of clients and customers in ways that were never available before. Web apps can interact with your customers to communicate, offer product support and keep their business.
Because we are using web applications for so many things and passing so much sensitive information around via so many different types of online channels, we are also obliged to take a hard stance on protecting and securing that information.
To date, no web technology has proven itself invulnerable beyond all doubt. New threats pop up every single day that require at least some change or improvement in implementing countermeasures and general web-focused security.
Here are 11 tips developers should remember to protect and secure information:
1. MAINTAIN SECURITY DURING WEB APP DEVELOPMENT
Before you run out and hire a team of security consultants, realize that you can maintain security in your web applications during the actual development of those tools.
2. BE PARANOID: PREVENT INJECTION & REQUIRE INPUT VALIDATION (USER INPUT IS NOT YOUR FRIEND)
A good rule of thumb is to consider all input to be hostile until proven otherwise. Input validation is done so that only properly-formed data passes through the workflow in a web application. This prevents bad or possibly corrupted data from being processed and possibly triggering the malfunction of downstream components.
Some types of input validation are as follows:
- Data type validation (ensures that parameters are of the correct type: numeric, text, et cetera).
- Data format validation (ensures data meets the proper format guidelines for schemas such as JSON or XML).
- Data value validation (ensures parameters meet expectations for accepted value ranges or lengths).
There is a whole lot more to input validation and injection prevention; however, the basic thing to keep in mind is that you want to validate inputs with both a syntactic and a semantic approach. Syntactic validation should enforce the correct syntax of information (SSN, birth date, currency or whole numbers), while semantic validation should enforce the correctness of values within a very specific business context (end date is greater than the start date, low price is less than high price).
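The two-stage validation described above, as an added example that is not part of the original article: a syntactic pass (SSN format, ISO dates, decimal prices) followed by a semantic pass (end date after start date, low price below high price). The field names and formats are constructed for the example, and the error messages never echo the hostile input back.

```python
import re
from datetime import date

# Syntactic rules: the shape each field must have (constructed for this example).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
PRICE_RE = re.compile(r"^\d+(\.\d{1,2})?$")


class ValidationError(ValueError):
    """Carries a field name and reason only; the raw value is never included."""


def validate_syntax(raw: dict) -> dict:
    """Type and format checks: reject anything that is not well-formed."""
    out = {}
    if not SSN_RE.fullmatch(str(raw.get("ssn", ""))):
        raise ValidationError("ssn: expected format NNN-NN-NNNN")
    out["ssn"] = raw["ssn"]
    for key in ("start_date", "end_date"):
        try:
            out[key] = date.fromisoformat(str(raw.get(key, "")))
        except ValueError:
            raise ValidationError(f"{key}: expected ISO date YYYY-MM-DD") from None
    for key in ("low_price", "high_price"):
        if not PRICE_RE.fullmatch(str(raw.get(key, ""))):
            raise ValidationError(f"{key}: expected a non-negative decimal amount")
        out[key] = float(raw[key])
    return out


def validate_semantics(clean: dict) -> dict:
    """Business-rule checks that only make sense on well-formed values."""
    if clean["end_date"] <= clean["start_date"]:
        raise ValidationError("end_date must be after start_date")
    if clean["low_price"] >= clean["high_price"]:
        raise ValidationError("low_price must be less than high_price")
    return clean


def validate_order(raw: dict) -> dict:
    """Full pipeline on untrusted input: syntactic first, then semantic."""
    return validate_semantics(validate_syntax(raw))
```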
3. ENCRYPT YOUR DATA
Encryption is the basic process of encoding information to protect it from anyone who is not authorized to access it. Encryption itself does not prevent interference with the data in transit, but it obfuscates the intelligible content from those who are not authorized to access it.
Not only is encryption the most common form of protecting sensitive information across transit, but it can also be used to secure data “at rest” such as information that is stored in databases or other storage devices.
When using Web Services and APIs you should not only implement an authentication plan for entities accessing them, but the data across those services should also be encrypted in some fashion. An open, unsecured web service is a hacker's best friend (and attackers have increasingly smart tooling that can find such services rather painlessly).
4. USE EXCEPTION MANAGEMENT
Another development-focused security measure is proper exception management. You would never want to display anything more than just a generic error message in case of a failure. Including the actual system messages verbatim does not do the end-user any good, and instead works as valuable clues for potentially threatening entities.
When developing, consider that there are generally only three possible outcomes from a security standpoint:
- Allow the operation.
- Reject the operation.
- Handle an exception.
Usually, in the case of an exception or error, you will revert to rejecting the operation. An application that fails securely will prevent operations from unintentionally being allowed. For example, if an ATM failed you would prefer it to display a simple, friendly message to the user (not spill money out onto the ground).
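The fail-secure pattern from the ATM example, as an added illustration that is not part of the original article: the three outcomes are allow, reject, and exception, and an exception always collapses to reject. The user only ever sees a generic message plus a reference id; the verbatim exception and traceback go to the internal log. The business rule and balances are constructed for the example.

```python
import logging
import uuid
from enum import Enum
from typing import Tuple

log = logging.getLogger("withdrawal")  # internal log, never shown to the user


class Outcome(Enum):
    ALLOW = "allow"
    REJECT = "reject"


class InsufficientFunds(Exception):
    """Expected, well-understood business failure (constructed for the example)."""


def check_funds(balance: int, amount: int) -> int:
    """Hypothetical business rule: returns the new balance or raises."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    if amount > balance:
        raise InsufficientFunds(f"requested {amount}, available {balance}")
    return balance - amount


def withdraw(balance: int, amount) -> Tuple[Outcome, str]:
    """Allow, reject, or exception; the exception path fails closed."""
    try:
        new_balance = check_funds(balance, amount)
    except InsufficientFunds:
        # Expected failure: reject with a safe, non-revealing message.
        return Outcome.REJECT, "Transaction declined."
    except Exception:
        # Anything unexpected (bad type, backend error) also rejects.
        # The reference id lets support find the log entry without
        # leaking the system message to the caller.
        ref = uuid.uuid4().hex[:8]
        log.exception("withdraw failed ref=%s", ref)  # full traceback, internal only
        return Outcome.REJECT, f"Something went wrong. Reference: {ref}"
    return Outcome.ALLOW, f"Dispensed {amount}; remaining balance {new_balance}."
```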
5. APPLY AUTHENTICATION, ROLE MANAGEMENT & ACCESS CONTROL
Effective account management practices such as strong password enforcement, secure password recovery mechanisms and multi-factor authentication are strong steps to take when building a web application. You can even force re-authentication for users when they access more sensitive features.
When designing a web application, one very basic goal should be to give each and every user as few privileges as possible while still letting them get what they need from the system. Using this principle of minimal privilege, you will vastly reduce the chance of an intruder performing operations that could crash the application or, in some cases, the entire platform (thus adversely affecting other applications running on that same platform or system).
Other considerations for authentication and access control include password expiration, account lock-outs where applicable, and of course SSL to prevent passwords and other account-related information from being sent in the clear.
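Role management, minimal privilege and step-up re-authentication combined in one check, as an added example that is not part of the original article: permissions are granted per role and everything not listed is denied, an unknown role gets nothing, and a sensitive operation additionally requires that the user authenticated within a short window. The roles, permission names and window are constructed for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

# Role -> permissions. Anything not listed is denied (constructed example data).
ROLE_PERMS = {
    "viewer": {"report:read"},
    "clerk": {"report:read", "invoice:create"},
    "admin": {"report:read", "invoice:create", "user:delete"},
}
# Sensitive operations need a recent authentication, not just a live session.
SENSITIVE = {"user:delete"}
REAUTH_WINDOW_SECS = 300


@dataclass
class Session:
    user: str
    role: str
    last_auth: float = field(default_factory=time.time)  # epoch seconds


class AccessDenied(PermissionError):
    pass


def authorize(session: Session, permission: str, now: Optional[float] = None) -> None:
    """Deny by default; raise AccessDenied unless the role grants the permission
    and, for sensitive operations, the user re-authenticated recently."""
    now = time.time() if now is None else now
    perms = ROLE_PERMS.get(session.role, set())  # unknown role -> no permissions
    if permission not in perms:
        raise AccessDenied(f"role {session.role!r} may not {permission}")
    if permission in SENSITIVE and now - session.last_auth > REAUTH_WINDOW_SECS:
        raise AccessDenied("re-authentication required")


def can(session: Session, permission: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper around authorize() for callers that branch on the result."""
    try:
        authorize(session, permission, now)
        return True
    except AccessDenied:
        return False
```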
6. DON'T FORGET HOSTING/SERVICE-FOCUSED MEASURES
Equally important as development-focused security mechanisms, proper configuration management at the service level is necessary to keep your web applications safe.