We read about successful website hack attacks almost on a daily basis. Security companies claim that not enough is being done and that more awareness is needed. Our article covering major security breaches at well-known companies clearly shows that there are many gaps in web security, and that they are causing multi-million dollar damages to companies worldwide. A few years back, web application security was a concept only security professionals thought of and understood; nowadays developers are being trained, with the help of experienced programmers and third-party applications, to write more secure code.
Below are four principles that every web developer should follow throughout the software development lifecycle (SDLC) to help make the code as secure as possible, and therefore to create secure web applications.
Principle 1: Apply Defense-in-depth
“Defense-in-depth”, also known as the “castle approach”, can be described as the use of multiple defense mechanisms. The web application is the front end of a system and network infrastructure consisting of internal data, user information, systems, and networks. No single security checkpoint is enough to protect all the different components that make up a web application. This is why multiple defenses are necessary: if one defense fails, the others keep protecting the software and the sensitive data.
For instance, consider restricting access to an administrative interface to a specific IP address where possible. With the static IP restriction in place, attackers cannot reach the administrator panel even if they know the credentials.
Principle 2: Use Whitelisting Approach
Whitelisting is a configuration that accepts only defined inputs and rejects the rest, or, if you prefer: everything that is not explicitly permitted is forbidden. This is a huge advantage compared to the blacklisting approach, where you leave everything open and block only known attacks.
Principle 3: Do Not Trust User Input
Web applications are used by end users, but they can also be targeted by attackers. It is crucial, then, never to trust user input directly and to check data before it is moved from an untrusted source, such as a parameter or a domain, to another. And this does not just apply to development. You should always be careful what you click or access, since attackers can fool even those who are well trained, as happened when attackers gained access to the Apache Foundation servers by exploiting a cross-site scripting vulnerability.
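As an added example (not code from the original article), the following Python snippet applies the three principles to one administrative request: a source-network check that runs independently of credentials (defense in depth), an allowlist for a sort parameter (whitelisting), and a shape-based allowlist for a username that crosses the trust boundary (untrusted input). The network range, column names and username pattern are constructed for illustration.

```python
import ipaddress
import re

# Allowlists are constructed for this example; real values belong in configuration.
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range (RFC 5737)
SORT_COLUMNS = frozenset({"name", "created_at", "price"})   # every accepted value, explicitly
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")           # shape of an accepted username


def admin_ip_allowed(client_ip: str) -> bool:
    """Layer 1 (defense in depth): the admin interface answers only from allowed
    networks. This check runs before, and independently of, credential checks."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # a malformed address is rejected rather than interpreted
    return any(ip in net for net in ADMIN_NETWORKS)


def validate_sort(value: str) -> str:
    """Whitelisting: accept the value only if it is one of the known column names.
    Anything else (case variants, trailing text, extra tokens) is refused."""
    if value not in SORT_COLUMNS:
        raise ValueError(f"sort column not permitted: {value!r}")
    return value


def validate_username(value: str) -> str:
    """Untrusted input crossing the trust boundary is matched against the full
    allowed shape; there is no list of 'bad characters' to keep up to date."""
    if USERNAME_RE.fullmatch(value) is None:
        raise ValueError("username not permitted")
    return value


def handle_admin_request(client_ip: str, credentials_ok: bool, params: dict) -> str:
    """Return the outcome of applying all layers to one request. `params` holds
    raw user-controlled query parameters and is treated as untrusted."""
    if not admin_ip_allowed(client_ip):
        return "denied: source network"  # valid credentials do not bypass this layer
    if not credentials_ok:
        return "denied: credentials"
    try:
        sort = validate_sort(params.get("sort", "name"))
        user = validate_username(params.get("user", ""))
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"ok: list users sorted by {sort}, filter {user}"
```

Note that the order of checks matters: the network layer rejects the request before credentials or parameters are even examined, so a leaked password alone does not expose the panel.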