Recent and continuous website security breaches at large organizations, federal government agencies, banks and thousands of companies world-wide have once again confirmed the importance of website and web application security: preventing attackers from gaining access to sensitive data while keeping corporate websites as safe as possible. Many people run into problems when it comes to web application security; it is a heavy field to dig into.
Some security professionals would not be able to provide all the necessary steps and precautions to deter malicious users from abusing your web application. Many web developers will encounter some form of difficulty while attempting to secure their website, which is understandable, since web application security is a multi-faceted concept and an attacker could make use of any of thousands of different vulnerabilities that might be present on your website.
Although no single list of web security tips and tricks can be considered complete (in fact, one of the tips is that the amount of knowledge, information and precautions you can implement is never enough), the following is as close as you can get. We have listed six concepts or practices to aid you in securing your website which, as we already mentioned, is anything but straightforward. These points will get you started and nudge you in the right direction; some areas of web application security are a higher priority to secure than others.
1. Hosting Options
Without web hosting services most websites would not exist. The most popular methods of hosting web applications are: regular hosting, where your web application runs on a dedicated server intended for your website only, and shared hosting, where you share a web server with other users who in turn run their own web applications on the same server.
There are multiple benefits to using shared hosting. Mainly, this option is cheaper than having your own dedicated server, which is why it generally attracts smaller companies that prefer to share hosting space. The difference between shared and dedicated hosting will seem irrelevant from a functionality point of view, since the website will still run; when discussing security, however, we need to look at it from a completely different perspective.
The downsides of shared hosting outweigh any advantages it may offer. Since the web server is shared between multiple web applications, any attacks will be shared between them too. For example, if you share your web server with an organisation that has been targeted by attackers who have launched Denial of Service attacks on its website, your web application will also be affected, since it is hosted on the same server and draws on the same resource pool. Meanwhile, the absence of complete control over the web server itself allows the provider to take decisions that may place your web application at risk of being exploited. If one of the websites hosted on the shared server is vulnerable, there is a chance that all the other websites and the web server itself could be exploited.
2. Performing Code Reviews
Most successful attacks against web applications are due to insecure code and not the underlying platform itself. Case in point: SQL Injection attacks are still the most common type of attack even though the vulnerability itself has been around for over 14 years. This vulnerability does not occur because the database system handles input incorrectly; it is entirely due to the developer not implementing input sanitization, which leads to untrusted input being processed without any filtering.
Input sanitization addresses injection attacks specifically and, normally, inspecting code is not this straightforward. If you are making use of a pre-built application, updating to the latest version would ensure that your web application does not contain known insecure code; if you are using custom-built apps, an in-depth code review by your development team will be required. Whichever application type you are using, securing your code is a critical step, or else the very base of the web application will be flawed and therefore vulnerable.
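As an added illustration of the point above (not code from the original article), here is the pattern a code review should flag, beside the parameterized query that is the standard fix for it, run against a constructed in-memory SQLite table:

```python
import sqlite3

# Constructed sample data standing in for the application's users table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, name):
    """The pattern a code review must flag: untrusted input is spliced into
    the SQL text, so the database cannot separate data from query structure."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_email_fixed(conn, name):
    """Parameterized query: the driver binds the value separately from the
    statement, so whatever the input contains, it is only ever a name."""
    sql = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


if __name__ == "__main__":
    db = make_db()
    # A normal request behaves the same either way.
    print(lookup_email_vulnerable(db, "alice"), lookup_email_fixed(db, "alice"))
    # Input containing SQL syntax changes the query's meaning in the vulnerable
    # version but is treated as a plain, non-matching name in the fixed one.
    crafted = "x' OR '1'='1"
    print(lookup_email_vulnerable(db, crafted))  # every e-mail in the table
    print(lookup_email_fixed(db, crafted))       # []
```

Reviewing for this defect means searching for any query text assembled by concatenation, formatting or f-strings and replacing it with bound parameters; the filtering the article mentions is a second layer, not a substitute.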
3. Keeping Software Up to Date
When using software developed by a third party, the best way to ensure that the code is secure is to apply the latest updates. Even a simple web application makes use of numerous components that can lead to successful attacks if left unpatched. For example, both PHP and MySQL have had exploitable vulnerabilities that were later patched, and a default Linux web server installation includes multiple services, all of which need to be updated regularly to avoid vulnerable builds being exploited.
The importance of updating can be seen from the Heartbleed vulnerability discovered in OpenSSL, which is used by most web applications that serve their content via HTTPS. That being said, patching these vulnerabilities is an easy task once the appropriate patch has been released: you simply need to update your software. The process differs for every operating system or service but, just as an example of how easy it is, updating services on Debian-based servers only requires you to run a couple of commands.
4. Defending from Unauthorised Intrusions
While updating software will ensure that no known vulnerabilities are present on your system, there may still be entry points through which an attacker can access your system that our previous tips have missed. This is where firewalls come into play. A firewall is necessary: it limits traffic according to your configuration, and one is included by default in most operating systems.
That being said, a firewall is only able to analyse network traffic, which is why implementing a Web Application Firewall is a must if you are hosting a web application. WAFs are best suited to identifying malicious requests sent to a web server. If the WAF identifies an SQL Injection payload in a request, it will drop that request before it reaches the web server. Meanwhile, if a WAF is not able to intercept certain requests on its own, you can also set up custom rules for the requests that need to be blocked. If you are wondering how to find out which requests to block even before your WAF can, take a look at our next tip.
5. Performing Web Vulnerability Scans
No amount of code review and updating can ensure that the end product is not vulnerable and cannot be exploited. Code reviews are limited because the code is not analysed as it executes, which is why web vulnerability scanning is essential. Web scanners view the web application as a black box, analysing the finished product, which is not possible with white box scanning or code reviews. Meanwhile, some scanners also offer grey box scanning, combining website scans with a backend agent that can analyse code.
As complex and large as web applications are nowadays, it would be easy to miss certain vulnerabilities while performing a manual penetration test. Web vulnerability scanners automate this process for you, covering a larger website in less time while detecting most known vulnerabilities. One notorious vulnerability that is difficult to identify is DOM-based XSS, although web scanners are still able to identify such vulnerabilities. Web vulnerability scanners will also provide you with the requests you need to block on your Web Application Firewall (WAF) while you are working to fix these vulnerabilities.
6. Importance of Monitoring
It is imperative to know whether your web application has been subjected to an attack. Monitoring the web application, and the server hosting it, is the best way to ensure that even if an attacker gets past your defence systems, at least you will know how, when and from where it happened. There are cases where a website is brought offline by an attack and the owner does not even know about the incident until precious time has passed.
To avoid this you can monitor the server, for example by enabling notifications that trigger when a file is deleted or modified. This way, if you did not modify that particular file, you will know that someone else has unauthorised access to your server. You can also monitor uptime, which comes in handy when the attack is not as stealthy as modifying files, such as when your web server is subject to a Denial of Service attack. Such utilities notify you as soon as your website is down, so you do not have to learn about the incident from your users.
The worst thing you can do when implementing monitoring services is to run them on the same web server that is being monitored. If that server is knocked down, the monitoring service will not be available to notify you.
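The file-change monitoring described above, as an added example that is not part of the original article: a baseline of SHA-256 digests is taken for a web root, and a later snapshot is compared against it to report added, modified and deleted files. The web root, its files and the tampering are all constructed inside the demo; in a real deployment the baseline would be stored off the monitored server, as the previous paragraph recommends.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return (added, modified, deleted) paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return added, modified, deleted


def demo_in_tempdir():
    """Constructed web root: take a baseline, simulate tampering, report changes."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "inc"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "inc", "config.php"), "w") as fh:
        fh.write("<?php $db = 'app'; ?>\n")
    baseline = snapshot(root)  # in practice, keep this copy off the web server

    # Simulate an unexpected edit, a deletion and an unknown new file.
    with open(os.path.join(root, "index.php"), "a") as fh:
        fh.write("// unexpected change\n")
    os.remove(os.path.join(root, "inc", "config.php"))
    with open(os.path.join(root, "upload.php"), "w") as fh:
        fh.write("<?php /* unknown file */ ?>\n")
    return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    added, modified, deleted = demo_in_tempdir()
    print("added:", added, "modified:", modified, "deleted:", deleted)
```

Any non-empty result for a path you did not deploy yourself is the notification trigger; scheduling `snapshot` from a separate host and alerting on the diff gives the monitoring the article asks for.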
7. Never Stop Learning
Finally, whatever you currently know about web security, it is never enough. Never stop learning about improving your web application's security, because every day brings a new exploit that may be used against your website. Zero-day attacks happen out of the blue, which is why keeping yourself up to date with any new security measures you can implement is imperative. You can find such information on the many web security blogs that detail how a website administrator should enforce their website's security.