Web Application Security Practices Every Developer Must Know
How to secure your web application from cyber attacks
Nowadays, web applications are certainly a critical aspect of business and everyday life. As a result of this increased popularity, the security of these web applications is of great concern. However, while developing, developers often ignore or fail to take due account of the security risks of the web app. The “2020 SonicWall Cyber Threat Report” revealed that there was a 52 percent increase in cyber attacks on web applications in 2019. The report stated that by the end of the year, the number of web app attacks had reached more than 40 million.
So, developers should always try to make their app as secure as possible. In this article, I will discuss the major vulnerabilities that could be found in web apps and the best practices to avoid them.
The OWASP Top Ten
Developers are not security experts, which is why compilations such as the Open Web Application Security Project (OWASP) Top Ten list are here to help them. Every few years, OWASP publishes detailed analysis, guidance, and warnings on a wide range of networking, cloud, and security issues. Below is a chart of the most common OWASP Top Ten vulnerabilities that occurred in 2019.
From the chart, you can see that the most commonly encountered Web app vulnerabilities in 2019 were due to Security Misconfigurations. Cross-Site Scripting (XSS) and Broken Authentication are also very common vulnerabilities. Let’s see what actions developers should take to avoid and minimize these vulnerabilities.
Use SSL (HTTPS) Encryption
Secure Sockets Layer (SSL) is a technology used to establish an encrypted link between a web server and a web browser. This ensures that the information transmitted between the browser and the web server remains private. You must always use SSL encryption when transferring sensitive information such as credit card information and personal data, as well as when using user authentication.
One out of every five tested applications contained vulnerabilities allowing the hackers to attack a user session, such as sensitive cookies without the HttpOnly and Secure flags.
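The cookie flags mentioned above are easy to audit. The following is an added example, not code from the original article: it builds a session cookie header with the HttpOnly, Secure and SameSite attributes set, checks an arbitrary Set-Cookie header value for which of those attributes are missing, and produces the Strict-Transport-Security header that tells browsers to stay on HTTPS. The header strings are constructed samples; the attribute names follow RFC 6265 and the HSTS header follows RFC 6797.

```python
"""Build and audit Set-Cookie headers for session-hardening attributes.

Added example (not the article's code). Sample header values are constructed.
"""
from typing import List

# Attributes a session cookie should carry (SameSite is added beyond the
# two flags named in the text; it limits cross-site sending of the cookie).
REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value with the hardening attributes set."""
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Strict")


def missing_cookie_flags(set_cookie: str) -> List[str]:
    """Return the hardening attributes absent from a Set-Cookie header value.

    Attribute names are case-insensitive per RFC 6265, so compare lower-cased.
    The first segment (name=value) is skipped; the rest are attributes.
    """
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie.split(";")[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def hsts_header(max_age: int = 31536000, include_subdomains: bool = True) -> str:
    """Strict-Transport-Security value: browsers will refuse plain HTTP
    for this host (and optionally its subdomains) for max_age seconds."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


if __name__ == "__main__":
    weak = "sessionid=abc123; Path=/"  # constructed sample of a weak cookie
    print("weak cookie is missing:", missing_cookie_flags(weak))
    print("hardened:", build_session_cookie("sessionid", "abc123"))
    print("Strict-Transport-Security:", hsts_header())
```

`missing_cookie_flags` can be run over the Set-Cookie headers your application emits (for example in an integration test) so a regression that drops a flag is caught before deployment.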
Encode and Escape Untrusted Data
Untrusted data could be anything that the user inputs or controls the value of. Encoding and escaping are defensive techniques designed to stop injection attacks. Encoding, also known as Output Encoding, is done by translating special characters into a different form that would not be dangerous to our application. For example, when writing to an HTML page, translate the `<` character into the `&lt;` string. Most web frameworks have an HTML escape method for such characters.
Developers must always validate user inputs so that only properly-formed data can pass through the web app workflow. You should always validate inputs on both the client and server sides, as the client-side validation can be easily bypassed by attackers. When validating, check whether the data is in the form expected and also within the acceptable range. Although input validation helps prevent some attacks, it does not always ensure that data is secure, as some inputs, such as an email address, may contain a SQL injection attack or a valid URL that may contain an XSS attack. That’s why we need to use methods such as encoding and escaping.
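The two steps above, validation on input and encoding on output, are shown together in the following added example (not the article's own code). It uses Python's standard `html.escape` for output encoding; the email pattern and the `render_profile` template function are this example's own simplifications. The sample values are constructed to make the article's point: an address can pass a shape check and still contain characters that must be encoded before being written into HTML.

```python
"""Input validation plus output encoding.

Added example (not the article's code). Uses html.escape from the standard
library; the email regex and render_profile are illustrative only.
"""
import html
import re

# Shape check only. RFC 5322 permits characters such as ' and < in the
# local part, so a syntactically valid address can still carry characters
# that are dangerous once echoed into HTML (or interpolated into SQL).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_well_formed_email(value: str, max_len: int = 254) -> bool:
    """Input validation: reject values that are not email-shaped or too long."""
    return len(value) <= max_len and EMAIL_RE.fullmatch(value) is not None


def render_profile(display_name: str, email: str) -> str:
    """Build an HTML fragment, encoding every untrusted value on output.

    Validation decides whether the request is accepted at all; encoding is
    what keeps accepted values from being interpreted as markup.
    """
    if not is_well_formed_email(email):
        raise ValueError("invalid email")
    # html.escape(quote=True) encodes < > & " and ', so the values cannot
    # break out of the attribute or text context they are written into.
    return (f'<li data-email="{html.escape(email, quote=True)}">'
            f"{html.escape(display_name)}</li>")


if __name__ == "__main__":
    # Constructed sample: passes validation, yet contains markup characters.
    print(render_profile("Ann <b>", "ann<b>@example.com"))
```

Server-side validation should always run even when the browser performs the same check, and the encoding call belongs at the point of output, where the destination context (HTML text, attribute, URL, SQL parameter) is known.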
Use Secure Authentication Methods
Broken Authentication is ranked 2nd in the OWASP Top Ten. So, as developers, we need to take strong steps to prevent this. Many developers would agree that single-factor authentication is long dead. So always use multi-factor authentication when developing your web app. Always limit the number of authentication attempts a user gets. Otherwise, an attacker will be able to brute-force credentials and access the web application.
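The attempt limit recommended above can be implemented as a sliding-window counter per account. The following is an added example, not the article's code: the window length, the failure threshold and the in-memory store are this example's own choices, and the clock is injectable so the behaviour can be tested without waiting. A real deployment would keep the counters in shared storage so that every application instance sees the same state.

```python
"""Limit failed authentication attempts per account.

Added example (not the article's code). Threshold, window and in-memory
storage are illustrative choices.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class LoginThrottle:
    """Sliding-window limiter keyed by account identifier."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable for deterministic tests
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, account: str) -> Deque[float]:
        """Drop failure timestamps that fell out of the window."""
        q = self._failures[account]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def allowed(self, account: str) -> bool:
        """True if the account may attempt to log in right now."""
        return len(self._prune(account)) < self.max_failures

    def record_failure(self, account: str) -> None:
        self._prune(account).append(self.clock())

    def record_success(self, account: str) -> None:
        """Reset after a successful login so an old burst does not linger."""
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password_ok: bool) -> str:
    """Shows where the throttle sits relative to the credential check.

    password_ok stands in for the real verification (e.g. a password-hash
    comparison); the throttle is consulted before that check runs.
    """
    if not throttle.allowed(account):
        return "locked"  # same response for unknown and known accounts
    if password_ok:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


if __name__ == "__main__":
    t = LoginThrottle(max_failures=3, window_seconds=60)
    for _ in range(3):
        print(attempt_login(t, "alice", False))  # denied x3
    print(attempt_login(t, "alice", True))       # locked, even with the right password
```

Returning the same "locked" response regardless of whether the account exists avoids turning the limiter into an account-enumeration oracle, and logging each lockout gives the operations team a signal that a credential-guessing attempt is under way.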
Finally, I suggest using tools like OWASP Dependency-Check and Retire.js to identify project dependencies and check for any known, publicly disclosed vulnerabilities in third-party code libraries. That’s all for this article. I hope that this will help you make your web app more secure.
Thank you for reading and happy coding!