
Tech for Hack Proofing Web Apps

PCQ Bureau

Notice that the world has moved to web apps for everything. As a result, credit card and other personal information is readily available in cyberspace these days. This has made web apps THE MOST targeted elements in the world. In fact, 70% of web apps are vulnerable to attacks by hackers, because they're easy pickings. The problem is that it's getting worse, because Web 2.0 and RIAs (Rich Internet Apps) present a greater attack surface.


The unfortunate part is that there's a lack of awareness among both developers and the management of an organization about the importance of web application security. Little do they realize that the attack vectors have become widespread with the use of social networks and URL shortening services.


The implications of not understanding web app security can be devastating for an organization: financial loss, loss of credibility in the market, loss of clients if you don't follow compliance and regulation guidelines, etc. On top of all this, there's the comforting factor (pun intended) that the entire practice of hacking web apps is performed by organized crime networks spread across the world!

Most common hacks on the Web


While there are plenty of security threats on the web, the three key ones that are relevant to web application security are XSS (Cross Site Scripting), SQL injection, and authentication bypass. None of these needs an introduction to any web master today.

Formula for securing Web apps

The security of web apps can be ensured by looking into six aspects: having a secure SDLC, ensuring secure authentication, authorization and sessions, using data protection techniques, logging, secure coding, and lastly, security testing.


1. Have a secure SDLC: This is the unifying step in secure application development. It's required so that security is treated as a priority right from the application's inception. In a nutshell, the S in SSDLC is meant to indicate that you've done a thorough risk assessment while building the web app.

2. Ensuring secure authentication: When implementing authentication mechanisms in your web app, you have to factor in the strength, complexity, history, and expiration of passwords. Also include a security question for password resets, and put in measures to validate the authentication parameters.

3. Ensuring secure authorization: A few things to take into account here are role-based access control, server-driven centralized authorization routines, and resource- and function-driven authorization. Lastly, you must also protect your static website content through authorization.
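The following is an added example, not code from the PCQuest article, showing what a server-driven, centralized authorization routine looks like when it combines the three checks the article names: a role-based permission table, function-level permissions, and a resource-ownership rule. The roles, permissions, invoice records and user names are constructed for illustration, and every handler is expected to go through the single `require()` decision point rather than relying on hidden links in the UI.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Role -> set of function-level permissions (constructed for this example).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin":   {"invoice:read", "invoice:delete", "user:manage"},
    "account": {"invoice:read"},
    "guest":   set(),
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner_id: str


class AuthorizationError(PermissionError):
    """Raised by the central check; handlers never decide on their own."""


def is_allowed(user: User, permission: str, resource: Optional[Invoice] = None) -> bool:
    """Single server-side decision point. Deny by default: unknown roles get no permissions."""
    perms = ROLE_PERMISSIONS.get(user.role, set())
    if permission not in perms:          # function-driven check
        return False
    # Resource-driven check: only admins may touch records they do not own.
    if resource is not None and user.role != "admin" and resource.owner_id != user.user_id:
        return False
    return True


def require(user: User, permission: str, resource: Optional[Invoice] = None) -> None:
    """Raise instead of returning False so a forgotten `if` cannot silently allow access."""
    if not is_allowed(user, permission, resource):
        raise AuthorizationError(f"{user.user_id} ({user.role}) lacks {permission}")


# Sample data store (constructed for the example).
INVOICES: Dict[str, Invoice] = {
    "inv-1": Invoice("inv-1", owner_id="alice"),
    "inv-2": Invoice("inv-2", owner_id="bob"),
}


def read_invoice(user: User, invoice_id: str) -> Invoice:
    """A handler that looks the resource up first, then asks the central routine."""
    invoice = INVOICES[invoice_id]
    require(user, "invoice:read", invoice)
    return invoice


if __name__ == "__main__":
    alice = User("alice", "account")
    print(read_invoice(alice, "inv-1"))
    try:
        read_invoice(alice, "inv-2")
    except AuthorizationError as exc:
        print("denied:", exc)
```

The important design choice is that the resource lookup happens before the check and the check receives the resource, so ownership is evaluated against the record actually being returned, not against an identifier the client supplied.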


4. Ensuring secure sessions: Don't override your platform's existing session token implementation. Ensure that you validate all your session IDs, especially while doing URL re-writing. If you're building an application for a high-risk site, then ensure that the session idle timeout is lower. You also have to ensure that you incorporate re-authentication and session ID regeneration for privileged functions, such as high-value transfers.
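As an added example (not from the article), the session store below implements the points in this step: session IDs come from a cryptographically secure generator, every presented ID is checked for the expected shape before it is looked up (so a tampered value in a rewritten URL is rejected before it reaches the store), the idle timeout is shorter for a high-risk deployment, and a privileged function demands re-authentication and rotates the session ID. The timeout values, the risk levels and the injectable clock are assumptions made for the example.

```python
import re
import secrets
import time
from typing import Callable, Dict, Optional

# Shape of secrets.token_urlsafe(32): 32 random bytes -> 43 URL-safe base64 chars, no padding.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")

# Idle timeouts in seconds; the high-risk profile is deliberately shorter (assumed values).
IDLE_TIMEOUT = {"normal": 30 * 60, "high_risk": 5 * 60}


class SessionStore:
    def __init__(self, risk: str = "normal", clock: Callable[[], float] = time.time):
        self.sessions: Dict[str, dict] = {}
        self.timeout = IDLE_TIMEOUT[risk]
        self.clock = clock  # injectable so expiry can be tested without sleeping

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": user_id, "last_seen": now, "auth_at": now}
        return sid

    def validate(self, sid: Optional[str]) -> Optional[str]:
        """Return the user bound to a session ID, or None if the ID is malformed, unknown or idle too long."""
        if not sid or not SESSION_ID_RE.match(sid):
            return None
        session = self.sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.timeout:
            del self.sessions[sid]        # expired: drop it so it cannot be revived
            return None
        session["last_seen"] = now        # sliding idle window
        return session["user"]

    def regenerate(self, sid: str) -> str:
        """Move the session state under a fresh ID and invalidate the old one."""
        state = self.sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = state
        return new_sid

    def step_up(self, sid: str, reauthenticated: bool) -> str:
        """Gate for a privileged function (e.g. a high-value transfer): the caller must have just
        re-entered credentials; on success the session ID is rotated and the new one returned."""
        user = self.validate(sid)
        if user is None or not reauthenticated:
            raise PermissionError("re-authentication required")
        self.sessions[sid]["auth_at"] = self.clock()
        return self.regenerate(sid)


if __name__ == "__main__":
    store = SessionStore("high_risk")
    sid = store.create("alice")
    print("valid:", store.validate(sid))
    print("rotated:", store.step_up(sid, reauthenticated=True) != sid)
```

`step_up` returns the new ID so the handler can set a fresh cookie; the caller is responsible for passing `reauthenticated=True` only after the password check for the current request actually succeeded.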

5. Data protection techniques: The core principles of data protection say that you should store only as much as you need, and to protect all that you store. There are various data protection techniques that you can utilize to store different types of sensitive data (credit card info, personal user data, passwords and password answers, health records, etc). The governing principles for the level of data protection required come from the various compliance/regulatory requirements.


Cryptography: If you haven't learned cryptography so far, then please do so, as that's a fundamental requirement for learning how to secure web apps. There are strong algorithms available for encryption, which include AES and 3DES (128-bit and above) and RSA (1024-bit and above).

Hashing: This is a one-way street, making it a very strong method to secure your applications. Some very strong hashing algorithms are available today (SHA-1 and upwards).
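Added example (not code from the article) that ties this hashing point to the password requirements in step 2: passwords are stored as a salted, iterated one-way hash, verification recomputes the hash and compares in constant time, and the policy check covers strength and complexity, history (reuse against previously stored hashes) and expiration. The iteration count, minimum length, character-class rule and 90-day maximum age are assumptions chosen for the example, as are the sample passwords.

```python
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional

ITERATIONS = 600_000      # assumed work factor for PBKDF2-HMAC-SHA256
MIN_LENGTH = 12           # assumed policy minimum
MAX_AGE_SECONDS = 90 * 86_400


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    salt = salt or os.urandom(16)             # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """One-way check: recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_meets_policy(password: str, previous_hashes: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations (empty list means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("needs 3 of 4 character classes")
    # History: the plaintext is never stored, so reuse is detected by verifying against old hashes.
    if any(verify_password(password, old) for old in previous_hashes):
        problems.append("reused")
    return problems


def password_expired(changed_at: float, now: float, max_age: float = MAX_AGE_SECONDS) -> bool:
    return now - changed_at > max_age


if __name__ == "__main__":
    record = hash_password("Correct-Horse-9")   # sample password, constructed
    print(record)
    print(verify_password("Correct-Horse-9", record), verify_password("wrong", record))
    print(password_meets_policy("short"))
```

Because the record embeds its own iteration count, the work factor can be raised later and old records re-hashed on the user's next successful login without a migration of the whole table.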

Other techniques: Other techniques you can use include truncation for data that is only partially required, and tokenization to substitute a unique number for the sensitive value.


6. Logging: In a web application transaction, there's a lot of data being used from various places. You're transporting keys across encrypted channels, changing keys, changing security questions, and much more. In such a situation, logging what you do should no longer be an afterthought. It's an essential part of the security requirements, and should not be ignored. A few things that must be logged include password lockouts, changes and resets, privileged functions or transactions, admin access to critical information assets, creation/deletion of users and user privileges, etc. You also have to take care of what should and should not be logged. You should log user IDs and user names, timestamps, the accessed resource and function, the referrer, and success or failure indicators. Likewise, what you should not log includes full HTTP request payloads, passwords, credit card numbers, and other transaction information.
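Added example (not from the article) of a security event record built around the "should log" and "should not log" lists above. Each event carries the user ID and name, timestamp, resource, function, referrer and outcome; the raw HTTP payload is never passed in, and any extra fields go through a redaction step that blanks known sensitive keys and masks card-number-shaped digit runs. The field names, the sensitive-key list and the sample event values are assumptions constructed for the example.

```python
import json
import logging
import re
from datetime import datetime, timezone
from typing import Any, Dict

# Keys that must never appear in a log line (assumed list).
SENSITIVE_FIELDS = {"password", "new_password", "card_number", "cvv", "security_answer"}
# Digit runs of card-number length; masked to the last four digits.
CARD_RE = re.compile(r"\b\d{13,19}\b")

logger = logging.getLogger("security")
logger.setLevel(logging.INFO)
if not logger.handlers:
    logger.addHandler(logging.StreamHandler())


def redact(value: Any) -> Any:
    """Recursively blank sensitive keys and mask card-like numbers in free text."""
    if isinstance(value, dict):
        return {
            k: ("[REDACTED]" if str(k).lower() in SENSITIVE_FIELDS else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return CARD_RE.sub(lambda m: m.group()[-4:].rjust(len(m.group()), "*"), value)
    return value


def security_event(event: str, user_id: str, username: str, resource: str, function: str,
                   referrer: str, success: bool, **extra: Any) -> Dict[str, Any]:
    """Build, emit and return one structured security log record."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "user_id": user_id,
        "username": username,
        "resource": resource,
        "function": function,
        "referrer": referrer,
        "outcome": "success" if success else "failure",
    }
    record.update(redact(dict(extra)))   # extras are optional context, always redacted
    logger.info(json.dumps(record, sort_keys=True))
    return record


if __name__ == "__main__":
    # Sample event, constructed: a password reset where a careless caller passed the secret along.
    security_event("password_reset", "u42", "alice", "/account/password", "reset",
                   "https://app.example/login", True,
                   password="hunter2", note="card 4111111111111111 on file")
```

The function returns the record as well as emitting it so the same structure can be shipped to a SIEM or asserted on in tests; keeping the payload out of the signature altogether is what enforces "no full HTTP request bodies" rather than relying on callers to remember.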

7. Secure coding: If you can put in measures to validate all inputs, then that's the remedy for several evils. Put in measures to identify and characterize all types of inputs. Likewise, identify all outputs: user, web services, sockets, command line, etc. This defangs injection attacks.
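Added example (not from the article) of the input-validation and output-handling discipline this step describes, applied to the two injection classes named earlier on the page. It shows a lookup that concatenates user input into SQL beside the parameterized form, a whitelist validator that characterizes the input before it is used, and output encoding for the user-facing channel. The in-memory SQLite table, the username rule and the sample rows are constructed for the example.

```python
import html
import re
import sqlite3
from typing import List, Tuple

# Characterize the input: a username is a short token from a known alphabet (assumed rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def validate_username(raw: str) -> str:
    """Whitelist validation at the boundary; anything else is rejected, not sanitized."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def make_db() -> sqlite3.Connection:
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Vulnerable form: input becomes part of the SQL text, so it can change the query's meaning."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Hardened form: the value travels as a bound parameter and is only ever compared as data."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


def render_greeting(username: str) -> str:
    """Output to the user channel is encoded for HTML, so the value cannot become markup."""
    return f"<p>Hello, {html.escape(username)}</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"          # constructed input that is not a valid username
    print("unsafe rows:", len(lookup_unsafe(conn, probe)))
    print("safe rows:  ", len(lookup_safe(conn, probe)))
    print(render_greeting("<b>alice</b>"))
```

In practice the validator runs first, so the parameterized query only ever sees values that already match the expected shape; parameter binding is the defence that holds even when validation is incomplete, and encoding is applied per output channel (HTML here) rather than once on input.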

8. Security testing: Testing an application for security is as important as testing it for functionality. There are two approaches to this: black box testing (for vulnerability assessment and penetration tests), and white box testing (for code review and walkthroughs).
