What Is Secure Web Development?
Secure web development is a process that starts at the early design stage of the web application and continues throughout the development stages, right through to the completed product and beyond. The ultimate goal is to make, and keep, the web application as secure as possible while still being able to perform its desired function.
The steps include choosing the correct programming language, exercising best practices in coding, deciding on how and where the application will be hosted, and carrying out ongoing testing and updates.
Securing data on a public-facing web application is a much more complicated process than securing internal data. Internal data can be protected very effectively by limiting access to the server to certain individuals and machines, protected behind a combination of firewalls and physical barriers that would make it difficult for an outsider to penetrate. Basically, you put your server in a safe and shut the door to everybody but a few authorised personnel.
A web application or website is public in nature and is required to be accessible to everybody in order for it to perform its desired function. This requires a completely different level of security: we have to open the front door and let anyone enter, but ensure that those entering are not “up to no good”.
Your internal data is like your store room. It can easily be kept under lock and key away from public access.
However, a web app is more like a busy shop front. You have to allow people in, but also make sure they don’t break or steal your products, or steal from other shoppers while they are in your shop. We do this by monitoring and studying behaviour and then taking precautions to deter certain malicious behaviour.
What Are Some Of The Malicious Behaviours Hackers Perform?
1: Cross Site Scripting: This is where code is injected client side into a legitimate website, which allows the hacker to execute malicious code in the browsers of unsuspecting end users. This can be done by File Upload, Stored XSS or Reflected XSS.
2: Client Side Manipulation: Such a vulnerability occurs when the application employs user controlled URLs for referencing external/internal resources. In these circumstances it is possible to interfere with the application’s expected behaviour by making it load and render malicious objects.
3: Cross Site Request Forgery: An attacker uses an HTTP request to access user information from another site on which the user is authenticated, and can use this to change login details or make a purchase.
4: SQL Injection: A technique used to inject code into database type applications which can result in data tampering, destruction or disclosure, voiding of transactions or spoofing of identities.
5: DDoS: Distributed Denial of Service is an attack in which multiple compromised computer systems attack a target, such as a server. The flood of incoming messages, connection requests or malformed packets causes the target system to slow down or shut down, thereby denying service to legitimate users or systems.
The Open Web Application Security Project publishes the OWASP Top 10 which incorporates the broad consensus about the most critical security risks to web applications.
How Do We Keep A Web App Secure?
1: SSL: An SSL certificate is the difference between a website that appears as http and one that appears as https. The certificate loads a software key on the server that encrypts communications between the server and your browser to prevent hackers from “listening in”.
2: WAF: Web Application Firewall, controls access to web applications using rules designed to recognise common attacks such as cross-site scripting and SQL injection.
3: Secure Server: Websites can be hosted in a range of server configurations, from sharing a hard drive with other websites on the same server to hosting your website on a dedicated secure server. The more you share resources, the more accessible your web application may be to hackers, who can gain access to your website via vulnerabilities on other websites hosted on the same server. Sharing resources can also affect the performance of your website: if you are sharing processing power with a busy website, it can slow yours down.
5: Limit access: Only give access to required personnel, and limit each login to only the permissions required to perform its function. In other words, don’t just give everybody full admin rights. It is also good practice to provide an individual person with multiple logins with different levels of access depending on the specific duties required. This way, if one password is compromised, the hacker only has access to specific functions, which limits the potential damage the hacker can cause.
6: Separate the Dev site from the live site: Perform all development work on a separate Dev environment and only upload to the live site when security vulnerabilities have been rectified.
7: Have a robust password policy: Ensure that passwords are good quality, encrypted and changed on a regular basis.
8: Multiple Layers of Security: Never rely on just one form of protection; each layer of protection makes it exponentially more difficult for a hacker to breach your website.
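The rule matching described in item 2 can be sketched as follows. This is an added example, not part of the original article and not the rule set of any real WAF product; the three rules, their names and the sample query strings are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed, deliberately small rule set (hypothetical rule names).
RULES = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-inline-handler", re.compile(r"<[^>]*\bon\w+\s*=", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
]

def inspect(query_string):
    """Return (parameter, rule_name) for every rule a parameter value matches."""
    findings = []
    # parse_qsl percent-decodes names and values, so the rules see the
    # text the application would see, not the encoded form on the wire.
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        for rule_name, pattern in RULES:
            if pattern.search(value):
                findings.append((name, rule_name))
    return findings

def verdict(query_string):
    """Block the request if any parameter matched any rule."""
    return "block" if inspect(query_string) else "allow"

# Constructed sample query strings: two benign, three matching a rule.
SAMPLES = [
    "q=red+shoes&page=2",
    "name=O%27Brien",
    "q=%3Cscript%3Ex%3C%2Fscript%3E",
    "bio=%3Cimg+src%3Dx+onerror%3Dx%3E",
    "user=nobody%27+OR+%271%27%3D%271",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{verdict(sample):5}  {sample}  {inspect(sample)}")
```

A rule match is only a signal on the request; the application code behind the filter still needs its own input handling, which is the point of item 8.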