Websites and web applications are just as prone to security breaches as physical homes, stores, and government locations. Unfortunately, cybercrime happens every day, and great web security measures are needed to protect websites and web applications from becoming compromised.
What Is Cyber Security?
Cybersecurity is the set of “measures taken to protect a computer or computer system (as on the internet) against unauthorized access or attack.” This broad, all-encompassing definition poses a significant challenge for enterprises, so it is critical to have an in-depth cybersecurity strategy and plan in place that provides the maximum level of protection from cybersecurity risks not just at the network perimeter but also at the application layer.
What Threats Do You Need to Be Concerned With?
Cross-Site Scripting (XSS):
XSS is a class of attack that enables a malicious user to inject client-side scripts, using the website as a channel, into other users’ browsers.
By combining an XSS attack with social engineering techniques, attackers can cause far more damage: stealing cookies, keylogging, and identity theft.
This also enables them to log in as the user and view information as the user would, giving them full access to credit card details and contact information, or even the ability to change passwords.
SQL Injection:
SQL injections are a real threat. These injections allow databases to be accessed, modified, or deleted regardless of the user’s permissions.
Consequences of a successful SQL injection include spoofing identities, the creation of new profiles with administrator rights, accessing all information on the server, or destroying any/all data to make it unusable. This vulnerability exists if user input passed on to an underlying SQL statement can change its meaning.
Cross-Site Request Forgery (CSRF):
This attack involves both the website and the web browser, more specifically the browser’s authentication functionality.
By exploiting vulnerabilities in the browser’s handling of authentication, an attacker can target users who are logged in to a particular site. While the victim is logged in, the attacker can, in a way, “forge signatures” and perform actions the victim never intended.
However, it should be noted that users who are merely browsing the site and not actually logged in would be safe from the attack.
Clickjacking:
Clickjacking is a threat that can quickly cause a system to spiral out of control. An attacker could either compromise a legitimate website or trick a user into visiting an infected site where certain actions are controlled by the attacker. For example, a “submit” button may not submit information to the intended destination, or a close button “X” may actually trigger unwanted actions such as activating your camera or microphone.
What’s at Risk?
Whether it’s money, records, time, or even customers, a breach could impact many areas of your business. Data breaches have resulted in significant costs for affected organizations, including lost revenue, and the problem is only getting worse.
Designing Your Website With Security in Mind
Building your website to be secure from the ground up will save you a lot of hassle in the long run. Why risk vulnerabilities down the road when you can build your site to be inherently resilient to them in the first place? There are a few key ways you can design your site for security from the get-go.
Implement A Web Application Firewall
The more traffic and reputation that your site develops, the more hackers it is likely to attract. There are even automated bots that constantly scan for vulnerable sites, especially new ones. Adding a web application firewall (WAF) is one of the ways you can defend against these automated threats.
Encrypt Your Connections
If your website requires registration, or if there’s any form of transaction, you absolutely need to encrypt those connections. By using Secure Sockets Layer (SSL) certificates, you can create a secure handshake between your site and your clients’ devices. This prevents a third party from eavesdropping on or hijacking that connection.
Start From The Beginning
There is no such thing as foolproof code that will protect against all vulnerabilities. However, you can ensure you have a competent developer and a penetration tester who can test thoroughly so that no vulnerabilities go unnoticed. Any one of these vulnerabilities could result in a data breach, with the power to permanently cripple your business’s reputation.
Secure your database queries against SQL injection. Design them so that users cannot alter them in any way, or you risk massive issues down the line.
Keep Your Logins Secure
Make sure your login information is both robust and unique. Password security requires that you change your password at regular intervals (30, 60, 90 days). Applications such as LastPass allow you to securely store and share login information without actually revealing your passwords. If required, use reCAPTCHA on certain web pages. Identity theft is one of the biggest threats and shouldn’t be taken lightly.
Maintaining your website’s security is critical to the long-term success of your organization. If you suffer a breach, it could permanently harm your company’s reputation. In fact, some businesses have even closed as a result. Do everything possible to make your website secure. By staying aware of the vulnerabilities, as well as the methods of combating them, you’ll be well equipped with a secure website.
What every web app developer must know about security
Securing application/configuration secrets
Secrets in applications include admin passwords, long-lived tokens, API keys, and private keys. Storing secrets in initialization files, in the source code, or in a configuration service must be avoided. Instead, developers should use enterprise-grade secret management solutions such as KeyWhiz, Vault, Knox, Confidant, etc. Secrets might also leak through log files; they should either not be written to logs at all or be masked where required.
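As an added example (not code from the original article), a small redaction filter of the kind the masking advice above calls for: it masks the secret shapes the text names (API keys, tokens, passwords, private keys) in a log line before the line is written. The regexes and the sample log lines are constructed for the demo and should be tuned to your own log formats.

```python
import re

# Constructed patterns for the secret shapes the text names. A redaction filter is a
# last line of defence; the first rule is still not to log secrets at all.
_KV_RE = re.compile(
    r'(?i)\b(password|passwd|secret|api[_-]?key|token)(["\']?\s*[:=]\s*["\']?)([^\s"\',;&]+)')
_BEARER_RE = re.compile(r'(?i)(authorization:\s*bearer\s+)(\S+)')
_PEM_RE = re.compile(
    r'-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----', re.S)


def mask(value: str) -> str:
    """Keep a 4-character prefix on long values so operators can tell which credential was used."""
    return value[:4] + "****" if len(value) > 8 else "****"


def redact(line: str) -> str:
    """Mask secrets in one log line. Order matters: whole PEM blocks first, then headers, then key=value."""
    line = _PEM_RE.sub("[REDACTED PRIVATE KEY]", line)
    line = _BEARER_RE.sub(lambda m: m.group(1) + mask(m.group(2)), line)
    line = _KV_RE.sub(lambda m: m.group(1) + m.group(2) + mask(m.group(3)), line)
    return line


# Constructed sample lines of the kinds that leak secrets in practice.
SAMPLE_LOG = [
    'GET /v1/items?api_key=sk_live_abcdef123456 200',
    'request headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.signature',
    'login body: {"user": "bob", "password": "hunter2!"}',
    'loaded key: -----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----',
]


def redact_all(lines):
    """Apply the filter to every line; hook this into your logging handler or formatter."""
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for out in redact_all(SAMPLE_LOG):
        print(out)
```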
Preventing account spoofing and take-over
Users perform operations using the authentication token they obtain upon login. Applications should always extract the userId from the token and compare it with the userId of the account being operated upon. This ensures that user A’s token, though valid, cannot be used to perform operations on user B’s account.
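An added illustration of the ownership check described above (example code, not from the original article): the token format, signing key and account store are constructed for the demo, and the token is a minimal HMAC-signed blob rather than a real JWT. The point is in `update_email`, which refuses to act unless the verified token subject equals the account being changed.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real application loads this from a secret manager, never from source.
SECRET_KEY = b"constructed-demo-signing-key"

# Constructed account store: the account id is the key, so ownership is explicit.
ACCOUNTS = {"alice": {"email": "alice@example.test"}, "bob": {"email": "bob@example.test"}}


def issue_token(user_id: str) -> str:
    """Mint a minimal HMAC-signed token (constructed format, not a real JWT) carrying the subject."""
    payload = json.dumps({"sub": user_id}).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def user_id_from_token(token: str) -> Optional[str]:
    """Verify the signature first, then return the subject; None for any malformed or forged token."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload).get("sub")


def update_email(token: str, account_id: str, new_email: str) -> bool:
    """The check the text describes: the token's subject must equal the account being changed."""
    subject = user_id_from_token(token)
    if subject is None:
        raise PermissionError("invalid token")
    if subject != account_id:
        # A valid token for user A must never operate on user B's account.
        raise PermissionError("token subject does not own this account")
    ACCOUNTS[account_id]["email"] = new_email
    return True
```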
Standardizing input validation and database queries
Attacks such as SQL injection and buffer overflow can easily be prevented if both the size and the content of user input are validated properly. Validating against a whitelist (allowed characters) is preferable to validating against a blacklist (disallowed characters). I have seen developers invariably re-invent these and miss many corner cases. Hence, I recommend using a standard validation library such as ESAPI or Apache Commons Validator. For SQL, it is preferable to use parameterized statements and stored procedures instead of dynamically generated queries. Parameterized statements safely treat all user-supplied input as the literal representation of those strings instead of treating it as part of the SQL query, thus preventing injection attacks.
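An added example (not from the original article) of the two defences above working together: an allowlist validator for a username, and the same lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table so the difference in behaviour can be observed directly. The username policy and sample rows are assumptions for the demo.

```python
import re
import sqlite3

# Allowlist policy (constructed for the demo): what a username may contain and how long it may be.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value: str) -> str:
    """Reject anything not explicitly allowed; return the value unchanged on success."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username must be 3-32 characters from [A-Za-z0-9_]")
    return value


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "alice@example.test", 1), ("bob", "bob@example.test", 0)])
    return conn


def find_user_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the input is spliced into the SQL text and can change its meaning."""
    return conn.execute(f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    """Safe form: the input is bound as a literal value and can never become SQL syntax."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def lookup_user(conn: sqlite3.Connection, name: str) -> list:
    """Defence in depth: allowlist the input first, then bind it as a parameter."""
    return find_user_param(conn, validate_username(name))
```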