Guest Post by Gilad David Maayan
Gone are the days when developers could code a web application, release it, and be done with the project. Agile methodologies are changing the way we work, the way we code, and the way we collaborate. The developers of 2019 are expected to ensure the web apps they deliver are secure. That means your work doesn’t end with quick delivery. You also need to secure the apps. Read on to learn how to do that.
1. Don’t Aim to Fix All Vulnerabilities: Prioritize Them
Common website platforms like WordPress, Drupal and Joomla are plagued with thousands of vulnerabilities. If you develop your own web applications, you probably use open source components, which for a complex app may number in the hundreds or thousands, each with vulnerabilities of its own.
It’s downright impossible to fix all vulnerabilities. But you don’t really need to. The OWASP project has a smart framework for prioritizing vulnerabilities, which we can all adopt. It uses four dimensions to decide if a threat or vulnerability is really worth investing in:
- Ease of exploitability—if the vulnerability exists, how easy is it for an attacker to compromise your app? Does it require a sophisticated hacker or can any script kiddie break your site?
- Prevalence—what are the chances attackers would exploit this vulnerability?
- Detectability—how easy is it to detect an attack or an attempt to exploit the vulnerability? Some attacks are immediately obvious, while others can take years to discover, if at all.
- Business impact—what will happen if the attack hits you? For example, if your web application contains sensitive data, you will be more sensitive to breaches penetrating your systems and enabling data theft. If you run a huge-traffic website, you’ll be more sensitive to anything that causes downtime or modifies content on your site.
Try to find vulnerabilities that are especially concerning given these four dimensions, and focus your efforts on patching and fixing them.
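One way to turn the four dimensions above into a ranked work list, as an added example that is not part of the original post. The 1-to-3 rating scale and the "likelihood times impact" arithmetic are assumptions loosely modelled on OWASP's risk-rating approach, and the findings are constructed sample data:

```python
from statistics import mean

# Constructed scoring model: each of the four dimensions from the text is rated
# 1 (low) to 3 (high). Detectability is rated 3 when an exploit would be
# hardest to detect, the case the text describes as most dangerous.
# likelihood = mean(exploitability, prevalence, detectability); risk = likelihood * impact (range 1..9).
FACTORS = ("exploitability", "prevalence", "detectability", "impact")

# Constructed sample findings, not real vulnerabilities in any product.
SAMPLE_FINDINGS = [
    {"id": "outdated-cms-plugin", "exploitability": 3, "prevalence": 3, "detectability": 2, "impact": 3},
    {"id": "verbose-error-page", "exploitability": 2, "prevalence": 2, "detectability": 1, "impact": 1},
    {"id": "weak-admin-password-policy", "exploitability": 2, "prevalence": 2, "detectability": 3, "impact": 3},
    {"id": "clickjacking-on-landing-page", "exploitability": 1, "prevalence": 2, "detectability": 1, "impact": 2},
]


def risk_score(vuln):
    """Risk for one finding; rejects a missing or out-of-range rating instead of guessing."""
    for factor in FACTORS:
        if not 1 <= vuln[factor] <= 3:
            raise ValueError(f"{vuln['id']}: {factor} must be rated 1-3")
    likelihood = mean((vuln["exploitability"], vuln["prevalence"], vuln["detectability"]))
    return round(likelihood * vuln["impact"], 2)


def prioritize(vulns, threshold=4.0):
    """Rank findings by descending risk and split them into 'fix now' and 'backlog' ids."""
    ranked = sorted(vulns, key=lambda v: (-risk_score(v), v["id"]))
    fix_now = [v["id"] for v in ranked if risk_score(v) >= threshold]
    backlog = [v["id"] for v in ranked if risk_score(v) < threshold]
    return fix_now, backlog


if __name__ == "__main__":
    for v in SAMPLE_FINDINGS:
        print(f"{risk_score(v):>4}  {v['id']}")
    print(prioritize(SAMPLE_FINDINGS))
```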
2. Assign the Fewest Possible Privileges
Do an audit of privileges and permissions you grant your application’s users, and also within your infrastructure. For example, what user accounts exist on your database, how are they used, and what privileges do they provide?
A surefire way of reducing your risks is to ensure that all user accounts, whether public-facing or internal, provide the least possible privileges required by the user or the integrating system.
If a user creates an account to receive updates from your website, they should not have permission to change or write any data. If an app connects to a database to read and write information, it should not have permissions to delete tables or create new ones.
This has several benefits:
- Ensures that hackers who do compromise your systems have a much harder time causing damage.
- Minimizes the risk of insider threats, for example, a disgruntled employee or contractor using their credentials to attack your system.
- Avoids accidental disaster—for example, an internal user deleting an entire database by mistake.
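The database case from this section, worked through as an added example (not code from the original post). It uses Python's sqlite3 module and its authorizer hook as a stand-in for the GRANTs you would issue on a server database: the running application may read and write rows, but any attempt to create, drop or alter a table is refused. The schema and the sample row are constructed for the example:

```python
import sqlite3

# Constructed policy: schema changes belong to a separate, privileged migration
# step, never to the connection the running application holds.
DDL_ACTIONS = {
    sqlite3.SQLITE_CREATE_TABLE,
    sqlite3.SQLITE_CREATE_INDEX,
    sqlite3.SQLITE_DROP_TABLE,
    sqlite3.SQLITE_DROP_INDEX,
    sqlite3.SQLITE_ALTER_TABLE,
}


def app_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Deny DDL; allow the SELECT/INSERT/UPDATE (and transactions) the app needs."""
    return sqlite3.SQLITE_DENY if action in DDL_ACTIONS else sqlite3.SQLITE_OK


def open_app_connection(path=":memory:"):
    """Privileged setup creates the schema; the connection is clamped before the app sees it."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.execute("INSERT INTO subscribers (email) VALUES ('alice@example.com')")  # constructed row
    conn.commit()
    conn.set_authorizer(app_authorizer)  # from here on, every new statement is checked at prepare time
    return conn


def run_as_app(conn, sql, params=()):
    """Execute one statement as the app would; return (allowed, rows_or_error_message)."""
    try:
        rows = conn.execute(sql, params).fetchall()
        conn.commit()
        return True, rows
    except sqlite3.DatabaseError as exc:  # a denied statement fails with "not authorized"
        conn.rollback()
        return False, str(exc)


if __name__ == "__main__":
    conn = open_app_connection()
    print(run_as_app(conn, "SELECT email FROM subscribers"))
    print(run_as_app(conn, "INSERT INTO subscribers (email) VALUES (?)", ("bob@example.com",)))
    print(run_as_app(conn, "DROP TABLE subscribers"))
```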
3. Use a Reverse Proxy
Because web applications are accessible by the outside world, and most attackers will connect over the Internet, it is always healthy to have something sitting in between your app and the public network.
A reverse proxy server is a buffer of sorts that intercepts all incoming communication from the Internet into your app, and all outgoing communication from your systems back out to the Internet. A common type of proxy used by many web applications is a Content Delivery Network (CDN).
A reverse proxy can have several security advantages:
- Can absorb Distributed Denial of Service (DDoS) attacks, if you outsource your proxy to a provider that offers DDoS mitigation services.
- Can help you control browsing by users on the local network and outbound traffic from your application to external services.
- With a proxy in front of it, the IP address of your origin server is never revealed to clients.
4. Secure Your Cookies
Attackers can use your application’s cookies to steal user data, steal sessions and compromise accounts. Here are a few best practices to prevent malicious use of your cookies:
- Set relatively short expiration dates for cookies, to limit the damage if they do fall into the wrong hands.
- Consider encrypting, obfuscating, or tokenizing the information stored in cookies, so that if an attacker got hold of a cookie, its contents would be useless to them.
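Both practices above in one session cookie, as an added example that is not code from the original post: the cookie carries only an opaque random token (tokenization), a short expiry that is enforced server-side as well as via Max-Age, and an HMAC so tampering is detected. It also sets the standard Secure, HttpOnly and SameSite flags. The key, cookie name and 15-minute lifetime are constructed values; in practice the key comes from a secret store:

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SECRET_KEY = b"constructed-demo-key-load-from-a-secret-store"  # assumption: real key comes from config
COOKIE_NAME = "sid"
MAX_AGE = 15 * 60  # short lifetime in seconds: a stolen cookie is useful only briefly


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(store, user_id, now=None):
    """User data stays server-side; the cookie holds only token.expiry.signature."""
    now = int(time.time() if now is None else now)
    token = secrets.token_urlsafe(32)  # random and meaningless to anyone who reads it
    expires = now + MAX_AGE
    store[token] = {"user_id": user_id, "expires": expires}
    payload = f"{token}.{expires}"
    return f"{payload}.{_sign(payload)}"


def verify_session(store, cookie_value, now=None):
    """Return the user_id for an untampered, unexpired, known token; None otherwise."""
    now = int(time.time() if now is None else now)
    parts = cookie_value.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    token, expires, sig = parts
    if not hmac.compare_digest(_sign(f"{token}.{expires}").encode(), sig.encode()):
        return None  # signature mismatch: token or expiry was altered
    record = store.get(token)
    if record is None or record["expires"] != int(expires):
        return None
    if int(expires) <= now:  # enforce expiry here; never rely on the client honouring Max-Age
        store.pop(token, None)
        return None
    return record["user_id"]


def set_cookie_header(value):
    """Set-Cookie value with the hardening flags alongside the short Max-Age."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = value
    morsel = jar[COOKIE_NAME]
    morsel["max-age"] = MAX_AGE
    morsel["path"] = "/"
    morsel["secure"] = True  # sent only over HTTPS
    morsel["httponly"] = True  # not readable by page scripts
    morsel["samesite"] = "Strict"
    return morsel.OutputString()
```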
5. Conduct Threat Hunting
There are many security tools and defenses you could put in place, beyond the simple best practices we listed above. But no set of defenses is perfect, and you should always assume that despite your best efforts, your web application has already been breached. This is called the “assumption of breach” mindset.
Threat hunting is when you, or a security expert working on your behalf, conduct scans and analyze relevant data, actively trying to find malicious activity in your systems. You’ll be surprised how much you can find, even in a small system of a few servers and endpoints, and especially in larger networks.
Because you build, or maintain, the web application, you are the one who is most familiar with its ins and outs, vulnerabilities, and weaknesses. Learn about common threat vectors, take an online course on common attack tools and techniques, and think like a hacker—where would you go first to compromise your application?
Conduct a threat hunting exercise every few weeks or months and you are very likely to find something that will improve your security posture, or even save you from a cybersecurity disaster.
The question is never “to secure or not to secure”. If you build, own, or maintain a web app, then you need to ensure it remains secure at all times. You can do that by yourself, using the tips provided above. Or you can delegate this task to a professional (of the human variety, the machine kind, or both). You can also turn to the OWASP community for help and advice. Just don’t leave your apps exposed. You might get hacked, and that’s never fun.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.