Taking security seriously from the beginning is underrated by newbie web developers. In a team, this responsibility often belongs to the DevOps developer. If you're the solo web developer running a serious web app, then you MUST take responsibility for protecting your users' data by applying best practices against the following common web security vulnerabilities.
Protecting The First Website is an original series where I explain what I've learnt while protecting my first serious website from attackers.
- Protecting The First Website, Part 1: Common Threats (this post)
- Protecting The First Website, Part 2: Cross Site Scripting (upcoming)
- Protecting The First Website, Part 3: SQL Injection (upcoming)
- Protecting The First Website, Part 4: Server Side Request Forgery (upcoming)
- Protecting The First Website, Part 5: Sensitive Data Exposure (upcoming)
It's important to protect the following data types: name, address, date of birth, email, user name, password, Social Security number, credit card or debit card number, medical information, financial information, account information, phone numbers, intellectual property, etc.
Security is an ongoing, ever-changing practice that you must observe to ensure your project never ends up among the companies one hears about on the news after a huge data breach. Regardless of which programming paradigm, language or framework you wish to use, there are plenty of general, concise security practices you should follow from the very start of the project.
In order to build a secure application from a pragmatic point of view, it is important to identify the attacks which the application must defend against, according to its business and technical context:
- Server Security Misconfiguration
- Server-Side Injection
- Broken Authentication and Session Management
- Sensitive Data Exposure
- Broken Cryptography
- Broken Access Control
- Insecure OS/Firmware
- Insecure Data Storage
- Cross Site Scripting
- Cross Site Request Forgery
- Unvalidated Redirects and Forwards
- Insufficient Security Configurability
- Using Components with Known Vulnerabilities
- Automotive Security Misconfiguration
- Denial-of-Service (DoS)
Identify the high-risk areas: focus on remote entry points (interfaces with outside systems and with the Internet), and especially on places where the system allows anonymous, public access.
- Web forms and public-facing code
- Files from outside of the network
- Anything to do with cryptography
- Authentication, authorization and session management
- Backwards-compatible interfaces with other systems
These are often where you are most exposed to attack. Then understand what compensating controls you have in place: operational controls such as network firewalls, web application firewalls, and intrusion detection or prevention systems that help protect your application.
Here's the list of security techniques that should be included in every software development project. They are ordered by importance, with control 1 being the most important.
1. Define Security Requirements
2. Leverage Security Frameworks and Libraries
3. Secure Database Access
4. Encode and Escape Data
5. Validate All Inputs
6. Implement Digital Identity
7. Enforce Access Controls
8. Protect Data Everywhere
9. Implement Security Logging and Monitoring
10. Handle All Errors and Exceptions
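To make controls 3, 4 and 5 concrete, here is an added Python example (not code from the original post or from any project it describes). It uses a constructed in-memory SQLite table with two made-up users, puts a lookup that builds SQL by string formatting next to its parameterised replacement, validates the username against an allow-list, and HTML-escapes the data before it is rendered. The table layout, the username rules and the sample rows are all assumptions made for the illustration.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],  # constructed sample rows
    )
    return conn


# Control 5 (Validate All Inputs): an allow-list for usernames, assumed for this example.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def validate_username(raw):
    """Reject anything that is not a short lowercase alphanumeric/underscore name."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def find_user_unsafe(conn, username):
    """The weak form: user input is spliced into the SQL text, so it can change the query."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user(conn, username):
    """Control 3 (Secure Database Access): a parameterised query.

    The driver passes username as a value; it is never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_profile(username, email):
    """Control 4 (Encode and Escape Data): escape before inserting into HTML."""
    return f"<p>{html.escape(username)} &lt;{html.escape(email)}&gt;</p>"


def lookup_profile(conn, raw_username):
    """Validate, then query with parameters, then escape on output."""
    username = validate_username(raw_username)
    rows = find_user(conn, username)
    if not rows:
        return None
    name, email = rows[0]
    return render_profile(name, email)


if __name__ == "__main__":
    db = make_db()
    # Classic demonstration input: the unsafe query returns every row, the safe one none.
    probe = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, probe))
    print("safe:  ", find_user(db, probe))
    print(lookup_profile(db, "alice"))
```

Running the module shows the difference directly: the string-formatted query returns both rows for the probe input, while the parameterised query returns an empty list and the validated entry point rejects the input before it ever reaches the database.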