Web applications play a key role in the success of a business. Many companies depend on them entirely, offering a SaaS product to customers or building web apps for internal use.
Yet many companies do not know how to keep track of their web application security, let alone improve it.
Content management systems (CMS) like WordPress and Joomla, and website builders, have made it easy for anyone to create a website. Most website owners overlook the fact that an internet-facing web application has a large attack surface and needs adequate security.
Whenever a customer or visitor is on your website, you have to make sure that their data is safe.
If you fail to keep your customers’ data safe, you can end up on the receiving end of a cyber attack, which can lead to heavy business losses and can also get you sued. Keep in mind that no method can guarantee your web application will be safe from attackers forever; the goal is to not be an easy target.
In this article, we look at some best practices that will help you improve web application security and avoid being an easy target for attackers.
Choose A Secure Host
Even if your application has top-of-the-line security, it won’t do you much good if it runs on an insecure host.
Do some research and choose a hosting company with a good reputation and few downtime issues. Also check whether they meet the other requirements specific to your business.
Some key points to consider when choosing a host are:
Does the web host offer SFTP (SSH File Transfer Protocol) or another encrypted transfer method, rather than plain FTP, which sends credentials and files in cleartext?
Is anonymous (unauthenticated) FTP access disabled?
Does it run a rootkit scanner or other host-based integrity monitoring?
Does it offer file backups to a remote server?
How promptly do they apply security updates to the operating system and server software?
Do they provide technical support whenever necessary?
Know Your Web Applications And Prioritize Them
It’s quite surprising that many organizations are still unaware of how many web applications they have or where they are hosted.
It is important to keep an inventory of your web applications, both your organization’s own and third-party ones, and to prioritize it by how much damage could be done if a given application were compromised.
Secure Your Login Pages Using SSL (HTTPS) Encryption
To keep your website safe, serve it over HTTPS, that is, HTTP with TLS encryption. (The certificates are still commonly called “SSL certificates”, but SSL itself is obsolete and should be disabled in favour of TLS 1.2 or later.)
HTTPS encrypts data sent between the browser and the web server, authenticates the server to the browser, and prevents a third party from reading or tampering with the data in transit. So even if an attacker intercepts the traffic (a manipulator-in-the-middle attack), the captured data is useless to them. The protection has to cover the whole site, not only the login page: if a session cookie issued after an HTTPS login is later sent over a plain HTTP page, an attacker on the network can steal it. Redirect all HTTP requests to HTTPS, mark session cookies Secure, and consider enabling HTTP Strict Transport Security (HSTS) so browsers refuse to use plain HTTP for your domain at all.
If your website doesn’t have a valid certificate, most popular browsers flag it as “Not secure”, and they warn users not to enter personal, payment or password information on such pages.
Always Sanitize And Validate User Input
Never trust user input. Failing to validate it is one of the most common security mistakes found on websites.
If user input is not properly validated and sanitized, your website is at high risk of attacks like cross-site scripting (XSS), SQL injection and other injection attacks. Sanitizing input may involve removing, replacing, encoding or escaping unwanted characters. The encoding must match the context in which the data is used: HTML encoding protects an HTML page, but it does nothing for a SQL query, where the right defense is a parameterized query (prepared statement) that keeps the data separate from the query text.
Eg:
<script>alert("XSS");</script>
HTML encoded: &lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt;
Validation is the process of checking that user input has the expected form: the right characters, but also the right length, format and range. You can use a whitelist (allowlist) or a blacklist (denylist) to achieve this. With a whitelist, only the approved characters or patterns are accepted and everything else is rejected.
For example, if your website has a field for phone numbers, you could whitelist the digits 0 to 9 (plus a leading “+” and separators if you accept international formats) and a sensible length. If the user enters anything else, it is rejected. With a blacklist, by contrast, the listed characters or patterns are rejected and everything else is accepted.
Whenever possible, use a whitelist rather than a blacklist. With a blacklist you have to enumerate every possible malicious variant, and the moment you miss one (a different tag, an inline event handler, mixed case, an encoded form) your web application is exposed. It is much safer to describe what valid input looks like and reject the rest. Validation also does not replace output encoding: a perfectly valid name such as O’Brien still has to be encoded when rendered into HTML and passed as a bound parameter to the database.
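The two points above (blacklists miss variants; encode for the output context) side by side, as an added example that is not code from the original post. It runs a deliberately naive blacklist and a proper HTML encoder over constructed XSS payloads and adds an allowlist check for a phone field; the payloads, the phone pattern and the `looksExecutable` heuristic are assumptions made for the example.

```javascript
// Added example (not from the original post): HTML output encoding versus a
// character blacklist, plus allowlist (whitelist) validation of a phone field.
// The payloads and the phone-number pattern are constructed for illustration.

// Encode the characters that have meaning in HTML text and attribute contexts.
// The result is safe to place in an HTML text node or a quoted attribute value
// (it is NOT the right encoding for JavaScript, URL or SQL contexts).
function htmlEncode(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// A naive blacklist that strips <script> tags. Kept only to show why blacklists fail.
function blacklistSanitize(str) {
  return String(str).replace(/<\/?script>/gi, '');
}

// Rough heuristic used only to make the comparison visible: does the string still
// carry a script tag, a tag with an inline event handler, or a javascript: URL?
function looksExecutable(html) {
  return /<script|<\w+[^>]*\son\w+\s*=|javascript:/i.test(html);
}

// Allowlist validation for a phone-number field: optional leading "+", then digits
// with optional spaces, dots or dashes, roughly 7 to 21 characters in total.
// Anything else (letters, quotes, semicolons, angle brackets) is rejected outright.
const PHONE_RE = /^\+?[0-9][0-9 .-]{5,18}[0-9]$/;
function isValidPhone(input) {
  return typeof input === 'string' && PHONE_RE.test(input);
}

// Constructed payloads: three XSS attempts and one benign but HTML-significant value.
const PAYLOADS = [
  '<script>alert("XSS");</script>',        // the classic: the blacklist catches this one
  '<scr<script>ipt>alert(1)</script>',     // stripping the inner tag rebuilds a script tag
  '<img src=x onerror=alert(1)>',          // no script tag at all
  "O'Brien <b>& Sons</b>",                 // benign, but still has to be encoded
];

// Compare both approaches over every payload; returns one record per payload.
function compare(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    input: p,
    blacklisted: blacklistSanitize(p),
    blacklistStillDangerous: looksExecutable(blacklistSanitize(p)),
    encoded: htmlEncode(p),
    encodedStillDangerous: looksExecutable(htmlEncode(p)),
  }));
}
```

Running `compare()` shows the blacklist catching only the textbook payload while two of the four inputs still reach the browser as live markup; the encoder neutralises all of them without having to know what an attack looks like, which is the whole argument for describing valid output rather than enumerating bad input.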
Have A Good Password Policy
Whenever web application security is discussed, password policy is part of the conversation.
Most companies now have standard password policies to improve their security. Even so, an admin or website owner has so many websites, databases and programs to keep password-protected that many people end up reusing the same password almost everywhere just to remember it. That is a serious mistake: a single leaked database exposes every account that shares the password.
Attackers run automated brute-forcing and credential-stuffing tools against sites to find accounts with weak or reused passwords. To protect against this, use long, unique passwords for each site; length matters more than mixing character classes, although uppercase, lowercase, digits and special characters all help. On the server side, complement this by rate-limiting failed logins, returning the same generic error for a wrong password and an unknown account, and storing passwords only as slow, salted hashes.
Use hard-to-guess passwords and never build them from personal information. A password you can keep in your head is almost always a weak one, so use a password manager to generate and store them.
Also, if two-factor authentication (2FA) is available, always opt in. Besides the password, this adds an extra layer of security: a stolen or guessed password alone is no longer enough to log in.
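The server-side half of this section, as an added example that is not code from the original post: a password policy check that favours length and rejects common or account-derived passwords, and a sliding-window login throttle that stops the automated guessing described above. The limits, the account `alice`, the six-entry common-password list and the source IP are assumptions constructed for the example; a real deployment would check a large breached-password list and compare slow salted hashes rather than plaintext.

```javascript
// Added example (not from the original post): a server-side password policy
// check and a login throttle that slows automated guessing. The limits, the
// account, the tiny common-password list and the IP address are assumptions.

// Stand-in for a breached/common-password list; a real deployment checks a large
// list (for example via a k-anonymity range query) rather than six entries.
const COMMON_PASSWORDS = new Set(['password', 'password1', '123456', 'qwerty', 'letmein', 'welcome1']);

// Policy: favour length over mandatory character classes, reject known common
// passwords, and reject passwords derived from the account name.
// Returns a list of problems; an empty list means the password is acceptable.
function checkPasswordPolicy(password, username = '') {
  const pw = typeof password === 'string' ? password : '';
  const problems = [];
  if (pw.length < 12) problems.push('shorter than 12 characters');
  if (pw.length > 128) problems.push('longer than 128 characters');
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) problems.push('appears in common-password list');
  if (username && pw.toLowerCase().includes(username.toLowerCase())) problems.push('contains the account name');
  if (/^(.)\1+$/.test(pw)) problems.push('single repeated character');
  return problems;
}

// Login throttle: after maxFailures failed attempts against one account, or from
// one source IP, within windowMs, further attempts are refused until the window
// slides past. `now` is passed in explicitly so the logic can be exercised offline.
class LoginThrottle {
  constructor({ maxFailures = 5, windowMs = 15 * 60 * 1000 } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // key -> timestamps of recent failures
  }
  recent(key, now) {
    const kept = (this.failures.get(key) || []).filter((t) => now - t < this.windowMs);
    this.failures.set(key, kept);
    return kept;
  }
  allowed(username, ip, now) {
    return this.recent(`u:${username}`, now).length < this.maxFailures
        && this.recent(`ip:${ip}`, now).length < this.maxFailures;
  }
  recordFailure(username, ip, now) {
    this.recent(`u:${username}`, now).push(now);
    this.recent(`ip:${ip}`, now).push(now);
  }
  recordSuccess(username) {
    this.failures.delete(`u:${username}`); // the per-IP counter is kept on purpose
  }
}

// Constructed credential store. A real system stores only a slow, salted hash
// (bcrypt, scrypt or Argon2) and compares hashes; it never stores the password.
const USERS = new Map([['alice', 'correct horse battery staple']]);

// One login attempt. The same generic 'invalid' is returned whether the account
// is unknown or the password is wrong, so attackers cannot enumerate usernames.
function attemptLogin(throttle, username, password, ip, now) {
  if (!throttle.allowed(username, ip, now)) return 'throttled';
  if (USERS.has(username) && USERS.get(username) === password) {
    throttle.recordSuccess(username);
    return 'ok';
  }
  throttle.recordFailure(username, ip, now);
  return 'invalid';
}

// Replay a small automated guessing run against alice, one guess per millisecond,
// then one more attempt with the right password after the window has expired.
function simulateBruteForce() {
  const throttle = new LoginThrottle({ maxFailures: 5, windowMs: 60 * 1000 });
  const guesses = ['password', '123456', 'qwerty', 'letmein', 'alice123',
                   'welcome1', 'correct horse battery staple'];
  const during = guesses.map((g, i) => attemptLogin(throttle, 'alice', g, '203.0.113.7', 1000 + i));
  const afterWindow = attemptLogin(throttle, 'alice', 'correct horse battery staple', '203.0.113.7', 1000 + 7 + 60 * 1000);
  return { during, afterWindow };
}
```

Note that the throttle refuses the seventh guess even though it is the correct password: once the limit is hit, the attacker gets no signal until the window slides, and the legitimate user (who knows the password) is only delayed, not locked out permanently. Keying on both account and source IP means a distributed attack against one account and a single host spraying many accounts are both slowed.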
For the detailed version with more best practices to improve web application security, check out this blog
Thanks for this article. This video is also a great introduction: youtube.com/watch?v=8DJjIV6BBL8