Published: 15/04/2021

Web Application Security

Web application security is a central part of any web-based business. It deals particularly with the security around:

  • Websites
  • Web applications
  • APIs

A web application is any website that is interactive. Even if all a website offers is a way to log in, it counts as an application, because there is logic and programming running behind the scenes.

A web application can be subject to flaws, so web application security is the practice of discovering and patching those flaws.

How to stop web application attacks

Attacks against web applications are constant. Controls such as web application firewalls (WAFs) and distributed denial of service (DDoS) mitigators can protect web applications from active threats. Strong authentication procedures, regularly checking for and patching vulnerabilities, and secure software development practices also aid in threat prevention.

Web application vulnerabilities

Web applications typically have multiple layers where vulnerabilities can be introduced:

  • Data layer
  • Functionality layer (web apps, APIs etc.)
  • Hardware layer (servers, storage)

At every layer, it is important to prevent the introduction of new vulnerabilities where possible and to patch any existing ones.

Key web application threats

  • Compromised credentials
  • Cross-site scripting (XSS)
  • Injection attacks
  • Broken authentication and session management
  • Cross-site request forgery (CSRF or XSRF)
  • Security misconfiguration (SOAP, XML-RPC, REST APIs)
  • Secret exposure through data mining or data leakages
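Two of the threats listed above, injection and cross-site scripting, come down to untrusted input being mixed into a query or a page without being kept separate from it. The following is an added example, not code from the original page or from Netacea: each threat is shown as a vulnerable function beside its hardened form, using only the Python standard library, an in-memory SQLite database and constructed sample users.

```python
"""Added example (not from the original page): injection and XSS, each as a
vulnerable function beside its hardened counterpart. Standard library only;
the users table and its rows are constructed for this example."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Concatenates untrusted input into the SQL text: the injection pattern.
    A quote character in `username` changes the structure of the query."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Binds the input as a parameter, so the driver treats it purely as a
    value and it can never alter the query's structure."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_vulnerable(comment: str) -> str:
    """Interpolates untrusted text straight into HTML: the XSS pattern."""
    return f"<p>{comment}</p>"


def render_hardened(comment: str) -> str:
    """Escapes the text so the browser shows it instead of interpreting it
    ("refuse or sanitize HTML in untrusted content")."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed input containing a quote
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row leaks
    print("hardened:  ", lookup_hardened(db, probe))     # no such user
    print(render_vulnerable("<b>hi</b>"))
    print(render_hardened("<b>hi</b>"))
```

The hardened versions do not try to detect bad input; they remove the ambiguity between data and code, which is why they hold up against inputs nobody thought to block.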

Web application security checklist – how to secure your applications

The World Wide Web Consortium (W3C) has created a list of items to consider when trying to secure an application. These items are:

  • Have a threat model and use it
  • Monitor your app’s traffic
  • Check the software running on your servers
  • Use TLS certificates with strong key sizes
  • Alert on unusual behavior and intelligently log
  • Allow only necessary user-agents through application firewalls
  • Understand common web attacks
  • Treat all inputs as hostile
  • Refuse or sanitize HTML in untrusted content
  • Don’t rely only on WAFs
  • Harden session management
  • Deploy HTTPS everywhere
  • Make sure you have good backups
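Several of the checklist items above translate directly into a few lines of server-side code. The block below is an added example, not code from the original page, from Netacea or from the W3C list: it shows "harden session management" as a session cookie issued with a random identifier and the Secure, HttpOnly and SameSite attributes, a constant-time token comparison for session or anti-CSRF tokens, and "monitor your app's traffic / alert on unusual behavior" as a rate-based alert over constructed combined-format access log lines. The cookie name, the log lines, the IP addresses and the threshold are all assumptions made for the example.

```python
"""Added example (not from the page or the W3C): three checklist items in
working code. Standard library only. The cookie name, log lines, IPs,
threshold and user-agent strings are constructed for this example."""
import hmac
import re
import secrets
from collections import Counter
from http.cookies import SimpleCookie
from typing import Iterable, List, Optional


def new_session_cookie(name: str = "session") -> SimpleCookie:
    """Harden session management: an unguessable id, sent only over HTTPS,
    hidden from page scripts and withheld on cross-site requests."""
    cookie = SimpleCookie()
    cookie[name] = secrets.token_urlsafe(32)   # 256 random bits, 43 chars
    cookie[name]["secure"] = True              # HTTPS only
    cookie[name]["httponly"] = True            # invisible to document.cookie
    cookie[name]["samesite"] = "Strict"        # not sent from other sites
    cookie[name]["path"] = "/"
    return cookie


def tokens_match(expected: str, presented: str) -> bool:
    """Compare a session or anti-CSRF token without leaking timing."""
    return hmac.compare_digest(expected.encode(), presented.encode())


# Combined log format: ip ident user [time] "request" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access-log line, or None if it does
    not match the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def failed_login_alerts(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Alert on unusual behavior: IPs with at least `threshold` failed
    (HTTP 401) POST /login requests in the lines supplied."""
    failures: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # unparseable line; a real pipeline would count these too
        if rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] == "401":
            failures[rec["ip"]] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)


# Constructed sample log: 203.0.113.5 fails five logins, 198.51.100.7 fails
# once and then succeeds (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2021:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2021:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2021:10:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2021:10:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2021:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2021:10:00:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2021:10:00:07 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2021:10:00:08 +0000] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(new_session_cookie().output())
    print("alerts:", failed_login_alerts(SAMPLE_LOG.splitlines()))
```

The alert is deliberately simple (a count per source over whatever window the lines cover); in production the same logic runs over a sliding time window and feeds a ticket or a block rule rather than a print, which is the "intelligently log" half of the checklist item.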

Frequently asked questions about web application security

How can I secure my web applications?

The best way to protect against web application attacks is through security testing, patching any vulnerabilities and keeping an eye on any threats.

Why is web application security important?

Web applications are among the most vulnerable types of software. Attacks against web applications can cause large data losses, revenue losses and can even cripple an entire business.

How does web application security work?

Most web attacks are carried out through the HTTP protocol. It is essential to monitor every part of the application layer, from the server all the way down to individual inputs and outputs.

What are some examples of web security threats?

Common threats include: SQL injection, XSS (cross-site scripting), CSRF (cross-site request forgery) and DDoS attacks.

How can I test for vulnerabilities in my web applications?

A number of tools can aid in finding vulnerabilities within an application, such as scanners, firewalls and analysis software packages. However, it is best to also manually check running instances for areas exposed to known exploits, or to work on the assumption that the code contains exploitable flaws.

How are web applications attacked?

Web applications are attacked through known vulnerabilities in the software or protocols that they use. Often these attacks are carried out with malicious code written to exploit a flaw and cause damage to the application itself or the data it is protecting.

Why is web security testing important?

Testing an application for vulnerabilities is a vital step in securing it and preventing attacks. Knowing which software you are running gives you the control needed to better protect your applications against threats.

What should I do if my web app has been compromised?

If a website has been attacked, the most important thing to do is to patch any existing vulnerabilities as soon as possible. Many other measures can also be taken, such as changing access permissions on the server and installing additional security controls such as intrusion-detection systems, firewalls or encryption.

How does application security testing reduce your organization’s risk?

In a nutshell, improved application security testing leads to better management of the risk your organization faces when it comes to securing web applications.

How does web security training help with application security?

Security awareness training will help employees understand how important web applications are within their organization and what measures they need to take to ensure that those applications are well protected and up to date.

What features should be reviewed during a web application security test?

The main features that should be checked when testing a website for security are its forms and cookies. These are the two areas through which most attacks on web apps take place, so it is important that they are validated and secure.

When must a web application security scan be performed?

Web application security should be tested and monitored on a regular basis, ideally following a frequency that suits the needs of your organization. This may vary from once every few months to daily.
