11 Expert Web Application Security Best Practices for 2024
2024-2-26 19:38:16 Author: securityboulevard.com

Web Application Security Best Practices

1. Always Check Your Policies & Processes

It’s crucial to have a proper web security strategy planned as a part of your wider cybersecurity strategy. This includes:

Adopting a cybersecurity framework.

While you can create a cybersecurity framework on your own, it’s a good idea to start with existing industry-standard frameworks such as:

  • ISO 27001: Guidelines from ISO for information security management systems (ISMS).
  • NIST: A standard by the US National Institute of Standards and Technology, at the moment the most widely adopted framework for cybersecurity planning in large organizations.
  • CIS Controls: A prioritized set of safeguards from the Center for Internet Security (CIS), designed to protect websites and enterprises from the most common cybersecurity threats.
  • ASVS: The OWASP Application Security Verification Standard, a basis for testing web application technical security controls and a list of requirements for secure development.

Auditing your web assets.

It’s very common, especially in large organizations, to forget legacy web assets. However, a neglected web asset can be a gateway for hackers to inject their code and access your whole database.
Audit your whole system, even if you only have a handful of applications at the moment. If there are unused web assets, consider deleting them altogether. If you can’t delete unused assets, ensure they are inaccessible by outside users.

2. Automate & Integrate Security Software & Tools

Cybersecurity threats are growing rapidly, but fortunately we now have access to a wide range of web application security programs: automation tools and solutions that help keep our web applications safe. The key to stopping the most overwhelming, distributed threats to your web application is identifying bot traffic with an automated tool. Manual tests still have their benefits, but we no longer have to rely solely on manual scanning, penetration testing, and the like.

Also, today’s cybersecurity solutions are designed for integrating with each other. For example, high-end automated vulnerability scanners can commonly integrate with other issue trackers and CI/CD solutions.

An advanced bot detection system like DataDome, for example, can automatically detect and block malicious bot activities and also integrate with your server logs, your SIEM/SOC tools, and any application that reads HTTP request headers.

Automating your web application security can provide several benefits:

  • Manual processes carry a risk of human error. The more of your security workflow you can automate correctly, the fewer steps depend on someone remembering to do them.
  • Integration between security tools and other solutions means that neither developers nor IT security managers have to spend time learning and switching between separate tools for web application security.
  • Automation and integration let you detect and eliminate issues earlier, preventing (possibly permanent) damage and loss.

3. Update Software & Systems to Patch Vulnerabilities

No system or software is 100% perfect, and there will always be security vulnerabilities. So, whenever there’s an update for any software or system—especially a security-related patch—make sure to update right away.

Yes, updating your software to the latest version might break something every now and then, but that risk is justified compared to having an attacker compromise your system through a known vulnerability that has already been addressed by a security patch.

When the software developer breaks something with a patch, they will most likely take responsibility and release a fix right away. When your system is breached because you leave software unpatched, it’s your risk alone.

4. Inspect Incoming Traffic in Real Time

Here are several common and effective ways to inspect and control incoming traffic to your web application:

  • Monitor your system logs and alerts regularly (a manual approach) and check for suspicious activities.
  • Set up a web application firewall (WAF) and configure the right policies according to the threats you are facing and what you need to allow (but beware of your WAF’s limitations).
  • Use automated network monitoring and inspection tools to check what’s happening on your web application and what the traffic is composed of.
  • Use an advanced bot detection solution like DataDome to detect and protect against sophisticated bots, which are a common source of various web application attacks.
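As an added example (not code from the article or from DataDome), here is a small log-based check of the kind a monitoring tool would run over incoming-traffic logs. The log lines, IP addresses and thresholds are constructed for illustration; it flags clients with request bursts, repeated login failures, rotating user agents, or obvious automation user agents.

```javascript
// Constructed sample in Apache/Nginx "combined" log format (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [26/Feb/2024:19:38:01 +0000] "POST /login HTTP/1.1" 401 187 "-" "python-requests/2.31"',
  '203.0.113.7 - - [26/Feb/2024:19:38:02 +0000] "POST /login HTTP/1.1" 401 187 "-" "python-requests/2.31"',
  '203.0.113.7 - - [26/Feb/2024:19:38:03 +0000] "POST /login HTTP/1.1" 401 187 "-" "python-requests/2.31"',
  '198.51.100.20 - - [26/Feb/2024:19:38:05 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"',
  '198.51.100.20 - - [26/Feb/2024:19:38:09 +0000] "GET /contact HTTP/1.1" 200 2048 "https://example.test/pricing" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"',
];

// ip, timestamp, method, path, status, user agent
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // malformed line: skipped, not guessed at
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[6] };
}

// Returns { ip: [reasons...] } for every client that trips a heuristic.
// Thresholds are assumptions for this sample; tune them to your own traffic.
function findSuspiciousClients(lines, { maxRequests = 10, maxLoginFailures = 3 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const s = byIp.get(r.ip) || { requests: 0, loginFailures: 0, agents: new Set() };
    s.requests += 1;
    if (r.method === 'POST' && r.path === '/login' && r.status === 401) s.loginFailures += 1;
    s.agents.add(r.ua);
    byIp.set(r.ip, s);
  }
  const flagged = {};
  for (const [ip, s] of byIp) {
    const reasons = [];
    if (s.requests > maxRequests) reasons.push('request burst');
    if (s.loginFailures >= maxLoginFailures) reasons.push('repeated login failures');
    if (s.agents.size > 1) reasons.push('rotating user agents');
    if ([...s.agents].some(ua => ua === '-' || ua === '' || /python-requests|curl\//i.test(ua))) {
      reasons.push('automation user agent');
    }
    if (reasons.length) flagged[ip] = reasons;
  }
  return flagged;
}

console.log(findSuspiciousClients(SAMPLE_LOG));
```

Heuristics like these are a starting point for alerting; a dedicated bot detection product applies many more signals than a log line exposes.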

5. Encrypt Data & Web Traffic Channels

It’s important to first embrace the fact that no matter the number of security solutions you’ve placed and whatever you do to protect the web app, it won’t be 100% safe. As an extra layer of security, it’s important to use strong encryption for all your data.

This way, even after an attacker has successfully stolen your data, they won’t be able to make use of it, provided the encryption keys are stored separately from the data and were not taken along with it.

In addition, make sure all of your communication channels are encrypted properly, preferably by using a TLS (SSL) certificate and serving your website over HTTPS. Also, avoid mixed content—when the initial HTML is loaded over an HTTPS connection but the content of the page (images, scripts, videos, etc.) is loaded over insecure HTTP. Not using HTTPS will also hurt your site’s ranking in search engines.
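As an added example (not from the article), here is a simple mixed-content check: it scans an HTML document that is served over HTTPS for subresources loaded over plain http://. The HTML and host names are constructed for illustration; a scheme-relative URL (//host/...) inherits the page’s scheme and is therefore not reported.

```javascript
// Constructed sample page; hosts under .example.test are placeholders.
const SAMPLE_HTML = `<!doctype html>
<html><head>
  <link rel="stylesheet" href="https://cdn.example.test/site.css">
  <script src="http://cdn.example.test/app.js"></script>
</head><body>
  <img src="http://images.example.test/logo.png">
  <img src="//images.example.test/hero.png">
  <a href="http://example.test/about">About</a>
  <video src="HTTP://media.example.test/intro.mp4"></video>
</body></html>`;

// Elements whose insecure loads browsers block or warn about. A plain <a href>
// is navigation, not a subresource, so it is not mixed content.
const RESOURCE_ATTRS = {
  img: 'src', script: 'src', link: 'href', iframe: 'src',
  video: 'src', audio: 'src', source: 'src', embed: 'src', object: 'data',
};
const TAG_RE = /<(\w+)\b([^>]*)>/g;

// Returns [{ tag, url }] for every http:// subresource on an https:// page.
function findMixedContent(html, pageUrl) {
  if (!/^https:\/\//i.test(pageUrl)) return []; // only meaningful on HTTPS pages
  const findings = [];
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attr = RESOURCE_ATTRS[tag];
    if (!attr) continue;
    const av = new RegExp(`\\b${attr}\\s*=\\s*["']([^"']+)["']`, 'i').exec(m[2]);
    if (!av) continue;
    const url = av[1].trim();
    if (/^http:\/\//i.test(url)) findings.push({ tag, url }); // scheme is case-insensitive
  }
  return findings;
}

console.log(findMixedContent(SAMPLE_HTML, 'https://example.test/'));
```

Run this against rendered pages in CI or a crawler; for already-deployed sites, a Content-Security-Policy with upgrade-insecure-requests lets the browser fix such loads at request time.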

6. Prioritize Which Vulnerabilities to Focus On

Again, no web application security is perfect, and attempting to fix every vulnerability at once can be counterproductive because of the time it consumes. Also, depending on your system, you might be running more than one web application on your website. You simply can’t maintain your web application security without knowing which web application(s) you are actually running and what their respective vulnerabilities are.

Audit your whole system, list all your web applications, their vulnerabilities, and then sort them based on priorities:

  • Critically Vulnerable: Vulnerabilities in applications that handle sensitive information and are externally reachable (accessible to outside users), and are therefore the most likely to be targeted by hackers. These should be your main priorities.
  • Serious Threats: Vulnerabilities in applications that may also handle sensitive information, but that may be internal or external.
  • Normal: Applications or vulnerabilities that are less likely to be targeted by hackers, but that should still be monitored and tested regularly.

You can plan out extensive monitoring and testing for those on top of the priority list, and less extensive ones for normal vulnerabilities. This way, you can effectively use your time and resources to focus on the most critical threats.

7. Create a Threat Model to Identify Vulnerabilities

One of the key web application security practices is to create a threat model to identify incoming threats. You can use this cheat sheet to create your own threat models.

A proper threat model allows you to have a clearer picture of which information assets might be targeted, your vulnerabilities, and potential attack vectors. The threat model will evolve over time as your web application is used and as you gather more data.

There are three key steps in creating a threat model:

1. Identifying Your Information Assets

The first and the most crucial step is to audit your whole system and identify all the information assets, as we have discussed above. In particular, make sure to identify all sensitive data and categorize their types (and priorities, as discussed above). Knowing the proper data classification of your system can significantly help in ensuring that you are using the right measures to protect that data.

2. Identifying Incoming Threats

Once you’ve properly identified your information assets, you can consider the potential threats associated with each asset. In general, you can use two approaches: bottom-up or top-down.

  • Bottom-Up Approach: Consider how the actual hacker/attacker will work, position yourself as the attacker, scan the system and find potential vulnerabilities, pivot, and repeat.
  • Top-Down Approach: Consider the target information asset first and then consider all potential ways to access it.

You can also use a combination of both approaches to get different perspectives on incoming threats. A good practice is to build a list or dictionary of potential threats using both these approaches.

3. Prioritizing Vulnerabilities/Risks

Now that you’ve properly assessed the vulnerabilities and potential threats (the threat models), you can assign priorities based on the probability and severity of potential attacks. As we’ve discussed above, remember that your resources and time are limited, so it’s important to get your priorities straight.

8. Escape, Validate, & Sanitize Incoming Inputs

An effective way to protect your web application especially from cross-site scripting (XSS) threats is to escape, validate, and sanitize all incoming user inputs.

Escaping Inputs

Escaping (output encoding) is the process of converting characters that have a special meaning in the output context—such as <, >, & and quotes in HTML—so that data received by a web application is displayed as data rather than interpreted as markup or code when it is shown to end-users. Escaping data is very important to prevent your web application from improperly interpreting malicious data.

If your web page doesn’t allow users to input their own code, then escaping input is fairly easy. However, if your page has, for example, a comment section or a form field where users can potentially input HTML or JavaScript, then you need to handle it carefully, combining escaping with allow-listing and validation, as we’ll discuss below.

Input Validation

Validation ensures that your web app only accepts input that matches what a field is expected to contain (type, length, format, permitted values), filtering out potentially malicious user inputs before they are processed. Defining what is acceptable rather than what is forbidden is also called “allow-listing”, and it is particularly effective against SQL injection and XSS threats.

Sanitizing Input

Sanitizing your input involves modifying the input data so that it is safe and valid—for example by removing disallowed markup, or by enclosing the input data in double-quotes (“) so it is handled as a literal value. This is very important in web apps that accept HTML markup from users.
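As an added example (not from the article), here are the three defences side by side for a hypothetical comment form whose body is rendered into an HTML page: escaping for the HTML output context, allow-list validation of the fields, and a deliberately small tag allow-list sanitizer. Field names, limits and allowed tags are assumptions; production code should use a maintained sanitizer library such as DOMPurify rather than this illustration.

```javascript
// 1. Escaping (output encoding): make data inert in the HTML text/attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// 2. Validation (allow-listing): accept only what each field is expected to hold.
const AUTHOR_RE = /^[A-Za-z0-9_]{3,20}$/;          // assumed username policy
const MAX_BODY = 500;                                // assumed length limit
function validateComment(input) {
  const errors = [];
  if (!AUTHOR_RE.test(input.author || '')) errors.push('author: 3-20 letters, digits or underscore');
  const body = typeof input.body === 'string' ? input.body : '';
  if (body.length === 0 || body.length > MAX_BODY) errors.push(`body: 1-${MAX_BODY} characters`);
  return { ok: errors.length === 0, errors };
}

// 3. Sanitizing: keep a handful of harmless tags, strip every other tag and all attributes.
// Anything that does not form a tag (e.g. a lone "<") is left as text; text inside a
// removed <script> stays as plain text, where it is not executed.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);
function sanitizeHtml(html) {
  return String(html).replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return '';            // unknown tag dropped entirely
    return tag.startsWith('</') ? `</${lower}>` : `<${lower}>`; // attributes (onclick, ...) dropped
  });
}

// Putting it together: validate first, then escape the name and sanitize the body
// at the point where they are rendered into HTML.
function renderComment(input) {
  const v = validateComment(input);
  if (!v.ok) return { ok: false, errors: v.errors };
  const html = `<p class="author">${escapeHtml(input.author)}</p>` +
               `<div class="body">${sanitizeHtml(input.body)}</div>`;
  return { ok: true, html };
}

console.log(renderComment({ author: 'alice_1', body: '<b onclick="x()">hi</b><img src=x onerror=alert(1)>' }));
```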

9. Educate Your Whole Team

With today’s cybersecurity threats, cybersecurity cannot be the responsibility of your IT security team alone. All IT security practices—including web application security—have to involve everyone in the development, operations, and testing process.
To do this, companies should adopt the DevSecOps methodology, in which security is built into both the development and the operations side of the web application rather than bolted on afterwards.

10. Manage Cookies & Authentication Tokens

Cookies and authentication tokens let a user avoid re-verifying themselves during a session, or potentially across later sessions. Cookies can be hijacked and forged by malicious actors, and if you store sensitive information like passwords in cookies, attackers will be able to steal your users’ credentials. Additionally, cookies and authentication tokens should expire at some point (such as monthly) to ensure users re-authenticate regularly.

And as always, encrypt your data so that even if it’s intercepted, it cannot be read.

11. Have a Plan for Responding to Attacks & Breaches

The goal is always to secure your web application enough that attacks and breaches will not occur. But you need to be prepared if they do. Without a plan in place, responding to cyberattacks will be slow, leading to significant revenue losses as well as reputational damage.

There should be a separate plan for each category of attack (such as account takeover or DDoS) with simple steps to respond to and mitigate the attack. Ensure your employees are well-trained on these processes, and test the processes to identify any points that slow down your response to the threat.

Conclusion

Maintaining a secure web application should be a collective effort of your whole team. Start by defining a plan for finding vulnerabilities, setting your priorities, and fixing those vulnerabilities to stop attack attempts. Also, maintain a regular monitoring schedule by checking your security logs and activity patterns.

A real-time bot detection solution can also help in detecting hacking attempts as early as possible, which in turn can be very effective in preventing various web application attacks.


Article source: https://securityboulevard.com/2024/02/11-expert-web-application-security-best-practices-for-2024/