16 May 2018, 11:05 — 7 min read
Securing an organisation’s IT infrastructure is important. There are a number of hacks, threats and data breaches highlighted by the media that show us what’s at stake for all businesses. The web is the most common target for application-level attacks, it makes it quite critical to adopt web application security best practices.
Create a web application security plan
It is correctly said by Antoine de Saint-Exupéry that, “A goal without a plan is just a wish”. Most organisations have no idea of the quantity of their applications, their use, and when they were last updated. A well organised approach must be utmost priority towards web application security. A detailed, actionable web application security plan needs to be framed in line with the organisation’s goals.
Planning should start by doing an inventory of your web applications, creating a record of the number of applications, their use, last updated version, and plans to use them in future. Moreover, your plan can contain the name of personnel, teams who would be involved in the maintenance of security of web applications. Finally, make sure to incorporate the cost of these endeavours undertaken as a factor for creating your web application security plan.
Prioritise your web applications
Once you are done with creating the inventory list of your web applications, start with defining priorities. An inventory list of web applications is expected to be quite long and thus it makes it important to focus on the applications which require immediate attention. For having better control over progress, applications should be sorted into critical, serious and normal categories.
Critical applications are primarily those that are external-facing apps that deal with sensitive client information and financial transactions. These applications are at a higher risk of getting hacked. They require immediate attention. Serious applications are those that have sensitive information about company and client. Normal applications are least prone to the risk of getting hacked, yet need to be secured.
Analyse and classify app vulnerabilities
As you work through the process of testing, a long list of vulnerabilities will be in front of you. Not all of these vulnerabilities are worth investing time and resources over eliminating them. One needs to prioritise the vulnerabilities that need to be attended to before others. For example, a vulnerability like injection and cross-site scripting is far more severe and should be attended immediately over something like unvalidated redirects and forwards which are comparatively less severe.
Attend to critical vulnerabilities
Eliminating vulnerabilities is a huge task and require a lot of investment in terms of time and resources. All vulnerabilities from all web applications are not worth your time and resources. A smart move is to limit yourself to testing for only the most threatening vulnerabilities which have a greater impact on the organisation and its operations. Once the critical and high vulnerabilities are eliminated, one can proceed with the medium and low.
Minimise privileges to run applications
Once the required vulnerabilities are eliminated, you need to tighten the security for web applications within the organisation. This should be started by minimising the privileges to run applications. Every web application has specific privileges on both local and remote computers. These privileges can and should be adjusted to enhance security. Using a restrictive approach is always better than a permissible approach. People authorised to make changes in the system should be kept to a minimum.
Interim protection of web applications
Web application security process take a long time to get going. It is the most crucial time for the organisations as they are highly vulnerable during this stage. An organisation can protect itself from attacks during this phase by undertaking certain measures like:
Web Application Firewall (WAF), malicious traffic is blocked through a WAF. WAF helps to protect web applications from XSS, SQL injection, and more.
Restrict Functionality: If any functionality makes a web application more vulnerable to attacks then it is better to remove the functionality during the process. Restrictions like limited access to the user database, sessions timeout and others can help secure web applications.
During the process, continuous monitoring of web application can prevent third-party breaches. Weak points of a web application should be identified and attended first.
Incorporate the following web security suggestions
Apart from the security measures listed above here are some more suggestions that can be incorporated for web application security:
Encryption via https implementation
Secure Socket Layer (SSL) certificates for data encryption from users
Implementing multifactor authentication (MFA) with single sign-on (SSO)
Preventing cross-site scripting attacks by implementing the X-XSS-protection security header
Implementing a content security policy
Using cookies securely
Help prevent man in the middle attacks by installing security plug-ins.
Implementing backup and disaster recovery measures
Using strong passwords and employ implement password managers
Web application security awareness training programme
Every employee in a company may not have information about web application security and process. This makes it difficult for them to identify security risks. A formal web application security awareness and training programme can be conducted to educate employees about the same. This will make it easier to identify web application vulnerabilities and tackle them. This will strengthen the overall web application security process. Further, a feedback system should be in place to get feedback from the community regarding potential web application security issues
Web application security is something each business today needs to pay attention to. As the number of applications used in business processes grow, it becomes more and more complex to protect the business from cyber threats, hack and breaches.
To explore business opportunities, link with me by clicking on the 'Invite' button on my eBiz Card.
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views, official policy or position of GlobalLinker.
Posted byKaran Aggarwal
I am looking to connect with other business professionals. I am keenly interested in digital marketing, business development, operations, strategy planning, etc. Invite me to...
4 Jul 2018, 10:17
26 Jun 2018, 09:49
22 Jun 2018, 09:30