5 Steps Towards Developing a Secure Web Application
Developing a web application is no longer a tricky task, but developing a secure one has become cumbersome. Yes, you have to be very paranoid if you want to provide a safe and secure channel for your clients. No information entered by a user can be trusted. I am not saying that all your visitors are dubious, but to protect your users you have to doubt every one of them. This is especially true for ecommerce stores, where a visitor trusts you with personal information, including banking details. You cannot break that trust, so let's talk about a few measures that can easily be adopted to build a safe platform.
Every transaction taking place on the server poses a risk. So you must use a single encoding scheme to interpret every request the client makes to the server, and make sure that every encoded request is understood without ambiguity. Second, obscurity is always important when it comes to the security of a system, so try to conceal things; for example, use the POST method instead of GET. Always remember that an attacker is much smarter than we think and can easily manipulate parameters, so it is mandatory to check the maximum number of characters on the server side before using any parameter. As far as parameters in dynamic websites are concerned, no parameter should be passed using the client's input. The input should be verified to be script-free by removing any suspicious characters.
This is the most vulnerable stage for attacks. You must make sure that you pass all information through SSL and remove all default users such as administrator. It is good to have a multi-level authentication process for critical transactions like banking. A cryptographically strong session identifier is crucial for the authentication process. Use tried and tested algorithms for this; new algorithms can be buggy and prone to attack. Deploying a session identifier in public areas will slow the attacker down or make them leave the website.
Last but not least, always terminate sessions. Unattended sessions are a major security threat.
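The two points above, a cryptographically strong session identifier and terminating sessions that are left unattended, can be shown together in a small server-side session store. This is an added example and not code from the original article; the idle and absolute timeout values are assumed policy, and the in-memory dictionary stands in for whatever server-side store a real application would use.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is dropped (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity (assumed policy)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session store. The clock is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG (256 bits of entropy), URL-safe so it fits in a cookie.
        # The identifier carries no user data; everything lives server-side.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user bound to sid, or None if the session is unknown or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT
        hard_expired = now - session.created > ABSOLUTE_TIMEOUT
        if idle_expired or hard_expired:
            # An unattended session is terminated on the next touch rather than left alive.
            self.terminate(sid)
            return None
        session.last_seen = now
        return session.user

    def terminate(self, sid: str) -> bool:
        """Explicit logout: invalidate the identifier server-side. Returns False if unknown."""
        return self._sessions.pop(sid, None) is not None
```

Expired sessions are removed the moment they are touched; a periodic sweep over the store would additionally reclaim entries that are never touched again.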
The first step in maintaining application security is to identify the areas that can be accessed without any session information. If possible, separate such public areas from the directory where private data is stored. Identify the entry points of the application, minimise them, and implement security measures at each one. Some common entry points are search engine access, bookmark access and user access. And, most importantly, never put any part of crucial content on external caching servers, as they can end up moving part of the logic outside the safe zone.
Every application you develop is prone to attack, so the first thing to do in production is to separate the server that holds the production version of the application. Do not allow production servers to be administered from outside servers. Never use a production server for any other software development, testing or hosting. Maintain a sterile environment. Network-level security is mandatory: if it is breached by an outsider, you have no other way to protect the application. So deploy a DMZ component for network defence that separates the external environment from private data.
3rd Party Tools
If you are using any third party tools, such as ecommerce software or an application server, you must make sure you remove all the default accounts. All the notable third party vendors provide instructions for maintaining security, but you cannot take chances when it comes to your web application. Second, remove all unwanted or out-of-use third party applications from the servers.
When a third party tool is buggy, the vendor releases a patch to fix the program. However, that leaves ample time for a hacker to discover vulnerabilities in your application. So, whenever you rely on such tools, always assure security at your end.
Whenever a web application is developed, the developer must assume that it might be attacked by the hackers out there. So even if you have a tiny application, you must take care of its security loopholes. With these hierarchy-based security tips you can take at least one step towards creating a secure web application.