12 Tips For Web Application Security In 2021

What is web app security?

Web application security describes the measures used to protect any of your web-connected systems. According to web app security best practices you should be protecting:

• Your website and the content management system (CMS)
• Web applications
• Hosted email
• Social media services and accounts
• Web-based APIs
• Desktop or mobile apps that connect over the web to store and retrieve data

Ultimately any web-connected system needs to be protected against data theft, loss or leakage.

In this guide we cover our 12 top tips for web application security best practices.

1. Create a web security policy

Security must be a key consideration of your web application strategy. This is not always straightforward, so it may be worth investing in professional cyber security services. They can help you define and refine a strategy that allows you to get the best from your web assets and minimise security risks.

Your cyber security partner will likely deploy a custom set of web app security tools to help manage and maintain your defences. They can also help you build a web app security checklist to outline best practice guidelines for all employees to work with safely and securely.

2. Create a web asset inventory

It is impossible to properly protect your web assets without first knowing what is being used by your employees for company business. Conducting an audit will allow you to draw up an inventory of websites, mobile apps, email systems and software APIs.

This inventory will be extremely useful for your cyber security partner as they conduct initial discovery prior to starting a new project. To assist with this process – and to keep your own inventory records up to date – you may want to consider using web asset management software.

When you know what you have, you know your risks – and can better plan your defences.

3. Back-up your data

Because they are used to store data, your web apps are just as important as your on-premise systems. It is essential that you maintain a data backup for all of these hosted resources as part of your wider disaster recovery strategy.

Your hosting company probably already offers some basic backup functionality.

However, it is your responsibility to confirm that data is being backed up and can be recovered if required. If in doubt, you should hire a professional IT consultancy to check your online data backup meets your corporate requirements and data protection obligations.

4. Perform regular scans of your web apps

Web app security is not static. New exploits are uncovered almost every day placing any of your web-based at risk of compromise.

Using a web app security scanner to perform routine checks of your systems can identify vulnerabilities early. These regular scans are not intensive, but they can quickly expose basic issues that need to be addressed quickly to reduce the risk of being hacked.

5. Web Application Firewalls (WAFs)

Firewalls are an established technology for controlling network access. A web application firewall (WAF) offers similar protections for a specific application, monitoring and filtering incoming HTTP web traffic.

WAFs are designed to protect your web apps from common cyberattacks including SQL injection, XSS and cookie poisoning.

Web application firewalls all do roughly the same job but can be deployed in different ways:

• A standalone virtual appliance installed in the cloud
• An on-premise system located in your on-premise data centre
• A fully-managed cloud-based add-on service

Your web security partner will be able to help you identify the WAF best suited to your needs.

6. Data Sanitisation

Data sanitisation ensures that the information stored in your web app is properly fit for purpose and does not contain anything malicious. Your data sanitisation policy needs to assess information as it enters and exits the system or your application could be at risk of compromise or data loss.

Data sanitisation deliberately and permanently deletes unnecessary details so that they cannot be recovered.

Your data sanitisation policy increases the quality and value of the information you capture, reduces opportunities for hackers to break into web apps and helps to meet your data protection obligations by storing only the information you really need.

Input data sanitisation

Checking data as it enters your web apps will remove anything potentially malicious before it can be saved.

A common use for input sanitisation is checking form data as it is submitted – not only to confirm that details have been entered in the correct format, but to also catch any SQL injection attacks that could be used to compromise your database.

Output data sanitisation

Output sanitisation involves cleaning data as it is presented back to the web app user. This means removing unwanted data and code artifacts that may expose sensitive information that provides hackers with clues about how the system works – and how to break in using cross-site scripting (XSS) attacks.

7. Keep web apps up-to-date

New software vulnerabilities and flaws are being discovered and patched every day. To avoid being exploited, your web apps need to be regularly patched and upgraded

Many applications, like WordPress, will stop providing security updates for older versions; you must regularly upgrade to remain secure. This is also true of third-party apps installed on your computers and smartphones.

Users may complain about the inconvenience of regular updates, but this is preferable to dealing with the consequences of a cyberattack.

In addition to improved security, web app upgrades typically offer improved performance and new features that help your employees (and customers) achieve more.

8. Ensure adequate password management

Often the only defence between your web app data and disaster is your password. Choosing strong passwords is absolutely essential to minimise risk of being hacked with a brute force attack.

At the same time, your business needs a secure, central record of every password as part of your disaster recovery provisions. If you can’t recover your passwords, you will experience significant problems and delay recovering your data.

Enterprise password management software offers a secure “vault” in which you can store your passwords for future reference. This software encrypts the passwords so that even if they are stolen, the hackers cannot recover them.

There is a password management tool for every business from Dashlane (enterprise) to LastPass (SMB). Not only are your passwords better protected, but they are also easier to retrieve and use when required.

9. Use TLS encryption

Encryption is one of your most important defences against hackers. In the event that they do intercept and steal your data, they cannot do anything with it.

Transport Layer Security (TLS) encrypts data as it passes between a web application and the server. websites protected by the HTTPS typically rely on TLS to provide encryption. Security experts actually recommend that all websites are secured with TLS to protect businesses and customers.

TLS encryption email servers are also increasingly common, particularly for hosted services like Gmail and Outlook 365. By encrypting mail in transit between server and app, it is much harder to “steal” the contents.

Nothing less than TLS 1.2 is sufficient, use TLS 1.3 if available. Never ever, ever use SSL anymore.

10. DDoS Prevention

If you can’t break into a website, the next best thing is to break it.

A distributed denial of service (DDoS) attack does that by sending so many client requests that your application or server runs out of resources and crashes.

There are several DDoS prevention services to consider - speak to a cybersecurity specialist about which offers the best protections for your web apps. The process for detecting and mitigating DDoS attacks follows the same basic framework:

Identify normal traffic levels

Before you can detect a DDoS attack, you must first understand what ‘normal’ traffic looks like. Ideally you should analyse at least two years of previous web app activity so you can understand seasonal changes in demand.

With a baseline established you can build rules to mitigate DDoS attacks.

Identify incoming traffic

In the event of a suspected attack, web traffic is redirected for analysis to sort legitimate ‘human’ queries from malicious activity. By examining factors like:

• source IP address,
• HTTP headers and
• JavaScript footprints

you can quickly spot human activity - and drop everything else. Normally this analysis and filtering is completed automatically in a matter of milliseconds by software that does the hard work for you.

It is important to configure rules in such a way that they permit access by legitimate automated systems too, like APIs and the bots used by search engines for indexing.

Analysis

Blocking future DDoS attacks also requires some historical analysis. You must review the logs generated during an attack to identify new techniques and signatures that you can use to tune your defences for even better performance next time.

11. Bot Filtering

One estimate suggests that 50% of all web traffic is composed of bots, automated systems that crawl the web carrying out various legitimate and illegitimate activities.

Your web apps need to be protected from bots that scrape content, steal information, facilitate advertising, click fraud or slow your website down (like a DDoS attack).

Because WAFs are primarily concerned with SQL injections and cross site scripting (XSS), their bot attack prevention capabilities tend to be quite limited. Instead your business should be investing in a true spam bot prevention tool, called a Bot Manager.

Bot managers are specifically designed to identify and block bot-like behaviour. Importantly, they are less likely to accidentally block legitimate users than some other security protections. By accurately identifying and blocking bots, your web apps should be protected against content theft and perform better as they serve only human users.

12. Use Ethical Hacking

Automated tools are useful for detecting and protecting against web app vulnerabilities, but they are typically focused on a specific aspect of security. One of the best ways to test your security as a whole is by using an ethical hacker.

An ethical hacker will test all of your defences to identify potential weaknesses in exactly the same way a malicious hacker does. But rather than stealing data or damaging your apps, they will simply report their findings.

You can then use that report to prioritise corrective work to plug the gaps before being hacked for real.

Time to act

We hope you found these tips on strengthening your web app security useful. As hackers become ever more sophisticated, there is a lot to do to ensure your business is ready to face the challenges and avoid becoming a victim of cybercrime.

Not sure where to start?

Get in touch with one of our cyber security specialists today to arrange a 360º analysis of your web properties.

We’ll help you build a security framework that protects your business, users and clients while continuing to deliver an excellent web app experience. Tel: 01252 917000 or get in touch online