Secure Web Application Development Best Practices

In an age of record data breaches and ransomware attacks, website and app security should be the number one concern for site designers and developers. Users have a right to expect that their apps are easy to use and protect their personal and financial information.

Rather than conducting a cleanup after the fact, putting security first at every level of the development and launch process will save time, money, and maybe more importantly, your reputation.

Top Security Concerns for Web App Developers

The year 2017 was dubbed the “Year of the Data Breach,” breaking records for both the number and severity of data leaks and hacks. Data breaches can cost millions of dollars to remedy and cause irreparable damage to your brand. Many smaller companies go out of business within six months of an attack, unable to withstand the financial strain.

Still, app development is big business, with more than 4 million apps on the market at any given time. Revenues are in the billions and rising. In such a competitive atmosphere, it’s tempting to sacrifice security for speed. More than 80 percent of CIOs list balancing security concerns with marketing deadlines as their main challenge. But, these issues aren’t mutually exclusive. Using app developer security best practices makes it easier to launch on time without some of the unintended consequences of rushing to market.

What are the main security issues for app developers? Here are the 10 most unwanted, according to research conducted by the Open Web Application Security Project (OWASP):

Injection flaws: Attackers supply input that the app treats as part of a command or query, letting them alter what is executed or insert malicious code.

Broken authentication: Weak or flawed authentication and session handling allow hackers to assume a user’s identity.

Data leaks/exposure: Intentional or accidental exposure of user data.

XML External Entities (XXE): External entity references in attacker-supplied XML are processed as legitimate by weak, outdated, or badly configured XML parsers.

Broken/weak access control: Caused by a lack of restrictions on what users can do or what they can access.

Security misconfiguration: This can be caused by using default configurations, taking shortcuts, or simple forgetfulness.

Cross Site Scripting (XSS): Allows hackers to inject script that runs on the user’s side, in the browser, and hijack their session or identity.

Insecure deserialization: Allows hackers to inject malicious code via serialized objects and execute it remotely, launching code injection attacks, privilege escalation attacks, or replay attacks.

Using vulnerable components: Components with known vulnerabilities, usually obtained from open source libraries, modules, and frameworks.

Insufficient log monitoring: Log monitoring is one of the easiest ways to catch suspicious behavior. Too many companies have a long lag time – sometimes months – before they detect penetration that could have been stopped by diligent log monitoring.

Knowing what you face is half the battle. Here’s a handy app security testing checklist for your convenience. Read on to learn some security best practices you should make a routine part of your app development.

5 Best Practices for Developer Security


With eCommerce becoming one of the main methods of conducting business, and more than two-thirds of it via mobile devices, these app security practices should be standard for any developer.

1. Write Secure Code

One of the biggest vulnerabilities of any web or mobile app is in the code. This is the source of everything from DDoS attacks to XSS injections. Writing secure code should be a given, but it’s surprising how often the basics are overlooked.

Code should be hardened at vulnerable areas to ward off attacks, and security tools should be used properly. Some suggestions include:

∙ Probe and evaluate sensitive points of entry like login fields

∙ Define required permissions, including how they will affect each part of the app

∙ Create a simple and repeatable process for coding

∙ Use reliable code analysis tools

∙ Establish parameters in separate configuration files rather than hard-coding them in URLs and other common places

∙ Write HTML output so that any script in user-supplied data is converted into display strings rather than executed

∙ Use only authorized APIs
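The injection and output-encoding points above as working code, added here as an example and not taken from the article: each vulnerable form sits next to its hardened form, using only Python's standard library, with a constructed in-memory users table as sample data.

```python
# Added example, not from the article: the injection and XSS points above as
# working code, with each vulnerable form next to its hardened form. Uses only
# Python's standard library; the users table is constructed sample data.
import html
import sqlite3

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice'), ('bob')")
    return conn

# Vulnerable: the username is spliced into the SQL text, so input containing
# quotes and operators changes the meaning of the query (an injection flaw).
def find_user_unsafe(conn, username):
    sql = f"SELECT name FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(sql)]

# Hardened: the username is bound as a parameter. The SQL text is fixed, so
# whatever the user typed is compared as data and never parsed as SQL.
def find_user_safe(conn, username):
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Vulnerable: user data is placed into HTML as-is, so a display name that
# contains a <script> tag runs in every visitor's browser (XSS).
def render_unsafe(display_name):
    return f"<p>Welcome, {display_name}</p>"

# Hardened: output encoding turns <, >, &, and quotes into entities, which is
# exactly "converting the harmful script into display strings".
def render_safe(display_name):
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"

if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"               # textbook probe for an unparameterized query
    print(find_user_unsafe(db, probe))  # every row comes back
    print(find_user_safe(db, probe))    # no such user: []
    name = "<script>alert(1)</script>"
    print(render_unsafe(name))
    print(render_safe(name))
```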

2. Beware of Using Libraries

In 2015, one of the biggest encryption-related security failures happened when a flaw in the AFNetworking library’s SSL handling exposed the more than 100,000 apps built on it – and their millions of users – to infiltration.

Open source availability has made creating and sharing apps and programs easy, but it’s fraught with danger. Libraries are notorious sources of insecure code and programming modules. If it is necessary to use third-party libraries for code building, make sure to test them. Here are two good resources to check them against: the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD).
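One way to make that check routine, added here as an example rather than taken from the article: compare every pinned third-party dependency against a list of advisory version ranges before release. The advisory entries, package names and pinned versions below are constructed sample data; in practice the ranges would be taken from the CVE/NVD entries for each library.

```python
# Added example, not from the article: flag pinned dependencies that fall
# inside a known-vulnerable version range. Advisories and pins are constructed.
def parse_version(text):
    """Turn '2.5.1' into (2, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

# Each advisory names the affected library and the half-open range
# [introduced, fixed): versions >= introduced and < fixed are affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "netlib", "introduced": "2.5.0", "fixed": "2.5.3"},
    {"id": "EXAMPLE-ADV-2", "package": "xmlparse", "introduced": "0.0.0", "fixed": "1.4.0"},
]

def parse_pins(requirements_text):
    """Parse 'name==version' lines (comments and blanks skipped) into a dict."""
    pins = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            # An unpinned dependency cannot be checked, so refuse it outright.
            raise ValueError(f"dependency not pinned to an exact version: {line}")
        pins[name.strip().lower()] = version.strip()
    return pins

def find_vulnerable(pins, advisories=ADVISORIES):
    """Return (package, version, advisory id) for every pin inside an affected range."""
    hits = []
    for adv in advisories:
        version = pins.get(adv["package"])
        if version is None:
            continue
        v = parse_version(version)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            hits.append((adv["package"], version, adv["id"]))
    return hits

SAMPLE_PINS = """
netlib==2.5.1      # constructed: inside the affected range
xmlparse==1.4.2    # constructed: already past the fixed version
jsonkit==3.0.0     # constructed: no advisory on file
"""

if __name__ == "__main__":
    for package, version, adv_id in find_vulnerable(parse_pins(SAMPLE_PINS)):
        print(f"{package}=={version} is affected by {adv_id}; upgrade before release")
```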

3. Use State-of-the-Industry Encryption

Last year, Under Armour admitted that their MyFitnessPal app had been hacked, exposing the personal information of some 150 million users. The reason? Substandard encryption. Within hours of announcing the data breach, the company’s stock dropped by more than 4 percent.

Website owners and users are increasingly protecting themselves on the client side with anti-virus/anti-malware software and use of a virtual private network (VPN), which encrypts each internet session. What kind of help are you getting from your web host to protect the server?

It makes a difference!

There are steps a diligent host should take at the server level to help secure your site:

  • A full security software suite
  • Free SSL certificates
  • Automatic upgrades and patches

If you haven’t noticed, the web host industry is packed with competitors and there is a race to see who can be the cheapest. There are even companies that will host your site for nothing, though you should probably educate yourself on how costly free web hosting can ultimately turn out to be. The reality is that you need a partner in the cybersecurity fight and a good web host fills the bill. Ask about the three items just mentioned before you sign up.

Back to the Under Armour case. The problem was uneven encryption. They used a cutting-edge, military-grade encryption protocol with some parts of their customer database and lower-level encryption with others. Don’t allow budget or expediency to cause you to use less than the best encryption available. The ROI is worth the initial investment in time and cost.

4. Test, Test, Test

One essential component of development is testing your app. This not only helps identify bugs and glitches, but it will also demonstrate issues with coding and expose hidden vulnerabilities. Stay on top of current security controls and issues, install patches with each new update or release, and use penetration testing at each stage of development.

5. Maintain Strict Access Controls

This practice involves everything from making a Policy of Least Privilege strategy a habit to the type of authentication you use.

∙ Limit access to your code, notes, comments, etc. to those who are authorized.

∙ Don’t allow storage of sensitive information in places that are accessible from browsers, like cookies or hidden fields.

∙ Use high-level access features like two-factor authentication.

∙ Store passwords only as hashes.

∙ Practice efficient session management, like shortened timeouts and automatic remote wipe/log-off, to protect users whose devices are stolen and those using public access.
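The hashed-password and session-management points above, together with the "uneven encryption" lesson from the Under Armour case, as an added example that is not the article's own code: one salted, iterated hash scheme applied to every account, a verifier that rejects records still on any weaker scheme, and server-side sessions with an idle timeout and a remote log-off. Only the standard library is used; the work factor, users and timestamps are constructed for the example.

```python
# Added example, not from the article: one salted, iterated hash for every
# account (no "uneven" records), plus server-side sessions with an idle
# timeout and remote log-off. Standard library only; all data is constructed.
import hashlib
import hmac
import os
import secrets
PBKDF2_ITERATIONS = 600_000   # one algorithm and work factor for all accounts

def hash_password(password):
    # Stored form: 'pbkdf2_sha256$iterations$salt$hash', fresh random salt each time.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored, password):
    # Recompute with the stored salt and compare in constant time.
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False   # a record on a weaker scheme is rejected, not accepted
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

class SessionStore:
    # Sessions live server-side, keyed by a random token; the browser holds only the token.
    def __init__(self, idle_timeout_seconds):
        self.idle_timeout = idle_timeout_seconds
        self.sessions = {}   # token -> {"user": name, "last_seen": unix time}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "last_seen": now}
        return token

    def user_for(self, token, now):
        # Return the user if the session exists and has not idled out, else None.
        session = self.sessions.get(token)
        if session is None:
            return None
        if now - session["last_seen"] > self.idle_timeout:
            del self.sessions[token]   # expired: remove it so it cannot be reused
            return None
        session["last_seen"] = now
        return session["user"]

    def revoke_all(self, user):
        # Remote log-off: drop every session of this user (e.g. a stolen device).
        tokens = [t for t, s in self.sessions.items() if s["user"] == user]
        for t in tokens:
            del self.sessions[t]
        return len(tokens)
```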

The Bottom Line

Nothing is 100 percent fool-proof. However, if your goal is to design a top-rated app, security should be a major concern. Following developer best practices will help ensure that your app is not only well-designed but provides users with a high-quality, safe experience.

Michael Pignataro
co-CEO - Operations at 'corePHP'
Michael spearheads ‘corePHP’s software solutions and service offerings and focuses on sales and marketing for the organization. A huge believer in family, he has an amazing wife and 4 beautiful children, and loves camping and hiking.

Michael's philosophy is simple: "If you can dream it, we can do it."