Conduct Web Application Security Awareness Training

If you run a company, chances are that only a few people in your organization have a decent grasp of how web application security works and why it matters. Most users have only the most basic understanding of the issue, and that makes them careless. It is also a problem because untrained users do not recognize security risks when they see them.

Employees who have been taught what a vulnerability looks like spot problems earlier and report them instead of working around them. In essence, bringing everyone up to speed on web application security is a terrific way to get the whole organization involved in finding and eliminating vulnerabilities. With this in mind, consider bringing in a web application security specialist to conduct awareness training for your employees.

By bringing everyone on board and making sure they know what to do if they encounter a vulnerability or other issue, you strengthen your overall web application security process and keep your best practices current.

Implement the Following Web Security Suggestions

Besides what we’ve already outlined in this post, there are a few other, more immediate, web application security measures that you can implement as a website or business owner. To learn more about each suggestion below, read the dedicated article on that topic and decide whether the enhancement is beneficial for your particular use case.

Implement HTTPS and redirect all HTTP traffic to HTTPS. Add an HTTP Strict Transport Security (HSTS) header as well, so that returning browsers never make the plain-HTTP request in the first place.

Do not rely on the x-xss-protection security header to prevent cross-site scripting. The browser filter it controlled is deprecated and has been removed from current browsers, and in the browsers that still have it the filter itself could be abused; if you send the header at all, send X-XSS-Protection: 0. A content security policy is the header that actually limits script injection today.

Implement a content security policy (CSP). Start with default-src 'self', list the hosts your scripts and styles legitimately come from, and set object-src 'none' and frame-ancestors so the page cannot be embedded or used to load plugins.

Do not enable public key pinning (HPKP) to prevent man in the middle attacks. It has been deprecated and removed from browsers because a mistaken or expired pin locks users out of your site. HTTPS with HSTS, plus monitoring Certificate Transparency logs for certificates issued for your domains, covers the threat it was meant to address.

Apply subresource integrity (SRI) to the <script> and <link> elements that load resources from third-party hosts such as a CDN, so that the browser rejects a file whose contents no longer match the hash you published.

Use a current version of TLS: TLS 1.2 at minimum and TLS 1.3 where your stack supports it, and disable SSL, TLS 1.0 and TLS 1.1 completely. To learn more, read our TLS 1.2 vs TLS 1.1 article.

This goes without saying: use strong, unique passwords for every account, combining lowercase and uppercase letters, numbers and special symbols, and never reuse them across sites. Use a password manager such as KeePass to generate and store them, and turn on multi-factor authentication wherever it is offered.
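The header-related items above (HTTPS redirect with HSTS, a restrictive CSP, the X-XSS-Protection setting and SRI hashes) can be put together in a few functions. The following is an added Python example written for this article, not code from the original post or from any framework; the host names, the CDN URL and the sample script body are constructed for the demonstration, and a real deployment would read the scheme from X-Forwarded-Proto when a proxy terminates TLS.

```python
# Added example (Python, not from the original article): a hardened header
# set, the HTTP->HTTPS redirect, a restrictive CSP and SRI hash generation.
import base64
import hashlib

HSTS_MAX_AGE = 63072000  # two years in seconds


def redirect_if_http(scheme, host, target):
    """Return (status, Location) for a plain-HTTP request, or None for HTTPS.

    `scheme` is the scheme the server saw. Behind a TLS-terminating proxy,
    pass the X-Forwarded-Proto value instead (assumed deployment).
    """
    if scheme.lower() == "https":
        return None
    return 301, f"https://{host}{target}"


def content_security_policy(script_hosts=(), style_hosts=()):
    """Same-origin by default; scripts and styles only from the listed hosts."""
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(("'self'",) + tuple(script_hosts)),
        "style-src " + " ".join(("'self'",) + tuple(style_hosts)),
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ]
    return "; ".join(directives)


def security_headers(csp=None):
    """Headers every HTTPS response should carry."""
    return {
        "Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains",
        "Content-Security-Policy": csp or content_security_policy(),
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        # The legacy XSS auditor is deprecated; 0 switches it off in the old
        # browsers that still have it instead of relying on it.
        "X-XSS-Protection": "0",
    }


def missing_headers(response_headers):
    """Check: names of the hardening headers a response does not carry."""
    present = {name.lower() for name in response_headers}
    return [name for name in security_headers() if name.lower() not in present]


def sri_hash(content, algorithm="sha384"):
    """Subresource Integrity value for a resource body given as bytes."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI accepts sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, content):
    """<script> element pinned to the exact bytes fetched at build time."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Constructed sample: in practice the body is fetched from the CDN at build time.
    body = b"console.log('hello');\n"
    print(redirect_if_http("http", "www.example.com", "/cart?id=7"))
    csp = content_security_policy(("https://cdn.example.com",))
    for name, value in security_headers(csp).items():
        print(f"{name}: {value}")
    print(script_tag("https://cdn.example.com/app.js", body))
    print(missing_headers({"Content-Type": "text/html"}))
```

Generate the SRI value from the bytes you actually deploy, at build time, and regenerate it whenever the third-party file changes; a stale hash makes the browser refuse the resource, which is the intended failure mode. The missing_headers check is handy in a test suite against a staging response.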

Use Cookies Securely

Another area that many organizations don’t think about when addressing web application security best practices is the use of cookies. Cookies are incredibly convenient for businesses and users alike. They allow users to be remembered by sites that they visit so that future visits are faster and, in many cases, more personalized. However, the cookie that identifies a logged-in user can also be stolen or forged by attackers, who then act as that user inside protected areas.

While you certainly don’t have to stop using cookies - indeed, to do so would be a major step backward in many ways - you should adjust the settings for yours to minimize the risk of attacks.

First, never use cookies to store highly sensitive or critical information. A cookie should carry an opaque session identifier that the server maps to the logged-in user, never the user’s password or other credentials: anything placed in a cookie can be read by whoever obtains it, which makes unauthorized access incredibly easy.

You should also be conservative when setting expiration dates for cookies. Sure, it’s nice to know that a cookie will remain valid for a user for months on end, but a long lifetime means a stolen cookie stays usable for just as long. Prefer short lifetimes for session cookies and ask the user to authenticate again before sensitive actions.

Finally, consider encrypting or signing the information that is stored in the cookies you use, and set the Secure, HttpOnly and SameSite attributes so that the cookie is only sent over HTTPS, cannot be read by script running in the page, and is not attached to requests that other sites trigger.
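The three cookie rules above (opaque identifier only, short lifetime, hardened attributes with integrity protection) look like this in practice. This is an added Python example written for this article, not the original post’s code or any framework’s implementation. Where the text says "encrypting", the example instead appends an HMAC tag so that a modified cookie value is rejected; that gives integrity, not secrecy, and an AEAD cipher would be the way to hide the contents as well. The cookie name, the 30-minute lifetime, the 30-day audit limit and the sample headers are assumptions chosen for the demonstration.

```python
# Added example (Python, not from the original article): an opaque session
# cookie with hardening attributes, a tamper check, and a Set-Cookie audit.
import hashlib
import hmac
import secrets

SESSION_TTL = 30 * 60               # seconds; deliberately short (assumed value)
LONGEST_ACCEPTABLE = 30 * 24 * 3600  # audit threshold, assumed policy
REQUIRED_ATTRIBUTES = ("Secure", "HttpOnly", "SameSite")


def new_session_id():
    """Random, unguessable id; the server maps it to the user, the cookie holds nothing else."""
    return secrets.token_urlsafe(32)


def sign(value, key):
    """Append an HMAC tag so a modified value is detected (integrity, not secrecy)."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(signed, key):
    """Return the original value, or None if the tag is missing or wrong."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, tag) else None


def set_cookie_value(name, value, max_age=SESSION_TTL, same_site="Lax", path="/"):
    """Set-Cookie header value: HTTPS only, no script access, not sent cross-site."""
    return (f"{name}={value}; Max-Age={max_age}; Path={path}; "
            f"Secure; HttpOnly; SameSite={same_site}")


def cookie_problems(set_cookie):
    """Audit one Set-Cookie value; returns a list of findings (empty means fine)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    problems = [f"missing {a}" for a in REQUIRED_ATTRIBUTES if a.lower() not in attrs]
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > LONGEST_ACCEPTABLE:
        problems.append("Max-Age longer than 30 days")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        problems.append("SameSite=None requires Secure")
    return problems


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice a server-side secret that is rotated
    sid = new_session_id()
    header = set_cookie_value("session", sign(sid, key))
    print("Set-Cookie:", header)
    print("audit:", cookie_problems(header))
    print("audit (weak):", cookie_problems("session=abc; Path=/; Max-Age=31536000"))
    print("tampered:", verify(sign(sid, key)[:-4] + "0000", key))
```

Point cookie_problems at the Set-Cookie headers your application actually emits (a staging response or an HTTP proxy capture) rather than at the values you think it emits; the missing attributes usually come from a framework default nobody changed.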

Run Applications Using the Fewest Privileges Possible

Even after all of your web applications have been assessed, tested and purged of the most problematic vulnerabilities, you aren’t in the clear. Every web application has specific privileges on both local and remote computers. These privileges can and should be adjusted to enhance security.

Always use the least permissive settings for every web application. In practice this means running the application under a dedicated, unprivileged account rather than as root or an administrator, granting it only the file, network and database permissions it needs, and limiting the ability to change system configuration to a small set of authorized administrators. Record the privileges each application requires during your initial assessment; otherwise you will have to go back through the entire list adjusting settings again. For the vast majority of applications only system administrators need complete access, and most other users can accomplish what they need with minimally permissive settings.

If privileges turn out to be set too tightly for an application and certain users can’t access the features they need, the problem can be handled when it occurs. It is far better to be too restrictive in this situation than too permissive: a missing permission is reported immediately, while an excess permission is discovered only when it is abused.

Have Protection In Place During the Interim

Even if you run a small and fairly simple organization, it may take weeks - or even months - to get through the list of web applications and to make the necessary changes. During that time, your business may be more vulnerable to attacks. Therefore, it is crucial to have other protections in place in the meantime to avoid major problems. For this you have a couple of options:

Remove some functionality from certain applications. If the functionality makes the application more vulnerable to attacks then it may be worth it to remove said functionality in the meantime.

Use a web application firewall (WAF) to protect against the most troubling vulnerabilities.


A WAF inspects HTTP requests before they reach the web application and blocks those that match known attack patterns, which helps protect against XSS, SQL injection and similar injection attacks. It is a filter placed in front of the code, not a fix for the code, which is why it belongs in the interim.
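To make concrete what "filters and blocks unwanted HTTP traffic" means, here is an added Python sketch of the two steps a WAF performs: normalize the request (percent-decode, including double-encoded input) and then match each field against a rule set. It is written for this article and is not code from the original post or from any WAF product; the three signatures, the field names and the log lines are constructed for the demonstration and are far smaller than a real rule set such as the OWASP Core Rule Set.

```python
# Added example (Python, not from the original article or any WAF product):
# the two things a WAF does, normalize the request, then match rules.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# A handful of signatures; a production rule set (e.g. OWASP CRS) is far larger.
RULES = (
    ("sql-injection", re.compile(
        r"(?i)(\bunion\b\s+(all\s+)?\bselect\b"
        r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"
        r"|;\s*drop\s+table\b)")),
    ("xss", re.compile(
        r"(?i)(<\s*script\b|javascript\s*:|<\s*\w+[^>]*\bon\w+\s*=)")),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
)


def normalize(value, rounds=2):
    """Percent-decode until stable (bounded) so double-encoded payloads do not slip by.

    unquote_plus also maps '+' to a space, which is acceptable for a filter.
    """
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target, body=""):
    """Return [(rule, location)] for every rule that fires on path, query or form body."""
    parts = urlsplit(target)
    fields = [("path", parts.path)]
    fields += [(f"query:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    fields += [(f"body:{k}", v) for k, v in parse_qsl(body, keep_blank_values=True)]
    findings = []
    for location, raw in fields:
        value = normalize(raw)
        for name, pattern in RULES:
            if pattern.search(value):
                findings.append((name, location))
    return findings


def decide(target, body=""):
    """('block', findings) if any rule fired, otherwise ('allow', [])."""
    findings = inspect_request(target, body)
    return ("block" if findings else "allow", findings)


# Constructed sample log lines ("METHOD target"), not real traffic.
SAMPLE_LOG = [
    "GET /search?q=shoes",
    "GET /search?q=%27%20OR%201%3D1--",
    "GET /comment?text=%253Cscript%253Ealert(1)%253C%2Fscript%253E",  # double-encoded
    "GET /static/..%2F..%2Fetc%2Fpasswd",
    "GET /blog?title=online%20banking",  # benign text that happens to contain 'on'
]


def filter_log(lines):
    """Run the filter over log lines; returns [(line, decision, findings)]."""
    results = []
    for line in lines:
        _method, _, target = line.partition(" ")
        decision, findings = decide(target)
        results.append((line, decision, findings))
    return results


if __name__ == "__main__":
    for line, decision, findings in filter_log(SAMPLE_LOG):
        print(f"{decision:5} {line} {findings}")
    # A POST body is inspected the same way as the query string.
    print(decide("/login", "user=admin%27%20OR%20%271%27%3D%271&pass=x"))
```

Two things the sketch shows that matter when you evaluate a real WAF: decoding has to happen before matching, or a trivially double-encoded payload walks through, and signature matching is inherently bypassable by an attacker who rephrases the payload. That is exactly why the text treats the WAF as interim protection while the vulnerable code itself is fixed.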

Throughout the process, existing web applications should be continually monitored to ensure that they aren’t being breached by third parties. If your company or website suffers an attack during this time, identify the weak point and address it before continuing with the other work. You should get into the habit of carefully documenting such vulnerabilities and how they are handled so that future occurrences can be dealt with accordingly.

Prioritize Your Web Applications

After completing the inventory of your existing web applications, sorting them in order of priority is the logical next step. You may doubt it now, but your list is likely to be very long. Without prioritizing which applications to focus on first, you will struggle to make any meaningful progress.

Sort the applications into three categories:

Critical

Serious

Normal

Critical applications are primarily those that are externally facing and contain customer information. These are the applications that should be managed first, as they are the most likely to be targeted and exploited by attackers. Serious applications may be internal or external and may contain some sensitive information. Normal applications have far less exposure, but they should still be included in tests down the road.

By categorizing your applications like this, you can reserve extensive testing for critical ones and use less intensive testing for less critical ones. This allows you to make the most effective use of your company’s resources and will help you achieve progress more quickly.