Information security in web application development is a broad and pressing topic: its importance, and how it is planned, implemented, and maintained throughout the development lifecycle and afterwards. When building a security-conscious strategy for a web application, the key steps are to identify what counts as sensitive data, analyze the potential risks to it, map out how that data will be protected during development, and then devise a continuity plan that keeps it safe into the future. “For more than a decade, organisations have been dependent upon security measures on the perimeter of the network to protect their IT infrastructure. However, traditional network security measures and technologies may not be sufficient to safeguard web applications from new threats since attacks are now specifically targeting security flaws in the design of web applications,” notes the Government of the Hong Kong Special Administrative Region in its report ‘Web Application Security’, published in February 2008. Developing a web application or web property securely, especially when it holds sensitive data, should be a top priority from the outset, yet it is far too often overlooked by the parties involved. The sections below look at identifying, analyzing, implementing, and planning build strategies in more detail.
What counts as a web application’s sensitive data? There are the obvious answers: if the application has a user base and those users enter credit card numbers, social security numbers, or other private information, it is your duty and responsibility to protect that data. Beyond user information there is the company’s own material to protect: product information, functionality, private documents, databases, and sometimes even source code. What is classified as ‘sensitive’ versus non-sensitive data is determined by the laws of the jurisdiction the application operates in (for example, the United States), the rights of individuals (the application’s users), and the policies of your company or organization, which are at the organization’s own discretion. Other specific questions to ask when assessing risk include: “Which applications are affected by the requested change? Who are the users? Where are the users physically located? Will the application attach to mission critical applications? Will it modify any confidential or critical data? Where should additional user authentication be built into the application? Where will the application be physically located in the network? In the DMZ, the internal network? Will it be installed on new equipment or share an existing server? Will it coexist well with existing applications? Will any data considered sensitive or confidential be transmitted over external communication links? If the system was compromised would it result in financial loss or the loss of reputation? Can you place a dollar amount on any loss? What is the history of the OS platform with respect to security? What would motivate someone to break into the application? Will the application have high external visibility, making it an obvious target to attackers?” as listed by the SANS Institute in its report ‘A Security Checklist for Web Application Design’, released in 2004.
The process of developing a web application has many, sometimes fairly complex, moving parts: planning, design, user flow, the technology stack, servers and hosting, the build itself, testing, and more. Security consciousness should, and can, stretch across all of these stages. The design stage, for instance, covers not only the visual design but also the definition of secure coding standards, threat modelling, and a security architecture for the application as a whole. Within the build stage, one early consideration is the choice of technologies and how they are used: there are many languages, frameworks, libraries, CMSs (Content Management Systems), and tools to choose from, and some, depending on their use and implementation, are far more exposed to attack than others. A site built on the WordPress CMS, for example, inherits a very large and heavily targeted attack surface (the core plus its plugin and theme ecosystem, where most of its published vulnerabilities are found); a CMS written from scratch on a similar PHP/LAMP back end carries no such published record, but its flaws are unknown rather than absent. In either case there are methods and steps to ‘harden’ the system, and this takes time and additional effort up front. “One of the observations in the HPE Cyber Risk Report 2016 is that attackers have shifted their focus from servers and operating systems directly to applications,” emphasizes techbeacon.com in its article ‘Third-party libraries are one of the most insecure parts of an application’. It is very important to carefully screen any third-party tool, library, or service. Other areas to consider at the programming level include web services, authentication, authorization, session management, interpreter injection, canonicalization, locale and Unicode handling, error handling, auditing and logging, distributed computing, and more. Hiring professional developers, rather than the many hasty, careless coders available at lower cost, is itself a security decision.
Careless, poorly written code that ignores best practices certainly increases the likelihood of vulnerabilities and successful attacks. In addition to all of the above, there are many good tools and practices for testing code for flaws, bugs, errors, and vulnerabilities, such as static analysis, dependency scanning, and dynamic testing against the running application.
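Of the programming-level areas listed above, interpreter injection is the one most directly tied to how a query is written. The following is an added example (not code from the original article or any of its sources) that shows a login lookup on a PHP/LAMP-style users table written two ways in Python with SQLite: one that concatenates user input into the SQL text, and one that binds it as a parameter. The table, the rows, and the injection string are constructed for the illustration; real applications store password hashes, and plaintext is used here only to keep the injection point visible.

```python
import sqlite3

# Constructed sample data for the example (not from the original article).
SAMPLE_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
]

# Classic injection payload: closes the password literal and appends a
# condition that is always true.
INJECTION = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database with a users table and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so attacker-controlled
    input is parsed as SQL. Returns the usernames the query matches."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the driver passes the values
    separately from the statement text, so input can never change its
    structure. The payload is compared literally and matches nothing."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run both variants with a legitimate login and with the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret-alice"),
        # AND binds tighter than OR, so the injected WHERE clause becomes
        # (username='nobody' AND password='') OR '1'='1' and matches every row.
        "vulnerable_injected": login_vulnerable(conn, "nobody", INJECTION),
        "safe_normal": login_safe(conn, "alice", "s3cret-alice"),
        "safe_injected": login_safe(conn, "nobody", INJECTION),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows the vulnerable variant authenticating every user in the table for a password of `' OR '1'='1`, while the parameterized variant returns no rows for the same input. Escaping the quote characters by hand is not an equivalent fix; the parameter binding is what keeps data and statement structure apart.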
When considering a security strategy for a web application, there are several tiers that can be reached depending on budget, timeframe, determination, effort, design, product, need, and risk. In a hypothetical ‘unlimited resource, hyper-secure’ scenario, all content and data could require strong authentication and the strongest available encryption, the best mix of technologies and implementers, hosting brought in house under a trusted administrator or placed with a premium, highly secured cloud service, vulnerability testing run continuously, all personnel thoroughly screened, and the effort constantly progressing. Months could be spent ‘hardening’ the code and testing different technologies, patterns, and outcomes. During the planning and design phases, a decision should therefore be made about budget and where the lines fall between design, functionality, user experience, other goals, and data protection.
“Security should be considered as early as possible in the project initiation phase. Security expectations and requirements — in particular, requirements on the authentication mechanisms, input validation and audit trails — must be communicated to development vendors,” states the Government of the Hong Kong Special Administrative Region in its report ‘Web Application Security’, published in February 2008. Neglecting information security considerations, procedures, and planning is an enormous mistake; any time or money saved by cutting corners here will cost far more in repair, recovery, or restoration after the inevitable incident, and in many cases the application or its data may not be recoverable after an attack at all. “For many organizations, this is a paradigm shift. Why is it worthwhile? Solving security vulnerabilities in production applications is expensive and difficult,” emphasizes the article ‘How to develop software the secure, Gary McGraw way’ at http://searchsecurity.techtarget.com. While information security practices may seem easy to skip, shortcut, or save money on, the consequences of doing so are among the worst imaginable for the health of the web application, the product, and the company behind it. As the internet information age keeps growing, the importance of information security for web applications will only become more relevant; keep your web property safe by implementing and maintaining a security plan, and you will be glad you did.
- Government of the Hong Kong Special Administrative Region. (2008, February). Web Application Security. Retrieved from https://www.infosec.gov.hk/english/technical/files/web_app.pdf
- ISTF, J. (2017, December 19). Secure Application Development. Retrieved November 12, 2017, from
- SANS Institute. (n.d.). The most trusted source for information security training, certification, and research. Retrieved October 08, 2017, from https://www.sans.org/
- OWASP. (n.d.). The free and open software security community. Retrieved October 08, 2017, from https://www.owasp.org/
- SearchSecurity. (n.d.). Retrieved October 08, 2017, from http://searchsecurity.techtarget.com/
- Berkeley. (n.d.). Secure Coding Practice Guidelines. Retrieved October 08, 2017, from
- Northwestern University Information Technology. (n.d.). Web Applications policy. Retrieved October 22, 2017, from http://www.it.northwestern.edu/policies/webapps.html