11 Web Application Security Best Practices Checklists by Experts
- Carl Mimiosa
- Jan 26, 2024
- 5 min read
The Basic Hygiene
The best ROI for defenders is keeping good security hygiene. Using HTTPS, fixing known vulnerabilities in libraries you use, reducing employee access to customer data and deleting data you no longer use are not glamorous actions, but they’ll keep most attackers out - or send them to the next site.
Guy Podjarny
CEO and Co-founder
URL Sanitization
You should beware of passing important information, such as passwords, through the query string of the URL. Servers often log requests and they will then log people's passwords in a log file waiting to be found later. It's best to send them in the request body to the server over HTTPS.
Adam Amrine
Owner/Lead Consultant
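The leak described above is easy to reproduce with a standard access log: the query string of a GET request is written to the log verbatim, while a POST body never appears in it. The following Python is an added example (not code from the article or from Adam Amrine): it redacts sensitive query-string values before a URL is logged and scans existing log lines for values that already leaked. The key list, the log lines and the URLs are constructed for the example.

```python
"""Added example (not from the original article): redact secrets that leak into
URLs before they reach server logs, and scan existing access-log lines for the
same leak. The key list, sample URLs and log lines are all constructed."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string keys that must never be logged in clear text (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "api_key", "secret"}
REDACTED = "REDACTED"

# Pulls the request target out of a Common Log Format line, e.g.
#   "GET /login?user=alice&password=hunter2 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def redact_url(url: str) -> str:
    """Return the URL with sensitive query-string values replaced.

    Key order and the rest of the URL are preserved so the redacted form is
    still useful for debugging."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))

def leaked_keys(log_line: str) -> list:
    """Names of sensitive query-string keys present in one access-log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_KEYS})

def scan_log(lines) -> dict:
    """Map line index -> leaked keys, for every line that leaked something."""
    findings = {}
    for i, line in enumerate(lines):
        keys = leaked_keys(line)
        if keys:
            findings[i] = keys
    return findings

# Constructed access-log lines. The first one carries a password in the query
# string; the second is the same login done with a POST body, which the log
# does not record; the third leaks an API token.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jan/2024:10:00:00 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '10.0.0.5 - - [26/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.7 - - [26/Jan/2024:10:01:10 +0000] "GET /api/items?page=2&token=abc123 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(redact_url("https://example.com/login?user=alice&password=hunter2"))
    for idx, keys in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: leaked {', '.join(keys)}")
```

`redact_url` belongs in whatever logging middleware or log formatter sees the request URL; `scan_log` is the retrospective check to run over logs that were written before the redaction was in place, since those files are exactly the "waiting to be found later" copies the quote warns about.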
Easy Way to Get Secured
1. Enable HTTPS. With free certificates easily now available through https://letsencrypt.org, there's no excuse not to set up HTTPS encryption, and more and more users know to look for the "lock" symbol next to the address of sites, especially before they enter credit card information. All major hosting providers support HTTPS; if yours doesn't, it's time to switch.
2. Run vulnerability scanners from OWASP: https://owasp.org/www-community/Vulnerability_Scanning_Tools. Protecting your site against the OWASP Top 10 vulnerability list is a solid starting point for securing a site, and these scanners can detect many such issues. Many of the scanning tools offer free trials, and at least one (https://webcookies.org) is completely free to use. Once you get a list of vulnerabilities, you can follow suggestions the tools provide, research how to mitigate them, or provide the results to a developer who can do what it takes to secure your site.
Aaron Yoshitake
Founder and Developer
OWASP Top 10
To ensure that this can be done in a safe and secure way we should follow the OWASP top 10. Following this framework is a great start in securing your Web Applications or Web Services. With this in mind it’s also important to prioritise your vulnerabilities and patch, patch, patch. If you are not patching sufficiently it's not 'if' you will have an incident but 'when'.
Grant Mossman
Technical Services Manager
Limit Privileges
Every single web application has its own set of permissions and privileges that are present on both the local computers and the remote servers.
These permissions are: read, write and execute.
Make sure to always use the least permissive settings for all of your web applications and that only people with the highest authority have access to make any changes.
Bram Jansen
Co-Founder
Encryption First
The simplest thing all sites should have is a TLS certificate and serve all content over HTTPS. Certificates are free today and take as little as 30 seconds to provision and apply to websites. Beyond secure transport, HTTPS also unlocks new modern web features like progressive web applications, notifications and geo-location, and is an SEO ranking factor.
Chris Love
Planning Ahead
Even if you are a small business, web app security is an important factor in keeping your business safe. The first thing that you need to do to implement various measures of precaution is to create a plan of action. Once you have done this, then you can start to implement this plan and deal with all your vulnerabilities. While it is great to have a plan of action and to actually start implementing it across your different web applications, this can take time, so you need an “interim plan”. This interim plan is basically an extra precaution which can be put in place until your original idea has been implemented across all applications. An example of an interim plan would be to set up a firewall or remove functionality from some applications until the time that you can safely return that functionality. Although this may seem like a hassle, it is better to be safe than sorry when it comes to your web app security.
Will Ellis
Founder
More Than Compliance
Particularly for industries that require compliance, like healthcare and finance, for example, a big mistake is monitoring for compliance requirements versus monitoring for actual threat assessment. Oftentimes, the priority is checking the box to complete compliance requirements so the project can move forward. However, after a project is in production the DevOps teams will want to have more visibility and actually see threats that may not be visible by a limited security posture that only meets the minimum compliance requirements.
Marty Puranik
President and CEO
Securing the Source
There are a variety of stand-alone static code analyzers and IDE plugins available for free on the internet. Before you pay someone thousands of dollars to perform a penetration test, have one of your developers install and run some of these free tools on your source code. Ideally, you would integrate these tools into your build process so that you can catch vulnerabilities before they’re released. This doesn’t require any additional security budget, but provides a good deal of value.
Hans Petrich
Application Security Lead
Secure the Obvious
Injection attacks (SQL, Command): validating ALL input against a whitelist and disabling dynamic queries (requiring parameterized queries or stored procedures).
Broken authentication: ensuring that all secured pages require a unique token along with complete mediation, ensuring that each and every access to a secured object is checked for authorization, can solve this issue.
Sensitive data exposure: encryption, least privilege and least common mechanism can solve this issue.
Dave Hatter
Cybersecurity Consultant
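The first item above contains two separate controls, an allow-list on the input and a ban on dynamic queries, and it helps to see why both are wanted. The Python below is an added example (not code from the article or from Dave Hatter): it puts the dynamic query beside its parameterized form against an in-memory SQLite table with two constructed rows, and wraps the parameterized lookup in an allow-list check. The username pattern is an assumption chosen for the example.

```python
"""Added example (not from the original article): a dynamic SQL query next to
its parameterized replacement, plus an allow-list check on the input.
Uses an in-memory SQLite table with constructed rows."""
import re
import sqlite3

# Assumed allow-list for usernames: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def make_db() -> sqlite3.Connection:
    """Create the constructed users table used by the lookups below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
    ])
    return conn

def lookup_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the checklist says to disable: input is spliced into the
    SQL text, so a quote in the input changes the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The driver sends the value separately from the SQL text; whatever the
    input contains, it can only ever be compared against the name column."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

def validate_username(name: str) -> str:
    """Allow-list check: reject anything that is not a plain username."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username rejected by allow-list")
    return name

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Both controls together: validate first, then use the parameterized query."""
    return lookup_parameterized(conn, validate_username(name))

if __name__ == "__main__":
    db = make_db()
    # An input containing a quote; correct behaviour is "no such user".
    odd_input = "' OR '1'='1"
    print("dynamic:      ", lookup_dynamic(db, odd_input))        # every row
    print("parameterized:", lookup_parameterized(db, odd_input))  # []
    try:
        lookup_safe(db, odd_input)
    except ValueError as exc:
        print("allow-list:   ", exc)
```

The parameterized query alone already makes the quote harmless, which is why the checklist treats dynamic queries as something to disable rather than something to sanitize; the allow-list is the second layer, and it also rejects inputs that are merely malformed rather than hostile.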
Follow the Best Practices
Everyone knows web application security is critical. Cybercriminals are great security threats. However, by following best practices, your organization can put in place a sound strategy for securing your web-based applications and to maintain the best possible security stance. It is said that there is no chance that a web app can be 100% secure as some unforeseen circumstances can happen, but there are definitely certain security measures companies can implement to fight any chance of an attack on web applications. Below are some best practices:
Create a security blueprint
Assign priority tags to your inventory list
Analyze and prioritize all app vulnerabilities
Deploy initial protection
Introduce a Web Application Firewall
Restrict app functionality
Use cookies securely
Manny Hernandez
Founder/CEO
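The last item in that list, "use cookies securely", comes down to a handful of attributes on the Set-Cookie header. The following Python is an added example (not code from the article or from Manny Hernandez): it builds a session cookie with the Secure, HttpOnly and SameSite attributes using the standard library's http.cookies, and audits Set-Cookie header values for the attributes that are missing. The cookie name, the required-attribute list and the sample headers are assumptions made for the example.

```python
"""Added example (not from the original article): emit a session cookie with
the attributes that make it safe to use, and audit Set-Cookie header values
for missing ones. Cookie name and sample headers are constructed."""
from http.cookies import SimpleCookie

# Attributes every session cookie is expected to carry (assumed policy).
REQUIRED = ("Secure", "HttpOnly", "SameSite")

def session_cookie_header(session_id: str, samesite: str = "Lax") -> str:
    """Return the value of a Set-Cookie header for a session cookie.

    Secure: only sent over HTTPS, so it cannot be read on a plain-text hop.
    HttpOnly: not exposed to document.cookie, so script in the page cannot read it.
    SameSite: not attached to cross-site requests (Lax or Strict)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = samesite
    morsel["path"] = "/"
    return morsel.OutputString()

def parse_attributes(set_cookie: str) -> dict:
    """Split a Set-Cookie value into {lowercase attribute: value-or-None}."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value if value else None
    return attrs

def missing_attributes(set_cookie: str) -> list:
    """Required attributes absent from one Set-Cookie header value."""
    present = parse_attributes(set_cookie)
    return [a for a in REQUIRED if a.lower() not in present]

def audit_set_cookie(set_cookie: str) -> list:
    """All findings for one header: missing attributes plus the one
    combination browsers reject, SameSite=None without Secure."""
    findings = ["missing " + a for a in missing_attributes(set_cookie)]
    attrs = parse_attributes(set_cookie)
    samesite = (attrs.get("samesite") or "").lower()
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return findings

if __name__ == "__main__":
    # Constructed headers: one weak, one from this module.
    for header in ("session=abc123; Path=/", session_cookie_header("abc123")):
        print(header, "->", audit_set_cookie(header) or "ok")
```

The audit is the part worth wiring into a test suite: fetch each application response in a staging environment, run every Set-Cookie header through `audit_set_cookie`, and fail the build on any finding.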
Proper Authorizations
One of the best practices for creating a secure web application is to test run the application using as little privileges as possible and work your way up. Doing it this way can help you see kinks in your security’s armor as well as ensure that only the most authorized people can make important changes in your application.
Another tip I can give is to train your employees to follow basic security guidelines. This is very important if you run a company because most security breaches are caused by careless employees who make your application’s system vulnerable.
Anh Trinh
Managing Editor