Building Secure Web Applications

When working on a new web application, there are some crucial aspects of application security that every developer should follow.

This applies to both production and test environments. Just because an application is in test or not yet production-ready does not excuse poor security; there are a few examples of otherwise ‘secure’ environments having been exploited through their test systems.

Secure Development Environments

  • Should not use real-world data; rely on faker or placeholder data instead. This can be more time consuming for agile teams because the data model changes over time, which is why your ORM models should migrate to support the latest faker schema.
  • Should be isolated entirely from the production environment and not placed in the same realm of systems. Your environment configuration should be independent from your secrets configuration, and neither should be committed to version control. Where a developer needs an environment or secrets file to copy from, provide an example in the documentation that does not contain real credentials.
  • Application code should be clear and understandable with well documented features. When you use a library for authentication, it should be well-maintained, and you should always use secure and up-to-date libraries throughout your application.
  • Your development and deployment pipeline should not pass any secrets on the command line. Logging and event monitoring may inadvertently record these credentials, which is insecure because reading logs is not always a privileged activity.
  • Your source code should not be considered a weakness if exposed: inside your organisation (or outside it) you should practise an open source mindset, so that if your code base were exposed, the damage to your security would be limited. This principle does not fully apply to blue team defence or anti-cheat, because detection methods, once known, are hard to protect from being worked around; this can be mitigated by keeping the domain of allowed activity narrow.
  • At every point, SSL/TLS and encryption should be used, both in transit and at rest.
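The two points above about keeping environment configuration apart from secrets, never copying real credentials from the documented example file, and keeping secrets out of command lines and logs can be enforced in code. The following is an added example and not code from the original article; the file layout, key names (`DB_PASSWORD`, `SESSION_KEY`) and placeholder values are assumptions made for the example.

```python
"""Added example, not code from the original article: a settings loader that
keeps environment configuration apart from secrets, rejects the placeholder
values a documented example secrets file would contain, and redacts secret
values from log output. Key names and sample values are assumptions."""
import logging
import os
from dataclasses import dataclass

# Non-secret, environment-specific settings. Safe to document and to commit
# as an example; real deployments override them through the environment.
EXAMPLE_ENV = {"APP_ENV": "development", "DB_HOST": "127.0.0.1", "DB_NAME": "app_dev"}

# Placeholder values exactly as they would appear in the documented example
# secrets file (constructed). A deployment must replace every one of them.
EXAMPLE_SECRETS = {"DB_PASSWORD": "changeme", "SESSION_KEY": "<generate-a-random-key>"}


class ConfigError(ValueError):
    """Raised when a secret is missing or still holds its placeholder."""


@dataclass(frozen=True)
class Settings:
    env: str
    db_host: str
    db_name: str
    db_password: str
    session_key: str

    def secret_values(self):
        """The values that must never appear in logs or error messages."""
        return (self.db_password, self.session_key)


def load_settings(environ=None) -> Settings:
    """Build Settings from the process environment (or a dict standing in for it).

    Non-secret keys fall back to the documented example values. Secret keys are
    read only from the environment, never from a file or a command-line
    argument, and a value equal to the example placeholder is rejected.
    """
    environ = os.environ if environ is None else environ
    secrets = {}
    for key, placeholder in EXAMPLE_SECRETS.items():
        value = environ.get(key, "")
        if not value:
            raise ConfigError(f"{key} is not set")
        if value == placeholder:
            raise ConfigError(f"{key} still holds the example placeholder value")
        secrets[key] = value
    return Settings(
        env=environ.get("APP_ENV", EXAMPLE_ENV["APP_ENV"]),
        db_host=environ.get("DB_HOST", EXAMPLE_ENV["DB_HOST"]),
        db_name=environ.get("DB_NAME", EXAMPLE_ENV["DB_NAME"]),
        db_password=secrets["DB_PASSWORD"],
        session_key=secrets["SESSION_KEY"],
    )


def redact(text: str, secrets) -> str:
    """Replace every occurrence of a secret value in text with a marker.

    Longer secrets are replaced first so a secret that contains another is
    not left partially visible.
    """
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(secret, "[REDACTED]")
    return text


class SecretRedactingFilter(logging.Filter):
    """Logging filter that redacts configured secrets before a record is emitted."""

    def __init__(self, secrets):
        super().__init__()
        self._secrets = tuple(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        # Format the message now so the redaction also covers interpolated args.
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()
        return True


def render_log_line(secrets, msg, *args) -> str:
    """Run one message through the filter and return what would reach the log."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    SecretRedactingFilter(secrets).filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # Constructed environment standing in for a real deployment's variables.
    fake_environ = {"APP_ENV": "staging", "DB_PASSWORD": "s3cret-example", "SESSION_KEY": "k" * 32}
    settings = load_settings(fake_environ)
    print(render_log_line(settings.secret_values(),
                          "connecting to %s with password %s", settings.db_host, settings.db_password))
```

In a real application the filter is attached once with `logger.addFilter(SecretRedactingFilter(settings.secret_values()))`, so every record passing through that logger is redacted before any handler sees it. Reading secrets only from the environment also means they never appear in shell history or process listings, which is the exposure the command-line point above is about.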

How Do I Know If My Web Application Is Secure?

Determining whether your web application is secure can be hard if you are not a developer of the application in question; however, there are some basic techniques you can use.

  • Do not over-expose your application: if it is only used internally, make sure it is only reachable from the company intranet or local network.
  • Do not expose parts of the application that are internal to the application itself. If the application uses a MySQL database, there is no purpose in exposing that database to the internet when clients only interact with the web server.
  • Do not expose APIs and application endpoints that are internal.
  • Do not allow anonymous authentication to applications, and do not use shared credentials.
  • Log and monitor behaviours, especially database queries and crash behaviour.
  • Make sure your application is up to date and supports the latest versions of your web server and databases.
  • When using proxy technologies, make sure to follow the proper domain rules applied by the web server, and make sure sessions are properly catered for when using load balancing.
  • Use trusted SSL technologies and transport.
  • Do not use credentials for the application that allow lateral movement throughout your environment; isolate public services not only by network but also by authentication.
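The exposure checks above (only the web server reachable by clients, databases and other internal services kept off the network) can be verified on a host by looking at what is actually listening. The following is an added example and not code from the original article: it parses output in the shape of `ss -tlnp` and flags internal services bound beyond the loopback interface. The sample lines are constructed, not captured from a real host, and the port-to-service table and the "public ports" set are assumptions for the example.

```python
"""Added example, not code from the original article: audit a host's listening
sockets for internal services (databases, caches) reachable beyond loopback.
The input follows the shape of `ss -tlnp` output; the sample below is
constructed, and the service/port tables are assumptions for this example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Services that should only ever be reachable by the application itself (assumed list).
INTERNAL_SERVICE_PORTS = {
    3306: "mysql", 5432: "postgresql", 6379: "redis", 27017: "mongodb", 11211: "memcached",
}

# Ports the web server is expected to expose to clients (assumed).
PUBLIC_PORTS = {80, 443}

# Constructed sample in the shape of `ss -tlnp` output; not from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=611,fd=3))
LISTEN  0       70      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=742,fd=21))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=903,fd=6))
LISTEN  0       511     [::]:6379            [::]:*             users:(("redis-server",pid=815,fd=7))
LISTEN  0       4096    10.0.0.5:5432        0.0.0.0:*          users:(("postgres",pid=880,fd=5))
"""


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: Optional[str]

    def is_loopback_only(self) -> bool:
        """True only when the socket is bound to a loopback address."""
        try:
            return ipaddress.ip_address(self.address).is_loopback
        except ValueError:
            # "*" (and anything unparseable) is treated as bound on all interfaces.
            return False


def parse_ss_output(text: str) -> List[Listener]:
    """Extract LISTEN rows; the header and any non-listening rows are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        address, port = parts[3].rsplit(":", 1)   # "[::]:6379" -> "[::]", "6379"
        match = re.search(r'\(\("([^"]+)"', line)  # first process name, if present
        listeners.append(Listener(address.strip("[]"), int(port), match.group(1) if match else None))
    return listeners


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" for a known internal service, "review" for anything else
    listener: Listener
    reason: str


def audit_listeners(listeners) -> List[Finding]:
    """Flag every non-loopback listener that is not an expected public port."""
    findings = []
    for lst in listeners:
        if lst.is_loopback_only() or lst.port in PUBLIC_PORTS:
            continue
        service = INTERNAL_SERVICE_PORTS.get(lst.port)
        if service:
            findings.append(Finding("high", lst, f"{service} reachable beyond loopback on {lst.address}:{lst.port}"))
        else:
            findings.append(Finding("review", lst, f"unexpected listener on {lst.address}:{lst.port}"))
    return findings


def exposed_internal_services(text: str) -> List[str]:
    """Names of internal services exposed beyond loopback, in input order."""
    return [INTERNAL_SERVICE_PORTS[f.listener.port]
            for f in audit_listeners(parse_ss_output(text)) if f.severity == "high"]


if __name__ == "__main__":
    for finding in audit_listeners(parse_ss_output(SAMPLE_SS_OUTPUT)):
        print(f"[{finding.severity}] {finding.reason} ({finding.listener.process})")
```

On the constructed sample the MySQL listener on 127.0.0.1 passes, the web server on 443 is expected, Redis on `[::]` and PostgreSQL on a LAN address are reported as high, and the SSH listener is reported for review because it is neither loopback-only nor in the expected public set. Feeding the script real `ss -tlnp` output from each host gives a quick answer to the "is anything internal exposed?" question before network-level checks are run.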