Security is one of the most important considerations in today's business world.
This is especially true given the significant security breaches of the past two years, and earlier.
Given all this, it's important to take business application security seriously at all times.
In keeping with this, we'd like to present application security best practices designed to help your team develop and maintain secure applications more easily.
9 Application security best practices:
1. Implement web security best practices – OWASP:
The OWASP Top 10 is a great place to start: it is a comprehensive list of the most critical web application security vulnerabilities, as identified by experts across the world.
The vulnerabilities OWASP lists affect the integrity, confidentiality and availability of an application, as well as its developers and users.
It covers attack vectors ranging from security misconfiguration, broken authentication and session management, and sensitive data exposure, through to injection attacks.
Staying aware of these vulnerabilities, observing how they typically operate, and then using this knowledge to code securely helps you create applications that stand up to attacks.
2. Have a proper application security audit:
Another web application best practice to note, as far as security is concerned, is to carry out regular application security audits.
This step is necessary even if you and your developers pay close attention to the OWASP Top 10 list of vulnerabilities, even if you have a security evangelist in your organization, and even though your developers self-test regularly.
This is because, while the measures mentioned above are necessary and valuable, they are not fully comprehensive: they suffer from preconceived biases and filters.
As a result, your team will be unable to critique the applications objectively.
This is why it's important to get independent opinions: ones that aren't guided by preconceived biases and notions, from people who have never seen the applications before.
These independent reviewers won't make assumptions about the code, and won't be biased by the company or by anyone in it.
Additionally, this type of security audit can give you ideas on how to proceed and build secure applications faster.
3. Implement proper logging:
After you have altered your code based on the findings of the security audit, it's time to take a step back and look at the bigger picture: the factors that are often external to the code but can still heavily influence the security of the application.
The practice we are referring to in this section is what the industry commonly calls 'logging'. As you might know from experience, there are always things that don't quite go as planned in the development process.
For instance, there might be a bug that was considered insignificant but in fact opened up your application to attack. When this occurs, you will be unable to respond swiftly enough unless you have implemented proper logging.
Logging gives you knowledge of what exactly happened, what caused the situation, and what else was going on at the time.
To log properly, first ensure that you've sufficiently instrumented your application. There is a whole range of tools and services for this, depending on your language or languages, including NewRelic, Tideways, Blackfire and others.
After this, the information must be stored in a manner that allows swift and efficient parsing. This can be done in several ways, including Linux syslog, open source solutions like the ELK stack, and SaaS services such as PaperTrail, Loggly and Splunk.
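As an added illustration of the two halves of this practice (instrumenting the application, then storing events in a form that is quick to parse), here is a small example that is not from the original post or from any product named in it. It writes one JSON object per line, which syslog or an ELK pipeline can ingest as-is, and then runs a simple check over constructed sample lines to surface repeated login failures; the function and field names are hypothetical.

```python
import json
import logging
from collections import Counter
from datetime import datetime, timezone
from io import StringIO


def make_security_logger(stream):
    """Logger that emits one JSON object per line (easy for syslog/ELK to parse)."""
    logger = logging.getLogger("security-events")
    logger.handlers.clear()          # idempotent: safe to call more than once
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.propagate = False         # keep these events out of the root logger
    return logger


def log_event(logger, event, user, source_ip, outcome, **extra):
    """Record who did what, from where, with what result, and when (UTC)."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "user": user,
        "source_ip": source_ip,
        "outcome": outcome,
    }
    record.update(extra)
    logger.info(json.dumps(record))


def failed_logins_by_ip(lines, threshold=3):
    """Parse JSON log lines; return source IPs with at least `threshold` failed logins."""
    counts = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                 # skip non-JSON noise instead of aborting the analysis
        if rec.get("event") == "login" and rec.get("outcome") == "failure":
            counts[rec.get("source_ip", "unknown")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def demo():
    """Constructed sample activity: three failures from one address, one success elsewhere."""
    buf = StringIO()
    logger = make_security_logger(buf)
    for _ in range(3):
        log_event(logger, "login", "alice", "203.0.113.5", "failure", reason="bad_password")
    log_event(logger, "login", "bob", "198.51.100.7", "success")
    return failed_logins_by_ip(buf.getvalue().splitlines())
```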
4. Real-time security monitoring and protection:
Every application security plan should include firewalls and web application firewalls. However, firewalls are effective only in certain situations and may not offer the comprehensive security you require.
A firewall cannot be considered the most comprehensive application security tool, for various reasons, including the fact that it can generate both false positives and false negatives.
That said, firewalls do offer a certain level of protection to your applications.
Therefore, it is good practice to deploy them alongside Runtime Application Self-Protection (RASP) and services such as Sqreen, which provide real-time protection and monitoring.
By doing this, you secure your application from both external and internal perspectives.
5. Don’t forget to encrypt everything:
Go ahead and encrypt everything, and by that we do not only mean HTTPS and HSTS: we mean the encryption of absolutely everything.
It is critical to use holistic encryption to secure and protect applications.
It's therefore also important to consider encryption from all angles, and not limit it to the obvious ones.
While HTTPS makes Man In The Middle (MITM) attacks extremely difficult, it's still important to ensure that all of your data at rest is encrypted as well.
This is because a dubious systems admin, a government employee or operative, or even an ex-staffer can get at your data by cloning or even removing the drives from your server.
That is exactly why it's important not to consider security in isolation. Instead, take a holistic view and consider data in transit as well as data at rest.
6. Harden everything:
After you have encrypted all the data and traffic, it's time to go one step further and harden everything as part of your application security best practices.
This means hardening everything from operating systems through to software development frameworks. As this step includes a whole host of complex measures, here is a quick guide on application hardening best practices.
7. Keep your servers up to date:
After you have ensured that your operating system is hardened, it's time to make sure that your servers are up to date as well.
They may be hardened against the current version, but the installed packages may still be out of date and could contain vulnerabilities, which poses a problem.
You can configure your servers to update automatically to the latest security releases as soon as they are made available.
While you may not allow automatic updates for every package, at least prioritise the ones that pertain to security.
If you choose not to do this automatically (depending on the nature of your enterprise or your organization's policy on the matter), you can approve updates individually instead.
8. Keep your software up to date:
In addition to keeping the operating system up to date, you will have to go a couple of steps further and keep your application framework and third-party libraries up to date as well.
Software libraries and frameworks can have vulnerabilities just as operating systems can.
What's more, if they are kept on the latest stable version (where possible and properly supported), they can be patched and improved swiftly.
Many languages (dynamic and static) have package managers, and these tools make maintaining and managing external dependencies quite easy.
They also offer the option of being automated during deployment. Therefore, take advantage of them, and stay on as recent a release as possible.
9. Follow the latest vulnerabilities:
Considering how many attack vectors are in active use, including insecure direct object references, cross-site scripting, SQL injection, code injection and cross-site request forgery, it's increasingly difficult to keep up to date with all of them all of the time.
However, in order to build secure applications, we need to be able to do this. Thankfully, there are a number of ways to get this information in a concise, precise and easy-to-consume form.
Here is one of the websites you can refer to in order to stay updated on the latest vulnerabilities.
We hope you found this post on application security best practices helpful.