When getting a web application developed one of the most important aspects is the security of the application. All too often this slips through the net, as a deficiency is not apparent initially.
If your application holds information which could be used for fraudulent purposes then you have to assume that your site will be hacked. Each application, and the data it holds, is different so you need to review it and see whether your site could be targeted. It is a case of planning for the worst, but hoping for the best. The good news is that there are guidelines, which if followed, should give you some peace of mind.
Looking at the latest Top 10 Web Application Security Risks from OWASP, securing a web application requires a broad range of measures to counter all of the threats. Threats such as Injection, XSS, Broken Authentication and Session Management, and CSRF need to be handled in the application code itself. Insecure Direct Object References and Insecure Cryptographic Storage are more server specific. Insufficient Transport Layer Protection could result in the web application being targeted on both fronts.
With this in mind, security is something that needs to be included in the design phase of an application and not something that should be bolted on as an afterthought. If you are getting a web application developed you need to make sure your development partner is security conscious.
How much you lock down or secure a web application depends on a few factors. Key considerations are how sensitive the information you are transmitting and storing is, and the reputational damage that would occur from a security breach (e.g. if your site was hacked and defaced).
I’ve included a checklist of questions you should be asking your development partner, along with the sorts of responses you should be looking for. This is not an exhaustive list, but it should give you peace of mind that your development partner has security on their mind. These questions should be asked both before and after the application is developed.
Q: Is Web Application Security an important consideration in the design and implementation of the application?
A: Yes, you want to hear that security is being catered for in the application from the “ground up”.
Q: What measures do you implement at a code level to secure the application?
A: As mentioned above the OWASP site is a great resource for application security. This goes into a lot of detail. When getting an answer to this question you want to be hearing about the following:
- For the most important issue, injection, you need to make sure all input into the application is validated and sanitised.
- The application protects against Cross Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).
- The site uses a solid Authentication and Session Management system.
Q: What sort of hosting environment do you use?
A: For less sensitive data a shared hosting environment is OK, but for more security you are going to need your own server. This can be physical or virtual (cloud based, e.g. Amazon’s EC2 hosting).
Q: Does the server use a firewall to limit access?
A: Yes. For a web server the firewall should limit the open ports to only the ones absolutely required, which are usually HTTP/HTTPS for web traffic. SSH is usually required to administer the server; if so, it should only be accessible using SSH cryptographic keys. This ensures that only authorised people can access the server.
Q: Do you backup data on a regular basis?
A: The usage of the system will determine how often “regular” is, but data should be backed up at least once a day.
Q: How do you secure sensitive data passing between the application and the user’s browser?
A: SSL, with a minimum of 128 bit encryption.
Q: Do you encrypt the data you store?
A: You only need to do this for sensitive data, e.g. credit card details and personal details.
This is not an exhaustive list as it is an extremely technical area, but it should set you down the right path if you are in the middle of a project or considering engaging a web developer to build your application.