Modern developers are caught between a rock and a hard place. On one hand, businesses are requiring faster application delivery from their development staff. As software plays an increasingly important role in the modern business, developers regularly face impossible deadlines.
On the other hand, web application development is becoming more complex. For instance, as outlined in this article, modern developers must create applications that adapt to any device, port to any platform, integrate with other services, and withstand increasingly sophisticated attacks. Whew!
The big problem: With these changing requirements and growing demands for faster development, developers struggle to keep up. Certain development aspects are bound to fall through the cracks.
As it turns out, that is exactly what’s happening…with security. Despite the growing importance of proper security, many developers aren’t following basic security principles. How bad is it? According to this study from last year, 99% of applications have one or more serious vulnerabilities.
Today, let’s examine this problem. While I know we can’t address every security mistake developers make, we can highlight the most important principles. What basic security guidelines should every modern web developer follow? How can you protect your web applications from being easy targets for an attack? While the list could be much larger, I’ve rounded up 7 of the most important security tips every developer must follow, and listed them below:
1. Understand what data you need to protect
One of the most important security principles a developer can practice: Only store the data you absolutely NEED to store. This starts with two questions: First, what data does your company need to store and protect? Second, if that data was compromised, how much could it harm the company or your customers?
For example, some companies put themselves (and their customers) at risk because they needlessly store sensitive customer data. Do you really need to store credit card numbers, addresses, or other sensitive information? Reducing the amount of sensitive data stored instantly makes your applications more secure.
2. Encrypt sensitive user data
What if you absolutely must store sensitive data in your database? In that case, never store it unencrypted. Ignoring this advice will likely land your company on the front page of the news–but not for good reasons. Do you really want to be the company that loses its customers’ sensitive data because it was all stored in plain text in your database?
“Encrypting sensitive user data, such as passwords, with one-way encryption — In case your server ever gets hacked, you want to make sure that no one gets hold of secure data,” explains Alex Zorach, Founder and Editor of RateTea.com. “In larger organizations or shared hosting environments, this becomes even more important because you may not be able to trust everyone with access to the data not to exploit user data.”
3. Keep software updated (or disabled)
Hackers look for the path of least resistance when trying to access your database. In many cases, this involves finding outdated or insecure software and working from there. To minimize this risk, you must follow two important guidelines. First–as explained below–you must rigorously patch and update your software.
“In web applications, similar to any other modern software, there are a large number of third party libraries used,” says Ehsan Foroughi, Director of Research of Security Compass. “An example is usage of the OpenSSL library to facilitate HTTPS communication, or LDAP libraries to provide Single Sign-On support. Many of these libraries/packages are open source. Regardless, there are vulnerabilities discovered every day in these libraries, such as failure to properly validate input elements, or special boundary cases that can be exploited to gain privileged access to the server by remote users. The detail of these vulnerabilities gets published online and attackers start looking for software that uses these libraries, either based on signs or by blindly testing against these weaknesses. The recommended best practice is to monitor common sources of vulnerability disclosures, such as the SecurityFocus email list and portal, and once there is a vulnerability disclosed and the patch becomes available, apply the patch to your environment as soon as possible. In rare cases where the patch is not immediately available, there might be other mitigation factors suggested by the vendor of the specified third party software.”
Secondly, you must disable unused software. It’s not uncommon for companies to have software connected to their systems that’s not in use. As explained below, this provides an excellent path for hackers if left unchecked.
“Many web hosting packages come with software enabled that is not used by the developer,” says Zorach. “Every service or piece of software installed or running on your server introduces an additional piece of software that can potentially be hacked. Common examples include Plesk or mail servers. By disabling or removing anything that you are not using, you decrease your risk of getting hacked.”
4. Limit user privileges
Sometimes, the biggest threat to your data isn’t an outside attacker at all. It’s an uneducated end user with too many system privileges. Limiting these privileges is best for all involved–it helps keep your applications secure while reducing the damage that end-user mistakes can do.
“In a web application or within a business’s IT systems, it’s a good idea to give each user only the privileges he or she really needs as opposed to giving everyone the same level of access,” explains Jason Swett, IT Consultant at Ben Franklin Labs. “This is called the Principle of Least Privilege. In addition to the obvious benefit of protecting the system from abuse by unqualified users, application of the Principle of Least Privilege also protects unprivileged users from accusation when an abuse occurs, since a properly privileged system makes it physically impossible for users to carry out tasks they’re not authorized to perform.”
5. Use both client-side and server-side validation
When accepting user input from a web application into your database, you must perform two forms of validation: Client-side and server-side. Client-side validation (using JavaScript) protects against user error, like incorrectly entering data or forgetting a field. Server-side validation protects against malicious input, like users trying to inject their own code into your database. The problems arise when developers make the mistake of using client-side validation as a security measure.
“Validating user input on the client side with JavaScript is a convenient way to give the user instant feedback, but server-side checking is still necessary for security,” explains Swett. “A user with malicious intent can bypass your client-side validation by either turning JavaScript off or manipulating your JavaScript code however he or she pleases. Since everything on the client side is manipulable, everything coming from the client side must be treated with suspicion. Client-side validation can provide an improved user experience but not meaningfully improved security.”
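To make the point concrete, here is an added Python example (not code from the original post or from Jason Swett) of the server-side half of validation: a registration handler that re-checks every field on the server, regardless of what the browser-side JavaScript did, and also rejects fields the form never offered, which is how a client that "manipulates the JavaScript however he or she pleases" tries to smuggle in extra data. The field names, limits and the shape of the returned error map are assumptions for illustration.

```python
import re
from typing import Dict, List

# Only these fields exist on the form; anything else in the request is suspect.
ALLOWED_FIELDS = {"username", "email", "age"}

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
AGE_RE = re.compile(r"[0-9]{1,3}")  # ASCII digits only, then range-checked


def validate_registration(form: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {field: [error, ...]}; an empty dict means the input is acceptable.

    This runs on the server for every request. The browser may have shown the
    same messages already, but nothing here trusts that it did.
    """
    errors: Dict[str, List[str]] = {}

    def add(field: str, message: str) -> None:
        errors.setdefault(field, []).append(message)

    # A tampered client can POST any field it likes (e.g. is_admin=1).
    for extra in sorted(set(form) - ALLOWED_FIELDS):
        add(extra, "unexpected field")

    username = form.get("username", "")
    if not USERNAME_RE.fullmatch(username):
        add("username", "3-32 characters: letters, digits or underscore only")

    email = form.get("email", "")
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        add("email", "not a valid address")

    age = form.get("age", "")
    if not AGE_RE.fullmatch(age) or not 13 <= int(age) <= 120:
        add("age", "must be a whole number between 13 and 120")

    return errors


if __name__ == "__main__":
    # Constructed sample requests: one honest, one from a client that
    # bypassed the JavaScript checks and added a field of its own.
    print(validate_registration({"username": "alice_1", "email": "a@example.com", "age": "30"}))
    print(validate_registration({"username": "x", "email": "nope", "age": "abc", "is_admin": "1"}))
```

Because the checks are allow-lists (what a valid value looks like) rather than deny-lists (known bad strings), a new trick on the client side does not need a new rule on the server.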
6. Sanitize user input
It should go without saying, but user input from a web application should never reach the database unchecked. It must be validated and sanitized to maintain data integrity and to avoid common attacks like SQL injection.
“User input – from forms, querystrings, and even cookies or other non-visible sources – is the number one vulnerability that leads to web applications being compromised,” says Jonathan Weber, Founder of Marathon Studios, Inc. “As a security-conscious developer, you have to understand the threats that can be posed by unsanitized input (such as SQL injection, XSS attacks) and make sure you make it an automatic habit to sanitize every input to your web apps. All it takes is one missed input to open a back-door for hackers to compromise your application.”
7. Secure all connections that contain cookie data
Session hijacking often succeeds because only the login page of the application is served over a secure connection–not the entire application. As a result, an attacker who can read the user’s traffic simply copies the session ID and gains the same access as that user. As you might imagine, the results of this mistake can be disastrous.
“One important, but sometimes overlooked security issue (even for bigger players like Facebook) is securing *all* connections that contain cookie data,” says Tim Henrich, Founder of Task Science. “Many web applications will secure their login system, set a cookie, and then allow the user to continue interacting with the application over an insecure channel. While this can improve performance and save system resources on the server-side, the cookie sent with each request (to identify the user’s session) is now vulnerable. Anyone with network access to the many networks that user’s request will traverse can imitate that user within the web application.”
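Serving the whole application over HTTPS is the real fix; the browser-side safeguard that backs it up is the cookie's own attributes. The added Python example below (not code from the original post or from Task Science) builds a session cookie with the standard library so that the browser refuses to send it over plain HTTP (`Secure`), keeps it out of page scripts (`HttpOnly`) and withholds it from cross-site requests (`SameSite`), and includes a small audit function you can run over your own `Set-Cookie` headers to spot the missing flags. The cookie name and the `Lax` choice are assumptions for illustration.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Union

COOKIE_NAME = "session"  # assumption: the application's session cookie


def new_session_id() -> str:
    """Unguessable session identifier from the OS random source."""
    return secrets.token_urlsafe(32)


def build_session_cookie(session_id: str) -> str:
    """Return the value for a Set-Cookie header carrying the session ID.

    Secure   : the browser only sends it over HTTPS, so a login over TLS
               followed by plain-HTTP pages no longer leaks it.
    HttpOnly : page scripts cannot read it, limiting what an XSS bug can steal.
    SameSite : not attached to requests initiated by other sites.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["samesite"] = "Lax"
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()


def parse_attributes(header_value: str) -> Dict[str, Union[str, bool]]:
    """Split 'name=value; Attr; Attr=value' into a lower-cased attribute map."""
    attrs: Dict[str, Union[str, bool]] = {}
    for part in header_value.split(";")[1:]:
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.lower()] = value if value else True
    return attrs


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the protections a Set-Cookie header value is missing (empty = fine)."""
    attrs = parse_attributes(header_value)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "samesite" not in attrs:
        missing.append("SameSite")
    return missing


if __name__ == "__main__":
    good = build_session_cookie(new_session_id())
    print("Set-Cookie:", good)
    print("missing:", audit_set_cookie(good))
    # Constructed header as an application without the flags would send it:
    print("missing:", audit_set_cookie("session=abc123; Path=/"))
```

The audit function is deliberately independent of how the cookie was produced, so it can be pointed at the headers your framework actually emits rather than at the code you think emits them.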
So, what do you think? Did I leave anything off of that list? Feel free to share your thoughts in the comments.
Great stuff. Thanks for sharing an informative post.
Nice ideas and tips
Joe, amazingly great job. These two points are well covered: “Keep software updated (or disabled)” and “Understand what data you need to protect”. Thanks for sharing this info. The best part is the article has all the practical detailing! Keep sharing.
You have provided some really very important and effective tips on improving and enhancing the security of the website. A website must always remain secure. I got a lot of knowledge from your article. I will surely follow all the 7 tips which you have provided in this article and I will also share this article as much as possible. Thank you.
Very Informative. While I know we can’t address every security mistake developers make, we can highlight the most important principles.