Better Late Than Never – Securing Your Web App in the Production Phase
Securing a web application that is already in production can seem daunting. However, security measures can still be applied during the production phase of the software development process, just before launch. Ideally, an organization secures an application from the beginning and throughout each stage of the Secure Software Development Life Cycle (SSDLC), but setbacks such as budget constraints or other unforeseen circumstances can lead to a last-minute call to secure a web application that is almost ready for release. Fortunately, several practical steps can be taken to secure a web app even at this stage.
Read on for tips on real-world solutions organizations can apply to enhance their web application security and safeguard their valuable data and assets from cybercriminals.
Perform regular backups
Performing regular backups of code, data, and other valuable assets is vital to securing your organization against potential data loss and enhancing web application security. By creating copies of this data, you can rapidly recover in the event of a data breach, hardware failure, software bugs, human error, or malicious attacks by cybercriminals. Having a backup provides a safety net, allowing you to restore your systems to their previous state before the data loss or breach occurred, reducing downtime and minimizing financial losses. It’s also important to secure your backups, such as by encrypting them, especially if they will be moved from location to location. There are several backup solutions, but which one you choose will depend on your organization’s budget and needs. Backups are indispensable for business continuity, disaster recovery, and incident response planning against the threat of cybercrime.
Implement HTTPS
An organization should implement HTTPS (HyperText Transfer Protocol Secure) to secure a web app because it encrypts nearly all data transmitted between the user’s browser and the web server. Encrypting the communication prevents it from being read in transit, which is very important for protecting sensitive information like passwords and credit card numbers. HTTPS makes it much more difficult for an eavesdropper to recover the data, although it does not make this impossible. HTTPS also helps prevent attackers from sniffing or intercepting the data, as in a man-in-the-middle attack. It does this with the Transport Layer Security (TLS) protocol, the successor to Secure Sockets Layer (SSL). Plain HTTP, on the other hand, does not encrypt data, so traffic can be intercepted and viewed in plaintext.
Aside from encryption, there are numerous security benefits that HTTPS provides.
- Authentication: HTTPS verifies the identity of the website, ensuring that users are communicating with the intended site rather than an impostor. This makes it harder for phishing websites and other online fraud schemes to steal their information.
- Data integrity: HTTPS helps to ensure that data transmitted between the user and server is not tampered with or altered in transit.
- Search engine optimization: Implementing HTTPS can increase your web app’s visibility and ranking in search engine results pages. For example, Google has indicated that HTTPS is a ranking signal in their search engine results.
- User trust: Users are more likely to trust and use a website that has HTTPS enabled because HTTPS is widely recognized as a sign of a secure website.
Implementing HTTPS and Digital Certificates for Your Web App
To secure a web app with HTTPS and a digital certificate, follow these steps:
- Obtain a digital certificate and install it on your web server: Obtain a digital SSL certificate from a trusted certificate authority (CA) like Let’s Encrypt, DigiCert, or GlobalSign and install it on your web server. There are three main types of SSL certificates:
  - Domain Validation (DV): These certificates are the most basic and cheapest type of SSL certificate. They offer industry-standard encryption and are suitable for small personal websites or blogs.
  - Organization Validation (OV): OV certificates provide a higher level of validation and add a layer of trust to public-facing websites, making them suitable for small and medium-sized businesses.
  - Extended Validation (EV): EV certificates are the most secure and expensive type of SSL certificate. They require an extensive verification process and provide the highest level of trust for large enterprises, financial institutions, and e-commerce websites.
- Configure HTTPS on your web server: This lets your web server serve traffic using the installed digital certificate and redirect HTTP requests to HTTPS.
- Update your website’s links: Change any hard-coded HTTP links on your website to HTTPS so that visitors do not encounter broken links or security warnings.
- Test and verify: After setting up HTTPS, test your website and verify it is working correctly with online tools like SSL Labs.
Depending on the certificate and CA, HTTPS can cost anywhere from free to hundreds of dollars per year. Additionally, configuring your web server to use HTTPS can be complicated and require professional help, which can increase costs. However, implementing HTTPS is relatively inexpensive compared to the security benefits it provides. To learn other ways to secure HTTP, read our article on how to enable HTTPS security headers.
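The redirect step above is usually done in the web server, but it can also be enforced inside the application. The following WSGI middleware is an added example written for this article (not code from the original post or from any named project): it answers every plain-HTTP request with a 301 to the same URL over HTTPS and adds an HSTS header to HTTPS responses. It assumes TLS is terminated either by the WSGI server itself (which sets `wsgi.url_scheme`) or by a reverse proxy that sets `X-Forwarded-Proto`; the host name `app.example` and the `hello_app` application are constructed sample values.

```python
"""Added example: WSGI middleware that redirects plain-HTTP requests to HTTPS
and adds HSTS to HTTPS responses. Not part of the original article."""
from urllib.parse import quote

HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def is_https(environ, trust_proxy_header=False):
    """Decide whether the request arrived over HTTPS.

    wsgi.url_scheme is set by the WSGI server itself. X-Forwarded-Proto is set
    by a reverse proxy and must only be trusted when that proxy is known to
    overwrite it; otherwise a client could spoof it and skip the redirect.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_proxy_header:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_url(environ):
    """Rebuild the requested URL with the https scheme, keeping path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


class ForceHTTPS:
    def __init__(self, app, trust_proxy_header=False):
        self.app = app
        self.trust_proxy_header = trust_proxy_header

    def __call__(self, environ, start_response):
        if not is_https(environ, self.trust_proxy_header):
            # 301 so browsers and search engines remember the HTTPS location.
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # HSTS is only meaningful on HTTPS responses; browsers ignore it on HTTP.
            return start_response(status, list(headers) + [HSTS_HEADER], exc_info)

        return self.app(environ, start_with_hsts)


def hello_app(environ, start_response):
    """Constructed sample application sitting behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over https\n"]


app = ForceHTTPS(hello_app)


def run_request(application, environ):
    """Tiny driver: call a WSGI app and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(application(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def make_environ(scheme, host="app.example", path="/login", query="", forwarded=None):
    """Build a minimal WSGI environ for a constructed sample request."""
    env = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
           "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query,
           "REQUEST_METHOD": "GET"}
    if forwarded:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded
    return env


if __name__ == "__main__":
    print(run_request(app, make_environ("http", query="next=%2Faccount")))
    print(run_request(app, make_environ("https")))
```

Note the `trust_proxy_header` flag: a forwarded-protocol header is only evidence of HTTPS when the proxy in front of the app is known to overwrite it on every request, so it is off by default.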
Enforce strong password policies & 2FA
To improve security for a web application, it is advisable to establish strict password requirements that follow the National Institute of Standards and Technology (NIST) SP 800-63B guidelines. In cases where the web application holds sensitive or critical information, using two-factor authentication (2FA) can further minimize the risk of unauthorized access. Using a password manager with 2FA can also be useful.
Per NIST SP 800-63B guidelines, a strong password should meet the following criteria:
- Must be at least 8 characters long; lengths of up to 64 characters should be allowed.
- Must be complex and contain a mix of uppercase and lowercase letters, numbers, and special characters.
- Does not contain commonly used and easily guessed passwords, repetitive numbers or letters, or dictionary words.
- Must be unique. In other words, do not reuse or recycle your passwords with other accounts.
Use strong password hashing
Strong password hashing is an important part of web application security. It is a cryptographic process that transforms an original plaintext password (input) into a unique, fixed-length string of characters known as a hash (output). The hash or hash value is not meant to be reversed or decrypted, and any changes to the input message or plaintext data will result in a different hash value or output. A strong password hash is unreadable and secure, making it very difficult, if not impossible, for cybercriminals to obtain the original password.
Hashing is a secure way to store a password in a database or transmit it over a network. For example, when a user logs in, the entered password is hashed and compared to the stored hash. This lets the system check the password and verify that it’s correct without having to store it in plaintext, which helps protect sensitive data and minimize the risk of data breaches.
The process of hashing works by using an algorithm, also known as a hash function, to transform plaintext data into a hash value. To make a hash function secure, a strong hashing algorithm should be used that is resistant to pre-image and second pre-image attacks and includes salt values to make it even more difficult to crack.
Recommended password hashing algorithms for web application security
Web apps can protect their users’ passwords and prevent unauthorized access by using the recommended strong password hashing algorithms listed below.
- Bcrypt: A popular and widely used password-hashing function based on the Blowfish cipher that is designed to be extremely secure. It is purposely slow and computationally expensive, which makes it challenging for cybercriminals to crack passwords by brute-force methods. It also always hashes passwords with a salt for enhanced security.
- Scrypt: A newer algorithm that increases the amount of memory required to generate a hash, making it more difficult for attackers to use hardware acceleration to crack passwords. Generally considered more secure than Bcrypt.
- Argon2: Winner of the 2015 Password Hashing Competition, it is an advanced password-hashing algorithm that is widely considered more secure than both Bcrypt and Scrypt. It lets you tune time cost, memory cost, and parallelism (threads) when generating hashes. There are three variants: Argon2i, which is resistant to side-channel attacks; Argon2d, which is resistant to GPU attacks; and Argon2id, a hybrid of both. Moreover, it is resistant to attackers that utilize large amounts of computing power and memory and protects against brute-force attacks.
In contrast, using weak algorithms, such as MD5 or SHA-1, is not recommended because they can leave a web application vulnerable to attack and compromise user security. In fact, NIST announced on December 15, 2022, that it has retired the 27-year-old SHA-1 cryptographic hash algorithm. Despite MD5 not being recommended, it is sometimes used for file verification, hash tables, fingerprinting, or indexing. Also, PBKDF2 (Password-Based Key Derivation Function 2) is no longer thought of as a secure hashing algorithm by modern standards due to its slow performance and vulnerability to precomputation attacks, such as rainbow tables.
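The following is an added example, written for this article and not taken from the original post or any library's documentation, of the salted, slow hashing described above using scrypt from the Python standard library (`hashlib.scrypt`, available when Python is built against OpenSSL 1.1 or newer). Scrypt is used rather than Bcrypt or Argon2 only because it needs no third-party package; the `$scrypt$...` encoding that stores the parameters and salt next to the digest is this example's own convention, modelled on the common `$name$params$salt$hash` layout.

```python
"""Added example: salted password hashing and verification with stdlib scrypt.
Not part of the original article."""
import base64
import hashlib
import hmac
import os

# Work factors: n=2**14 with r=8 needs about 16 MiB of memory per hash, which is
# what slows down hardware-accelerated guessing. Raise n as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024  # upper bound OpenSSL may allocate for one hash


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, *, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, salt=None):
    """Return an encoded hash that carries its own parameters and random salt."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-password salt defeats precomputed tables
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            maxmem=MAXMEM, dklen=DKLEN)
    return f"$scrypt$n={n},r={r},p={p}${_b64(salt)}${_b64(digest)}"


def _parse(encoded):
    """Split the stored string back into (n, r, p, salt, digest)."""
    _, name, params, salt_b64, digest_b64 = encoded.split("$")
    if name != "scrypt":
        raise ValueError("unsupported hash scheme")
    kv = dict(item.split("=") for item in params.split(","))
    return (int(kv["n"]), int(kv["r"]), int(kv["p"]),
            base64.b64decode(salt_b64), base64.b64decode(digest_b64))


def verify_password(password, encoded):
    """Recompute with the stored salt and parameters; compare in constant time."""
    n, r, p, salt, expected = _parse(encoded)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            maxmem=MAXMEM, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(encoded, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """True if a stored hash used weaker parameters than the current policy, so
    it can be upgraded transparently on the user's next successful login."""
    stored_n, stored_r, stored_p, _, _ = _parse(encoded)
    return stored_n < n or stored_r < r or stored_p < p


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("correct horse battery stapler", stored))  # False
```

Because the parameters travel with the hash, `needs_rehash` lets you raise the work factor later without forcing a password reset: verify the old hash at login, then store a new one computed with the current parameters.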
Keep your application updated
Ensuring that your application uses the latest versions of libraries, frameworks, components, and other dependencies can help eliminate known web application vulnerabilities. This can be done in-house or outsourced to third-party providers that specialize in dynamic application security testing (DAST) and/or web application penetration testing services. By keeping your app up to date, you reduce the chance of exploitable bugs and make sure you are using the latest security patches. Although updating your dependencies reduces the number of web application vulnerabilities, it does not guarantee complete protection, because new security issues are discovered all the time, such as a 0-day vulnerability. Additionally, verify updates before deploying them to ensure compatibility and avoid introducing new vulnerabilities.
Put your application behind a WAF
A Web Application Firewall (WAF) is one of the most efficient methods to secure your web app. A WAF works by monitoring HTTP traffic between a web application and the Internet and filtering incoming requests for malicious activity. It is effective at blocking most malicious traffic. Common web-based attacks that a WAF provides protection against include cross-site scripting (XSS), SQL injection (SQLi), cross-site request forgery (CSRF), and brute-force attacks.
Placing a web application behind a WAF can be done in-house. You can install and configure a WAF on your own infrastructure, which provides you with more control over the configuration and management of the WAF. By placing the web application behind a WAF, organizations can reduce the risk of their application being compromised.
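To make the filtering mechanism concrete, here is an added example written for this article (not code from the original post or from any WAF product) of a miniature request filter of the kind a WAF places in front of an application. It normalizes URL-encoded input, applies a few signature rules for the attack classes named above (SQLi, XSS), rejects cross-origin POSTs as a CSRF guard, rate-limits login attempts against brute force, and writes a log line for every denied request. The rules, paths, client addresses and allowed origin are constructed sample values; a real deployment relies on a maintained rule set rather than three regular expressions.

```python
"""Added example: minimal WAF-style request inspection. Not part of the
original article; all requests and addresses are constructed samples."""
import re
import time
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Signature rules: (rule id, description, pattern applied to the decoded value).
RULES = [
    ("sqli-001", "SQL tautology or comment in parameter",
     re.compile(r"""(?:'|")\s*(?:or|and)\b\s*(?:'|")?\w+(?:'|")?\s*=|--\s*$|/\*""", re.I)),
    ("xss-001", "script tag, event handler or javascript: URL in parameter",
     re.compile(r"<\s*script|on(?:load|error|click)\s*=|javascript:", re.I)),
]


def normalize(value):
    """Decode twice so single- and double-URL-encoded input reach the same form."""
    return unquote_plus(unquote_plus(value))


class LoginRateLimiter:
    """Brute-force guard: at most `limit` login attempts per client per window."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.attempts = defaultdict(deque)

    def allow(self, client_ip, now=None):
        now = time.monotonic() if now is None else now
        q = self.attempts[client_ip]
        while q and now - q[0] > self.window:
            q.popleft()              # forget attempts outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class RequestFilter:
    def __init__(self, allowed_origins=("https://app.example",), login_path="/login"):
        self.allowed_origins = set(allowed_origins)
        self.login_path = login_path
        self.limiter = LoginRateLimiter()
        self.log = []  # in a real deployment these lines go to the SIEM

    def inspect(self, request, now=None):
        """request: dict with client_ip, method, path, optional params and headers.
        Returns (allowed, reason) where reason is "ok" or the rule id."""
        fields = {"path": request["path"], **request.get("params", {})}
        for field, raw in fields.items():
            value = normalize(raw)
            for rule_id, desc, rx in RULES:
                if rx.search(value):
                    return self._deny(request, rule_id, f"{desc} ({field})")
        if request["method"] == "POST":
            origin = request.get("headers", {}).get("Origin")
            if origin is not None and origin not in self.allowed_origins:
                return self._deny(request, "csrf-001", f"cross-origin POST from {origin}")
            if request["path"] == self.login_path and \
                    not self.limiter.allow(request["client_ip"], now):
                return self._deny(request, "bf-001", "login rate limit exceeded")
        return True, "ok"

    def _deny(self, request, rule_id, reason):
        self.log.append(f'deny client={request["client_ip"]} method={request["method"]} '
                        f'path={request["path"]} rule={rule_id} reason="{reason}"')
        return False, rule_id


if __name__ == "__main__":
    waf = RequestFilter()
    print(waf.inspect({"client_ip": "198.51.100.7", "method": "GET",
                       "path": "/search", "params": {"q": "blue shoes"}}))
    print(waf.inspect({"client_ip": "198.51.100.7", "method": "GET",
                       "path": "/search", "params": {"q": "' OR '1'='1"}}))
    print(*waf.log, sep="\n")
```

The double decoding in `normalize` is the part most often missed in home-grown filters: a rule that inspects only the raw query string can be bypassed by encoding the input one more time than the filter expects.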
Run dynamic scans (DAST)
During the production phase of a web application, an organization can run a DAST (Dynamic Application Security Testing) scan in real time to quickly find web application vulnerabilities and security risks before attackers can exploit them. A DAST scan is an automated security test of a web app that works by sending malicious requests to the application and assessing the responses to determine if there are any vulnerabilities present. By running a DAST scan, an organization can fix security flaws that may arise in the web application. It can also be used to make sure that security compliance is met.
DAST scans help secure a web application by testing for common security risks such as:
- SQL injection (SQLi)
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Weak passwords
The pros and cons of running a DAST scan include the following:
Pros:
- Fewer false positives
- Identifies configuration issues
- Can be automated on a schedule to find vulnerabilities
- Not dependent on a specific programming language
- Covers a wide range of vulnerabilities
Cons:
- Limited scope: can only assess the web application layer for vulnerabilities
- Produces a large amount of data that can be time-consuming and hard to interpret
- Has no code visibility
- Not highly scalable
- Scanning is slow, even with automation
- May require manual testing when automation can’t be done
Conduct source code scans (SAST)
Conducting a Static Application Security Testing (SAST) scan, also called “static analysis,” of your web app’s source code can help identify vulnerabilities that could be exploited by attackers. It is especially important to scan for these issues while your web application is still in development, before the app is released to the public, because it usually requires more resources to fix vulnerabilities once the app has gone live. Moreover, vulnerabilities in production applications can be exploited by malicious users. A SAST scan will usually report any issues and suggest possible solutions. After the issues are addressed, the SAST scan should be repeated to confirm that the vulnerabilities have been eliminated.
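To show what a static-analysis tool actually does, here is an added example written for this article (not code from the original post or from any SAST product): a miniature scanner that parses Python source into an abstract syntax tree and flags three patterns, a query string built dynamically and passed to `execute()`, `subprocess` calls with `shell=True`, and `eval`/`exec` on non-literal input. The source it scans is a constructed sample that contains an unsafe and a parameterized version of the same query, so you can see that only the unsafe one is reported.

```python
"""Added example: a toy SAST check over a Python AST. Not part of the
original article; the scanned source is a constructed sample."""
import ast


class Finding:
    def __init__(self, rule, line, message):
        self.rule, self.line, self.message = rule, line, message

    def __repr__(self):
        return f"{self.rule}:{self.line}: {self.message}"


def _is_dynamic_string(node):
    """True for f-strings, % formatting, .format() calls and + concatenation."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        # Rule 1: SQL text assembled at runtime and handed to execute()
        if (isinstance(func, ast.Attribute) and func.attr in ("execute", "executemany")
                and node.args and _is_dynamic_string(node.args[0])):
            self.findings.append(Finding("SQLI-001", node.lineno,
                "query string built dynamically; use a parameterized query"))
        # Rule 2: subprocess.<anything>(..., shell=True)
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding("CMDI-001", node.lineno,
                        "subprocess call with shell=True; pass an argument list instead"))
        # Rule 3: eval()/exec() on anything that is not a literal
        if (isinstance(func, ast.Name) and func.id in ("eval", "exec")
                and node.args and not isinstance(node.args[0], ast.Constant)):
            self.findings.append(Finding("EVAL-001", node.lineno,
                f"{func.id}() on non-literal input"))
        self.generic_visit(node)


def scan_source(source):
    """Parse `source` and return findings ordered by line number."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: f.line)


# Constructed sample program with one unsafe and one safe query, plus two
# other risky calls. Comments mark the lines the scanner should report.
SAMPLE = '''\
import subprocess

def find_user(db, name):
    cur = db.cursor()
    cur.execute("SELECT id FROM users WHERE name = '%s'" % name)   # line 5: reported
    return cur.fetchone()

def find_user_safe(db, name):
    cur = db.cursor()
    cur.execute("SELECT id FROM users WHERE name = %s", (name,))    # line 10: parameterized, silent
    return cur.fetchone()

def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True)          # line 14: reported

def calc(expr):
    return eval(expr)                                               # line 17: reported
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Real SAST engines add data-flow analysis on top of this pattern matching (is `name` user-controlled, or a constant?), which is where both their strength and the false positives noted below come from.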
Some pros and cons of conducting SAST scans include:
Pros:
- Scans source code to detect risks and vulnerabilities early in the software development lifecycle
- Provides a comprehensive view of an application’s security posture, which helps decision making
- Cost-effective, saving time and money
Cons:
- Can produce a high number of false positives
- Results are difficult to interpret accurately and require a security expert
- The report is static and gets outdated fast
- Incapable of finding vulnerabilities in a dynamic environment
- Requires source code to work
- Strong dependency on the code base
Conduct a penetration test
Conducting a penetration test, also known as a “pentest,” on a web application while it is in the production phase is an important step in ensuring the security of an organization’s information and data. A penetration test is a simulated attack on your web application that identifies its existing vulnerabilities and security flaws. This type of testing is important because it can uncover weaknesses in the web app that need to be addressed and fixed before any data is compromised. Pentesting should be outsourced to security experts, and its cost depends on several factors, such as the type of pentest requested, the scope of the engagement, the experience and reputation of the security expert, the length of the engagement, and more.
Provide security training
Providing security training is another important step in the process of securing a web application while it is in the production phase. Security training helps to ensure that all team members, especially developers and administrators, understand the importance of secure coding practices, such as input validation, authentication and authorization, and secure session management, for example. Additionally, it can educate them about potential threats and vulnerabilities that a web application may be exposed to, as well as how to properly respond and secure them. By providing security training to your team, you can ensure that they are equipped to implement and maintain secure web applications.
Bottom Line
Securing a web application already in production may seem daunting, but with the proper steps and resources, it is possible to protect against cybercriminals. These important steps include performing regular backups, enforcing strong password policies and two-factor authentication (2FA), implementing HTTPS, placing your web app behind a web application firewall (WAF), and providing security training. Additionally, running a penetration test and conducting dynamic application security testing (DAST) and static application security testing (SAST) scans can provide further insights into any existing vulnerabilities. Even though many of these solutions can be done in-house, sometimes it is necessary and recommended for an organization to seek help from experienced security experts to ensure their web applications are secure and up-to-date, which is vital to protect sensitive data, avoid financial losses, and maintain optimal operations. With that in mind, Zigrin offers cutting-edge solutions and services to help protect your valuable assets and data. If your organization needs more resources or security expertise to secure your web app, Zigrin is here to help.
Sources:
- https://www.cloudflare.com/learning/ssl/what-is-https/
- https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/
- https://www.rapid7.com/fundamentals/dast/
- https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm
- https://zigrin.com/cybersecurity-for-startups-backup-user-data-and-source-code/
- https://zigrin.com/services/web-application-security-testing/
- https://zigrin.com/cybersecurity-for-startups-use-a-password-manager-and-two-factor-authentication/
- https://zigrin.com/cybersecurity-for-startups-enable-http-security-headers/
- https://www.comparitech.com/blog/information-security/what-is-preimage-attack/
- https://developers.google.com/search/blog/2014/08/https-as-ranking-signal
- https://www.ssllabs.com/ssltest/
- https://sectigo.com/resource-library/different-types-of-ssl-certificates-explained
- https://letsencrypt.org/
- https://www.digicert.com/
- https://www.globalsign.com/en
- https://zigrin.com/secure-software-frameworks-for-mature-organizations/
- https://www.boldare.com/blog/how-to-improve-user-password-security-with-argon2/
- https://www.microfocus.com/en-us/what-is/sast
- https://www.mend.io/resources/blog/sast-static-application-security-testing/
- https://snyk.io/learn/application-security/dast-dynamic-application-security-testing/