
Cybersecurity for startups – develop with modern frameworks

Writing secure code is challenging, especially for new developers, because there is hardly any guidance on how to do it. Many Computer Science programs at universities do not offer a course on application security or secure coding practices, which explains why many developers have to “figure it out” and seek training from alternatives such as OWASP and coding mentors.

This secure coding problem is why modern frameworks and libraries that implement security mechanisms by default are instrumental to developers who need to secure their applications’ code. As innovation continues and cybersecurity threats keep increasing, startups face the question of how to secure their applications while still creating apps quickly, meeting deadlines, and boosting productivity.

This is the third of eleven articles in the series “Cybersecurity for startups”. If you haven’t read the previous one, you can find it under the title: Cybersecurity for startups – use a password manager and two-factor authentication.

In our digital age, developers will continue to build web applications for enterprises and startups alike. Because a startup is neither as established nor as well funded as a large corporation that has been around for decades, cybersecurity for startups is critical.

Software development security is vital for any startup that develops web applications, especially since the web application is the number one attack vector according to Verizon’s 2022 Data Breach Investigations Report (DBIR). Ignoring it can lead to detrimental results.

Luckily, secure software development for startups is now more convenient and possible with modern software frameworks that implement security such as:

  • Spring Security
  • Django
  • CakePHP
  • Angular
  • React
  • Laravel
  • .NET

Before diving into these modern software frameworks and how they work and implement security, I will cover secure code best practices, the OWASP Top 10, training developers on how to write secure code, and the software development lifecycle (SDLC). 

Secure Coding Practices

Application security requires secure coding practices to be built into the software development life cycle (SDLC). Following secure coding best practices reduces the risk from threats and vulnerabilities, especially when they are applied in the early stages of the SDLC rather than after a software package is complete.

The OWASP Secure Coding Practices document offers a checklist that developers can follow to maintain the confidentiality, integrity, and availability (CIA triad) of information resources. You can check out a more detailed overview of this checklist here.

OWASP Secure Coding Practices Checklist covers:

  • Input Validation 
  • Output Encoding 
  • Authentication and Password Management
  • Session Management 
  • Access Control 
  • Cryptographic Practices 
  • Error Handling and Logging 
  • Data Protection
  • Communication Security
  • System Configuration
  • Database Security 
  • File Management
  • Memory Management
  • General Coding Practices

Most importantly, follow the regularly updated OWASP Top 10 guidelines to prevent critical security risks in web applications.

OWASP Top 10

The OWASP Top 10 outlines the ten most critical security risks to web applications and provides remediation guidance for each. Adopting it is an excellent first step toward software development security for any organization or startup, and it is updated as the landscape of threats and vulnerabilities changes.

As of July 2022, the OWASP Top 10 are:

Education

Training new developers to write secure code is challenging and begins with covering the basics, such as understanding threat modeling and the STRIDE threat model. Application security engineer Jet “Code Doctor” Anderson taught software developers to write secure code and once advised me (and in his blog) to begin with “lite” threat modeling when learning secure coding.

Three questions to ask for light threat modeling:

  1. What could go wrong?
  2. What will happen if it does?
  3. How can I avoid this?

Next, know what the STRIDE threat model is. It can help you identify known threats to be aware of when writing secure code.

STRIDE stands for:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service
  • Elevation of Privilege

Learn about the OWASP Application Security Verification Standard (ASVS) that you can download here, which provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

Software Development Life Cycle (SDLC) and Secure SDLC (SSDLC)

The software development life cycle (SDLC) contains seven stages developers follow for software design, development, and testing. It is a model that covers the life cycle of software from its beginning to completion. A secure SDLC or SSDLC helps developers adhere to secure code practices in every development stage from start to finish. Security risks and threats can be minimized or reduced when developers follow the SSDLC, especially when implementing it during the early stages of software development rather than after software has been released.

The 7 stages of the software development life cycle (SDLC) are:

  1. Planning
  2. Systems Analysis & Requirements
  3. Design & Prototyping
  4. Development
  5. Testing
  6. Implementation & Integration
  7. Operations & Maintenance

A “Shift-Left” Approach

Shift-left is an approach based on the idea that testing software in the early stages of development, rather than in the later stages, eliminates insecure code and vulnerabilities more effectively. If you view the SDLC as a spectrum, the early stages are on the left-hand side and the later stages are on the right-hand side. Thus, a “shift-left” approach is ideal in the SSDLC.

Develop Securely with Modern Software Frameworks

Develop web applications securely with modern software frameworks and libraries. An overview of the most popular and secure modern software frameworks and libraries can help determine which fits the best approach in software development for startups. These modern software frameworks listed below are Spring Security, Django, CakePHP, Angular, React, Laravel, and .NET.

Java Spring Security

Java Spring Security, or simply Spring Security, is a reliable, extensively tested, open-source Java/Java EE framework. Software engineer Dr. Ben Alex started it in late 2003 as Acegi Security before it was renamed Spring Security. Its core features focus on adding authentication and authorization to your web application securely, along with other security features that protect enterprise applications from common exploits.

Whether for an enterprise or for cybersecurity for startups, Spring Security is the primary choice for implementing application-layer security in Spring applications and is notably reliable and fast. Google, Amazon, and Netflix, as well as many government, banking, and military organizations, use the framework for that reason.

Robust Authentication and Authorization

Spring Security is a highly customizable authentication and access-control framework out-of-the-box that has all the tools you need to develop rapidly and focus on your application logic. It has multiple authentication and authorization strategies offering flexible options to select from that may fit any enterprise or startup’s needs.

Spring Security leverages these robust authentication and authorization strategies:

  • Basic and Form Authentication
  • OAuth2 and OpenID Connect
  • LDAP (Lightweight Directory Access Protocol)
  • JWT (JSON Web Tokens)

Protects against cross-site scripting (XSS) and other threats

Aside from implementing secure authentication and authorization, Spring Security protects your web applications from common threats such as cross-site scripting (XSS) and cross-site request forgery (CSRF).

Spring Security offers protection against these common threats: 

  • Session fixation
  • Clickjacking
  • Cross-site request forgery (CSRF)
  • Cross-site scripting (XSS)

Spring Security also includes other security features, such as sign-up support that securely hashes passwords with BCrypt rather than storing user passwords in cleartext.

Django

Django is an open-source Python full-stack web framework, first released in 2005, that follows the model-template-view (MVT) architectural pattern. Its default features enable the rapid development of secure websites: fast performance, high scalability, and an emphasis on software development security that helps developers avoid common security mistakes.

Django handles user authentication, content administration, site maps, RSS feeds, and many more tasks out-of-the-box. Giant companies such as YouTube, Instagram, Robinhood, Spotify, NASA, Dropbox, and Udemy are among many companies that use Django due to its simplicity, security, and scalability.

Django offers protection against these common threats and vulnerabilities: 

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Clickjacking
  • Session fixation and hijacking
  • Mass assignment

For vulnerabilities such as mass assignment, a threat actor exploits a web application’s object-relational mapping (ORM) interface to change information in the database that should not be user-modifiable (e.g., passwords, session keys, cookie data, permissions, and admin access).

A typical request or functionality like this (see the request below) becomes exploitable when a threat actor can guess or brute force common yet sensitive field names, has access to the source code and can review its models for sensitive fields (for example via a bot that scans GitHub for them), or when an object with sensitive fields has an empty constructor or setter.

    POST /addUser HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    userid=hashedtables&password=hashedpass&email=user@zigrin.com

And here is the exploit, which simply appends isAdmin=true:

    POST /addUser HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    userid=hashtables&password=hashedpass&email=user@zigrin.com&isAdmin=true

Django can protect against and block threats like this through its Forms, by whitelisting the fields a user can modify (fields) or blacklisting the ones that cannot be modified (exclude). Any submitted parameter that is not whitelisted is ignored.

    from django import forms
    from myapp.models import User  # the application's user model (the original imported an unrelated 'Whatzit')

    class UserForm(forms.ModelForm):
        class Meta:
            # Only these fields are bound from the submitted data; an extra
            # isAdmin=true parameter is ignored because it is not listed.
            model = User
            fields = ('username', 'password', 'email')
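As an added illustration (not code from the article or from Django), here are the two request bodies above bound the way a naive handler would and the way the allow-listed form does, in plain Node.js so it runs without a framework; the record shape, the field list and the helper names are constructed for this example:

```javascript
// Added example: mass assignment on the article's /addUser request, shown
// with a naive binder and an allow-listed binder.  Plain Node.js, no
// framework; the record shape and field names are constructed here.

// Constructed request bodies, as in the two requests above.
const NORMAL_BODY =
  "userid=hashedtables&password=hashedpass&email=user@zigrin.com";
const TAMPERED_BODY =
  "userid=hashtables&password=hashedpass&email=user@zigrin.com&isAdmin=true";

// Fields a self-registering user may set: the counterpart of Meta.fields
// in the ModelForm above.
const USER_FIELDS = ["userid", "password", "email"];

// Fresh record with the defaults the application would store.
function newUser() {
  return { userid: "", password: "", email: "", isAdmin: false };
}

// Coerce a form string to the type of the column it lands in, the way an
// ORM would (only booleans matter for this example).
function coerce(current, raw) {
  return typeof current === "boolean" ? raw === "true" : raw;
}

// Vulnerable binder: every submitted key that matches a column is written,
// so a client that appends isAdmin=true creates an administrator.
function bindNaive(body) {
  const user = newUser();
  for (const [key, raw] of new URLSearchParams(body)) {
    if (Object.prototype.hasOwnProperty.call(user, key)) {
      user[key] = coerce(user[key], raw);
    }
  }
  return user;
}

// Hardened binder: only allow-listed fields are bound; other keys are
// collected so the handler can reject the request or log the attempt.
function bindAllowlisted(body, allowed = USER_FIELDS) {
  const user = newUser();
  const rejected = [];
  for (const [key, raw] of new URLSearchParams(body)) {
    if (allowed.includes(key)) user[key] = coerce(user[key], raw);
    else rejected.push(key);
  }
  return { user, rejected };
}

// Stand-alone demonstration of both binders on the tampered request.
console.log("naive:       ", bindNaive(TAMPERED_BODY));        // isAdmin: true
console.log("allow-listed:", bindAllowlisted(TAMPERED_BODY));  // isAdmin: false, rejected: ["isAdmin"]
```

Logging the rejected keys gives the detection signal: a registration request carrying isAdmin is worth an alert, not just a silent drop.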

CakePHP

CakePHP is an open-source rapid development PHP web framework created in April 2005 that follows the model-view-controller (MVC) pattern. CakePHP is the most appropriate choice for building big-scale websites and web applications simply, rapidly, and securely while requiring less code. It contains general-purpose utility libraries and core components that handle access control lists (ACLs), authentication, cookies, email, request handling, sessions, and security. 

CakePHP is well known for its software engineering concepts and design patterns: convention over configuration (works from any website directory and requires little to no configuration of Apache or other web server), MVC, active record, association data mapping, and front controller. Although it has a steep learning curve compared to other frameworks, CakePHP is as robust as Ruby on Rails, adopting many of its concepts. Since it uses an MVC pattern, the CakePHP framework can easily craft application tasks into separate models, views, and controllers, which makes your application very light and easy to add features. Additionally, it offers customization and modularity, including the reuse of code.

Most secure PHP framework

CakePHP implements multiple security mechanisms for web applications, including built-in validation, data sanitization, and CSRF and form tampering protection. CakePHP also contains general-purpose utility libraries such as HttpSocket, router, and XML, to name a few, and a security library that handles basic hashing and encryption of data. CakePHP is highly efficient: it reduces development and prototyping time, increases productivity on your web applications, and protects web apps against security threats.

List of common threats CakePHP protects against out-of-the-box:

  • Form tampering
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Cross-site scripting (XSS)

Aside from protecting against these common threats, CakePHP adds security by restricting which HTTP methods your application accepts and by requiring the use of SSL. Additionally, it limits cross-controller communication in web applications and performs input validation. CakePHP has many advantages, including its security features, which is why it is a favorite choice of many PHP developers.

Angular

Angular is a free, open-source web application framework created by Google and released in 2016. It is written in TypeScript as a complete rewrite of AngularJS and contains built-in protections against common web application vulnerabilities and attacks. Angular uses a full-fledged model-view-controller (MVC) pattern. Its primary purpose is to develop single-page applications (SPAs) for mobile and desktop devices and to solve Google-scale problems, while offering code reusability and enabling faster development, easy testing, and lighter, faster apps.

Plain JavaScript is not ideal for developing single-page applications that require modularity, testability, and developer productivity. For that reason TypeScript, which adds a type system to JavaScript and helps developers write code that is easier to understand, was used to rewrite AngularJS. TypeScript compiles to JavaScript and runs on any platform. Gmail, PayPal, Forbes, Microsoft Office, and UpWork use the Angular framework in their web app development pipeline.

In April 2020, Forbes used Angular for its website and achieved 173.5 million page visits due to its fast page loading time and responsive user experience. PayPal used Angular to architect dynamic web pages that support real-time feeds of PayPal transaction data. These are a couple of examples that prove how successful Angular is when used for single-page web applications.

Built-in Security Protects Against Two Common HTTP Vulnerabilities

Angular has built-in protection from two common HTTP vulnerabilities, 1) cross-site request forgery (CSRF) and 2) cross-site script inclusion (XSSI), which are critical to mitigate primarily on the server side, while Angular makes integration on the client side easier. 

A cross-site script inclusion (XSSI), also known as JSON vulnerability, allows an attacker’s website to read data from a JSON API. XSSI attacks work on older browsers by overriding built-in JavaScript object constructors and including an API URL using a <script> tag.

Angular protects against XSSI by letting the server prefix every JSON response with the well-known string “)]}',\n”, which makes the response non-executable as a script; Angular’s HttpClient library recognizes this prefix and automatically strips it from every response before parsing.
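Added example (not from the article or the Angular source): the prefix convention from both ends, plus a check that the prefixed body no longer compiles as a script. XSSI_PREFIX is the string given in the text; the helper names and the sample record are assumptions made here.

```javascript
// Added example: the XSSI prefix Angular's HttpClient strips, seen from
// the server and the client side.  Helper names and data are constructed.

// The prefix from the text; the server puts it in front of every JSON body.
const XSSI_PREFIX = ")]}',\n";

// Server side: serialise and prefix.  The body is no longer valid
// JavaScript, so a hostile page cannot load it with <script src="...">.
function encodeXssiSafe(value) {
  return XSSI_PREFIX + JSON.stringify(value);
}

// Client side, what HttpClient does for a JSON response: drop the prefix
// when present, then parse.  Unprefixed bodies still parse normally.
function decodeXssiSafe(body) {
  const text = body.startsWith(XSSI_PREFIX)
    ? body.slice(XSSI_PREFIX.length)
    : body;
  return JSON.parse(text);
}

// Would this body compile as a script?  new Function() only parses; it
// runs nothing.  A top-level JSON array is a valid JS expression
// statement, which is what older-browser XSSI relied on; the prefixed
// body fails at its first character.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Constructed sample response: an array of records.
const ACCOUNTS = [{ id: 1, email: "user@zigrin.com" }];

console.log(compilesAsScript(JSON.stringify(ACCOUNTS)));  // true: loadable as a script
console.log(compilesAsScript(encodeXssiSafe(ACCOUNTS)));  // false: protected
console.log(decodeXssiSafe(encodeXssiSafe(ACCOUNTS)));    // [ { id: 1, email: 'user@zigrin.com' } ]
```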

The top 6 best security practices for Angular are:

  1. Use interpolation to encode dangerous characters and escape untrusted HTML or CSS expressions within a template expression.
  2. Use innerHTML with caution.
  3. Never use templates generated by concatenating user input.
  4. Never use native DOM APIs to interact with HTML elements.
  5. Avoid template engines on server-side templates.
  6. Scan your Angular project for components that introduce security vulnerabilities.

For #3, if templates are concatenated instead of using string interpolation in an Angular application, the input has to be sanitized to the fullest extent. Concatenating user input into templates can introduce values that are malicious expressions of unknown or untrusted origin.

To prevent this, Angular offers its ahead-of-time (AOT) template compiler, which compiles templates offline and so prevents template injection vulnerabilities.

For startups that want to use a framework vetted by Google for developing single-page web apps that contain highly dynamic content where search engine optimization (SEO) matters and no page reload time while implementing security, Angular makes a great choice.

React

ReactJS, also known as React, is an open-source front-end JavaScript library for building user interfaces (UIs) that lets you build fast and versatile UIs from components. Meta (formerly Facebook) released it in 2013 under an open-source license after being created by one of its engineers, Jordan Walke. Its single focus is to let developers create React components for web applications such as a button, text, label, or grid. React combines both basic HTML and JavaScript (JS) concepts. 

React is one of the most popular frameworks because of its ease of use, scalability, security, performance, and a simple learning curve. It even offers modularity and reusability. As a result, React requires less coding and more functionality for creating dynamic web applications. React is a fan favorite of many companies and is currently used by Meta (formerly Facebook), Airbnb, Uber, Netflix, and the New York Times. Startups can utilize React too and benefit from its advantages for building complex UIs.

Best Security Practices in React

React also incorporates security into its design, with best security practices that apply to its interfaces. For example, it bakes an understanding of markup and content into JavaScript, so HTML is not assembled by manual string concatenation (see the Angular section), which leaves less surface area for XSS attacks. Numerous best security practices apply to React.

The top 10 best security practices for React are:

  • Use default data binding with curly braces {} to escape values and protect against XSS attacks.
  • Use validation to avoid injection of dangerous URLs.
  • When inserting HTML directly into rendered DOM nodes with dangerouslySetInnerHTML, sanitize the content beforehand with DOMPurify.
  • Do not access the DOM with findDOMNode() to inject content via innerHTML directly; use dangerouslySetInnerHTML instead and sanitize with DOMPurify.
  • When using server-side rendering functions, do not concatenate unsanitized data with the output of renderToStaticMarkup(), to avoid XSS attacks.
  • Keep your dependencies updated and watch out for versions of third-party components that contain vulnerabilities.
  • Always escape < characters with a benign value to avoid injection attacks, for example when embedding JSON in a page:
    window.__PRELOADED_STATE__ = ${JSON.stringify(preloadedState).replace(/</g, '\\u003c')}
  • Verify you are on the latest version of React using npm outdated and update if needed. Avoid using vulnerable versions.
  • Install linter configurations and plugins that automatically detect security issues in your code and offer remediation advice.
  • Avoid dangerous library code that inserts HTML into the DOM or uses unvalidated URLs or unsafe patterns. Review library code manually or with linters.

Let’s use #2 as an example of how to apply these practices. URLs can carry dynamic script content through javascript: protocol URLs, so validate that your links are http: or https: to avoid javascript: URL based script injection. You can achieve this by parsing the URL with the native URL parser and then matching the parsed protocol property against an allow list.

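Added example (not the article’s snippet and not React’s own code): the protocol allow-list check from item #2 and the < escaping from item #7, in plain JavaScript. ALLOWED_PROTOCOLS, RESOLVE_BASE, the helper names and the sample inputs are constructed for this example.

```javascript
// Added example: validating link targets by parsed protocol (React list
// item #2) and escaping serialised state for an inline script (item #7).
// Helper names, the allow list and the samples are constructed here.

// Only these may appear in an href built from user data.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Placeholder base, used only so relative links parse during validation.
const RESOLVE_BASE = "https://example.invalid/";

// Returns the trimmed link when its *parsed* protocol is allowed, else null.
// Checking the parsed protocol rather than the raw string catches variants
// the browser would still execute: "JavaScript:", a leading space, or
// "java\tscript:" (the URL parser strips tabs and newlines).
function safeHref(raw) {
  const candidate = String(raw).trim();
  let url;
  try {
    url = new URL(candidate, RESOLVE_BASE);
  } catch {
    return null;                       // unparsable: reject
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? candidate : null;
}

// Props for an anchor, as a React component would build them, falling
// back to a dead link when the target is rejected.
function linkProps(raw, text) {
  const href = safeHref(raw);
  return { href: href ?? "#", rel: "noopener noreferrer", text };
}

// Item #7: escape "<" so a value such as "</script>" inside the state
// cannot close the inline <script> tag that embeds it.  "\u003c" is still
// a valid JSON escape, so JSON.parse recovers the original text.
function serializeState(state) {
  return JSON.stringify(state).replace(/</g, "\\u003c");
}

function preloadedStateScript(state) {
  return `<script>window.__PRELOADED_STATE__ = ${serializeState(state)}</script>`;
}

// Stand-alone demonstration with constructed inputs.
console.log(safeHref("https://zigrin.com/blog"));   // "https://zigrin.com/blog"
console.log(safeHref("javascript:alert(1)"));       // null
console.log(safeHref("java\tscript:alert(1)"));     // null
console.log(preloadedStateScript({ name: "</script><script>alert(1)</script>" }));
```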

Laravel

Laravel is an open-source backend PHP web application framework that makes developing web apps quick and easy through built-in features. It was created by Taylor Otwell and released in June 2011 as an advanced alternative to the CodeIgniter framework, which lacked user authentication and authorization built-in support. Laravel has a complete authentication system as a result, including the handling of routing, sessions, caching, and templating HTML. It also has robust tools.

Laravel takes the pain out of development by relieving developers from the burden of developing menial tasks. It is incredibly scalable and uses the model-view-controller (MVC) pattern. Laravel facilitates rapid web app development with its advanced features and development tools. Because it has a plethora of built-in tools, Laravel can handle anything from single-page websites to full-fledged social networks. Companies like BBC, Pfizer, 9GAG, Liberty Mutual Insurance, and Crowdcube use it.

Security is a Key Feature in Laravel

One of Laravel’s highlights is its robust built-in security features. The framework uses several security mechanisms to protect apps from threats and reduce vulnerabilities. For example, the Eloquent ORM included with Laravel uses PDO parameter binding, which protects against SQL injection by ensuring that user input cannot modify the intent of a SQL query.

Security Threats and Vulnerabilities Laravel Protects From:

  • SQL injection
  • Cross-site scripting (XSS) 
  • Cross-site request forgery (CSRF)
  • URL redirection
  • Insecure HTTP websites
  • DOS attacks
  • Weak login implementation
  • Password vulnerabilities

Moreover, Laravel has security mechanisms for implementing authentication, configuration, and more out-of-the-box. And it comes with Monolog out-of-the-box for logging everything, such as failed login attempts and password resets.

Laravel implements security mechanisms for the following:

  1. Configuration
  2. Storing passwords
  3. Authenticating users
  4. Manually logging in users
  5. Protecting routes
  6. HTTP basic authentication
  7. Password reminders and reset
  8. Encryption
  9. Authentication drivers

Let’s use #8 as an example of how Laravel implements encryption. Laravel provides strong encryption via OpenSSL with the AES-256-CBC cipher through the encryptString method of the Crypt facade. Every encrypted value is signed with a message authentication code (MAC), so values that a malicious user has tampered with cannot be decrypted.

Security Tools

Laravel also has advanced security tools that ensure your applications or dependencies are free of vulnerabilities, such as Enlightn and Enlightn Security Checker. The security tool Enlightn is used for scanning your application code, web server configurations, and more for security vulnerabilities and code reliability issues. The Enlightn Security Checker is also used for scanning dependencies to find vulnerabilities.

.NET

.NET Framework is a software development framework for building and running applications on Windows only. It is part of the .NET platform, a collection of technologies for building apps for Linux, macOS, Windows, iOS, and more. Microsoft developed it and first released it on February 13, 2002; its final release was on May 1, 2021. .NET Framework is the original implementation of the open-source .NET, and it provides a variety of classes and services that enable developers to write code securely, use cryptography, and implement role-based security.

.NET consists of two major components:

  • Common language runtime (CLR): CLR is an execution engine that handles running applications. It also provides services like security, memory management, and exception handling.
  • .NET Framework Class Library (FCL): FCL is a massive library of tested, reusable code developers can call from their own apps. It also provides language interoperability across several programming languages. 

Role-Based Security, Cryptography, and Application Security

.NET offers role-based security to help address security concerns regarding mobile code and to provide support that enables components to determine what users are authorized to do. .NET also follows an extensible cryptography model and implements many standard cryptographic algorithms. Additionally, application code follows secure coding guidelines to enforce application security.

Role-based Security

.NET role-based security supports authorization by making information about the principal (the associated identity) available to the application; that identity can be based on a Windows account or on a custom identity unrelated to a Windows account. .NET apps can make authorization decisions based on the principal’s identity, its role, or both.

A principal can be a member of one or more roles, and .NET apps can use role membership to determine whether a principal is authorized to perform a requested action.

Cryptography Model

The .NET cryptography model is extensible and provides implementations for many standard cryptographic symmetric and asymmetric algorithms, such as AES, RSA, or ECDiffieHellman, also known as Elliptic Curve Diffie-Hellman (ECDH). 

.NET has implementations for the generation of symmetric and asymmetric keys, encryption and decryption of data, cryptographic digital signatures, XML encryption with cryptographic keys or X.509 certificates, and more to ensure secure communications are intended for the sender and recipient only rather than threat actors.

Application Security and Secure Coding Guidelines

.NET offers secure coding guidelines that ensure the application code is highly secure, eliminating vulnerabilities and preventing threat actors from exploiting the application code. Those vulnerabilities include improper input validation or a race condition when threads use the same shared memory to update the values of variables.

The guidelines call for the following:

  • Do not use Code Access Security (CAS)
  • Do not use partially trusted code
  • Do not use the AllowPartiallyTrustedCallers attribute (APTCA)
  • Do not use .NET Remoting
  • Do not use Distributed Component Object Model (DCOM)
  • Do not use binary formatters

Per the secure coding guidelines, neither CAS nor Security-Transparent Code is supported for partially trusted code. Loading and executing code of unknown origin without alternative security measures in place is strongly discouraged.

Alternative security measures:

  • Virtualization
  • Hyper-V containers
  • Operating system (OS) users and permissions
  • AppContainers

The .NET framework implements various security mechanisms with updated secure coding guidelines to help developers build Windows applications that are more secure. It is an option for startups focusing on software development for Windows apps.

The next article in the series will describe our third security recommendation for startups – configure the edge security service.

Summary

Developing web applications with secure modern software frameworks and libraries is critical for cybersecurity for startups when web applications are the number one attack vector for cyber attacks. These frameworks and libraries include Spring Security, Django, CakePHP, Angular, React, Laravel, and .NET. They all serve unique purposes; some are more compatible than others for your startup’s needs depending on your startup’s software development goals. Understanding secure code practices, threat modeling, STRIDE, OWASP Top 10, OWASP ASVS, and the secure software development life cycle (SSDLC) can put your startup and its developers ahead of the AppSec game.


Author: Mars Groves