We live in an age in which we rely heavily on the Internet and web applications. They affect many aspects of daily life, including communication, banking, administration, entertainment, healthcare, education, and many more, and the list will probably keep growing. With increasing use come increasing security risks: loss of confidentiality, money, clients' data, customer trust and market goodwill for a Web Application Development Company. Despite these unrecoverable risks, Software Security is one of the least discussed topics in a development team, because it is a time-consuming process that requires a lot of effort and the skills to research various algorithms and threats.
There is a fundamental difference between how a developer and an attacker think. The developer approaches an application based on what it is intended to do. An attacker, on the other hand, looks at what an application can be made to do. The principle is very clear to an attacker: any action that is not denied is typically allowed.
Software Security vulnerabilities can have a scope that extends beyond the application itself and can include compromises of the application server, the operating system, other applications in the shared environment, etc. But as a development team, and as a Web Application Development Company, we can adopt Secure Coding Practices to build an application that is comparatively more secure and more challenging for an attacker. There are a number of points to explore; three of them follow:
- Input Validation: Client-side validation is often not enough, and we should create an extra layer of security to manage validation. All validation should be conducted on a trusted system (e.g., the server). Data should be validated for length, range and expected data type. All client-supplied data should be validated before processing, including all parameters, URLs and HTTP headers. Data from untrusted sources such as databases and file streams should also be validated before processing.
- Authentication and Password Management: Every application has public pages; for all other pages, authentication and authorization should be implemented and must be enforced on the server. If possible, only authenticated services should be established. If authentication fails, the failure response should show a generic message such as ‘Error in signing in’ instead of revealing which part of the data is incorrect, as ‘Invalid Username’ does. Sending credentials for authentication only in HTTP POST requests is recommended. After successive failed authentication attempts the account should be disabled to prevent brute-force guessing of the username or password, and it should be re-enabled automatically to prevent denial-of-service attacks.
- Error Handling & Logging: Logging is crucial, especially in the case of application failure or security breaches. It is very important to log input validations, attempts to connect with invalid tokens, timestamps and other information related to authentication failures. But it should be ensured that sensitive information such as a complete credit card number is not logged. Sensitive information, including system details or account information, should not be disclosed in error responses to the end user; instead, generic error messages and custom error pages should be used. Ensure that logs contain important log event data and that access to them is restricted to authorized individuals.
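
The failure handling described under Authentication and Password Management, as an added example that is not part of the original article: one generic reply for every failure, the account disabled after successive failures, and automatic re-enabling once a delay has passed. The `LoginService` name, the threshold of 5, the 15-minute delay and the PBKDF2 password storage are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # assumed threshold; the article gives no number
LOCKOUT_SECONDS = 15 * 60   # assumed delay before automatic re-enable
GENERIC_ERROR = "Error in signing in"   # the article's generic message


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}       # username -> (salt, password hash)
        self._failures = {}    # username -> (failure count, locked_until)
        self._dummy_salt = os.urandom(16)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return False, GENERIC_ERROR   # disabled: same reply as a bad password
        if locked_until:
            count = 0                     # lock expired: account auto re-enabled
        # Unknown users get a dummy record, so the same work is done and the
        # same reply is returned whether or not the username exists.
        salt, stored = self._users.get(username, (self._dummy_salt, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            self._failures.pop(username, None)
            return True, "Signed in"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[username] = (count, locked_until)
        return False, GENERIC_ERROR


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse")          # constructed sample account
    print([svc.login("alice", "guess")[1] for _ in range(MAX_FAILURES)])
    print(svc.login("alice", "correct horse"))      # refused while disabled
```

The failure table here lives in memory and is unbounded; a deployment would keep it in shared storage with expiry so that it works across servers and cannot grow without limit.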
Conclusion: It is very difficult to cover all Secure Coding Practices in one article. But it is something that should be discussed in the development teams of all Web Application Development Companies and included in development practices and code reviews. There are a number of fields in Software Security that can be explored and researched. Ensuring confidentiality, integrity, and availability for a Web Application is a right that should be given and also a responsibility that must be fulfilled.