Over the past several years, web application security has come to the forefront for software developers. Where in the past, terms such as “SQL injection” and “cross-site scripting” where completely foreign, most professional web developers now have at least a basic understanding of what these vulnerabilities are and the risks that they pose.
In addition, education and tools have become more readily available, along with techniques and best practices for developers of web applications.
However, in spite of the resources available and knowledge gained, adopting web application security best practices is still a difficult process. Here are a few reasons why:
- It’s a moving target – the bad guys continue to invent new techniques and technology continues to advance, providing new ways to attack web applications.
- Security increases costs – developer education, development & testing time, continuous testing, etc.
- Specialized knowledge and experience in web application security is sparse and, ultimately left to the individual software developer. Not many dev teams have dedicated security practitioners.
- Adoption of web application security is a mindset and culture, and it requires attention at all levels of software design and development.
- Smaller organizations don’t have the expertise or resources to address application security, or the ability to keep up with current trends.
With the list above, it may seem that the security challenge is insurmountable, particularly for resource constrained organizations. However, all is not lost, and there are a number of basic but effective techniques that can be utilized to reduce the vulnerabilities that are exposing your data. I would call this the “low hanging fruit” of web application security:
- Discuss & plan internal application security processes and best practices
- Review and remediate vulnerabilities for your server configuration
- Use reduced privilege accounts for authentication and database connections
- Adopt basic vulnerability testing
– Numerous free, open source and commercial tools are available
– Perform scanning on a recurring basis
– Remediate severe application vulnerabilities
- Scan your applications on a regular basis and remediate vulnerabilities