Earlier this week, we introduced Part 1 of a two-part blog post series titled “7 Development AppSec Tricks to Keep the Hackers Away.” We now continue with Part 2 of this feature, highlighting additional application security tips:
4. Don’t neglect user input. Incorporate WAF security.
Most modern web and mobile applications are built around direct interaction with users, who typically enter data through form fields in their browsers. This gives attackers the opportunity to probe the robustness of the application using a wide range of techniques. The most common ones include SQL injection, LDAP injection and Cross-site Scripting (XSS).
In a nutshell, developers should make sure user input is sanitized to prevent illegal/unauthorized access to the servers, ideally by combining whitelisting (accepting only known-good input) with blacklisting (rejecting known-bad patterns). Other security techniques include minimizing the detail of error messages displayed in the browser and enforcing predefined session timeouts.
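As an added example (not code from the original post), the snippet below shows the whitelist-plus-blacklist validation described above for a username field, alongside a query that binds the value as a parameter so the database treats it as data rather than SQL. The `users` table and its rows are constructed sample data.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory sample database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# Whitelist: only the characters a username may legitimately contain.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
# Blacklist: SQL metacharacters and comment markers that must never appear.
DENY_RE = re.compile(r"(--|;|'|/\*)")


def validate_username(value):
    """Return True only if the value passes both the whitelist and the blacklist."""
    return bool(USERNAME_RE.match(value)) and not DENY_RE.search(value)


def lookup_role_unsafe(conn, username):
    """'Before' form: string concatenation lets input alter the query structure."""
    query = "SELECT role FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_role_safe(conn, username):
    """Hardened form: validate first, then bind the value as a query parameter."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    rows = conn.execute("SELECT role FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]
```

Parameter binding is the primary defence; the validation step is defence in depth and also keeps oversized or malformed values out of downstream code such as LDAP lookups or HTML rendering.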
Integrating Web Application Firewalls (WAFs) is an effective way to detect malicious user input and to monitor irregular traffic patterns in and out of the servers/databases.
5. Make sure your application is compliant with the relevant security standards.
There are a couple of globally recognized security standards that all organizations, regardless of their industry sector, should aspire to comply with. The OWASP Top 10 and SANS 25 are comprehensive application vulnerability lists created by non-profit organizations, with contributions from leading security experts around the world.
Other leading industry-specific security standards include:
- PCI DSS – For companies that process, store or transmit credit card information.
- HIPAA – For organizations that provide health care plans or services.
- MISRA – A set of security standards for the C programming language.
- BSIMM – A measurement framework that helps gauge software security.
6. Scrutinize third-party Open Source components before their implementation.
Open source components are an inseparable part of every application development process. Unfortunately, many developers implement open source components without really testing them or knowing their security implications. Proper management of open source components is of utmost importance to ensure optimal application development security.
7. Use Penetration Testing before release and preferably with each new version update.
While Pen Testing is not a comprehensive solution, it involves mimicking hackers to try to locate vulnerabilities in the application. A group of professional security experts conducts this hands-on testing to expose loopholes in the application code. Even within time and budget limitations, glaring vulnerabilities can often be located this way.
If time and budget permit, adding Pen Testing to the security protocol of the organization can be an effective complementary way to safeguard the application.
Traditional security solutions like the aforementioned Web Application Firewalls (WAFs) are helpful, but can only provide partial coverage in today’s dangerous cyberspace. Implementing the seven recommendations mentioned in this series can help you develop more secure application code, making life tougher for hackers and malicious attackers.
In other words, developing code with high integrity has become paramount. This is best achieved by scanning and testing as early as possible in the SDLC, eliminating the need for post-release damage control that typically includes the release of security and performance patches/updates. Application security starts from the foundation – the source code.
About the Author: Sharon Solomon (@checkmarx) is a Content Manager at Checkmarx, a leading provider of Source Code Analysis (SCA) solutions to identify security vulnerabilities in web and mobile applications. It provides an easy and effective way for organizations to introduce security into their Software Development Lifecycle (SDLC) which systematically eliminates software risks and coding flaws.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock