Nazar Tymoshyk is a Security Consultant at SoftServe Inc. He has 5 years experience and a Ph.D. in Information Security and over seven years in network infrastructure management, and specializes in Security Consulting, Enterprise IT Consulting, Application Security Assessments, Penetration Testing, Ruby, OWASP, Linux, Virtualization/Cloud, Automation, Networking, Forensics, and Reversing.
It doesn`t matter which framework you’ve selected for Web application development, you still need proper Web application and server maintenance to avoid security breaches. Learn seven simple tips to mitigate Web application security risks and ensure Web application security.
Web Application Security Risks
In my career, I have regularly seen cases when the lack of proper web server support and maintenance resulted in a company`s Web application being hacked and exploited by attackers. Even though more and more often companies host their web applications in the cloud and select a private cloud for the web applications that are critical to their business, it makes no difference from a hacker`s point of view. So when talking about web application security, it`s important to consider the infrastructure of wherever the web app is hosted (even if it`s hosted by one of the top cloud players).
Unfortunately, it’s not unusual for businesses to invest into Web application development only or store all their Web applications (as well as mail servers) on a single dedicated machine without an established and safe backup process and without considering the security of the infrastructure. Additionally, if a company lacks a comprehensive security strategy and prefers to overlook a well-known security principle of “better safe than sorry”, a Web application administrator may not be ready for real-time attacks, which can result in Web application being down and sensitive data compromised.
Sure, skimping on server and Web application maintenance, regular security check-ups and trainings will save you money in the short term, however, in the long run it`ll save you more if you invest into a secure server hosting provider and proper software architecture instead.
A simple truth is, it doesn`t matter which framework you selected for Web application development a couple of years ago – Joomla, WordPress, ASP .NET or Java – over time they all need to be patched for discovered vulnerabilities and require regular security check-ups. The frameworks provide a fast and cheap way to create great Web applications, so businesses large and small continue using them despite the security risks presented by possible vulnerabilities, but what`s important is to specifically focus (and many large brands do) on proper Web application security and maintenance.
Secure Software Development: Levels of Responsibility
Owning an internet Web application is similar to owning a car – both require upfront costs, a maintenance program to keep them running smoothly, ease of use and ultimately should attract people to purchase. To properly maintain your Web application:
- Check for vendor notifications about updates and patches or withdraws
- Buy insurance to protect yourself against risks.
Web application security starts with a developer who writes secure code. Then, a Quality Assurance expert tests the code for bugs and possible vulnerabilities. Next, the Development Operations (DevOps) team is tasked with automating build processes, patching application and server software as well as monitoring performance and log files. At the next stage, a Security expert should review the results with security in mind.
Any mid-size or large company has an individual responsible for IT, often the CIO but sometimes this role is combined with the CTO and even the CEO. This person is responsible for IT decisions on support and Web application operations, as well as for preventing Web application security breaches, as it is the IT staff’s responsibility to support the company`s servers. A part of this process is designing backup and recovery plans for "after-an-incident" cases. Continuing with the car analogy, it’s similar to ensuring your spare tyre is functional in the event of an emergency.
When IT engineers (or a software development vendor) develop software, the CTO/CIO should define where to deploy it (on separate servers in the Cloud or special containers, versus all sites on a single server) and how it should operate and be protected. Otherwise, ask your internal (or vendor`s) security consultants to design and implement a proper security strategy.
Seven Simple Tips to Ensure Web application Security
1. Educate your organization. Inform employees that Security experts need to ensure that an application is secure in code and design. Explain that DevOps experts are needed to implement monitoring and patch management as well as to secure support of your server and software. Security often goes hand in hand with DevOps, architecture assessment and business analysis.
2. Don’t put all of your eggs in one basket. Do not store all Web applications on a single server. It is architecturally incorrect and could negatively affect Web application performance. Using Microsoft Azure for your web apps has already proved to be an effective way to significantly decrease costs and create truly flexible and reliable solutions in the Cloud.
3. Patch your web apps and web server. Regardless of what framework is used, it’s important to remember that none are a safe haven for your Web application. All of them have some vulnerability that needs to be addressed.
4. Store your access keys and passwords securely. There have been far too many cases of hackers attacking developers and IT guys to steal ssh or cloud access keys to take it lightly.
5. Engage a DevOps and/or security service provider. All Web applications need regular check-ups for the code and server security reviews & assessments. If your organization does not have internal experts, you can ask a security vendor to help establish a comprehensive security strategy and develop a plan for regular security check-ups.
6. If you`re outsourcing Web application development, make sure that security is part of the deal. Discuss the security maintenance and check-up possibilities with your vendor. For long-term strategic partnerships, consider a shared responsibility model.
7. The greedy pay twice. It`s best not to skimp or cut corners on security, especially if you’re responsible for protecting the sensitive data of your Web application users. Security is a significant part of quality service and customer satisfaction. If you do not secure your Web application and data upfront, you can end up with additional unexpected costs.
This post was originally written for SoftServe
Do you have any tips to prevent website security breaches? Let us know in the comments section below, or via @TechNetUK