Threat actors regularly try to find and exploit application security vulnerabilities in an effort to steal data, install malicious code, or disrupt key business services. The increased focus on targeting vulnerabilities in cloud and web applications reflects a shift from the predominantly device and network-based attacks of the past. The perception among cybercriminals is that developers prioritize functionality over security, which makes applications and the cloud infrastructure they are hosted on an easy target.
Adversaries exploit inadequate security controls, default configurations, and misconfigurations in applications and cloud infrastructures (such as AWS, Azure Cloud, etc). Developers have a crucial role to play in securing applications against today’s cyber threats, and it’s crucial for any developer to understand the latest practices in application security. This article provides an overview of the ten top things developers and businesses alike must know if they want to code secure applications and protect their vital information assets.
1. Follow the OWASP Top Ten
The OWASP Top Ten is a valuable resource that uses expert-driven insight to rank the top ten most critical web application security risks. In addition to the ranking of security risks, the OWASP Top Ten provides guidance and example attack scenarios to help you prevent these risks in your applications. As a global consensus towards coding more secure applications, this document serves as a strong starting point for your organization to adopt a security-first development culture.
2. Encrypt, Encrypt, Encrypt
Modern applications are touchpoints for sensitive data—you need to protect this data both for compliance and reputation purposes. Whether transmitted over a network to and from your application or stored in an application database, it’s a best security practice to encrypt this data at the application layer. Encryption encodes information so that it becomes unreadable to unauthorized parties. Opt for NIST-approved encryption algorithms for the best application security—AES or Triple DES.
3. Use Open-Source Libraries Cautiously
Third-party open-source libraries provide developers with precompiled routines that improve efficiency in today’s fast-paced development environment. The efficiency provided by open-source libraries can come with a security cost, though. In 2020 alone, the number of published open source vulnerabilities grew by 50 per cent.
Open-source libraries containing vulnerabilities or malicious code can compromise the security of your entire application. Exercise caution in your use of open-source libraries by keeping a clear inventory of open source components and avoiding open-source libraries that don’t have an active development community.
4. Stick to Authorized APIs Only
APIs provide developers with a way to connect different apps and services and let them share information with each other. From a business perspective, APIs provide opportunities to optimize application functionality, usability, and innovation. However, the nature of APIs is they can expose application logic and sensitive data to other applications and malicious threat actors. If your application connects to other services with APIs, make sure your APIs have authorization in place to verify that data access requests are secure.
5. Embrace Continued Security Training
It’s a mistake to view security training as a once-off activity in today’s dynamic threat landscape. A better approach that reinforces security concepts and lessons is to embrace ongoing security training. If you’re a developer, it’s crucial to realize that security knowledge forms an integral part of the value you can provide to the organization you work for and the apps you help to build.
Improved application security knowledge comes from repeated exposure to important concepts and lessons as part of a continuous training program. Organizations, in turn, need to understand that point-in-time security training is an outdated strategy that might tick internal compliance boxes but doesn’t achieve much in improving the security of your applications and IT infrastructure.
6. Integrate AppSec Tools in SDLC (DevSecOps)
Viewing security as an afterthought to the development process hinders your ability to build secure applications. Developers naturally want to concentrate on features and usability while shortening the development lifecycle through DevOps practices. It’s imperative to move into a DevSecOps approach that bakes application security tools into the development lifecycle from the start. DevSecOps requires workflows and automation to ensure security doesn’t slow down development or stifle innovation.
7. Update and Patch Regularly
In comparing 500 leading applications, one report found that the optimal update frequency is 20 to 40 days. One compelling reason among many to regularly update your applications is that updating makes them more secure. When you update your apps often, you can release patches that fix potential security vulnerabilities or bugs in a timely manner before malicious threat actors can find and exploit them.
8. Implement Auditing & Logging
Shifting security to the left and adhering to recommended best practices provides an excellent foundation for security. However, vulnerabilities can go undetected until release, which is why auditing your applications before releasing them is a critical final security step. Auditing examines your code for vulnerabilities using a range of automated static and dynamic tools to help detect previously unknown development or configuration errors that could compromise security.
You’re probably familiar with application logging for debugging purposes. It’s prudent to extend the implementation of logging to security because the data generated by security logs can help to unearth potentially malicious activity on your application. Furthermore, application security logs can help meet compliance requirements for regulations, such as HIPAA, ISO 27001, and PCI DSS.
9. Harden Input Validation
Users regularly input data in applications, such as when entering their names in a form. It’s important to validate these inputs and ensure they conform to expected syntax, values, and structure. Today’s threat actors often seek to exploit improperly validated application inputs and confuse applications with malicious commands or scripts. These input validation attacks result in applications performing unexpected activities, such as revealing sensitive information or allowing malicious file uploads.
To harden input validation, implement the following practices:
- Use data validators found in common web application frameworks, such as callable Django validators for form fields.
- Ensure numerical parameters and dates fall within a sensible minimum and maximum range.
- Validate that any entered strings are within a specified minimum and maximum length.
- Use validators for both XML and JSON schema.
10. Avoid Cloud Misconfigurations
Many modern apps are hosted in cloud environments and accessed by users as SaaS applications. Misconfigured cloud infrastructure poses significant security risks to cloud-based applications. These configuration errors can leave entire databases of sensitive information open to the public. As recently as June 2021, misconfigured Amazon S3 buckets used by a cloud-based information management application exposed 1,000 GB of data and over 1.6 million files belonging to numerous US municipalities.