試してみませんか?
Web Application Security Explained: Risks & Nine Best Practices
As convenience and remote access have become vital to employees and consumers across the globe, web applications have seen a similar increase in demand. Web apps deliver the same functionality as desktop or native applications, but with the convenience of browser accessibility. They are also easier to deliver across platforms, increasing an organization’s ability to build a larger user base. Unfortunately, web apps also introduce gateways for attackers to breach databases and client systems.
Because of the innate security risk that comes with browser-based apps — as well as advances in build and deploy methods — developers now carry greater responsibility for securing the code of the new web applications they release. Many developers have previously operated on a “security by obscurity” basis: They believed that hackers wouldn’t dig deep enough to exploit vulnerabilities in code. This has proven to be a mistake. It’s now essential that developers shift their thinking and take responsibility for securing applications before they release them, leveraging application security solutions to help them find and fix vulnerabilities.
The top web application security risks
The Open Web Application Security Project (OWASP) is an industry non-profit that is dedicated to promoting security across the web. Every few years, they create an updated list of the Top 10 Web Application Vulnerabilities.
In 2021, this list included:
Broken Access Control - Present in nearly one in 25 applications OWASP tested.
Cryptographic Failures- A root cause of sensitive data exposure.
Injection- Attackers inject malicious code into SQL queries or commands.
Insecure Design - Consists of poor or absent control design, such as generating error messages that contain sensitive data.
Security Misconfiguration - An increasing risk with the shift towards highly configurable software.
Vulnerable and Outdated Components - Require sophisticated tools and processes that are capable of scanning components in development and live environments.
Identification and Authentication Failures - Slid from the second position in the 2017 Top 10 list but remain a common vector for attacks.
Software and Data Integrity Failures - A new category on the 2021 list that relates to code or infrastructure that is introduced without checking it for integrity.
Security Logging and Monitoring Failures - These are difficult to test for but are key for detecting breaches.
Server-Side Request Forgery - A low-frequency but high-severity type of flaw where attackers hijack URL requests in a way that bypasses network access controls.
For an in-depth analysis of these vulnerabilities, and how to remediate them, check out our analysis of the OWASP Top 10
Nine best practices for securing your web app
1. Shift security left in the SDLC
Shift left security replaces legacy security processes and tools designed for the waterfall release methodology by moving security as early as possible in the software development lifecycle (SDLC). The following methods will facilitate this shift:
Using threat modelling
Incorporating security considerations into code design and architecture
Testing code while it is being written instead of waiting until applications are live in the production environment
2. Injection & input validation
Injection is a family of attack methods where malicious code is inserted into browsers or other entry forms. Two examples of injection are SQL injection and cross-site scripting, which use malicious SQL code and malicious scripts in website frontends, respectively. To protect against injection attacks, input validation methods should be used to ensure only properly formatted data can be inputted, thus blocking any malicious code from entering a system.
3. User authentication management
With “Identification and Authentication Failures” in the seventh position on the 2021 OWASP Top 10 list, user authentication is an important aspect of web-based security. User authentication management helps strengthen usernames and passwords and gives security admins many options to ensure only approved parties are accessing their apps. One such method is multi-factor authentication, which requires users to prove who they are by using at least two types of authentication.
4. Data encryption
Failures related to cryptography (or lack of it) can lead to breaches of sensitive information, making cryptography number two on the OWASP Top 10. Encrypting data, both at rest and in transit, is a key protection in the event of a breach. Encryption algorithms themselves typically come in open source packages and are already written by cryptography experts. In practice, encryption means enforcing controls and standards around encryption, such as encrypting all internal and external traffic, using updated encryption algorithms, and enforcing encryption.
5. Find and fix misconfigurations
Misconfigurations — like failing to implement the principle of least privilege access — make it easier for third parties to access sensitive data. Most misconfigurations are introduced by manual error, so using infrastructure as code (IaC) and automation can help prevent them. Additionally, scanning tools like Snyk IaC can detect and remediate misconfigurations before they reach production environments.
6. Logging & auditing
This addresses number nine on the OWASP Top 10 list: Security Logging and Monitoring Failures. There is little direct data to show how logs and audits can prevent breaches, but detecting and addressing breaches is still nonnegotiable. This category includes logging events like logins and noteworthy transactions, monitoring logs for unusual activity, and creating automatic alerts or automated remediation steps in case unusual behavior is detected.
7. Web application firewalls
A web application firewall (WAF) sits between clients and web servers and serves as a proxy for traffic between them. By setting up rules in a WAF, you can protect a web application or set of web applications against common attacks like injection.
8. Security testing within your CI/CD
Waiting to run security tests until the end of CI/CD pipelines, or worse, when web applications are running in a live environment, results in costly and time-consuming remediation. You’ll save your team time, money, and frustration by integrating security testing into your CI/CD. Automation tools make this possible with minimal disruption to developer workflows.
9. Authorization
Executing authorization processes prevents privilege escalation, an attack where a user gains access to an application then changes their privileges or role to expand access. Privilege escalation can be uncovered through penetration testing, mitigated by running applications with least privilege access, and prevented by properly configuring authentication keys.
Tools for Web Application Security Testing
Let’s briefly discuss the tools available to help developers with web application security assessment and remediation.
SAST
Static application security testing (SAST) tools such as Snyk Code scan code against predetermined best practices to identify problematic code patterns. SAST depends on the specific programming language you're using.
DAST
Dynamic application security testing (DAST) scans applications at runtime and is language-independent.
For more information about the differences between SAST and DAST, read our blog post.
SCA
Software composition analysis (SCA) tools, such as Snyk Open Source, scan third-party code dependencies in web applications. Since modern application development is characterized by heavy use of open-source libraries, SCA is an effective tool in a security team’s arsenal.
Pen-testing
Penetration testing, a function of the ethical hacker, seeks to uncover and address any attack vectors that can be used to breach a web application. Regular pen testing is a requirement for some regulations, including PCI DSS and is strongly recommended for all web apps.
RASP
Runtime application self-protection (RASP) is a technology that is built into applications and monitors their behavior against what the application should or shouldn’t be doing. It works as a complement to perimeter technologies like WAFs, but it can fail to detect certain authentication or authorization-based attack methods. RASP should be used along with other tools like SAST and SCA to be fully effective.
How Snyk can help you build secure web applications
Snyk’s developer security platform brings together its Snyk Open Source, Snyk Code, Snyk Container, and Snyk IaC tools in a single platform. Web application developers can use Snyk within their existing workflows to scan code and open source components for vulnerabilities or misconfigurations. Our comprehensive vulnerability intelligence database is curated by Snyk’s security experts and is the most comprehensive on the market.
To learn more about web appsec, check out these articles:
Application Security Explained - Tools & Trends for 2023
Application Security Testing - Top questions answered | Snyk
Application Security Assessment: 5 Key Steps | Snyk
Frequently asked questions on web application security
What is web application security?
Web application security is a set of tools and controls designed to protect web applications and associated assets. The concept includes a set of processes for uncovering and remediating vulnerabilities in web applications. It also includes secure development practices and incorporates security from design to implementation.
Why is web application security important?
Web application security is important for two reasons: One, web applications are a way for attackers to gain access to sensitive information within your databases. Two, they are also a way to stage attacks against users of the application.
What are the top three most common application security risks?
The top three most common application security risks are broken access control, cryptographic failures, and injection (including SQL injection and cross-site scripting), according to the 2021 OWASP Top 10.
How do you secure a web app?
Securing a web application starts at the earliest stages of development, where secure-by-design and threat modeling are used to ensure an application is built with security in mind. During the build process, developers should use scanning tools to detect any vulnerabilities and misconfigurations. Once a release cycle is complete, penetration testing should be conducted to uncover any vulnerabilities that were previously undetected.
Up Next
5 application security assessment steps
An application security assessment is the process of testing applications to find threats and determining the measures to put in place to defend against them.
続きを読む