At the same time, web-application security has grown into a wide area of knowledge, with many known (and as yet unknown) attack vectors, specialized software for security analysis, and experts in the field. Every single day, web-application developers and system administrators are pitted against security analysts: one side refines its defensive practices while the other improves its existing toolkit, and from time to time either side invents new weapons, tactics and strategies.
Being part of the security industry, at SpamExperts we deal with security issues every day, and today we would like to share some of our observations and thoughts on this topic.
Data transfer security
Communication between the client and the backend service is a crucial part of the whole application: the data flow is substantial and generally full of sensitive information. To protect it in real time, the application needs a layer that encrypts data before it leaves one side and decrypts it on the other. Whatever the application's design for real-time data transfer, using HTTPS instead of plaintext HTTP is nothing advanced; it is a must-have for all client-server communication in any serious application.
With wireless hotspots everywhere and countless mobile devices accessing the Internet through them, there is a significant chance of sensitive data being compromised over a public channel. SSL certificates are quite affordable nowadays, so this protection layer should be in place by default for any modern web-application.
Likewise, bidirectional communication (such as WebSocket) is used more and more, and an attacker in a man-in-the-middle position can, in theory, read a lot of private information. Data transfer protection should therefore be considered one of the most important aspects of any web-application that cares about the privacy of its end-users.
Client software security
Another important piece of client-side software is the password manager. Password managers make it easy to have a unique, strong password for each web-application, and that is no longer a hassle for end-users. So it is fine to require web-application users to set more complex passwords and to worry less about user account security.
Application programming logic security
One of the most important features of such applications is that most of the programming logic is concentrated on the client side, i.e. in the client's Internet browser. This means that every client downloads the application's source code, and "interested users" (who want to investigate how the application works) can analyze it to find logic flaws or even potential vulnerabilities. As a result, there is strong demand for code minification and obfuscation software. On the other hand, de-minification and de-obfuscation software evolves as well, which makes it hard to say who is winning this battle at the moment.
Input data security
Plain-text web forms are almost a thing of the past. End-users want web-applications to serve very advanced purposes, such as making recommendations, tracking health status and even monitoring their mood. To satisfy these needs, modern web-applications collect, recognize and process many kinds of data: text, images, audio, video, geographical coordinates, biometrics, current activity and more. And every piece of input data is potentially dangerous! Input validation algorithms must therefore evolve to keep data safe for both the application vendor and end-users.
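To make the point concrete, here is an added example (not code from the original post) of server-side validation for a mixed payload of the kind described above: a free-text note, geographical coordinates and an uploaded image. The field names, size limits and sample payloads are constructed for the example; the approach generalizes to any other input kind by adding another small validator to the allow-list.

```javascript
// Added example, not part of the original post. Validates an "activity
// update" payload with text, coordinates and an image. Field names and
// limits are assumptions chosen for the example.
const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const JPEG_SIGNATURE = Buffer.from([0xff, 0xd8, 0xff]);
const MAX_NOTE_LENGTH = 280;
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

// Each validator returns an error string or null. Keeping them small and
// independent makes the allow-list explicit and easy to review.
function validateNote(note) {
  if (typeof note !== 'string') return 'note must be a string';
  if (note.length > MAX_NOTE_LENGTH) return `note longer than ${MAX_NOTE_LENGTH}`;
  // Control characters other than tab, newline and carriage return have no
  // business in a note and often indicate something other than a human typing.
  if (/[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/.test(note)) return 'note contains control characters';
  return null;
}

function validateCoordinates(coords) {
  if (!coords || typeof coords !== 'object') return 'coordinates missing';
  const { lat, lon } = coords;
  if (typeof lat !== 'number' || !Number.isFinite(lat)) return 'lat must be a finite number';
  if (typeof lon !== 'number' || !Number.isFinite(lon)) return 'lon must be a finite number';
  if (lat < -90 || lat > 90) return 'lat out of range';
  if (lon < -180 || lon > 180) return 'lon out of range';
  return null;
}

// The image type is decided from the leading bytes (magic numbers), never
// from the client-supplied file name or Content-Type, which the sender
// controls completely.
function detectImageType(bytes) {
  if (bytes.length >= PNG_SIGNATURE.length && bytes.subarray(0, 8).equals(PNG_SIGNATURE)) return 'png';
  if (bytes.length >= JPEG_SIGNATURE.length && bytes.subarray(0, 3).equals(JPEG_SIGNATURE)) return 'jpeg';
  return null;
}

function validateImage(bytes) {
  if (!Buffer.isBuffer(bytes)) return 'image must be raw bytes';
  if (bytes.length === 0) return 'image is empty';
  if (bytes.length > MAX_IMAGE_BYTES) return 'image too large';
  if (detectImageType(bytes) === null) return 'image is not a PNG or JPEG';
  return null;
}

// Validates the whole payload and returns the list of errors (empty when the
// payload is acceptable). Unknown top-level fields are rejected so the API
// accepts only what it explicitly expects; the image is optional.
function validateActivityUpdate(payload) {
  if (!payload || typeof payload !== 'object') return ['payload must be an object'];
  const errors = [];
  const allowed = new Set(['note', 'coordinates', 'image']);
  for (const key of Object.keys(payload)) {
    if (!allowed.has(key)) errors.push(`unexpected field: ${key}`);
  }
  const imageError = payload.image === undefined ? null : validateImage(payload.image);
  for (const err of [validateNote(payload.note), validateCoordinates(payload.coordinates), imageError]) {
    if (err) errors.push(err);
  }
  return errors;
}
```

Returning every error at once rather than stopping at the first one lets the client show a complete message, while the server still rejects the request as a whole until all checks pass.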
Persistent data storage security
To provide secure access to protected storage, it is important to use a flexible but reliable authentication and authorization approach. In addition, the chosen authentication system should be multi-platform, to support the variety of modern devices. The open standard for authentication, OAuth2, seems to be the leader in this area. Token-based access (such as JSON Web Tokens) can also be considered a decent candidate; among its other advantages, it can provide protection against attacks like CSRF, as the authentication token can act as a security token at the same time.
Output data security
As there are still plenty of opportunities for code injection, checking output variables before templates are rendered remains a strict requirement. Fortunately, many modern template engines (Handlebars and Mustache, for example) protect output data by default. Turning this feature off would not be a good idea; instead, developers ought to reconsider their habits and avoid putting complex logic in templates.
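To show what "protection by default" means in practice, here is an added example (not code from the original post and not the Handlebars or Mustache implementation) of a tiny renderer that follows their convention: `{{name}}` is HTML-escaped, and only the explicit triple-stash `{{{name}}}` emits the raw value. The template, data and user-supplied strings are constructed.

```javascript
// Added example, not part of the original post. A minimal Mustache-style
// renderer that escapes every {{name}} by default, next to the explicit
// raw form {{{name}}} that a developer has to opt into.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

// Escapes the characters that can break out of element content or a quoted
// attribute value. URL, CSS and inline-script contexts need their own
// encoders; HTML escaping alone is not enough there.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Both placeholder forms are handled in a single pass, so a raw value that
// itself contains "{{x}}" is never re-interpreted as a template directive.
// Unknown names render as empty strings instead of leaking the placeholder.
function render(template, data) {
  return template.replace(/\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g, (match, rawName, escName) => {
    const name = rawName || escName;
    if (!(name in data)) return '';
    return rawName ? String(data[name]) : escapeHtml(data[name]);
  });
}

// Constructed sample: a user-supplied comment dropped into a page fragment.
// With the default escaped form, the markup in the comment is shown as text.
function renderCommentPage(comment) {
  return render('<li class="comment">{{comment}}</li>', { comment });
}
```

The lesson for reviewers is that every `{{{ }}}` (or equivalent "safe string" wrapper) in a code base is a place where the developer has taken the escaping decision away from the engine, and each one deserves a justification.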
Human factor security
This is the most critical part of any security system. Unfortunately, humans tend to defeat any protection system with unpredictable actions or odd decisions. It is crucial to train your personnel constantly in defensive practice and to monitor closely how well they follow the rules. It would not hurt even to tempt your staff to break a rule and watch their reaction; this is often far more insightful than many regular reports and can lead to valuable conclusions.
To summarize: the area of web-application security is huge and varied. As every project has its own goals, reasons and approaches behind the scenes, the developer must consider many possible real-use scenarios to make it secure, and reduce or exclude those that do not seem secure enough for the parties involved. In conclusion, web-application security remains one of the most complex aspects of modern web-application development.
What have you experienced so far in web-application development, and how do you deal with security issues on a daily basis? It would be great to hear your input in the comment section below.