7 Current Trends in Secure Web-Application Development


Twenty-four years ago, Tim Berners-Lee introduced the first toolset for web development. It consisted of 18 HTML tags, with nothing like CSS or JavaScript. Back then, application security was not really an issue. Today, to build even a basic website, a web developer or team has to weigh many technologies, frameworks and approaches and pick the ones that suit each particular project.

At the same time, web-application security has grown into a wide field of knowledge, with many known (and as yet unknown) attack vectors, dedicated software for security analysis, and experts who specialise in it. Every single day, web-application developers and system administrators face off against attackers. One side refines its defences while the other improves its existing arsenal, and from time to time both invent new weapons, tactics and strategies.

Being part of the security industry, we at SpamExperts deal with security issues every day, and today we would like to share some of our observations and thoughts on the topic.

Data transfer security

Communication between the client and the backend service is a crucial part of the whole application: the data flow is significant and usually full of sensitive information. It has to be protected in transit, and regardless of how the application moves its data in real time, using HTTPS instead of plaintext HTTP is not an advanced measure but a must-have for all client-server communication in any serious application.

With wireless hotspots everywhere and countless mobile devices reaching the Internet through them, there is a real chance of sensitive data being captured on a public channel. TLS certificates are quite affordable nowadays, so this protection layer should be implemented by default for any modern web application, together with a redirect from HTTP to HTTPS and a Strict-Transport-Security header so browsers never fall back to plaintext.

Likewise, bidirectional channels such as WebSocket are increasingly common, and an attacker in a man-in-the-middle position can read a great deal of private information from an unencrypted one, so they need wss:// rather than ws:// as well. Data transfer protection should therefore be treated as one of the most important aspects of any web application that cares about its end users' privacy.

Client software security

Modern browsers can be an ally of web-application developers if used right. For instance, a browser's built-in XSS filter can be switched on with a single response header (X-XSS-Protection), and a Content-Security-Policy header lets you set fine-grained rules for potentially dangerous resources such as external JavaScript. So before blaming a particular browser for a page that "doesn't work", find out why it is misbehaving: it may well be a security mechanism doing its job.
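The two preceding sections (transport protection and browser-side protections) come together in a single response-handling function. The following is an added example written for this article, not code from SpamExperts or from any framework: a dependency-free Node.js helper that bounces plaintext requests to HTTPS and attaches HSTS, CSP and the legacy XSS-filter header to every secure response. The hostname app.example.com, port 8080 and the exact CSP policy are assumptions for the demonstration.

```javascript
// Added example (not from the original post): redirect HTTP to HTTPS and attach
// browser-side protection headers. Hostname, port and policy are assumptions.
'use strict';

const SECURITY_HEADERS = {
  // Browsers must use HTTPS for this host (and subdomains) for the next year.
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  // Scripts only from our own origin; inline <script> and eval() are blocked.
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  // Legacy built-in XSS filter for older browsers (CSP supersedes it).
  'X-XSS-Protection': '1; mode=block',
  // Stop browsers from sniffing responses into scripts or stylesheets.
  'X-Content-Type-Options': 'nosniff',
  // Do not let other sites frame the application (clickjacking).
  'X-Frame-Options': 'DENY',
};

// Decide how to answer a request given the scheme the client actually used.
// `req` is a plain object { secure, host, url } so the logic is testable
// without a live server.
function handleRequest(req) {
  if (!req.secure) {
    // Never serve application content over plaintext; permanent redirect.
    return {
      status: 301,
      headers: { Location: 'https://' + req.host + req.url },
      body: '',
    };
  }
  return {
    status: 200,
    headers: Object.assign({ 'Content-Type': 'text/html; charset=utf-8' }, SECURITY_HEADERS),
    body: '<!doctype html><title>ok</title>',
  };
}

// Stand-alone demo: `node headers.js --serve`, then `curl -i http://localhost:8080/`.
// A plain http server only ever sees insecure requests; behind a TLS-terminating
// proxy you would derive `secure` from X-Forwarded-Proto, trusting that header
// only when it comes from the proxy's own address.
if (process.argv.includes('--serve')) {
  const http = require('http');
  http.createServer((req, res) => {
    const host = req.headers.host || 'app.example.com';
    const r = handleRequest({ secure: false, host, url: req.url });
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(8080);
}
```

The policy above is deliberately strict; an application that relies on inline scripts will break under it, which is exactly the "security mechanism in action" case mentioned above. Start from a Content-Security-Policy-Report-Only header to see what the policy would block before enforcing it.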

Another important piece of client-side software is the password manager. Password managers make it painless for end users to keep a unique, strong password for every web application, so it is reasonable to require more complex passwords and worry less about account security.

Application programming logic security

Nowadays, thanks to modern browser capabilities, HTML5 APIs and JavaScript frameworks like Angular, React or Meteor, it is possible to build very advanced applications that run practically everywhere: on desktops and laptops, tablets, mobile devices, TVs and even the screen embedded in a fridge!

One defining feature of such applications is that most of the programming logic lives on the client side, i.e. in the user's browser. Every client downloads the application's source code, and "interested users" who want to see how it works can analyse it for logic flaws or even potential vulnerabilities. This has made code minification and obfuscation tooling very much in demand; on the other hand, de-minification and de-obfuscation tooling evolves just as quickly, so it is hard to say who is winning that battle. Either way, minification and obfuscation only slow an analyst down and are not a security boundary: any check that matters (authorization, pricing, rate limits) must be enforced on the server as well, and no secret should ship in client-side code.

Input data security

Plain-text web forms are almost a thing of the past. End users expect web applications to serve very advanced purposes, such as making recommendations, tracking their health or even monitoring their mood. To meet those needs, modern web applications collect, recognize and process many kinds of data: text, images, audio, video, geographic coordinates, biometrics, current activity and much more. All of that input is potentially dangerous, so input validation has to keep pace to keep the data safe for both the application vendor and the end users. The rule stays the same whatever the data type: validate type, length, range and format against an allow-list on the server, and build a fresh, typed value from the validated fields rather than passing the raw input through.
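To make the allow-list approach concrete for the mixed data types just listed, here is an added example (written for this article, not code from SpamExperts or from any library) that validates a "check-in" record combining free text, an enumerated mood value, geographic coordinates and an optional image-upload descriptor. The field names, limits and sample inputs are assumptions made for the demonstration.

```javascript
// Added example (not from the original post): allow-list validation of a
// multi-field record. Field names, limits and sample data are assumptions.
'use strict';

const LIMITS = {
  noteMaxChars: 500,
  allowedMoods: new Set(['great', 'good', 'neutral', 'bad', 'awful']),
  allowedImageTypes: new Set(['image/jpeg', 'image/png']),
  imageMaxBytes: 5 * 1024 * 1024,
};
const ALLOWED_FIELDS = new Set(['note', 'mood', 'lat', 'lon', 'image']);
// Control characters other than tab, newline and carriage return.
const CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/;

// Returns { ok: true, value } with a freshly built, typed object, or
// { ok: false, errors }. Everything not explicitly permitted is rejected:
// unknown keys, wrong types, non-finite numbers, out-of-range coordinates.
function validateCheckIn(input) {
  const errors = [];
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  // Unknown keys are an error, not silently ignored (mass-assignment defence).
  for (const key of Object.keys(input)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push('unexpected field: ' + key);
  }

  // Free text: bounded length in code points, no control characters.
  const note = input.note === undefined ? '' : input.note;
  if (typeof note !== 'string') {
    errors.push('note must be a string');
  } else {
    if ([...note].length > LIMITS.noteMaxChars) errors.push('note too long');
    if (CONTROL_CHARS.test(note)) errors.push('note contains control characters');
  }

  // Enumerated value: compare against a fixed set, never accept arbitrary strings.
  if (!LIMITS.allowedMoods.has(input.mood)) errors.push('mood not in allowed set');

  // Coordinates: real numbers (not numeric strings), finite, within range.
  const finite = (v) => typeof v === 'number' && Number.isFinite(v);
  if (!finite(input.lat) || input.lat < -90 || input.lat > 90) errors.push('lat out of range');
  if (!finite(input.lon) || input.lon < -180 || input.lon > 180) errors.push('lon out of range');

  // Optional upload descriptor: allow-listed type and a size cap. The declared
  // type still has to be confirmed against the actual bytes when they arrive.
  if (input.image !== undefined) {
    const img = input.image;
    if (img === null || typeof img !== 'object') {
      errors.push('image must be an object');
    } else {
      if (!LIMITS.allowedImageTypes.has(img.contentType)) errors.push('image type not allowed');
      if (!Number.isInteger(img.bytes) || img.bytes <= 0 || img.bytes > LIMITS.imageMaxBytes) {
        errors.push('image size out of range');
      }
    }
  }

  if (errors.length > 0) return { ok: false, errors };
  // Build a new object from validated fields only; never return `input` itself.
  const value = { note, mood: input.mood, lat: input.lat, lon: input.lon };
  if (input.image !== undefined) {
    value.image = { contentType: input.image.contentType, bytes: input.image.bytes };
  }
  return { ok: true, value };
}

// Constructed sample inputs (not real data) for a stand-alone run.
const GOOD_INPUT = { note: 'Walk in the park', mood: 'good', lat: 52.37, lon: 4.89 };
const BAD_INPUT = { note: 'x\u0000y', mood: 'ecstatic', lat: '52.37', lon: 400, isAdmin: true };
if (process.argv.includes('--demo')) {
  console.log(validateCheckIn(GOOD_INPUT));
  console.log(validateCheckIn(BAD_INPUT));
}
```

Two details matter more than they look. A latitude supplied as the string "52.37" is rejected rather than coerced, because a parser downstream might treat it differently from the validator; and the returned value is rebuilt from scratch, so an extra isAdmin field in the request can never reach the persistence layer.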

Persistent data storage security

Personal data privacy is key to a trusted web application: nobody will use one that cannot guarantee a high level of user data protection, and that raises the bar for backend security. Even a common, simple data transfer format like JSON can be a problem. Because its syntax is a subset of JavaScript, an eval()-based parser will happily execute any code embedded in a malicious document, so use a real JSON parser (JSON.parse in JavaScript) instead. Even simple, well-known technologies cannot be considered 100% safe.
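The eval() problem is easiest to see side by side. The following is an added example for this article (not SpamExperts code): the legacy eval-based parser next to JSON.parse, fed a constructed payload that is valid JavaScript but not valid JSON. The global marker name __pwned is an assumption used only to show that code ran.

```javascript
// Added example (not from the original post): eval()-based JSON parsing versus
// JSON.parse. The payload and the __pwned marker are constructed for the demo.
'use strict';

// The old-style parser: JSON looks like JavaScript, so eval "works"...
function parseJsonWithEval(text) {
  return eval('(' + text + ')');
}

// ...and the hardened version: JSON.parse accepts only the JSON grammar.
function parseJsonSafely(text) {
  return JSON.parse(text);
}

// Constructed attacker payload: a self-invoking function. With eval it runs
// arbitrary code inside the application process; here it only sets a marker
// and then returns an innocent-looking object.
const PAYLOAD = '(function () { globalThis.__pwned = true; return { role: "admin" }; })()';

// Run one parser against the payload and report whether it parsed, whether
// attacker code executed, and what came back.
function demonstrate(parser) {
  delete globalThis.__pwned;
  try {
    const value = parser(PAYLOAD);
    return { parsed: true, codeRan: globalThis.__pwned === true, value };
  } catch (e) {
    return { parsed: false, codeRan: globalThis.__pwned === true, error: e.constructor.name };
  }
}

if (process.argv.includes('--demo')) {
  console.log('eval:      ', demonstrate(parseJsonWithEval));
  console.log('JSON.parse:', demonstrate(parseJsonSafely));
}
```

The same reasoning applies to any language whose "quick" deserializer can instantiate arbitrary objects (pickle in Python, unserialize() in PHP, Java object streams): a parser for untrusted input must accept data only, never code.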

Access to protected storage needs a flexible but reliable authentication and authorization approach, and the chosen system should be multi-platform to support the variety of modern devices. OAuth 2.0, the open standard for delegated authorization (strictly an authorization framework; authentication is usually layered on it with OpenID Connect), seems to be the leader in this area. Token-based access such as JSON Web Tokens is also a decent candidate. Among other advantages, a token that the client sends in an Authorization header is not attached automatically by the browser the way a cookie is, so the authentication token doubles as a CSRF defence. That property is lost as soon as the token is stored in a cookie, and the server must still verify the signature, the algorithm named in the header and the expiry on every request.

Output data security

Since there are still plenty of opportunities for code injection, checking output variables before a template is rendered remains a strict requirement. Fortunately, many modern template engines, such as Handlebars or Mustache, escape output by default, and turning that off would not be a good idea. Instead of reaching for raw output, developers ought to reconsider their habits and keep complex logic out of templates. Bear in mind that the default escaping covers HTML text and quoted attribute values only: a value dropped into a script block, a URL or a CSS rule needs context-specific encoding.
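To show what "escaped by default" actually does, here is an added example written for this article (not SpamExperts code and not the real Mustache or Handlebars implementation): a minimal Mustache-style renderer in which {{name}} is always HTML-escaped and only the explicit triple-brace form {{{name}}} emits raw markup. The template strings and user data are constructed for the demonstration.

```javascript
// Added example (not from the original post): escape-by-default templating.
// Templates and sample data are constructed for the demo.
'use strict';

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };

// Encode the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPES[ch]);
}

// Walk a dotted path using own properties only, so a template cannot reach
// into prototypes ({{constructor.prototype...}}). Missing values render as ''.
function lookup(data, path) {
  let cur = data;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, key)) return '';
    cur = cur[key];
  }
  return cur === null || cur === undefined ? '' : cur;
}

// One regex, one pass: {{{raw}}} is tried first, then {{escaped}}. A single pass
// matters, because raw output must never be re-scanned for more tags.
const TAG = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;

function render(template, data) {
  return template.replace(TAG, (match, rawKey, escKey) =>
    rawKey !== undefined ? String(lookup(data, rawKey)) : escapeHtml(lookup(data, escKey)));
}

// Constructed user-supplied data containing an injection attempt.
const USER = {
  name: '<script>alert(1)</script>',
  title: '" onmouseover="alert(1)',
};

if (process.argv.includes('--demo')) {
  console.log(render('<p>{{name}}</p>', USER));           // escaped: inert text
  console.log(render('<a title="{{title}}">x</a>', USER)); // attribute stays closed
  console.log(render('<p>{{{name}}}</p>', USER));         // raw: the script runs
}
```

The triple-brace form exists for markup the server itself generated (a sanitized rich-text field, for instance); the moment it is applied to a user-controlled value, as in the last line of the demo, the default protection is gone and the page is open to XSS.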

Human factor security

This is the most critical part of any security system. Unfortunately, people can defeat any protective measure with an unpredictable action or an odd decision. It is crucial to train staff continuously and to monitor closely how they follow the rules. It would not hurt even to provoke staff into breaking a rule and watch how they react; this is often far more insightful than many regular reports and leads to valuable conclusions.

To summarize: the field of web-application security is huge and varied. Every project has its own goals, reasons and approaches behind the scenes, so the developer must consider many realistic usage scenarios to make it secure, and reduce or exclude those that do not seem secure enough for the parties involved. Web-application security remains one of the most complex aspects of modern web-application development.

What have you experienced so far in web-application development, and how do you deal with security issues on a daily basis? We would be glad to hear your input in the comments below.
