Do you know how to develop web applications that bring unparalleled success?
Your web apps should provide a rich and consistent user experience while being reliable and free of faults, whether they are open source or paid. At the same time, web security is of key importance. Use this extended checklist to focus on web application security at any development stage: it is suitable both for the period before launch and for the very first stages of software development.
Before we go further, please note: this web app security checklist is a good starting point and a source of inspiration for your work. Save it for later so it is always at hand the moment you need it. You can also use it to keep control of the development stage when outsourcing, which minimizes risk when choosing a vendor for your web app.
To deliver a truly great product, make sure the development itself is done securely. Now let’s take a closer look at the key recommendations on how to secure your web product.
So, let’s get started. We will divide our web application security list into 4 main groups: application security testing and development, authentication, data storage and databases, and cloud configuration and network security.
Now let’s examine each of these groups in detail.
Application security testing and development
During the software development process, a lot of attention should be paid to web app security. Whether you develop in-house or use outsourcing/outstaffing services, make sure the developers canonicalize every input before validating it and know exactly what the server expects in every field.
- Scan for web application vulnerabilities: every component of your software, from each pushed version up to production, should be scanned. Your product should not contain any format string vulnerabilities. Fix weak points as soon as they are detected.
- Start with secure coding. Develop on hardened development systems that are kept separate from production, and configure development and production systems with equal security vigilance.
- Upgrade without downtime in a fully automated manner.
- Avoid SSHing into services (except for one-off diagnosis).
- Decommission the app in case its maintenance and support are no longer available.
- Use TLS for the whole web resource, not just the login forms and their responses.
- Send HSTS response headers to force TLS-only access, and redirect HTTP requests to HTTPS on the server as a backup.
- Ensure that the users of your APIs are authenticated and authorized correctly.
- Add canary checks to your APIs that detect illegal or abnormal requests, so that attacks can be blocked early.
- Make sure the developers’ choice of randomness source (a cryptographically secure generator, not a plain PRNG) and of cryptographic algorithms is sound.
- Create and rehearse a security incident response plan. You never know when you might need it.
As the first line of defense, authentication must be crafted securely and carefully. Below are the key points about authentication in secure web applications to keep in mind when creating any software:
- Ensure that all passwords are hashed with a proper password hashing function, for instance bcrypt. Creating your own crypto is not recommended.
- Don’t invent your own login, forgotten-password or other password reset functionality; you might not get it right in all scenarios. Instead, use industry-standard best practices and proven components.
- Set clear but adequate password rules that encourage your users to create long passwords.
- Put a CAPTCHA in front of public-facing APIs to protect back-end services against DoS.
- Don’t forget to enable multi-factor authentication for your logins to all the service vendors you deal with.
The way your data is stored and handled is of vital importance. Whether you develop in-house or outsource, these are the key database aspects of web development to take into consideration:
- Encrypt all of your data, including private data such as names, billing details and access tokens.
- Store all of your backups in encrypted form.
- Ensure that all your back-end databases and services run inside private VPCs that are not reachable from the public internet.
- Use strong passwords and grant minimal privileges to the database user account the application connects with.
- Keep and share sensitive data through a key store created for that purpose. Don’t hard-code secrets in your products or store them in GitHub.
- Prevent SQL injection by using SQL prepared statements. For instance, when you use NPM, use npm-mysql2, which supports prepared statements, rather than npm-mysql.
Cloud configuration and network security
If you take security seriously, cloud configuration must be handled properly:
- Your services should expose the minimum number of open ports. Security through obscurity is no protection on its own, but non-standard ports can still make automated scanning a little harder for attackers.
- For inter-service communication, put logically separate services in separate VPCs and peer the VPCs.
- Minimize exposed IP addresses and the number of accounts that need access; apply least-privilege access for your ops and developer teams.
- Use IAM roles rather than root credentials.
- Rotate passwords and access keys on a regular basis.
At every stage of the development process, a lot of attention should be paid to security. All of your sensitive information should be encrypted. Start with secure code and make sure every aspect of your web app remains secure. Don’t forget to canonicalize input strictly and to know what the server expects in every field.
Never forget a step in your website development again: use the checklist, which covers many common vulnerabilities. Bear in mind, however, that checking all items off the list is by no means a guarantee that your web app is secure. Nevertheless, it is still a good starting point.