How-to web application Security

Gespeichert von felix-steidler am So., 29.11.2020 - 21:42

In this article we want to take a closer look at how we can secure web applications. But let me tell you the good thing first: You don`t need to be a expert in IT-Security to get a "basic" protection for your web-app.

Frist: Think about your situation

However you should have a closer look at your circumstances. In generell you can say: The higher secure-level you want to reach the more expensive it will be. So fist thing you should do is a security/risk analysis. Therefor you can create a "risk-matrix" and take care on points like:

  • How important is the application for my business?
  • Does my application handle with important datasets for my business?
  • Does my application handle with private customer data?
  • etc...

Before you read any further: If your working in an enterprise environment and your application is essential for a "big business" maybe its better to request some professional it-security consulting. However you can become active yourself at short.

 

Second: Analyse your application

Take some time and ask your self some questions about your web application. You will need this deeper understanding of your application to introduce security measures later in this article. 

  • What have I already done for my application security?
  • Is my application based on a common framework and is this framework implementing security features?
  • Do I use OpenSource Software and when it was updated last?
  • What’s my application architecture, do I use virtualization e.g. docker or k8s, what’s my programming language e.g. php?
  • Where is my application hosted: onPrem or maybe cloud?
  • What’s my Webserver the application is running on?

 

Third: Common security solutions

Application security

In generell

Check your application for common web application vulnerabilities such as injections, XSS or data exposure. In most cases your application is build on top of a framework and will implement common security measures, e.g. protection for SQL-injection or dependencies injection. Inspect all of your application components such as client-side implementations.

Notice: Common web vulnerabilities like XSS, SQL-Injection, CSRF or filepath-traversal you will find here later.

Notice: Carefully check your self-written source code. Very often you will find unintended vulnerabilities such as bypassing security implementations or misconfiguration.

Security cheatsheets and top 10

Look at your application and try to identify core technologies you`re using there. You will find a lot of literature on the internet. Security organizations such as OWASP.org will publish best practices for everyone. For web applications you should can have a look at „Top 10 - Web Security“. It’s highly recommended to check your application for all security recommendations from there. If you`re looking for more detailed informations on a specific technology you can find this as cheatsheets, e.g. for „SSO with SAML2.0“ you can find additional "cheat sheets". It’s highly recommended to read those guidelines and think about what to apply for.

Open source security

Nearly every modern web application is using 3rd party dependencies. To exploit vulnerabilities in open source software is maybe one of the easiest and most frequently thing in hacking web apps. So it`s better to take care about this point. Common vulnerabilities on your software stack you can find in so called "vulnerability databases" such as CVE. There you can search for your dependencies and will maybe find a list of current vulnerabilities. Maybe then it`s better to update your dependencies to a newer version, including security patches or think about removing those software. Another way will be using tools for this. Here you can us enterprise products like NexusIQ or Artifactory often you can also find security features in your regular development stack such as the npm - Audit feature in context of node.js.

 

Web server security

When implementing web-applications a common security issue is not to configure your web application server. When running Apache HTTP, Nginx, Tomcat or something similar you can increase your server security be setting a few configurations and permissions, e. g. for the Apache http web server you will find some informations here.

Mostly recommended:

  • Settings security headers
  • Restrict permissions for your user running the webserver
  • Setting log levels and log rotate
  • Introduce a good monitoring such as efk stack (elastic search, fluentd, kibana)
  • Take care of directory listning
  • Setup a web application firewall

Runtime setup

Your application is either interpreted or compiled and running as a process on your web server. There for you can configure things such as logging and error levels by your runtime environment. You should do this e. g. to prevent debug informations or similar displayed on your website. E. g. for php you can look at the php recommendations.

HTTP Headers

Setting http headers allows you to add additional behavior for your communication between web server and browser client. This can be very helpful to protect you and your customers in web communication. On the www* you will find a lot of tools to test your application for this, e. g. Security Headers.

Security Headers

TLS (ssl-encryption)

This point can be quickly checked: Always secure your webserver connection using tls. This should be a quite basic think for you (e. g. nowadays you will not get a good google seo ranking without tls security). On the www* you will find a lot of tools for testing your ssl such as ssllabs. If you need support to get some free ssl certificates you can have a look at letsencrypt.org.

Notice: In past a lot of applications only run on tls until they do communication inside the company network. Nowadays its a good approach to secure all your connections (even inside company) with tls. Especially on modern infrastructor, using docker or kubernetes, you should do this to protected your customers private data. 

ssllabs

 

OS / Container Security

In this article we will only have a quite short look at this point, because operation system security such as linux security is really a large field so i will only give a short introduction:

  • Restrict your permission! Always know what your running as root and how to access root permissions and limit this as much as possible
  • Take care of your network traffic! Where is your machine accessible from? Limit your ports to whats really necessary.
  • Also keep your software running in your OS  
  • Again setup firewalls

Notice: In short some best practices for linux security you can finde here. If your using docker or/and kubernetes again you can have a look at some best practices from the owasp cheet sheet.

Infrastructure Security

This is again a really large point so we will not go into details here. However i want to name one very important thing in context of web applications here. You should use a web application firewall (WAF) in front of your web application. A WAF can be integrated in your current web application server or be a standalone system in your infrastructure. Important is that it act as a central reverse proxy for all your network traffic from the internet to your web application and back. A WAF is implementing additional features for network security such as blacklisting dangerous calls (e. g. XSS script code in http requests) or preventing your system from DoS attacks. Often you can find build in WAF security features for your web server such as modsecurity as part of your apache http webserver.

WAF Setup