Since more and more applications are moving to the Web application platform, they are becoming the target of mischief and illegal attacks. You need to be able to defend and protect your application by arming yourself with the knowledge of how these attacks can occur as well as learn how to fix these problems when one is found. A secure Web application has three characteristics: accessibility, confidentiality, and integrity. It is ultimately the responsibility of the designer and programmer to think about security when designing their systems since we cannot rely on security analysis of the platform alone to keep things safe. In this article I will discuss these ideas of Web application security as well as what makes an application secure.
The system, application and data are available to legitimate users, but no one else. For developers this often means a user authentication process such as a user ID and password and possibly SSL if needed. It is also a good practice to require re-authentication for account management or other sensitive tasks, even if the user has a valid session token. This will provide an extra layer of security should the user get up from their computer and another person has access to a session that was left open.
Authentication allows us to control access to only those that need the data but authentication is only as good as the methods you are using. A strong two-part authentication such as a user ID and complex password can only work so far if the proper processes are in place. You should also include management tasks such as regular password changes, strong passwords, user information updates and other functions.
Access only to the data users need to see and no more. By using access control methods we can control how Web applications use the authentication processes that we have put in place. The concept of allowing or denying content based on that authentication is a staple of Web application security. There are two kinds of access control issues:
- Client-side caching: Most Web browsers cache Web pages by default. Attackers can access the cached information to gain access to a restricted part of your site. This is also a problem with public computers where users share access. This data is vulnerable when multiple users share a computer and Web applications can include ways to restrict the caching of sensitive information to prevent unauthorized access from other users.
- Path traversal: Attackers use the structure of your Web site to attempt to access information or areas where they should not be allowed access. Make sure that you are protecting sensitive areas from direct access as well as through normally traversed routes.
Where you store the sensitive data of your site can make a big difference in the security of your application. Avoid storing files that contain private information in your site’s directories unless you can secure the files with a file-system-level type of security. Unprotected data can be easily found through direct URLs.
Integrity means your data is tamper-proof. Input should be validated and stored or data should be protected from unauthorized tampering. This can take the form of cross-site scripting, buffer overflows, SQL injection and other forms of attack that are used to bypass a site’s security mechanisms. Most attackers can easily bypass client-side checking mechanisms, so be sure you are using all of the tools at your disposal. Server-side checks are necessary to defend your data’s integrity and protect your site from exploitation.
You also want to watch for uploaded files if your Web application allows for users to add files to your sites. Do not store user-uploaded information in your site’s directories. A common method of attack is to upload a file in the same language as your application, which is then stored in your site’s directories. The attacker can then create a URL that will allow the file to be run, giving them control of your website. Preferably, this information would be stored in a database or outside of your site. This way, a file that contains malicious content cannot compromise your site’s security by giving the attacker access to your application.
It’s important to keep updated on the new trends and methods you can use in computer security. Keeping your Web applications secure will keep your data secure and keep breaches at a minimum. Security should be a planned concern during the application build process and software development techniques such as code review and third-party evaluation are important to find flaws in the software. Every professional developer should keep security in mind when programming their applications so they are able to produce the best quality software.