With the prevalence of crypto-malware, ransomware, identity theft, and state-sponsored attacks, securing a web application has never been more important. This guide will provide a high level overview of steps System Admins and businesses can take to ensure that their web applications are secure against potential attackers. This guide isn't meant to be exhaustive, but more of a checklist and outline of steps to take for better web application security.
1. Infrastructure Security
Infrastructure security relates to the physical hardware which is serving your web application. This is typically a cloud hosting provider such as Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, Digital Ocean, Rackspace, or others. Some organizations may rely on one or more cloud hosting providers to fulfill their infrastructure needs and some may deploy a combination of cloud, co-located, or on-premises solutions to create a hybrid cloud environment. Regardless of your specific configuration, here are some important steps to follow for infrastructure security:
Choose a reliable hosting provider
Whether you're deploying a cloud hosted, co-located, or hybrid environment, one of the first steps is to pick a reliable hosting provider. The provider you choose should have an easily accessible security, compliance, or governance policy which specifically details steps their organization takes to ensure the security of their physical infrastructure as well as what compliance offerings are in place. Here's a list of common cloud vendors with links to their respective security policies:
- AWS Cloud Security
- Google Cloud Trust and Security
- Microsoft Azure Security
- Digital Ocean Trust Platform
- Rackspace Technology Compliance Certifications and Security Standards
Keep in mind that no single cloud provider is perfect and all the listed providers have suffered serious outages over the years. While outages tend to be rare, they do happen and will often affect a large portion of customers and the internet in general, so you usually won't be along during an incident. Depending on your organization's budget and risk tolerance, you may consider deploying your infrastructure with one or more cloud providers.
Deploy reusable infrastructure
A great way to coordinate server orchestration and to ensure uniformity across your infrastructure is to implement an Infrastructure as Code (IaC) framework such as Hashicorp's Terraform. Here's a few benefits of utilizing an IaC approach to your DevOps:
-
Setup consistency
With IaC, your infrastructure setup is completely standardized because it's defined in code. This allows DevOps engineers to easily spin up new server instances and apply changes to existing instances without the need of manual processes such as logging into individual servers. -
Reliable documentation
Your infrastructure is documented directly in the codebase. Gone are the days when only a single DevOps engineer understands how things are configured. This provides organizational security as well in the event that an engineer leaves the company, because another engineer will be able to understand the IaC and reliably make changes. -
Better software development efficiency
With IaC you can easily spin up QA, staging, or development environments which mimic production. This allows developers to focus on writing code instead wasting time playing DevOps. IaC also allows you to easily spin up and destroy infrastructure so that you don't need to pay for what isn't being used.
Apply regular server updates
Few things can be more anxiety inducing than logging into a system and being presented with the following message of the day:
127 packages can be updated.
54 updates are security updates.
Fortunately popular Linux distributions can be configured to install security and other updates automatically.
Always use a firewall
It's important to make sure your infrastructure is deployed with either a physical firewall on the network and/or a software firewall on each individual server instance. Firewalls are going to protect your servers from unauthorized access and will lock down any ports not being used.
Enable hosting provider backups
Most common cloud hosting providers offer a backup service at little extra cost. This can be a great way to ensure that your servers have a periodic snapshot which can be restored in the event of data loss or other compromise.
2. Application Security
Application security relates to the components built into the software of your app. It's the web framework, plugins, modules, and software written by developers.
Framework and platform software updates
If you're utilizing a framework or platform for your website, it's important to ensure that the underlying code is kept updated with the latest releases from the vendor.
SQL injection
If your website utilizes a database and includes custom code written by developers it's important to ensure you protect against SQL injection. Many popular platforms such as Drupal and WordPress have built-in sanitization with their codebase. You should take extra care if you're developing a custom app using a framework such as Laravel, Flask, Django, Express.js, Next.js, Symfony, and others.
Input sanitization
There's a common saying in web development and that's to "never trust the user's input," and it couldn't be more true when it comes to securing a web application. Always assume that data the user gives you are untrustworthy and deploy sanitization steps on your application's backend. It's a good practice to implement frontend validation for your input fields, but keep in mind that users can easily disable JavaScript and bypass any frontend validation, so it's paramount to make sure your backend also validates and sanitizes the data.
Cross-site scripting (XSS)
Cross-site scripting, also known as XSS occurs when a malicious third party is able to get an unsuspecting user to execute a bad frontend JavaScript file which can then be used to access frontend data of a website such as cookies, session information, and even rewrite a website's HTML.
Encrypting traffic
There's no reason not to encrypt all web traffic these days, and it's now considered best practice. You no longer are forced to pay for an SSL certificate from a certificate authority and services such as Let's Encrypt have made it easy and affordable to enable https on all websites.
Consider static websites
Dynamic websites are great and platforms such as WordPress and Drupal have made it easy to create content rich sites with an easy-to-use backend interface. However, having editing capabilities easily accessible via the web can present another attack vector. Consider deploying a static website without a web-facing backend component.
3. External API Security
External API security relates to keys and passwords used to access data resources around the web. Maintaining a solid policy for password and key management is critical to any web application security best practice.
Principle of least privilege
- The principle of least privilege is a concept where users or API keys are given the minimal level of access needed to perform their function.
API key protection and password management
- Always make sure your API keys are stored in a secure way and never in version control or passed around insecurely between developers.
- Utilize a password manager such as 1Password or LastPass to store unique passwords for all your logins.
4. Continuous Monitoring
While you can do your best to build a solid foundation for web application security, it's also important to continually monitor your web application for suspicious traffic and updates.
Infrastructure diagram and documentation
It's important to make sure you have documentation for your web application. A great way to document any sort of web setup is through a visual medium such as a flowchart or mind map. There's plenty of free to use diagramming tools out there such as Diagrams.net which include a library of commonly used resources, so you can map out your infrastructure. Having a visual map improves the understandability of your system, so you can visualize attack points and areas for improvement.
Threat assessments
Conducting a threat assessment is a useful way to determine where the most critical information lies within your system. Is it your user's information, private company data, or some combination of both? Thinking in the shoes of a bad actor can help you build a good defense to areas of your infrastructure which could become compromised.
Uptime monitors
No one should be online 24/7 checking to see if their infrastructure is still running. Fortunately the internet is always buzzing and there's a plethora of tools available which can monitor your web application and alert you if something is amiss. Here's a few common examples:
- Port Monitor
- Nginx Amplify
- New Relic
These services have both free and paid tiers depending on the amount of monitors you want to deploy.
Periodic penetration tests
Stay a step ahead of malicious actors by conducting periodic penetration tests of your infrastructure. If you don't have the resources to do this yourself there's a variety of "white-hat" ethical hackers you can hire who will scan your system for vulnerabilities and then provide you with a report of what needs to be fixed.
Security vulnerability newsletters
There's dedicated industry dedicated to cyber-security and new threats emerge every day. A good way keep updated on the latest security threat is to subscribe to cyber-security newsletters. Here's a few to consider: