I am still routinely shocked by the lack of concern for security best practices exhibited by some developers and we’re not just talking about small, bespoke applications. I was recently working with an off the shelf web application and discovered it was storing passwords in plain text in the database and configuration files on the file system, along with storing unencrypted user data and generally showing absolutely no regard for security or the vulnerability of users’ data.
Due to the sensitive nature of the data processed by some applications, additional security measures may need to be considered to ensure Personally Identifiable Information (PII) and Payment Card Industry Data Security Standard (PCI DSS) information is handled correctly, but all applications, regardless of their purpose or size should follow security best practice in order to ensure they are not needlessly vulnerable to attack. Web site owners owe it to their users and their business to look after user data and protect their interests as well as minimising the risk of attack.
Here are five well known security considerations that should always be implemented in any web application, yet these are issues I regularly see being overlooked:
- Passwords should never be stored in plain text. Passwords should always be one way hashed, ensuring that they cannot be converted back to plain text. This can be taken care of with the use of salting and hashing techniques. This ensures that the passwords are only ever known to the users themselves.
- All input data must be validated and sanitised in order to prevent injection attacks. If input data is not sanitised correctly malicious code could potentially be used to compromise the system. This is an extremely common attack vector and is very easily guarded against with suitable sanitisation of input data.
- As well as validation, any user input to be displayed within the web application must be HTML encoded in order to prevent cross-site scripting (XSS) attacks. If data is not HTML encoded then malicious code has the potential to be executed by an attacker supplying it as input data.
- Web applications should take measures to ensure that the user did actually request the action to be processed. This is required to prevent cross-site request forgery (XSRF), which if left unhandled could allow an attacker to perform an action using another user’s details. This vector is often exploited by tricking a user into following a URL that will perform an action they did not intend, on a web application they may be logged in to. There are a number of ways of guarding against this, which generally consists of using a unique token that is expected by the server on every request.
- All sensitive data that is stored should be encrypted. Sensitive data should never be stored in plain text, this ensures that someone with access to the server or database will still be unable to read it.
In addition to the steps outlined above, it is also important to ensure that servers are kept up to date with the latest security patches and that servers are correctly configured, with user accounts having the minimum permissions necessary in order to complete the required tasks.
These are just a few well known but incredibly important steps that when followed correctly will increase the security of your web application enormously and should simply never be neglected. There’s no excuse.
Author: Mark Pynen