10 Best Practices for Application Security
It's hardly necessary to remind you about the critical importance of application security, but at least we should offer some historical context. Keep in mind that when we say history in terms of computing, we're talking dog years. Things change so quickly that the latest and greatest innovation becomes stale in a matter of months. To put things in perspective, let's remember that it was only recently that business applications were let out of their pen.
For the longest time, corporate workers logged into intranets whose equipment was housed in secure local data centers, often in-house. Now both users and applications are spread all across the world, and road warriors connect to confidential company data through handheld and laptop electronics. Now it's like the Wild West out there. Application security is more important than ever.
The bad guys will poke into every nook and cranny to try to find a way into these distributed networks. IT professionals have more to look after than the traditional campus networks and intranets. To combat the evils of hacking and the weaknesses of poorly implemented networks, an organization called the Open Web Application Security Project (OWASP) was formed in 2001.
We have written about the OWASP Top Ten List and Trends in Application Security in previous posts. Here, we have a look at what responsible IT professionals, managers, and users should do about application security.
Some industries have codified their best practices. But because there is no clear consensus on the most important best practices for web application security, we will offer our own. Other writers' lists will differ. So, what are the best practices in application security?
1. Follow Secure Coding Practices
The first priority in the mind of an application developer is to make it work. If the software doesn't perform its intended functions, it has no value, no matter how many bells and whistles it has. But too often coders are so immersed in the task of getting their programs to run properly that they may overlook what is really a higher priority: security. Tech writer Garrett Gross calls it "a logical first step".
Jaikumar Vijayan, freelance writer for Tech Beacon, suggests that software writers should implement a DevSecOps approach. That just means adding security into the equation during the development stage. OWASP has blessed us with a lengthy list of coding practices that address the intersection of coding and security. It's called the "OWASP Secure Coding Practices Checklist", and it covers these areas in depth:
Authentication and Password Management
Error Handling and Logging
General Coding Practices
2. Enforce Minimum Permissions
We cite this as a best practice, but it is normally stated in another way: the Principle of Least Privilege. TechTarget defines it as "the practice of limiting access rights for users to the bare minimum permissions they need to perform their work".
It's like the old story of the camel sticking his nose in the tent. Once he's in, he really wants to go all the way in. A malicious user who is granted too liberal of an access level may use his wiles to nose around in your confidential data and do a little mischief. Best practice is to keep his nose out of the tent in the first place, or at least prevent it from getting in too far.
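The camel's nose translates into code as a deny-by-default permission check: a role gets exactly the actions it was granted and nothing else, and anything unrecognised is refused. The following is an added example, not code from the original article or from TechTarget; the role names, action names and the hypothetical reporting application are all assumptions made for illustration.

```python
# Added example (not from the original article): a deny-by-default permission
# check illustrating the Principle of Least Privilege. Role and action names
# below are hypothetical.
from typing import Dict, FrozenSet, Iterable, List

# Each role lists only the actions it genuinely needs; anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"report:read"}),
    "analyst": frozenset({"report:read", "report:export"}),
    "admin": frozenset({"report:read", "report:export", "report:delete", "user:manage"}),
}


def is_allowed(role: str, action: str) -> bool:
    """Return True only if the role explicitly grants the action.

    Unknown roles, unknown actions and anything not on the list fall through
    to a denial, so a misconfiguration fails closed rather than open.
    """
    return action in ROLE_PERMISSIONS.get(role, frozenset())


def roles_granting(action: str) -> List[str]:
    """List the roles that hold a given action; handy when auditing for over-privilege."""
    return sorted(r for r, perms in ROLE_PERMISSIONS.items() if action in perms)


def least_privileged_role(required_actions: Iterable[str]) -> str:
    """Pick the role with the fewest permissions that still covers every required action.

    Returns an empty string when no single role covers them; the caller should
    then split the task rather than hand out admin to get the job done.
    """
    needed = frozenset(required_actions)
    candidates = [r for r, perms in ROLE_PERMISSIONS.items() if needed <= perms]
    if not candidates:
        return ""
    return min(candidates, key=lambda r: len(ROLE_PERMISSIONS[r]))


if __name__ == "__main__":
    print(is_allowed("viewer", "report:delete"))                    # False
    print(is_allowed("ghost", "report:read"))                       # False: unknown role denied
    print(roles_granting("report:delete"))                          # ['admin']
    print(least_privileged_role(["report:read", "report:export"]))  # analyst
```

The useful habit here is `least_privileged_role`: when a new job needs doing, start from the smallest role that covers it instead of reaching for admin, and use `roles_granting` to spot actions that more roles hold than should.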
3. Automate Security Functions
Have you properly secured your applications? How do you know?
"The best way to know your applications are safe is to have an automated process to check the application every step of the way," says Docker VP and CSO contributor Banjot Chanana. He says that one way to do that is to envelop your application in a secure container, which is a cutting-edge method of application delivery.
According to TestingWhiz, "Automation for security tests is related to automation of performance or functional tests." In other words, while a coder is developing and testing his application with automated tools, he may as well be testing for security while he's at it. Automation and testing go hand in hand, but we have kept them separate here for emphasis. Besides, there may be other security functions besides testing that a developer or operator will use with their web applications.
4. Testing! Testing! Testing!
The IT certification company Offensive Security Ltd certainly puts their certification candidates through the paces. Their main focus is penetration testing and their exams are sheer tests of endurance. The shortest exam is four hours long, and the longest one lasts for three days! These IT security candidates are taught to try to break into web applications and IT systems as white-hat hackers.
It's this kind of aggressive testing that is required to ensure that your applications are safe. The point is that if you — or your hired hand white-hat hacker — can penetrate your web software, then so can the other guys. Constant and thorough testing will keep the black hats out of your apps.
5. Patch Your Web Servers
The focus of attention may have changed from security at Layers 2 and 3 to Layer 1 (application). But the best security practices take a top-to-bottom and end-to-end approach. That means securing every component in your network infrastructure as well as the application itself.
The security status of web servers is easy to overlook. Have you checked for updates or patches on your Windows, Unix, or Linux servers lately? You may be surprised to see what you've missed.
6. Inspect All Traffic
Your application belongs to you. It stands to reason that you should have some control of the traffic passing in and out of it. You're allowed to make the rules, and you determine the type of allowed traffic. To inspect and filter web application data, you need a web application firewall (WAF). Here is how OWASP defines it:
"A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection."
Set up your firewall to detect unwanted or suspicious traffic — and block it immediately. This is especially important for critical data paths that are subject to financial and government regulation.
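To make the OWASP definition concrete, here is an added example (not code from the original article, and not any real WAF's rule set) of a minimal rule-based inspector: it normalises each HTTP request line by URL-decoding it, applies a handful of signatures for the two attack classes the definition names, and returns a block/allow verdict with the rule that fired. The sample request lines are constructed for the example; a production deployment would use a maintained rule set such as the OWASP Core Rule Set rather than these few patterns.

```python
# Added example (not from the original article): a tiny signature-based request
# inspector in the spirit of a WAF. Rules and sample requests are constructed.
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote_plus


class Verdict(NamedTuple):
    request: str
    blocked: bool
    rule: Optional[str]


# Detection rules, deliberately limited to the attack classes OWASP's definition
# mentions (XSS and SQL injection). A real WAF carries a maintained rule set.
RULES = {
    "xss-script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "xss-event-handler": re.compile(r"\bon(error|load|click)\s*=", re.IGNORECASE),
    "sqli-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
    "sqli-union": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE),
}


def normalise(raw: str) -> str:
    """URL-decode repeatedly so encoded payloads (%3Cscript%3E, or the
    double-encoded %253C...) are inspected in the form the application will see.
    The loop is bounded so pathological input cannot keep it spinning."""
    prev, cur = None, raw
    for _ in range(3):
        prev, cur = cur, unquote_plus(cur)
        if cur == prev:
            break
    return cur


def inspect(request_line: str) -> Verdict:
    """Return whether the request should be blocked and which rule matched."""
    target = normalise(request_line)
    for name, pattern in RULES.items():
        if pattern.search(target):
            return Verdict(request_line, True, name)
    return Verdict(request_line, False, None)


def inspect_many(lines: List[str]) -> List[Verdict]:
    return [inspect(line) for line in lines]


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /search?q=laptop+bags HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "GET /item?id=1'+OR+'1'='1 HTTP/1.1",
    "POST /login HTTP/1.1",
]

if __name__ == "__main__":
    for v in inspect_many(SAMPLE_REQUESTS):
        status = f"BLOCK ({v.rule})" if v.blocked else "ALLOW"
        print(f"{status:28} {v.request}")
```

Two practical points the code makes visible: decoding before matching is what lets a rule catch an encoded payload, and the same repeated decoding can mangle legitimate input (a literal `+` in a search term becomes a space), which is why WAF rules need tuning against real traffic to keep false positives down.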
7. Encrypt Everything
Any network professional worth his salt knows the difference between HTTP and HTTPS. But just in case you need a refresher, we'll lay it out for you. Hypertext Transfer Protocol (HTTP) is the standard protocol for building websites. A protocol is a conversation, in this case, between web clients and servers. It involves requests and responses back and forth across the World Wide Web (WWW).
Hypertext Transport Protocol Secure (HTTPS) is the secure version of HTTP. As Techopedia explains, "HTTPS is primarily designed to provide enhanced security layer over the unsecured HTTP protocol for sensitive data and transactions." All websites with confidential data should use HTTPS. But don't stop there.
Application encryption is possible across many layers. Files, disks, databases — there are lots of elements that could use some form of encryption, and it all works together to keep out intruders.
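"All websites with confidential data should use HTTPS" is easy to state and easy to undo with a single forgotten virtual host. The following is an added example, not code from the original article or from Techopedia: a small WSGI middleware that refuses to serve over plain HTTP, answers such requests with a redirect to the HTTPS URL, and stamps secure responses with a Strict-Transport-Security header so browsers stop trying plain HTTP at all. The wrapped `hello_app`, the `app.trust_proxy_headers` environ key and the hostnames in the usage are assumptions made for the example.

```python
# Added example (not from the original article): WSGI middleware enforcing HTTPS.
# The wrapped app and the "app.trust_proxy_headers" environ flag are hypothetical.
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]


def is_https(environ: dict) -> bool:
    """Decide whether the request arrived over TLS.

    The WSGI scheme is authoritative. X-Forwarded-Proto is honoured only when the
    deployment marks proxy headers as trusted (i.e. a TLS-terminating proxy in
    front of the app sets it); otherwise a client could simply claim "https".
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if environ.get("app.trust_proxy_headers"):
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_only(app: Callable, hsts_max_age: int = 31536000) -> Callable:
    """Wrap a WSGI app: redirect plain-HTTP requests, add HSTS to HTTPS responses."""

    def wrapper(environ: dict, start_response: Callable) -> Iterable[bytes]:
        if not is_https(environ):
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
            path = environ.get("PATH_INFO", "/")
            qs = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{qs}" if qs else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status: str, headers: Headers, exc_info=None):
            hsts = ("Strict-Transport-Security",
                    f"max-age={hsts_max_age}; includeSubDomains")
            return start_response(status, list(headers) + [hsts], exc_info)

        return app(environ, secure_start_response)

    return wrapper


def hello_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Hypothetical application sitting behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def run(environ: dict) -> Tuple[str, Headers, bytes]:
    """Drive the wrapped app with a recording start_response; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(https_only(hello_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(run({"wsgi.url_scheme": "http", "HTTP_HOST": "app.example", "PATH_INFO": "/login"}))
    print(run({"wsgi.url_scheme": "https", "HTTP_HOST": "app.example", "PATH_INFO": "/"}))
```

The proxy-header check is the part worth copying: if the app blindly trusted `X-Forwarded-Proto`, any client could set it and bypass the redirect, so the header counts only when the deployment has declared that a trusted TLS terminator sets it.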
8. Learn About New Vulnerabilities
Ignorance may be bliss, but it's also pretty risky. What you don't know can hurt you. To protect your applications from attack or unanticipated failure, you should find out about the latest threats to your application environment.
Of course, whatever information we could pass on to you this week might be old news by next week. So do a web search on "latest application vulnerabilities" and find out for yourself. We're all responsible for staying abreast of anything that might adversely affect our IT resources.
9. Focus on Key Threats
By now there must be thousands, nay, millions of potential threats to your software. It's ridiculous to think that you can personally keep up with them all. Of course, you'll need to depend on your security software, such as antivirus tools, firewalls, and so on. Also, make sure that you have the latest updates. That said, experts advise you to stay focused on the major issues, and those don't necessarily get the most press.
Gartner advises, "Focus on the Biggest Security Threats, Not the Most Publicized". And they put it rather succinctly at the beginning of the article:
"Don't let high-profile security attacks dominate your security efforts."
The most important threats, says Gartner, are the ones everyone already knows about, not the latest internet scares. They tell us that 99% of the vulnerabilities we will experience in the near future are ones that IT security professionals already know about. It's best not to major on the minors.
10. Create a Plan
We could say that this last bit of advice goes without saying, but that would not be true. Despite all the information about application security floating around cyberspace, there are probably a lot of organizations that haven't thought enough about the subject.
And even if they have people dedicated to application security, it makes sense to document your methods of procedure, troubleshooting processes, and escalation ladders. Everybody needs a plan.
Our Top Ten list is not the final word on application security best practices. But we hope that it's enough to spur you and your organization to action. Because best practices are something that you do, not just think about. And you know how important it is to protect your application infrastructure. Best of luck.