Web Application Security: As Important as it Ever Was

[Image caption: Soldiers protect the castle from the Trojan Horse.]

Staying on top of the latest vulnerabilities and constantly revisiting the security of your web application code can keep you one step ahead of internet ne’er-do-wells.

As anybody tapping away at the latest smartphone can attest, we live in a world of rapid technological change. Web technologies, standards and best practices are far from immune to these chaotic transitions. But with each new language, framework or SQL database alternative, one maxim remains the same: developers had better be proactively securing their apps against the inevitable line of malicious users.

Writing Secure Code: In and Out


Regardless of what language, framework or database a developer chooses, they should be concerned about the passing of data both into and out of their application. While it is true that some languages and frameworks handle data sanitizing automatically, this isn't always the case, and in certain situations those languages and frameworks might not go far enough. In any case, it falls to the developer to understand exactly what a language or framework is doing and to determine what additional data sanitizing should be implemented.


Let's look at jQuery as an example. By default, jQuery will allow a developer to select and write just about anything to a browser, including HTML and JavaScript. It's rare for a developer to create string data to be sent to the browser via jQuery and not dynamically include some variable data from a potentially untrusted source; HTML form inputs, for example. If any potentially untrusted data is being sent to the browser, it should be sanitized. jQuery provides a simple function for such a situation which strips HTML tags from DOM elements: text(). This function is generally safer to use than jQuery's html() function, which does not strip or remove HTML tags. For more advanced scenarios where certain HTML characters may be allowed or stricter cleaning must occur, it may be wise to investigate a template system such as Mustache, or a more configurable sanitizing library such as Sanitize.js.


Manual and Automated Pen-Testing


Once a developer has their application code written, it is important to get extra sets of eyes on the code to perform various quality-assurance tests, including tests for application security. Manual code review and penetration tests provide additional analysis from a human perspective but should be coupled with automated testing when possible. This can include static analysis of the application source code or the use of automated testing tools, whether open-source applications like OWASP ZAP or commercial products like IBM's AppScan, which simulate browser-based attacks from malicious users. Regardless of the tools chosen, a formal security review process should be defined and carried out during every development cycle for any major code release.

Resources


Lastly, there are many great resources these days for web application security. First and foremost would be OWASP (owasp.org), which many would consider the leader in open-source web application security. They offer numerous online materials which serve as great starting points for web application security, as well as some excellent open-source software, including the aforementioned OWASP ZAP. There are also several great security blogs out there: Veracode, the SANS AppSec blog and PortSwigger, to name just a few. In the battle against malicious users, it is important to remember that web application security is constantly changing, as new attack vectors are developed and used to exploit vulnerable applications every day.