Staying on top of the latest vulnerabilities and constantly revisiting the security of your web application code can keep you one step ahead of internet ne’er-do-wells.
As anybody plunking away on the latest smart-phone can demonstrate, we live in a world of rapid technological change. Web technologies, standards and best practices are far from immune to these chaotic transitions. But with each new language, framework or SQL database alternative, one maxim remains the same: developers had better be proactively securing their apps against the inevitable line of malicious users.
Writing Secure Code: In and Out
Regardless of what language, framework or database a developer chooses, they should be concerned about the passing of data both into and out of their application. While it is true that some languages and frameworks handle data sanitizing automatically, this isn’t always the case, and in certain situations those languages and frameworks might not go far enough. In any case, it falls to the developer to understand exactly what a language or framework is doing and to determine what additional data sanitizing should be implemented.
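The "in and out" principle above, as an added example that is not part of the original article: data coming in is checked against an allow-list and passed to the database only through a parameterized query, and data going out is HTML-encoded before it lands in markup. The in-memory SQLite table, the username pattern and the greeting markup are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed in-memory table standing in for the application's data store.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "<b>Bob</b> & co")],
    )
    return conn

DB = make_db()

# Allow-list for the username field (assumed shape: lowercase alphanumerics and underscore).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def is_valid_username(raw: str) -> bool:
    """Data in: accept only input matching the expected shape; reject everything else."""
    return USERNAME_RE.fullmatch(raw) is not None

def lookup_display_name(conn: sqlite3.Connection, username: str):
    """Data in: a parameterized query, so the value is bound as data and never spliced into SQL."""
    row = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None

def render_greeting(display_name: str) -> str:
    """Data out: HTML-encode a stored value before placing it in markup, even if it was 'ours'."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"

def greet(conn: sqlite3.Connection, raw_username: str) -> str:
    """Full path: validate on the way in, bind as a parameter, encode on the way out."""
    if not is_valid_username(raw_username):
        return "<p>Invalid username.</p>"
    display = lookup_display_name(conn, raw_username)
    if display is None:
        return "<p>Unknown user.</p>"
    return render_greeting(display)

if __name__ == "__main__":
    for candidate in ("alice", "bob", "carol", "bob' --"):
        print(repr(candidate), "->", greet(DB, candidate))
```

Note that the stored display name for "bob" contains markup; the encoding step on the way out is what keeps it from being interpreted by the browser, regardless of whether it was checked on the way in.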
Manual and Automated Pen-Testing
Once a developer has their application code written, it is important to get extra sets of eyes on the code to perform various quality-assurance tests, including tests for application security. Manual code review and penetration tests provide additional analysis from a human perspective but should be coupled with automated testing where possible. This can include static analysis of the application source code or the use of automated testing tools, such as the open-source OWASP ZAP or commercial products like IBM’s AppScan, which simulate browser-based attacks from malicious users. Regardless of the tools chosen, a formal security review process should be defined and carried out during every development cycle for any major code release.
Lastly, there are many great resources these days for web application security. First and foremost would be OWASP (owasp.org), which many consider the leader in open-source web application security. They offer numerous online materials that serve as great starting points for web application security, as well as some excellent open-source software, including the aforementioned OWASP ZAP. There are also several great security blogs out there – Veracode, the SANS AppSec blog and PortSwigger, to name just a few. In the battle against malicious users, it is important to remember that web application security is constantly changing, as new attack vectors are developed and used to exploit vulnerable applications every day.