Request a Proposal
Compliance Council Location

Knowledge

12 December 2018
Information Security

What is web application security?

What is Web Application Security?

Web application security means designing web applications to keep users’ data safe. Web application developers and owners must follow the security standards set out in the OWASP Application Security Verification Standard (ASVS) to develop safe and secure apps. These standards help to ensure that web apps do not contain security holes that scammers can exploit to steal data.

What is the OWASP Project?

OWASP stands for the Open Web Application Security Project. This project is a global not-for-profit organisation that has the aim of improving the security of web apps and software.

OWASP has launched an Application Security Verification Standard (ASVS) project to improve the security of web applications. ASVS provides a basis for testing web apps to ensure they are secure enough to withstand common types of attacks. It also provides developers with requirements to help them develop web apps that have adequate security.

The aim of OWASP ASVS is to standardise the level of rigor with which companies verify the security of their web applications. This allows all companies and organisations to avoid leaving vulnerabilities in their web apps, such as loopholes that allow SQL injection attacks or Cross-Site Scripting (XSS).

How to Establish a Secure Development Environment

All organisations need to establish secure development environments for system development. They must also protect this environment to ensure it remains secure. OWASP provides the following implementation guidance to help companies set up and maintain a secure development environment.

The first step is to assess the risks associated with development efforts. Examples of risks to consider include:

  • The sensitivity of data that the system will process, transmit, and store

  • Internal and external security requirements, such as federal regulations or company policies

  • Security controls already in place to support system development

  • Trustworthiness of employees working in the secure environment

  • The security of outsourced development

  • The need to segregate different development environments

  • Access control

  • How to monitor changes to the environment

  • The security of offsite backups

  • How to control data moving into and out of the environment

Once an organisation has identified risks, they should put in place and document processes to protect against them. All individuals working in the environment should receive a copy of the documentation.

How to Establish Secure System Engineering Principles

Part of setting up a secure web application involves putting in place secure system engineering principles. It is essential to not only establish these principles, but also to document them so they can be maintained and applied to all information system implementations.

It is important to design security into all architecture layers, including business, data, applications, and technology. This integration should balance the needs for security and accessibility. Whenever the business implements new technology, it is important to analyse the security risks that it could pose.

Secure system engineering principles need to be reviewed regularly to ensure they describe adequate security standards. Regular reviews allow established engineering procedures to stay up-to-date and relevant even as the business introduces new technologies and solutions.

How to Provide Secure Coding Training to Developers

Developers need appropriate training to help them create secure code. This training is necessary even for experienced developers to allow them to stay up to date with the latest security best practices and principles.

Pluralsight is a useful tool for training developers to create code that is more secure. With expert-led courses and assessments, developers can use this platform to assess their skills and keep up to date with the latest security technologies.

Another good option for learning the principles of secure development is Hacksplaining. Courses on this platform train developers to prevent SQL injection and command execution attacks.

Secure Code Warrior is another good way to train developers in application security. This tool focuses on providing gamified training, which can help developers to stay motivated.

Requirements for Information Security Testing

All developers should test their web applications to ensure they are adequately secure. The test environment must always be as realistic as possible to ensure the test results are reliable.

Information security testing should include static code analysis, dynamic code analysis, and code reviews. These analyses help to ensure that the code can withstand attempts to attack the application, such as SQL injection.

There are a number of tools available that can help with static code analysis. These include Veracode, SonarQube, Fortify, and Burp Suite. Any of these tools can help developers to ensure that code is as secure as it can be.

Vulnerability scanners such as Tenable and Detectify can also be helpful for detecting vulnerabilities in web applications. Always use a tool like this before allowing a web application to go live.

Third-party libraries can introduce vulnerabilities into applications that are otherwise secure. Before using any third-party library in a web application, use Whitesource to check that it is secure and safe to use.

Conclusion: How to Ensure Web Application Security Today

Web application security should be a high priority for all organisations, especially in light of the wide range of security threats that face businesses and consumers today. Through careful adherence to OWASP ASVS, rigorous testing, and regular developer training in web application security, organisations can keep themselves and their users safe from cyber attacks.