Web Security Policies and Processes
Good planning is crucial to ensure that you have a solid strategy for web application security as an integral part of wider cybersecurity. This includes developing formal strategy documents, fostering a security-first culture throughout the organization, and documenting your web assets so you know what you’re working with.
1. Define and Adopt a Cybersecurity Framework
A formal policy document and strategy approach is a must for large organizations. To make sure you cover all the vital areas without reinventing the wheel, it’s a good idea to start with existing industry standards. Cybersecurity frameworks provide a detailed blueprint for developing your own policies. While they are far too extensive for most organizations, you can pick and mix to select a starting set of policies that works for you. See our article on cybersecurity frameworks in web application security to get started.
2. Make Security Everyone’s Business
Organizations can no longer afford to leave cybersecurity to just the security professionals, and this also applies to web application security. Just as IT security policies and practices should involve a wide cross-section of functions, so web app security should also be integrated into all stages of the development, operations, and testing process. This is the idea behind DevSecOps – an approach that embeds security practices into the combined development and operations processes of DevOps.
3. Know Your Web Assets
A large organization can have hundreds or even thousands of web assets, including websites, web applications, web services, and web APIs. Even if you have only a handful of applications, they might be connecting to dozens of services and exposing their functionality via multiple interfaces. There might also be forgotten test and staging environments that are still live – but you still need to test every single point of web access. That’s why asset discovery is a crucial step in any cybersecurity program. Invicti provides a web application discovery service to help you find your assets so you know exactly what you need to secure.
Security in Web Application Development
The traditional approach to securing a web application has been to develop first and test later. With the rapid pace of development of modern applications combined with the growing intensity of web application attacks, this is no longer workable. Security must be an integral part of the software development lifecycle. Automation has also become a practical necessity, especially when a small team has to secure multiple new and existing websites and applications.
4. Incorporate Security into Software Development Practices
It goes without saying that prevention is better than remediation – you don’t need to fix vulnerabilities that were never introduced in the first place. Security training for developers is crucial not just to minimize the number of security issues that make it into application code but also to involve developers in the security process from the very beginning. With the increasing cybersecurity skills gap, web security teams are often understaffed and overworked, so a proactive approach to securing web application takes the load off the security professionals and speeds up the whole development pipeline.
5. Fix Vulnerabilities, Not Just Bugs
If you look at changes across the years in lists of common web security flaws such as the OWASP Top 10 or CWE Top 25, you will notice that some types of bugs keep coming back year after year: cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), buffer overflows – the list goes on. This is why communication and education are so important in web application security.
If developers treat vulnerabilities as just another bug to fix, it is likely they will make the same types of errors in the future. In effect, you will never run out of vulnerabilities, because new ones will appear just as quickly as existing ones are fixed. To see progress and build more secure applications, developers and security professionals need to work together to understand vulnerabilities and eliminate their root causes, not merely to fix bugs.
6. Automate and Integrate
At any one time, large organizations can have many hundreds of web assets to maintain and multiple new applications in development. This can mean thousands of vulnerabilities to identify, process, and fix. The only way to ensure web application security at that kind of scale is to automate everything that can be automated and integrate security tools directly into the software development lifecycle.
When this is done right, reliable reports of automatically verified vulnerabilities are loaded directly into the developers’ bug trackers and go straight to the fixing stage, bypassing the bottleneck of manual verification by the security team. Invicti provides extensive integration capabilities that aid automation and allow security professionals to focus on issues that only a human can solve.
Secure Web Application Operations
The real security test starts when your application is deployed to the web. By choosing the right tools and processes, you can minimize the risk of a successful cyberattack and maintain a solid security posture.
7. Use Enterprise-Grade Security Solutions
Cybersecurity has always been a game of cat-and-mouse, with criminals keeping at least one step ahead of the security industry. By using a cutting-edge web vulnerability scanner, you can accurately find vulnerabilities and confidently address them. If developers can’t immediately fix a critical vulnerability, you can use a web application firewall (WAF) to temporarily block that attack vector until a fix is deployed. With Invicti’s web application firewall integration functionality, you can generate WAF rules directly from vulnerability reports.
8. Minimize Your Attack Surface with the Latest Web Technologies
Even if your application code is secure, you still need to make sure the application is securely deployed and used. Many security measures exist to protect against specific types of attacks. For example, well-configured Content Security Policy (CSP) headers can stop many XSS attempts, while enforcing strong passwords can help to secure sensitive data and prevent data breaches caused by unauthorized access. On an operational level, you can use DDoS mitigation services to help protect your application against DDoS attacks.
9. Keep up to Date
As in network security, it is good practice to have and follow a patching and update policy for your web application environments. A modern web application can rely on multiple components in several layers, and they all need to be up to date. If you maintain your own infrastructure, you might start with the web server, application server, and database server. If you run a CMS such as WordPress, keep track of its development and be sure to use the most recent version for maximum security.
10. Test Your Defenses
Even if you have a solid security process and use leading-edge vulnerability scanning solutions, attackers might still be able to find a weakness somewhere. Periodic manual penetration testing by experienced security professionals will help you identify attack vectors that don’t show up during automated scanning. For example, a real-life attacker might combine several minor weaknesses into a critical vulnerability.
Red team vs blue team security exercises are one way of identifying vulnerabilities and testing the organization’s defensive response. You can also run a bounty program to encourage white-hat hackers to test your defenses and report vulnerabilities before cybercriminals can exploit them.
For a more detailed discussion, see our whitepaper Enterprise Web Security Best Practices: How To Build a Successful Security Process.