
Security Think Tank: Secure your web applications without prejudice

What are the main web security challenges for organisations and how are they best addressed?

Since the start of the World Wide Web, HTTP (Hypertext Transfer Protocol) and HTML (Hypertext Markup Language) in 1989 (yes, this is almost 30 years ago), the opportunities for organisations to share data and collaborate across the globe have exploded.

Today, four main iterations of HTTP later, complex client-side HTML5 applications bring endless opportunities to create visually pleasing and compelling client-server applications. However, with great power comes great responsibility. The richness and ubiquity of the web has also enlarged the attack surface. No need to go into details about the most notorious hacks of personal data, for example from Yahoo and Equifax – both attributed the success of those attacks to having poorly secured web applications.

I certainly do not want to shame the companies mentioned above. The truth is, web application security is difficult. Similar to DNS (domain name system), the web was not, at its inception, designed with any robust security controls embedded. Security arrived later in the form of add-ons that gradually improved authentication, encryption, state control, data validation, and so on. History and most information security courses teach us that when security controls are added into any design as an afterthought, things almost always go wrong, and are far costlier to implement than if security is “baked in” from the start.

There are many reasons for breaches in web applications, but there are a few fundamental causes I see frequently. Firstly, there is the original stateless nature of the HTTP protocol, which was later poorly patched by the use of cookies. These travel with every web request and are invisible to users. Any compromise of these authentication tokens allows impostors to impersonate the legitimate user.
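As an added illustration of the cookie point above (example code written for this page, not from the article or its author): a session token is only as safe as the attributes that travel with it, so a defender's first check is whether the Set-Cookie header actually restricts where the browser will send the token. The cookie name, the header strings and the audit rules below are my assumptions; real applications set these attributes through their web framework.

```python
# Added example (not from the article): issue a session cookie with and without
# hardening attributes, and audit any Set-Cookie value for the attributes that
# limit how far a leaked token can be abused. Cookie name, header format and
# audit rules are constructed for this example.
import secrets
from typing import Dict, List, Optional, Tuple


def issue_session_cookie(name: str = "sessionid", hardened: bool = True) -> str:
    """Build a Set-Cookie header value carrying a fresh random session token.

    hardened=False reproduces the bare cookie the article describes: it is
    attached to every request and carries no restrictions at all.
    """
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, 43 chars
    parts = [f"{name}={token}", "Path=/"]
    if hardened:
        parts += [
            "Secure",        # never sent over plaintext HTTP, so not readable on the wire
            "HttpOnly",      # hidden from document.cookie, so injected script cannot read it
            "SameSite=Lax",  # not attached to most cross-site requests (CSRF)
            "Max-Age=1800",  # bounded lifetime narrows the window for a replayed token
        ]
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, {attribute_lower: value}).

    Flag attributes such as Secure map to None; valued attributes keep their value.
    """
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    parsed: Dict[str, Optional[str]] = {}
    for attr in attrs:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        parsed[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, parsed


def audit_set_cookie(header: str) -> List[str]:
    """Return a list of findings; an empty list means the cookie is hardened."""
    name, value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (token exposed over plaintext HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (token readable by injected script)")
    samesite = attrs.get("samesite")
    if samesite is None or samesite.lower() == "none":
        findings.append(f"{name}: SameSite missing or None (token sent on cross-site requests)")
    if len(value) < 22:  # fewer than ~128 bits of base64url-encoded entropy
        findings.append(f"{name}: session value too short to resist guessing")
    return findings


if __name__ == "__main__":
    # Constructed headers: one issued hardened, one bare, one with a fixed weak value.
    for header in (issue_session_cookie(), issue_session_cookie(hardened=False),
                   "sessionid=12345; Path=/"):
        print(header)
        for finding in audit_set_cookie(header) or ["  OK"]:
            print("  " + finding)
```

Running the block prints the three constructed headers with their findings; the hardened cookie passes, the bare one is flagged for Secure, HttpOnly and SameSite, and the short fixed value additionally fails the entropy check. The same audit can be run over Set-Cookie lines captured from a staging environment to confirm the framework is emitting what the design assumed.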

The second issue is lack of standardised security building blocks to secure web applications fully. Different application servers, databases and coding languages offer a variety of security functions. This state of affairs is complicated, hard to understand and hard to implement. The old mantra in information security tells us that “complexity is the enemy of security”. The immaturity of inbuilt and easily reusable blocks means that designers, developers and operational teams will probably miss some, with potentially dire consequences.

If you are still with me, you might think Armageddon (of your websites) is inevitable. But all is not lost.

When security is not built in automatically, changes to your development and testing process will reduce your risk profile significantly. There are great methodologies, tools and code samples available that ensure security is built into your systems, web applications and databases. Look no further than a popular and useful open source project for web application security – Owasp (Open Web Application Security Project).

If you are responsible for a business web-based solution or application, you do not need to know all the above. Your responsibility is to ask the right questions without prejudice and assess your team’s or third-party partner’s responses carefully. Seriously consider enlisting the help of an external expert for your project to give you an independent assessment of your proposed design and the implementation of security controls.
