Cybersecurity in Web Applications - Where to start? Where to improve? Where to learn more?
A curated guide to web application security resources organised by experience level, from getting started with the basics to advanced training and specialised tooling, with short notes on what each resource covers and when to reach for it.
In the realm of cybersecurity, any web application exposed to the internet will be subjected to a countless number of intrusion attempts every day from adversaries using automated scanners. If the scanners find any obvious vulnerabilities, adversaries will likely notice and scrutinize your application further, possibly leading to an application compromise, network intrusion, or even ransomware attacks.
This situation is why it’s more important than ever to identify potential security issues with your web application early and remediate them before they can be used in an attack. Alternatively, security checks can be integrated into application development to ensure your application is as secure as possible before it goes into production.
Whether your application has never been security tested or it has been through several rounds of security auditing and hardening, there is a level of web app security resources right for you. Let’s look at the different tiers of security and the resources that will get you there.
Where to Start? (Basic Web App Security)
If you are new to secure application development, implementing security controls on a web application can seem very intimidating. Still, there are many excellent resources for thinking broadly about basic security best practices, many of which are detailed below.
OWASP Top Ten
The OWASP Top 10 project is a widely accepted document for educating application developers on the most common security issues found in web applications today. Using the OWASP Top 10 as a guide is an excellent start towards securing your app by identifying ‘low-hanging fruit’: issues that potential attackers can easily identify through automated scanners.
For more information, please see the following OWASP Top 10 resources:
OWASP Top Ten webpage:
OWASP Top 10 Proactive Controls
A companion project to the OWASP Top 10, the Top 10 Proactive Controls project was created with developers in mind and describes the necessary steps developers should take towards securing their applications. The OWASP Top 10 Proactive Controls teach developers the latest secure coding practices that will help avoid dangerous code that attackers look to exploit.
See the following link for a PDF version of the OWASP Top 10 Proactive Controls:
Snyk 15 Application Security Best Practices
The Snyk 15 Application Security Best Practices discuss the common sources of security concerns and give a general overview of keeping web applications secure. Although not technically dense, these best practices provide a solid philosophy for application security.
See the following link for Snyk’s 15 Application Security Best Practices:
The OWASP Secure Coding Practices Quick Reference
The OWASP Secure Coding Practices Quick Reference (SCP) is a developer-oriented checklist that aims to improve the secure development of your application. Check your application against each item on the list to identify weaknesses and areas that should be addressed. By adopting practices from this guide, you can avoid common mistakes and harden your application against attacks. After addressing each item in the checklist, you can feel better about your application’s overall security.
See the following link for OWASP’s Secure Coding Practices Quick Reference:
Where to Improve? (Intermediate Application Security Standards)
After identifying the most common web application security problems and ensuring that your application is secure against them, the next step in improving security is understanding the methods application testers use to discover vulnerabilities. Gaining a deeper understanding of web application vulnerabilities lets you thwart the more advanced attackers looking to cause harm.
OWASP Web Security Testing Guide
A common framework that web application testers use while performing their duties is the OWASP Web Security Testing Guide (WSTG), which outlines the typical workflow of a web application security assessment. By understanding the different areas of the application that testers look at, developers can consider how their application would perform when tested against the same criteria and assess whether improvements are needed. See the following links for more information on the WSTG and how you can implement the checks:
OWASP Web Security Testing Guide website
OWASP Web Security Testing Guide PDF document
OWASP Application Security Verification Standard
The OWASP Application Security Verification Standard (ASVS) is a security testing framework that aims to normalize the range of coverage and level of rigor available when performing web application security validation using a commercially available open standard. Three tiers of testing are available within the ASVS:
- Level 1 testing is the base testing level and covers the minimum controls for best-practice application security.
- Level 2 testing is the “recommended level for most apps”, or the minimum level of testing for apps that contain sensitive data.
- Level 3 is the highest level of testing in ASVS and is typically reserved for applications that contain high-value transactions or require the highest level of trust, such as those found in areas of military, health and safety, critical infrastructure, etc.
Like the OWASP Web Security Testing Guide mentioned above, developers can study and utilize the ASVS as a blueprint to create a Secure Coding Checklist specific to their application, platform, or organization. This may also allow developers to increase focus on the security requirements that are most important to their specific project or environment. See the following links for more information on the ASVS:
OWASP Application Security Verification Standard website
OWASP Application Security Verification Standard PDF document
Where to learn more? (Advanced Application Security and Beyond)
In addition to the resources listed above, there are several more advanced frameworks designed to fortify against the more talented attackers and encourage a holistic approach to security. The following resources are an excellent way to further improve your security posture and protect your organization.
NIST Security and Privacy Controls for Information Systems and Organizations
Published by the National Institute of Standards and Technology (NIST), the NIST Security and Privacy Controls for Information Systems and Organizations is a robust catalog of security and privacy controls aimed at protecting information systems and organizations against a diverse set of potential threats, from foreign intelligence entities to natural disasters and more.
See the following link for a PDF of the NIST 800-53r5 controls:
Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework
Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) is an application development guide for integrating security best practices at each stage of an application’s software development life cycle. The framework covers aspects such as defining security roles for each member of the development team and the tasks each role must complete at a given stage of software development.
See the following link for more information on the SSDF:
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1
The Framework for Improving Critical Infrastructure Cybersecurity is a risk-based approach for managing cybersecurity across an organization. This highly flexible framework is ideal for identifying vulnerabilities and hardening against advanced attacks. This framework focuses on:
- Integrating security into all aspects of an organization
- Identifying relationships between organizational assets
- Addressing risks and threats that may impact the organization
See the following link for a PDF of the Framework for Improving Critical Infrastructure Cybersecurity (version 1.1):
Summary
Securing your web application against modern threats may seem like a daunting task, but the key is to start the process. Pick a framework that applies to you, learn and understand the concepts, then apply the lessons learned or the framework itself to your environment. Like Rome, a strong security posture is not built in a day, but iterative changes can fortify an empire.
Websec Can Help
No matter which stage of security your application is at, Websec can help make it better through security testing and assessment. Websec leverages all of the frameworks listed in this guide and more to identify and protect against modern security threats. We won’t just find your issues; we’ll help you identify potential fixes and test your remediation to ensure you’re safe moving forward.
Cybersecurity isn’t easy, but through smart collaboration, we can make your application safer. Book a test for your web application today and take a step forward for your application’s security!