21 Web Application Security Best and WORST Practices

Web Security Best and Worst Practices in 2024
Web app security best practices are one of the most important aspects of any modern business or professional website. In our article, we show you what to do and what NOT to do to increase your web app security.

How much do you think about web app security best practices for your business or professional website? If we go by the numbers, probably not as much as you should. 

According to the World Economic Forum, 54% of organizations have an insufficient understanding of cyber vulnerabilities in their supply chain.

Taking into account that a cybersecurity attack occurs every 39 seconds on average, costing around $8 trillion in losses in 2023, this fact should be of more concern, especially in web security affairs. Web application attacks represent the second most common type of cyber threat, with 17% of all cyber attacks targeting web application vulnerabilities.

In this article, we will delve into the worst web security practices that businesses and individuals should be aware of, as well as the best web security practices to follow in 2024.

What Is Web Application Security and Why Should You Care?

What's the first thing that comes to mind when you hear the words "Web Security"?

Maybe encryption mechanisms, DDoS (Distributed Denial of Service) attack resistance, or defense in depth (DiD) with a WAF (Web Application Firewall) in your serving path.

Those are all important for sure (and we shouldn't take anything for granted), but they often overshadow one of the most recurring issues in web application development, usually neglected because of time or budget constraints: the security of the codebase itself, judged from a CIA perspective (Confidentiality, Integrity, and Availability; also known as the Triad of Information Security).

To properly expand on it, let's take a quick dive into some of the most common vulnerabilities that we can introduce to our web codebases while creating new functions or maintaining existing ones.

10 Web Security Worst Practices (Top Web App Vulnerabilities)

First, let’s get a common understanding of what a web application vulnerability is.

Web app vulnerabilities can be defined as any weakness that can be used by either a malicious or curious individual (depending on the intention) to gain some sort of advantage over a system protecting restricted information.

For example, imagine an attacker performing Reconnaissance (or Recon, for short) against your application. Once an interesting weakness has been found, they will try to take advantage of it to reach restricted resources, typically by crafting malicious input or code. This step is called “exploitation”.

After the initial foothold, the attacker will normally try to escalate their privileges, that is, move from the compromised account or process to one with more rights. If an escalation vector is found, they will then install persistence: a way to come back to the privileged area later without repeating the whole attack.

Finally, once the attacker is satisfied with the gathered information, they will cover their tracks by deleting their tools, tampering with logs, and, in the extreme case, wiping the system altogether.

Now, with that basic knowledge, we can make an assumption: given our interconnected world, it's far easier to find vulnerabilities in systems exposed to the Internet. There are a lot of tools that make this kind of attack easier, such as ZAP, Burp Suite, Nessus, and next-gen all-in-one tools enriched with ML models and AI.

Fortunately, some concise frameworks can help us understand the most common vulnerabilities around web applications and systems, so we can decide on what/where/when to prioritize fixing those vulnerabilities. One of the most frequently used references is the OWASP Top 10.

Here are ten of the most common web application vulnerabilities (loosely following the OWASP Top 10), framed as the WORST practices you should never follow:

1. Injection: Avoid validating or sanitizing user input, which may enable the injection of malicious code.

2. Broken Authentication: Storing passwords in plaintext or employing weak authentication mechanisms can facilitate the theft of credentials by attackers.

3. Sensitive Data Exposure: Exposing credit cards or personal information by leaving them unencrypted or inadequately protected.

4. Security Misconfiguration: Utilizing default configurations or outdated software exposes vulnerabilities due to a lack of proper security settings.

5. Broken Access Control: Failing to adequately control user permissions allows unauthorized access to sensitive data or functionalities.

6. Security Misuse of Functions: Using security features incorrectly (a hard-coded key, a disabled certificate check, an insecure cipher mode, a home-grown crypto routine) defeats the protection they were supposed to provide.

7. Cross-Site Scripting (XSS): Neglecting to escape user input permits attackers to inject malicious scripts that can steal data or hijack sessions.

8. Insecure Direct Object References: Exposing internal identifiers (a user, invoice, or file id) in URLs or parameters without checking that the caller is allowed to access that object lets attackers read or alter other users' data simply by changing the reference.

9. Mass Assignment Vulnerability: Binding request parameters straight onto model attributes without an allowlist lets attackers set fields they should never control, such as a role, an isAdmin flag, or an account balance.

10. Insufficient Logging & Monitoring: The absence of adequate logging and monitoring challenges the detection and response to security incidents.


How To Fix Web Security Worst Practices?

1. How to fix Injection?
Use parameterized queries (prepared statements) for every database call, so that user-provided values are never part of the SQL text, and validate input against an allowlist on top of that. ORMs and query builders such as Sequelize abstract database access and parameterize values by default, which minimizes the risk of SQL injection as long as you do not fall back to raw queries built by string concatenation. The same rule applies to OS commands, LDAP filters, and any other interpreter that receives user input.
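The following is an added example, not code from the article: it shows the two query shapes that separate injectable code from parameterized code, plus the one case parameters cannot cover (identifiers such as a sort column), which needs an allowlist. No database is involved; each builder returns what would be sent, so the difference is visible without a server. The table and column names are assumptions for illustration.

```javascript
// WORST practice: the value is spliced into the SQL text, so the attacker controls syntax.
function buildUserLookupUnsafe(username) {
  return `SELECT id, password_hash FROM users WHERE username = '${username}'`;
}

// Fix: the SQL text is a constant and the value travels separately as a parameter.
// This is the shape a driver or ORM (Sequelize bind/replacements, pg, mysql2) sends;
// the database never parses the value as SQL.
function buildUserLookupSafe(username) {
  return {
    text: 'SELECT id, password_hash FROM users WHERE username = ?',
    values: [username],
  };
}

// Identifiers (column names, sort direction) cannot be bound as parameters,
// so they must be checked against an allowlist before being interpolated.
const SORTABLE_COLUMNS = new Set(['created_at', 'username', 'email']); // assumption: this app's columns

function buildUserListQuery(sortBy, direction = 'asc', limit = 50) {
  if (!SORTABLE_COLUMNS.has(sortBy)) {
    throw new Error(`refusing to sort by unknown column: ${JSON.stringify(sortBy)}`);
  }
  const dir = String(direction).toUpperCase();
  if (dir !== 'ASC' && dir !== 'DESC') {
    throw new Error(`refusing unknown sort direction: ${JSON.stringify(direction)}`);
  }
  if (!Number.isInteger(limit) || limit < 1 || limit > 500) {
    throw new Error('limit out of range');
  }
  return {
    text: `SELECT id, username FROM users ORDER BY ${sortBy} ${dir} LIMIT ?`,
    values: [limit],
  };
}

// Constructed attacker input: a tautology that turns "find this user" into "every user".
const TAUTOLOGY = "' OR '1'='1";

function demo() {
  return {
    unsafe: buildUserLookupUnsafe(TAUTOLOGY),
    safe: buildUserLookupSafe(TAUTOLOGY),
  };
}

console.log(demo());
```

With the payload, the unsafe builder yields `WHERE username = '' OR '1'='1'`, which matches every row (and, with a first-row login check, usually the admin), while the safe builder keeps the same constant SQL and hands the payload over as an inert string value.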

2. How to fix Broken Authentication?
Implement multi-factor authentication (preferably TOTP), throttle or delay repeated login attempts, generate session IDs from a CSPRNG and rotate them on login, and store passwords only as salted, slow hashes. Libraries like otpauth can generate and validate TOTP tokens.

3. How to fix Sensitive Data Exposure?
Use TLS with forward secrecy, avoid storing business data you do not need, send Cache-Control: no-store on routes that return sensitive data, use strong and current hashing and encryption algorithms, generate keys and tokens with a cryptographically secure random number generator (CSPRNG), and use pre-commit hooks to catch credentials before they are committed. Qualys SSL Labs can assess your TLS configuration, and Nuclei templates can scan running routes for exposed secrets and misconfigurations.

4. How to fix Security Misconfiguration?
Follow hardening guides like the CIS Benchmarks for both on-premises and cloud environments, change every default credential, and keep software patched. For Kubernetes, Aqua’s kube-bench checks nodes against the CIS Kubernetes Benchmark, and Aqua’s Tracee adds runtime detection of suspicious behaviour once the cluster is running.

5. How to fix Broken Access Control?
Implement a single, centralized access control mechanism that denies by default and reuse it in every handler, log and alert on authorization failures, rate-limit access to APIs and controllers, and invalidate the server-side session on logout. Libraries like node-casbin provide flexible policy-based access control (RBAC/ABAC) for Node.js.

6. How to fix Security Misuse of Functions?
This category can align with "Insecure Design." Identify design flaws early and adopt a secure development lifecycle framework, such as NIST SSDF or the Secure Software Alliance Framework, to prevent and address security issues from the start.

7. How to fix Cross-Site Scripting (XSS)?
Escape or encode all user-controlled data for the context it is rendered in (HTML body, attribute, URL, JavaScript), use a templating engine that escapes by default, and deploy a Content Security Policy so that an injected script cannot execute even if an encoding mistake slips through.

8. How to fix Insecure Direct Object References?
On every request, check that the authenticated caller is authorized for the specific object the id refers to (ownership or role); never trust an id just because it appears in a URL, and prefer unguessable identifiers (UUIDs) over sequential ones to make enumeration harder. Validating user-supplied URLs and restricting outbound network access from the server address a different problem, server-side request forgery (SSRF), and are worth doing as well.

9. How to fix Mass Assignment Vulnerability?
Bind only an explicit allowlist of writable fields from the request body onto your models, never fields like role, isAdmin, or balance; most ORMs support this directly (for example Sequelize’s fields option on create and update). Separately, automate dependency upgrades with tools like GitHub’s Dependabot or Aqua’s Trivy so the framework itself is not running a version with known mass-assignment or other vulnerabilities.
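The following added example (not code from the article) shows the vulnerable merge beside the allowlisted one. The request body is a constructed attacker payload that tries to promote the account and, via an own `__proto__` key, to pollute the object's prototype; the field names are assumptions for illustration.

```javascript
// Constructed stored record and attacker-controlled body (what JSON.parse of the POST yields).
const STORED_USER = { id: 7, email: 'ana@example.com', displayName: 'Ana', role: 'user', balance: 0 };
const ATTACK_BODY = JSON.parse(
  '{"displayName":"Ana!","role":"admin","balance":999999,"__proto__":{"polluted":true}}'
);

// WORST practice: whatever the client sends is merged into the record. Object.assign
// uses [[Set]], so the "__proto__" key also rewrites the result's prototype.
function updateProfileUnsafe(user, body) {
  return Object.assign({ ...user }, body);
}

// Fix: an explicit allowlist of writable fields; everything else is dropped. The
// own-property check means inherited or prototype keys never qualify.
const WRITABLE_PROFILE_FIELDS = ['displayName', 'email']; // assumption: this app's editable fields

function pickAllowed(body, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

function updateProfileSafe(user, body) {
  return { ...user, ...pickAllowed(body, WRITABLE_PROFILE_FIELDS) };
}

console.log('unsafe:', updateProfileUnsafe(STORED_USER, ATTACK_BODY));
console.log('safe:', updateProfileSafe(STORED_USER, ATTACK_BODY));
```

Field-level validation (type, length, format) still belongs after `pickAllowed`; the allowlist decides which fields the client may touch at all, validation decides what values they may hold.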

10. How to fix Insufficient Logging & Monitoring?
Log authentication failures, authorization denials, and input validation errors as structured events with enough context (who, what, when, from where) but never with secrets, and ship them to centralized logging such as Google Cloud Logging or Grafana Cloud so critical paths are monitored and the logs survive even if the local system is compromised. Alert on patterns across events, not only on single lines.
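As an added example (not code from the article or either logging service it names), the block below produces structured JSON security events with secret fields redacted, then runs a brute-force/password-spraying detector over a constructed set of such lines, the kind of rule you would later express in your central logging platform. The event schema, the IP addresses (documentation ranges), and the thresholds are assumptions.

```javascript
// Emit one JSON line per security event. Known secret-bearing keys are redacted before
// the line leaves the process, so a log store never holds credentials.
const SECRET_KEYS = new Set(['password', 'token', 'authorization', 'cookie', 'secret']);

function securityEvent(type, fields) {
  const safe = {};
  for (const [key, value] of Object.entries(fields)) {
    safe[key] = SECRET_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : value;
  }
  return JSON.stringify({ ts: new Date().toISOString(), type, ...safe });
}

// Constructed sample log: one source hammers several accounts, another user mistypes once.
const SAMPLE_LOG = [
  '{"ts":"2024-05-01T10:00:00Z","type":"auth.login.failure","ip":"203.0.113.5","user":"admin"}',
  '{"ts":"2024-05-01T10:00:04Z","type":"auth.login.failure","ip":"203.0.113.5","user":"admin"}',
  '{"ts":"2024-05-01T10:00:09Z","type":"auth.login.failure","ip":"203.0.113.5","user":"root"}',
  '{"ts":"2024-05-01T10:00:15Z","type":"auth.login.failure","ip":"198.51.100.7","user":"ana"}',
  '{"ts":"2024-05-01T10:00:21Z","type":"auth.login.failure","ip":"203.0.113.5","user":"test"}',
  '{"ts":"2024-05-01T10:00:30Z","type":"auth.login.success","ip":"198.51.100.7","user":"ana"}',
  '{"ts":"2024-05-01T10:00:33Z","type":"auth.login.failure","ip":"203.0.113.5","user":"guest"}',
  '{"ts":"2024-05-01T10:00:40Z","type":"authz.denied","ip":"203.0.113.5","user":"guest","resource":"invoice:1002"}',
  'this line is not JSON and must be skipped, not crash the detector',
].join('\n');

// Sliding-window rule: >= threshold login failures from one IP within windowSeconds.
// Also reports how many distinct accounts were tried (password spraying indicator).
function detectBruteForce(logText, { threshold = 5, windowSeconds = 60 } = {}) {
  const byIp = new Map();
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let ev;
    try { ev = JSON.parse(line); } catch (_) { continue; } // malformed line: skip
    if (ev.type !== 'auth.login.failure') continue;
    const t = Date.parse(ev.ts) / 1000;
    if (Number.isNaN(t)) continue;
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push({ t, user: ev.user });
  }

  const alerts = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.t - b.t);
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].t - events[start].t > windowSeconds) start++;
      const count = end - start + 1;
      if (count >= threshold) {
        const inWindow = events.slice(start, end + 1);
        alerts.push({
          ip,
          failures: count,
          distinctUsers: new Set(inWindow.map((e) => e.user)).size,
          firstSeen: new Date(inWindow[0].t * 1000).toISOString(),
          lastSeen: new Date(inWindow[inWindow.length - 1].t * 1000).toISOString(),
        });
        break; // one alert per IP is enough; the platform can dedupe further
      }
    }
  }
  return alerts;
}

console.log(securityEvent('auth.login.failure', { ip: '203.0.113.5', user: 'admin', password: 'hunter2' }));
console.log(detectBruteForce(SAMPLE_LOG));
```

The point of the structured shape is that the same rule is a one-line query once the events are in a central store; the point of the `distinctUsers` field is that five failures against five accounts is a different incident from five failures against one.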

11 Web Security Best Practices

Now that we’ve gone through the worst, let's review 11 web security best practices you should follow to prevent any of the issues above:

1. Adopt Secure Software Development Practices: 

From the initial stages of development, prioritize security by embedding secure coding practices. This foundational approach minimizes vulnerabilities and sets a strong base for further security measures.

2. Be Vigilant with Input Validation and Injection Protection: 

Treat every piece of user input with suspicion. Implement stringent input validation to prevent common threats like SQL injection, ensuring that only sanitized data interacts with your systems.

3. Encrypt Sensitive Data: 

In the era of data breaches, encrypting data at rest and in transit is non-negotiable. Utilize strong encryption protocols to protect sensitive information, ensuring that even in the event of a breach, the data remains unintelligible to unauthorized parties.

4. Enforce Strong Authentication and Access Control: 

Authentication mechanisms should be robust, incorporating multi-factor authentication where possible. Coupled with precise role management, ensure that users have access only to the resources essential for their role, adhering to the principle of least privilege.

5. Implement HTTPS Across the Board: 

Transition all traffic to HTTPS, not just sensitive communications. This practice secures data in transit, providing confidentiality and integrity while also boosting user trust and search engine rankings.

6. Regularly Update and Patch Systems: 

The digital landscape is constantly shifting, with new vulnerabilities emerging regularly. Keep your systems resilient by applying updates and patches promptly, closing potential entry points for attackers.

7. Deploy a Web Application Firewall (WAF):

A WAF serves as a gatekeeper for your web applications, scrutinizing incoming traffic and blocking malicious requests. It's a useful layer of defense against a myriad of web-based threats, but it complements, rather than replaces, fixing the vulnerabilities in the code itself.

8. Incorporate Rigorous Testing and Quality Assurance: 

Before deployment, subject your web applications to thorough testing, including vulnerability assessments and penetration testing. This proactive approach identifies and rectifies weaknesses, reinforcing your application's defenses.

9. Foster a Culture of Security Awareness: 

Security is a collective responsibility. Educate your team about the latest threats and best practices, ensuring that everyone contributes to the security posture of your organization.

10. Utilize Real-Time Monitoring and Logging: 

Keep a vigilant eye on your applications with real-time monitoring, enabling swift detection and response to suspicious activities. Detailed logs serve as invaluable forensic tools in the event of a security incident.

11. Embrace Continuous Improvement: 

The threat landscape is ever-evolving, and so should your security practices. Regularly review and update your security measures, learning from industry trends and past incidents to continually fortify your defenses.

For sure, the OWASP Top Ten is not the only reference available. We can also count on the SANS SWAT checklist and the quite extensive MITRE ATT&CK® knowledge base; those cover not only web vulnerabilities but also the ancillary systems that make the internet function, like routers, firewalls, VPN concentrators, DNS servers, time servers and, most importantly, developer machines.

In summary, with those general ideas we can start exploring our codebases in such a way that security issues are triaged, prioritized, and then executed according to business requirements. 


Start Reinforcing Your Web App’s Security Today!

As the statistics at the beginning of this article show, web app security is an increasingly concerning issue, yet it is not taken seriously by many companies and major websites.

To mitigate this risk, start by addressing the principal vulnerabilities mentioned in this article and implement the recommended best practices.

However, with constant changes, AI automation, and new threats emerging everywhere, there's a chance that, unless you are a true web security expert, something might slip by.

If you want to improve your web application's security or cybersecurity in general, reach out to one of our experts. At Octahedroid, we excel at solving complex security challenges with a personalized approach tailored to your industry and specific needs.

Contact us today to avoid losing any sensitive information or investments in security.
