As a web app developer, you have enough on your plate already. But with cybercrime on the rise – with 86% of companies experiencing at least one successful cyberattack in 2021 – it’s become more important than ever to test your own security measures.
Whether you’re building a small ecommerce website or an enterprise SaaS (Software as a Service) platform, cybersecurity should be a top priority. Cybercrime rates are accelerating. This is in part because of the remote work revolution, which has radically increased the entire world economy’s vulnerability to attack.
You might think your web app is a small fish in a big ocean, and therefore low-risk. However, hackers are increasingly using AI to carry out their attacks, so the time and money it takes a hacker to attack your web app’s defences is shrinking by the minute. That means everyone on the team must be vigilant, not just the security manager.
What’s more, by failing to safeguard user data, you could inadvertently be violating the law. Failing to follow local compliance regulations and GDPR could put you in legal danger. And as more and more critical services are moving to centralised cloud servers (think of logistics companies trying to automate inventory management), providers are under more pressure than ever.
With that in mind, let’s consider the best practices for implementing a security testing program for any web application.
Why is a security testing program important?
There are a number of reasons to make security a top priority.
Every year there are new, high-profile stories about companies losing their customer’s data, from leaked emails to sensitive bank information. More recently, the UK-based gift company Funky Pigeon had to suspend all orders after a cyberattack.
When you’re offering a B2B (Business to Business) SaaS solution like a customer service platform, you’re asking business to trust you with their customers’ data as well as their own. So when it comes to your security measures, it’s not just your business you’re trying to protect, but that of your customers, too.
And as for a B2C (business to consumers) company often holding large numbers of banking details for their customer bases, losing data can put a serious dent in their brand image. If customers don’t trust in your data protection abilities, they will take their business elsewhere.
In fact, Hiscox found that a single cyber incident could cost a small business up to $14,000, with a mean cost of $395,000 for larger businesses.
The high cost of cyber incidents is why end-to-end encryption has become such a selling point, from chat apps to a virtual business phone service. These businesses are effectively unable to operate without a third-party security audit like Cyber Essentials, a government-backed cyber certification scheme. A business can earn that kind of certification by implementing their own successful security program.
Some of the common threats you’ll be testing against will include:
This is most commonly the ‘SQL injection attack’, where hackers are able to send SQL (‘Structured Query Language’) code via a user-facing search bar. Other kinds of injections using NoSQL, OS command, or Object Relational Mapping are also possible. If your search bars aren’t actively scrubbing anything but the expected input, you’re leaving your web app open to injection attacks.
Email was designed for the high-trust internet of the 1970s, which is one reason why it’s the most common avenue for cybercriminals to attack companies and their customers.
If they compromise your network, hackers can imitate you and send emails from your domain, sometimes containing malicious attachments. We’re used to seeing phishing spam in our junk mail inboxes as consumers. Behind the scenes, hackers will opt for ransomware and privilege escalation attacks to target companies and cause serious damage. In 2020, just 92 ransomware attacks cost US healthcare companies $21 billion.
Cross-site scripting (XSS)
The modern internet is an extremely interconnected place: if hackers can compromise one site, this can sometimes get them access to another.
The web browser itself is one of the most common attack surfaces for hackers. If your web app encodes any remotely useful information in URLs, you can bet that hackers will attempt to manipulate it as much as they can to access webpages and information they would not normally have access to. They’ll then be able to use this information to attack you further.
Now that we’ve considered four of the most likely cyber threats to your web app, we can move to think about how to implement security testing measures to mitigate these threats.
Run a manual security audit
The cornerstone of your web app’s security program is the audit. An ‘audit’ may sound innocuous enough, but this process is actually an attempt to attack your web app by someone playing the role of the hacker – on the “red team” – in any way they can.
In a “black box” security audit, no information about your web app is shared with the hacker. You only provide the auditor with your web app’s public-facing URL, and leave them to throw every tool in the box at breaking your app’s security wide open.
Without help, the hacker will have to navigate the user journeys they’d map out on a mobile app flowchart and find ways to compromise the app from user-facing touchpoints.
‘Black box’ audits will expose the most obvious security flaws in your web app, but for errors deeper in the stack – say, an issue in a third-party plugin – you’ll need other boxes.
A ‘grey box’ audit gives the hacker a little more information about the system, whilst the “white box” audit gives them full access to the codebase.
This enables them to put every part of your system under harsh scrutiny, as it’s often those tiny errors that lead to the most valuable hacks. Just recently, the blockchain-based game Axie Infinity had half a billion dollars stolen through a typo in a smart contract.
Some of the steps you’d include in a manual security audit are:
- Identifying assets. Listing potential attack surfaces and any assets / dependencies your web app depends on, any which could be useful to a hacker.
- Checking that all your web app’s components and plugins are up-to-date. While sticking with an older version can be good for reliability, out-of-date plugins and components are a common cause of cyberattacks.
- Inspecting permissions. As we’ll see, broken access control is a big security issue for web apps. If sensitive information is visible to the wrong people, or the system controlling that access can be compromised, you have a serious problem.
- Scrutinising on-site infrastructure. If your web app’s infrastructure is hosted on-site, rather than on a secure cloud server, you should also scrutinise any on-site infrastructure like servers, computers, or even WiFi-connected printers that may store network credentials on them.
Make sure everything is encrypted
These days, it’s essential to encrypt your web app’s traffic both in transit (while it’s moving around the internet) and at rest (when it’s stored on the server).
One reason people went looking for alternatives to Zoom in 2020 was due to poor encryption. Having scaled their operations rapidly, any latent security flaws like “zoom bombing” were suddenly occurring daily.
You probably know all about the importance of SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption, and how Google considers encryption as a factor in your site’s search engine ranking. If you’re concerned about security at all, getting your SSL certificate was one of the first things you did when you set up your domain.
But a web app is slightly more complicated than a website, often employing several plugins. Are you sure that every one of those is encrypted? In transit? And at rest? If you assume the answer is yes without making sure, the web app you’ve otherwise comprehensively checked for flaws could be sitting on a landmine.
Use server logging
Why is data archiving important in cybersecurity? For one, logging.
While you can test and test all you like, chances are you’re not going to catch everything that could be a security vulnerability. That’s why it’s important that your web app’s server keeps a detailed log of every single event that happens on it.
When you’re conducting your tests and audits, logging with tools like log aggregators like Linux Syslog and PaperTrail can give you a detailed story of what’s going on during those tests and how the auditor is moving through the system. If your web app is actually hacked at some point, the log will show you exactly what happened on the server.
While this won’t tell you what was happening with your third-party plugins, it will show you what data was coming to and from those plugins’ servers during the incident.
Stay ahead of the hackers
Web app security is a constantly-evolving field, so your security testing program needs to keep moving to stay one step ahead.
As a starting point when you’re building your web app, you could use the Open Web Application Security Project’s Top 10 list of common security flaws as a measure of what’s good enough.
For example, their 2021 survey of known web security issues shows that broken access control has become the most common flaw since their survey in 2017, when it was lagging in fifth place behind XML external entities and classic injection at the top. 94% of web apps surveyed in 2021 suffered from broken access control.
This is why it’s important to keep an eye on new developments relevant to your app and make periodic reviews and audits part of your testing program. If you’re depending on third-party plugins, set up Google Alerts for each of them and don’t depend on news of a known vulnerability to come through the official channels first.
Implementing your security testing program
A security testing program isn’t a one-time operation. You’ll have to conduct regular reviews, and keep modifying that process as new attacks become common. But by staying on top of every element of your web app and its attack surface, you can ensure you’re keeping yourself and your users safe from hackers.