Web App Security Checklist: What You Should Pay Attention To While Launching Your Business

Creating a web product means that you’re ready to show it to thousands of people on the Internet. But the broader your audience, the more tempting your business becomes for attackers. TecSynt is here to discuss how to organize the protection of your product and what you should beware of.

We’re going to start with the risks threatening any web product and end with a ready-made checklist that is vital for a high level of web app security.

Top 10 Web App Security Risks According to OWASP
Web App Security Audit: Statistics and Prognosis
Web App Security Checklist for 2018

Top 10 Web App Security Risks According to OWASP


The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to software security. It tracks application security issues and publishes reports on them. By the end of last year, the data on the top 10 security risks was available, and here is how it looks.

1. Injection occurs when attacker-supplied data is sent to the app as part of a command or query. The interpreter then executes it as if it were a legitimate command, which can lead to access to sensitive data.

2. Broken authentication means that user passwords and keys, and with them user identities, can be easily compromised. The main task here is to implement the app’s authentication management functions correctly.

3. Sensitive data exposure happens when attackers steal weakly protected data. This risk is especially dangerous for financial and healthcare information, so any app in these sectors should apply extra protection.

4. XML External Entities (XXE) is an attack type aimed at apps that parse XML (Extensible Markup Language) input. If a web product has a poorly configured XML parser, it becomes a target. The impact ranges from disclosure of sensitive data to denial of service.

5. Broken access control appears when the restrictions on what authenticated users may do are not enforced properly. If developers don’t enforce these restrictions, attackers gain access to data they are not authorized for (sensitive files and other users’ accounts).

6. Security misconfiguration is a common issue when it comes to web apps. It means that default configurations, cloud storage, HTTP headers (and lots of other items) may be set up insecurely. So, all frameworks and libraries must be checked and updated on a regular basis.

7. Cross-site scripting (XSS) is a type of attack in which hackers are able to run scripts in the victim’s browser. Usually, such scripts steal user sessions, deface websites, or redirect a user to a malicious page.

8. Insecure deserialization leads to remote code execution in most cases. But this attack can also be used to perform other types of attacks, such as the injections we’ve already discussed.

9. Components with known vulnerabilities are always a threat to the app, as they undermine the whole defense system. Any library or framework can be vulnerable to attackers and should be patched immediately.

10. Insufficient logging and monitoring shows how important it is to collect all log data and monitor it. If you do not have a systematic approach, your business is open to lots of security breaches.

Now you know the most dangerous enemies that web developers have to fight. We’ve also prepared some more specific data for you, including overall statistics on vulnerabilities. It vividly demonstrates how important web app security testing is for any business on the market.

Web App Security Audit: Statistics and Prognosis

To understand the global situation on the market, we’ve turned to research conducted by Imperva. Security is this company’s main specialization, so the data we’re about to cover comes from its daily experience.

  • As for the overall number of vulnerabilities, it rose significantly in 2017. The count peaked in the middle of the year and then gradually decreased by December.

Web Application Vulnerabilities in 2016-2017

  • You should know which type of security risk makes applications most vulnerable to attackers. Cross-site scripting (XSS) is the major risk you are most likely to meet (and fight). All other risks appear less often, but in 2017 the number of issues rose for each risk type.

OWASP Risks in 2014-2017

  • The IoT sphere is at the top in terms of the recorded number of vulnerabilities. The count is more than twice as high as in the previous year. If your business is somehow connected with small devices, you should be aware that you’re in the red zone.

Number of IoT vulnerabilities in 2014-2017

  • There are four leading platforms when it comes to content management systems. You probably work with one of them, so take a look. WordPress has the highest number of vulnerabilities, but that’s not surprising, as this CMS is the most popular on the market. Compared with 2016, entrepreneurs should be more cautious than ever, especially with WordPress plugins.

Vulnerabilities by the CMS Platform in 2016-2017

With these numbers at hand, we won’t be surprised to see vulnerabilities grow in 2018. What does that mean for business owners all over the world? Web app security should and will be at the core of any web product, together with usability and a complete feature set.

Whether you already have a ready-made solution or are developing one at the moment, you should make sure that your app is tested from all sides. Let’s figure out what that means.

Web App Security Checklist for 2018

No matter what web app security tools your development team uses to protect your application, there are some aspects that should be thoroughly worked out and tested by all means. These are five points you should keep in mind as a business owner.

1. Authentication

Authentication is the first line of defense standing between an app and an attacker. At this stage, only recognized users and programs are allowed to communicate with your product.

In practice, user authentication security issues often lead to data breaches, so providing a strong layer of security is especially important for apps handling sensitive data. In this case, two-factor authentication becomes a vital thing to consider.

Important aspects to test out:

  • Missing authentication.
  • Predictable and default credentials.
  • Obscurity-based authentication.
  • Acceptance of weak passwords.
  • Missing logout function, etc.

2. Access control

Once authentication has passed, a software product should be smart enough to grant the user access only to certain data. Even an authorized user has limits on which data they can reach and modify.

If app developers don’t take good care of this issue, unintentional data breaches may occur. To secure a product, engineers often allow users to access only the minimum amount of data they need.

Important aspects to test out:

  • Applying access control checks.
  • Applying the principle of “least privilege”.
  • Any direct references to files or parameters.
  • Any unvalidated forwards in the app.
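The access-control points above in working form, as an added example that is not part of the original article: an unchecked direct object reference beside a version that enforces both the role table (least privilege) and object ownership, plus an allowlist check for forward targets. The document store, role table and allowlisted host are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample data: document id -> (owner, contents)
DOCUMENTS = {
    101: ("alice", "Alice's invoice"),
    102: ("bob", "Bob's contract"),
}

# Hypothetical role table: each role gets only the actions it needs (least privilege)
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
}

def fetch_document_insecure(doc_id):
    """Direct object reference: whoever supplies an id gets the document,
    with no check of who is asking."""
    return DOCUMENTS[doc_id][1]

def can_access(user, role, doc_id, action="read"):
    """Both checks the checklist asks for: the role must permit the action
    and the object must belong to the requesting user."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False
    record = DOCUMENTS.get(doc_id)
    return record is not None and record[0] == user

def fetch_document(user, role, doc_id, action="read"):
    """Returns the contents only after can_access() passes. Unknown ids and
    other users' ids get the same answer, so a caller cannot probe which exist."""
    if not can_access(user, role, doc_id, action):
        return None
    return DOCUMENTS[doc_id][1]

# Constructed allowlist of hosts the app may forward users to
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}

def safe_redirect_target(url, default="/"):
    """Validated forward: accept only same-site relative paths or https URLs to an
    allowlisted host; anything else (other hosts, protocol-relative //host forms,
    other schemes) falls back to the default page."""
    parsed = urlparse(url)
    is_relative = parsed.scheme == "" and parsed.netloc == ""
    if is_relative and url.startswith("/") and not url.startswith("//"):
        return url
    if parsed.scheme == "https" and parsed.netloc in ALLOWED_REDIRECT_HOSTS:
        return url
    return default
```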

3. Command injection

As we’ve already mentioned, “injections” are issues in which malicious input finds an unprotected parameter in the app and enters through it. If it is an SQL injection, then the attacker gets straight to the database. If it is cross-site scripting (XSS), then attackers get straight to the end user.

Remember that XSS is the most common security risk, so pay close attention to this point. Your development team must work on validating data and restricting data input.

Important aspects to test out:

  • All kinds of injections: SQL, system command, XML, XPath, SSI, HTTP header, and many others.
  • Validation of uploaded files.
  • Validation of the input source.
  • Whitelisting input – allowing only the data with certain criteria.
  • Using parameterized SQL queries, etc.
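The last two checklist items side by side, as an added example that is not from the original article: the same lookup written as a string-built query and as a parameterized query, plus an allowlist check for an input (a sort column) that cannot be bound as a parameter. The table and its rows are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed sample data kept in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", 1),
        ("bob", "bob@example.com", 0),
    ])
    return conn

def find_user_insecure(conn, name):
    """Vulnerable: the untrusted value becomes part of the SQL text, so a
    quote inside it changes the statement (the article's SQL injection case)."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def find_user(conn, name):
    """Parameterized: the driver passes the value separately from the SQL,
    so it is only ever compared as data and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Allowlist: the only sort keys the app accepts
SORTABLE_COLUMNS = {"name", "email"}

def list_users_sorted(conn, sort_by):
    """Identifiers cannot be bound as parameters, so the input is checked
    against the allowlist and anything else is rejected outright."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort key: {sort_by!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")
    return [row[0] for row in rows]
```

Run both lookups with a name containing a single quote to see the string-built version return every row while the parameterized one returns nothing.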

4. Session management

Session management concerns situations in which attackers steal information from user sessions. With this info, they can move forward and gain the user’s access to the application.

At this stage, developers usually start with cookies and strip them of any sensitive data. Additionally, it is better to create a unique ID for each session and generate it automatically.

Important aspects to test out:

  • Any cross-site request forgery.
  • Any missing session revocation after logout or regeneration after login.
  • Regenerating session tokens.
  • Logging a user out automatically after a certain period of time.
  • Using safe cookie attributes (the Secure and HttpOnly flags).
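A minimal server-side session store covering the points above, as an added example that is not from the original article: the session ID is regenerated at login, revoked at logout, expired after a period of inactivity, and sent in a cookie with the Secure and HttpOnly flags. The store, the idle timeout value and the cookie name are constructed for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before automatic logout (constructed value)

class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}
        self._clock = clock   # injectable clock so expiry can be tested

    def create(self, user=None):
        # 32 random bytes from the OS CSPRNG: unguessable and unrelated to user data
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        """Issue a fresh id at login so a pre-login id planted in the browser
        (session fixation) never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        """Revoke server-side; clearing the cookie alone would leave the id valid."""
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        """Return the logged-in user, or None if the id is unknown or idle too long."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # automatic logout after inactivity
            return None
        session["last_seen"] = now
        return session["user"]

def session_cookie_header(sid):
    """Set-Cookie value: HttpOnly keeps page scripts (XSS) away from the id, Secure
    keeps it off plaintext HTTP, SameSite=Strict blunts cross-site request forgery."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```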

5. Data protection and transmission

Data transmission is part of so-called “data in motion” security. Many companies overlook this concept, which can eventually harm them a lot. The thing is, you should protect sensitive data not only when it rests but also when it moves.

Your data should be properly encrypted – and this is an action neglected by lots of your competitors. You should also remember that encryption slows down your app to a certain degree, so the decision on which information to encrypt must be made carefully.

Important aspects to test out:

  • Using an SSL certificate.
  • Using the Strict-Transport-Security header.
  • Storing passwords with strong hashing techniques.
  • Any insecure SSL ciphers.
  • Limiting the usage and storage of sensitive information, etc.

Feeling Safe in the Web Environment

Even while your users sleep tight, attacks occur every second all over the world. With each passing year, the number of websites continues to increase, so sensitive data becomes the most delicious piece of the pie that every attacker would like to bite.

Naturally, the precautions you’re going to take to protect your audience depend fully on the industry you work in. But there are top risks that threaten web applications regardless of the sphere or user profile. Now you know the basics of web app security and will be ready to confront the storm.
