Sep 12, 2016
This quick guide looks at the basic principles of application security, and highlights the unique problems associated with web application development.
The Basic Principles of Web Application Security
At its heart, the core values of secure web application development are the same as those employed by developers across the board:
- Secure web application development still depends on an organisation’s secure culture – an atmosphere within your organisation that encourages developers to have a proactive attitude towards security.
- The basic principles of agile software security hold especially true in the fast-paced world of web development, since the majority of web applications are now built using an agile methodology.
- Web application developers, like all software developers, will not prioritise security on their own. In order to encourage meaningful adoption of security practices, your organisation needs to engage developers on their own terms – allowing for flexible, hands-on security training in the form of an eLearning course.
However, whilst the basic principles of secure software development will hold for web applications, there are a few unique instances in web development that require specialised security responses.
Where Secure Web Applications Diverge
The following topics are some of the unique security issues faced by web applications. In order to ensure secure development practices, it’s a great idea to enact specialised web development training – requiring developers to pass specific training modules for each of these issues.
Cross-Site Threats. Cross-site scripting (XSS) and cross-site request forgery (XSRF) are two of the most commonly used techniques for attacking web applications. Whilst the consequences of a successful cross-site attack can be huge, these types of security exploits can be prevented quickly and easily – and training modules on cross-site threats will teach developers how to prevent attacks using data sanitisation and digital timestamps.
Server-Side Threats. SQL injection and malicious file uploads are regularly used by attackers to gain access to sensitive databases and information, and to steal customer payment details. As a result, these types of server-side problems pose a significant threat to both application security and business reputation – and need to be explicitly addressed during development.
Cloud Development. Cloud-based applications are growing in popularity and prevalence, and crucially, bring with them a unique set of security issues. The differing security traits of various service models (infrastructure-, platform- and software-as-a-service), remote data access and API usage all require specialised training.
Compliance Issues. Many web applications handle confidential information and customer payment details. As such, these apps become subject to a wide range of legislation – most notably the rigorous security standards of PCI compliance.
The OWASP Top 10. The world of web development is particularly fast moving – and emerging threats and evolving security practices require developers to update their knowledge with the latest trends in application security. Thankfully, the OWASP (Open Web Application Security Project) Top 10 details the ten most critical security issues currently faced by web application developers. Many leading security organisations provide developer training geared towards these critical issues – allowing developers to stay up to date with the fast-paced world of web security.
The Importance of Pro-Active Training
In order to create secure web applications, developers need to understand the basic principles of secure software development, and learn to identify where web applications diverge from these principles. Wherever a web-based project requires a unique set of tools or techniques to develop, it’s likely that a unique set of security issues will appear alongside it.
In order to ensure that these vulnerabilities never turn into a serious security threat, it’s essential for developers to be proactive with their security training – using training courses to learn about the unique nature of each web application they develop.