Four Things You Shouldn’t Forget About Web Application Security

Eliminating all vulnerabilities from your web application
is an important part of maintaining your overall security posture. As part of
that process, web application vulnerability scanners play a crucial role in
that they provide an efficient and effective method of exposing vulnerabilities
and helping to keep your application online and secure.
Because automated web security scanners play such a crucial
role in the process of web application security, it’s easy to forget
that there are many other elements of security that also deserve your
attention. In this post, we’re going to cover some of the “other”
important security elements that are often overlooked — both in terms of the
application itself as well as the infrastructure.

Don’t Let Infrastructure be Your Weakest Link

Like everything else, a strong security posture starts with
the foundation. As important as it is to eliminate web application vulnerabilities, that effort may be wasted if
your application resides on an insecure web server, or you’re running insecure software, as happened in the infamous Mossack Fonseca and Panama Papers leak.
We’re not going to get into the process of securing your web
server other than to point out a few of the obvious ways that you can harden
your security. However, as an example, if you’re running a popular open source
option like LAMP stack, there are some straightforward actions you can take
such as:
Make sure you are running the latest version of Apache
Disable any unused or unnecessary modules
Prevent the version number, operating system and
installed modules from being displayed
Disable/Prevent directory browsing
Limit the total HTTP request size to reduce the
probability of a DDoS Attack
Enable Apache logging
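The hardening items listed above, as an added example that is not from the original post: a small Python audit that reads the text of an Apache httpd.conf and reports which of those items are still unmet. Both config samples are constructed, and the checks assume the standard httpd directives (ServerTokens, ServerSignature, LoadModule, Options, LimitRequestBody, CustomLog).

```python
import re

# Constructed sample: a default-looking httpd.conf with the weak settings
WEAK_CONF = """\
ServerTokens OS
ServerSignature On
LoadModule status_module modules/mod_status.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

# Constructed sample: the same server hardened along the lines listed above
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
# LoadModule status_module modules/mod_status.so
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
LimitRequestBody 1048576
CustomLog logs/access_log combined
"""

def active_directives(conf):
    """Yield (name, value) for uncommented directive lines; section tags are skipped."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            yield name, value.strip()

def audit(conf):
    """Return the hardening items from the post that `conf` still fails."""
    directives = list(active_directives(conf))
    last = dict(directives)                    # later occurrence wins, as in httpd
    loaded = [v for n, v in directives if n == "LoadModule"]
    findings = []
    if last.get("ServerTokens", "Full") != "Prod":      # httpd default is Full
        findings.append("ServerTokens exposes version/OS/modules; set Prod")
    if last.get("ServerSignature", "Off") != "Off":
        findings.append("ServerSignature adds version to error pages; set Off")
    if any("status_module" in v for v in loaded):
        findings.append("mod_status loaded; disable unused modules")
    if re.search(r"(^|\s)\+?Indexes\b", last.get("Options", "")):
        findings.append("directory browsing on; use Options -Indexes")
    if "LimitRequestBody" not in last:
        findings.append("no LimitRequestBody; cap request body size")
    if "CustomLog" not in last:
        findings.append("no CustomLog; enable access logging")
    return findings
```

Running `audit(WEAK_CONF)` lists all six gaps, while `audit(HARDENED_CONF)` returns an empty list.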
There are a multitude of additional steps you can take to
reduce your overall exposure including:
Eliminating remote access or, at the very least,
restricting remote access to a limited number of IPs and users
Using separate environments for development, testing
and production. Amazon EC2 makes the process of setting up temporary testing
and development environments relatively simple, which limits access to your
production environment.
If you’re unsure of how to configure your server, get advice
from your server admin or system engineer.

Manage User and Application Privileges

The best way to manage user privileges is by following the
principle of least privilege (POLP). POLP states that each individual user
should have their access limited to the minimal level required to complete their
necessary tasks. The same rule applies to web applications — assign the minimal
level of permissions required for normal functioning.
Managing privileges is something that can occur on a variety
of different levels — including the server, database and software level. For
example, if you are running WordPress, full administrator privileges
should be restricted to very few users. Even at the
administrator level, there are certain functions that can be disabled in order
to further harden security. Read the Principle of Least Privileges for WordPress
for more specific information on POLP on WordPress.

Keep Software Up To Date

As vulnerabilities are discovered and patches are released,
it’s important to keep all of your software up to date. We can approach this
from two angles:
The first is making sure that any software you’re using is running
on the current version. This is an issue we see frequently on platforms like
WordPress and with JavaScript libraries. Looking at current WordPress statistics, over 15% of installations are currently
running version 3.9 or older.
In many instances, using a web application vulnerability
scanner will help in this regard. For example, if your web application is using a JavaScript library that is out of date, ideally you should be alerted not only that the
library is out of date but also which vulnerabilities are associated with your
particular version.
Second is the importance of keeping your scanning software
up to date. If you are using a desktop-based scanner, make sure you’re using a
version with the most recently updated vulnerability library — cloud-based
vulnerability scanners will be automatically updated.

Know What’s Happening On Your Web Application

Finally, one security measure that is often overlooked is
the process of monitoring and logging user activity. Web
application logs provide a multitude of benefits, the most important of which
is the ability to help improve your web application security.
Monitoring user activity is often one of the first steps in
determining when an attack might be underway. Even though only a very small
percentage of users are malicious, logging can help to identify those users and
block them from taking any further action.
Logging user actions can also help to identify ways in which
your web application might be vulnerable, and to identify potential misuse.
If you are able to identify, track, record and alert administrators of
suspicious activity, it is often possible to make changes to your application
before an attack occurs, or to halt a malicious user before the activity becomes a major
security issue.
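The kind of monitoring described above, as an added example that is not part of the original post: a Python check that parses Apache combined-format access log lines and flags any client producing more than five 4xx responses within one minute, returning the paths it requested so an administrator can review them. The log lines, client addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def flag_clients(lines, max_errors=5, window=timedelta(minutes=1)):
    """Map client IP -> requested paths for clients with more than max_errors 4xx hits in any window."""
    errors = defaultdict(list)                 # ip -> (timestamp, path) of each 4xx response
    for line in lines:
        rec = parse_line(line)
        if rec and 400 <= rec["status"] < 500:
            errors[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in errors.items():
        events.sort()
        start = 0                              # sliding window over the sorted events
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > max_errors:
                flagged[ip] = [path for _, path in events]
                break
    return flagged

# Constructed sample: one ordinary visitor and one client guessing at admin and backup paths
SAMPLE_LOG = [
    '198.51.100.2 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-admin/ HTTP/1.1" 403 209 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /config/ HTTP/1.1" 404 209 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "curl/7.88"',
    '198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 3088 "-" "Mozilla/5.0"',
]
```

`flag_clients(SAMPLE_LOG)` reports only 203.0.113.7 with its six requested paths; the ordinary visitor never appears because its requests all succeeded.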

Manage Web Application Security Holistically

Managing web application security is a complicated process.
There are many moving parts that need to be managed concurrently.
Unfortunately, the vast number of systems that require attention for even a
basic web application, often result in one aspect of security being overlooked.

When assessing overall security posture, we often default to
the technical aspects of security — scanning for and patching web application vulnerabilities.
However, equally important is the ability to manage the most obvious elements
that are often the source of our problems. This includes things such as web
server security, limiting user privileges, properly maintaining software and
being aware of how users are interacting with your application. Your web
application security posture is only as strong as the weakest link.
Ehacking Staff