Neglecting to take proper security measures at the application layer is one of the most common causes of data breaches, yet many companies still leave their applications unprotected. Securing your applications begins with training developers on the risks applications face and the methods required to prevent vulnerabilities. The cost of a data breach averages $5.5 million, or $194 per customer record, while companies that take security seriously by employing a Chief Information Security Officer reduce the cost per customer by up to 62%.
Common application security risks include injection, cross-site scripting (XSS), broken authentication and session management, insecure cryptographic storage, and unvalidated redirects and forwards. Following simple measures while building the application can help companies reduce the cost of a security breach by a large margin.
Here are some points that should be considered when checking application security:
- Does the application properly encode or escape data before exchanging it with external components such as a database, an LDAP server or a web browser?
- Does the application comply with the organisation’s existing standards?
- Does the application properly control access to the server’s file system?
- Does the application perform access control checks in a consistent manner across all potential execution paths?
- Does the application protect against Denial of Service (DoS) attacks?
Combating the two most common flaws:
XSS (Cross-Site Scripting): You may be vulnerable if input coming into your application is not validated, or if the output sent to the browser is not properly escaped. You can prevent it by ensuring that all data returned as part of HTML is HTML-encoded, and by encoding URLs to their respective encoded equivalents.
SQL Injection: You may be vulnerable if unvalidated user input is concatenated into an ad-hoc SQL query. You can prevent it by collecting the user-submitted input into a single object after applying basic validation and business rules, and by using parameterized statements to update your database. These statements should run as the lowest-privilege database user, to avoid any catastrophic mishap to your DB.
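The two encoding rules above, shown side by side in an added Python example (this is not code from the original article or from Veracode). The comment text and names are constructed sample input; the point is that the same string is rendered safely only when it is encoded for the context it lands in: HTML body text, an HTML attribute, or a URL query component.

```python
import html
from urllib.parse import quote

# Constructed sample input: a comment that happens to contain markup.
UNTRUSTED_COMMENT = 'Nice post! <script>alert("x")</script>'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: untrusted text is interpolated straight into HTML,
    so any '<' or '"' in it is parsed by the browser as markup."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Hardened pattern: HTML-encode the text so the browser treats it as data.
    html.escape turns < > & " ' into their entity equivalents."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def encode_for_attribute(value: str) -> str:
    """Attribute context: quotes must be encoded too, otherwise a value could
    close the attribute early. quote=True covers both ' and "."""
    return html.escape(value, quote=True)


def build_search_link(query: str) -> str:
    """URL context: percent-encode the value before placing it in a query
    component (safe="" also encodes '/'), then HTML-encode the finished URL
    because it sits inside an href attribute ('&' between parameters would
    otherwise be raw in the markup)."""
    url = "/search?q=" + quote(query, safe="")
    return f'<a href="{html.escape(url, quote=True)}">search</a>'


if __name__ == "__main__":
    print(render_comment_unsafe(UNTRUSTED_COMMENT))
    print(render_comment_safe(UNTRUSTED_COMMENT))
    print(encode_for_attribute('Ann "the Hammer" O\'Neil'))
    print(build_search_link("rock & roll"))
```

Running it prints the unsafe rendering with the `<script>` element intact, followed by the encoded version where the same characters appear as `&lt;script&gt;` and are displayed as literal text. A template engine with auto-escaping enabled applies the first rule for you, but the attribute and URL rules still have to be applied deliberately wherever user data is placed in those contexts.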
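An added Python example (not from the original article) that puts the three SQL-injection defences next to the vulnerable pattern: input validation, a parameterized statement, and a least-privilege database principal. It uses an in-memory SQLite database with constructed rows. SQLite has no user accounts, so the least-privilege user is stood in for by SQLite's authorizer hook, which is configured here to permit only reads; on a server database the equivalent is a dedicated account granted only the statements the application needs.

```python
import re
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed demo data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: user input concatenated into the query text.
    A value containing a quote changes the structure of the statement."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def validate_username(username: str) -> str:
    """Basic validation / business rule (assumed for this example):
    3-32 characters, letters, digits or underscore only."""
    if not re.fullmatch(r"[A-Za-z0-9_]{3,32}", username):
        raise ValueError("invalid username")
    return username


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: validate first, then bind the value as a parameter.
    The driver sends the value separately from the SQL text, so it can never
    be parsed as part of the statement."""
    username = validate_username(username)
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Stand-in for a least-privilege DB account: allow SELECT and column
    reads, deny every other action (INSERT, UPDATE, DELETE, DROP, ...)."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def restrict_to_reads(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Apply the read-only policy to an existing connection."""
    conn.set_authorizer(read_only_authorizer)
    return conn


def try_delete_all(conn: sqlite3.Connection) -> bool:
    """Return True if the DELETE ran, False if the database refused it."""
    try:
        conn.execute("DELETE FROM users")
        return True
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    db = make_demo_db()
    print(find_user_unsafe(db, "alice"))
    print(find_user_unsafe(db, "' OR '1'='1"))   # returns every row
    print(find_user_safe(db, "alice"))
    try:
        find_user_safe(db, "' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)
    print("delete allowed:", try_delete_all(restrict_to_reads(db)))
```

The unsafe lookup returns all three rows for a value that merely contains a quote, while the parameterized lookup either returns the matching user or rejects the input before a query is built. The read-only authorizer is the last line of defence: even if some other statement were injectable, the connection cannot modify or drop data.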
Security is a process and everything should be tested. Most security vulnerabilities will not be discovered during normal application use. Always test applications and all the components, both in isolation and in the production environment. Never assume security controls are effective until you validate them with thorough testing.
Infographic by Veracode Application Security