Web Application Security Explained: Risks & Nine Best Practices

As convenience and remote access have become vital to employees and consumers across the globe, web applications have seen a similar increase in demand. Web apps deliver the same functionality as desktop or native applications, but with the convenience of browser accessibility. They are also easier to deliver across platforms, increasing an organization’s ability to build a larger user base. Unfortunately, web apps also introduce gateways for attackers to breach databases and client systems.

Because of the innate security risk that comes with browser-based apps —  as well as advances in build and deploy methods — developers now carry greater responsibility for securing the code of the new web applications they release. Many developers have previously operated on a “security by obscurity” basis: They believed that hackers wouldn’t dig deep enough to exploit vulnerabilities in code. This has proven to be a mistake. It’s now essential that developers shift their thinking and take responsibility for securing applications before they release them, leveraging application security solutions to help them find and fix vulnerabilities.

The top web application security risks

The Open Web Application Security Project (OWASP) is an industry non-profit that is dedicated to promoting security across the web. Every few years, they create an updated list of the Top 10 Web Application Vulnerabilities.

In 2021, this list included:

1. Broken Access Control - Present in nearly one in 25 applications OWASP tested.

2. Cryptographic Failures- A root cause of sensitive data exposure.

3. Injection- Attackers inject malicious code into SQL queries or commands.

4. Insecure Design - Consists of poor or absent control design, such as generating error messages that contain sensitive data.

5. Security Misconfiguration - An increasing risk with the shift towards highly configurable software.

6. Vulnerable and Outdated Components - Require sophisticated tools and processes that are capable of scanning components in development and live environments.

7. Identification and Authentication Failures - Slid from the second position in the 2017 Top 10 list but remain a common vector for attacks.

8. Software and Data Integrity Failures - A new category on the 2021 list that relates to code or infrastructure that is introduced without checking it for integrity.

9. Security Logging and Monitoring Failures - These are difficult to test for but are key for detecting breaches.

10. Server-Side Request Forgery - A low-frequency but high-severity type of flaw where attackers hijack URL requests in a way that bypasses network access controls.

For an in-depth analysis of these vulnerabilities, and how to remediate them, check out our analysis of the OWASP Top 10

Nine best practices for securing your web app

1. Shift security left in the SDLC

2. Injection & input validation

3. User authentication management

4. Data encryption

5. Find and fix misconfigurations

6. Logging & auditing

7. Web application firewalls (WAF)

8. Security testing within CI/CD

9. Authorization

1. Shift security left in the SDLC

Shift left security replaces legacy security processes and tools designed for the waterfall release methodology by moving security as early as possible in the software development lifecycle (SDLC). The following methods will facilitate this shift:

• Using threat modelling

• Incorporating security considerations into code design and architecture

• Testing code while it is being written instead of waiting until applications are live in the production environment

2. Injection & input validation

Injection is a family of attack methods where malicious code is inserted into browsers or other entry forms. Two examples of injection are SQL injection and cross-site scripting, which use malicious SQL code and malicious scripts in website frontends, respectively. To protect against injection attacks, input validation methods should be used to ensure only properly formatted data can be inputted, thus blocking any malicious code from entering a system.

3. User authentication management

With “Identification and Authentication Failures” in the seventh position on the 2021 OWASP Top 10 list, user authentication is an important aspect of web-based security. User authentication management helps strengthen usernames and passwords and gives security admins many options to ensure only approved parties are accessing their apps. One such method is multi-factor authentication, which requires users to prove who they are by using at least two types of authentication.

4. Data encryption

Failures related to cryptography (or lack of it) can lead to breaches of sensitive information, making cryptography number two on the OWASP Top 10. Encrypting data, both at rest and in transit, is a key protection in the event of a breach. Encryption algorithms themselves typically come in open source packages and are already written by cryptography experts. In practice, encryption means enforcing controls and standards around encryption, such as encrypting all internal and external traffic, using updated encryption algorithms, and enforcing encryption.

5. Find and fix misconfigurations

Misconfigurations — like failing to implement the principle of least privilege access — make it easier for third parties to access sensitive data. Most misconfigurations are introduced by manual error, so using infrastructure as code (IaC) and automation can help prevent them. Additionally, scanning tools like Snyk IaC can detect and remediate misconfigurations before they reach production environments.

6. Logging & auditing

This addresses number nine on the OWASP Top 10 list: Security Logging and Monitoring Failures. There is little direct data to show how logs and audits can prevent breaches, but detecting and addressing breaches is still nonnegotiable. This category includes logging events like logins and noteworthy transactions, monitoring logs for unusual activity, and creating automatic alerts or automated remediation steps in case unusual behavior is detected.

7. Web application firewalls

A web application firewall (WAF) sits between clients and web servers and serves as a proxy for traffic between them. By setting up rules in a WAF, you can protect a web application or set of web applications against common attacks like injection.

8. Security testing within your CI/CD

Waiting to run security tests until the end of CI/CD pipelines, or worse, when web applications are running in a live environment, results in costly and time-consuming remediation. You’ll save your team time, money, and frustration by integrating security testing into your CI/CD. Automation tools make this possible with minimal disruption to developer workflows.

9. Authorization

Executing authorization processes prevents privilege escalation, an attack where a user gains access to an application then changes their privileges or role to expand access. Privilege escalation can be uncovered through penetration testing, mitigated by running applications with least privilege access, and prevented by properly configuring authentication keys.

Tools for Web Application Security Testing

Let’s briefly discuss the tools available to help developers with web application security assessment and remediation.

SAST

Static application security testing (SAST) tools such as Snyk Code scan code against predetermined best practices to identify problematic code patterns. SAST depends on the specific programming language you're using.

DAST

Dynamic application security testing (DAST) scans applications at runtime and is language-independent.

For more information about the differences between SAST and DAST, read our blog post.

SCA

Software composition analysis (SCA) tools, such as Snyk Open Source, scan third-party code dependencies in web applications. Since modern application development is characterized by heavy use of open-source libraries, SCA is an effective tool in a security team’s arsenal.

Pen-testing

Penetration testing, a function of the ethical hacker, seeks to uncover and address any attack vectors that can be used to breach a web application. Regular pen testing is a requirement for some regulations, including PCI DSS and is strongly recommended for all web apps.

RASP

Runtime application self-protection (RASP) is a technology that is built into applications and monitors their behavior against what the application should or shouldn’t be doing. It works as a complement to perimeter technologies like WAFs, but it can fail to detect certain authentication or authorization-based attack methods. RASP should be used along with other tools like SAST and SCA to be fully effective.

How Snyk can help you build secure web applications

Snyk’s developer security platform brings together its Snyk Open Source, Snyk Code, Snyk Container, and Snyk IaC tools in a single platform. Web application developers can use Snyk within their existing workflows to scan code and open source components for vulnerabilities or misconfigurations. Our comprehensive vulnerability intelligence database is curated by Snyk’s security experts and is the most comprehensive on the market.

To learn more about web appsec, check out these articles:

Application Security Explained - Tools & Trends for 2023

Application Security Testing - Top questions answered | Snyk

Application Security Assessment: 5 Key Steps | Snyk

Frequently asked questions on web application security