Nowadays, many users rely on digital products and websites to shop, socialise and book appointments. It is, however, not easy to tell which of them are reliable and secure. Developers and innovators therefore must build systems that follow the latest security standards. So, how do you achieve this?
In this blog post, I will share a few points that I have learned from my experience working on banking projects. Most of these points are also covered by the Open Web Application Security Project (OWASP).
Application Security Points:
- Input Validation: A standard application always receives input data from a user request. Do not blindly assume that you will receive accurate data in the desired format. If you expect a numeric field, enforce a strict numeric check. In every request, data should be validated on the client side and again on the server side.
Example: GET https://www.example.com/app/users?id=1
Here, “id” is the request parameter and its value is 1. It must be validated on the server side, because an intruder can intercept such requests and modify them to extract useful information from the server.
Advantage: This single check-point covers most of the security aspects.
- Input Field Restrictions: Only a predefined set of characters should be allowed in input forms, and the same restriction should be enforced on the server end.
Example: a character limit on the input box, special-character handling, script tags not allowed, etc.
- SQL Injection Prevention: The application should not build SQL queries dynamically from user input. In Java, use a PreparedStatement instead of a Statement object.
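Example (added for this post, not code from the original): the `?id=1` request from the Input Validation point handled both ways. The first lookup splices the raw parameter into the SQL text; the second whitelists it as a positive integer and binds it as a query parameter, which is what a PreparedStatement does in Java. The table contents are constructed sample data.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's users table (not from the post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

# Whitelist for the ?id= parameter: a positive integer of at most 10 digits, nothing else.
ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")

def validate_id(raw):
    """Server-side validation: accept only a plain positive integer and return it as int."""
    if raw is None or not ID_PATTERN.fullmatch(raw):
        raise ValueError("invalid id parameter")
    return int(raw)

def lookup_user_unsafe(conn, raw_id):
    """Dynamic query construction: the raw request parameter becomes part of the SQL text."""
    return conn.execute(f"SELECT id, name FROM users WHERE id = {raw_id}").fetchall()

def lookup_user_safe(conn, raw_id):
    """Validate first, then bind the value as a parameter (the PreparedStatement equivalent)."""
    user_id = validate_id(raw_id)
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()

def handle_request(conn, raw_id):
    """Handler for GET /app/users?id=...: 400 on rejected input, 200 with the rows otherwise."""
    try:
        return 200, lookup_user_safe(conn, raw_id)
    except ValueError:
        return 400, []

if __name__ == "__main__":
    db = make_db()
    print(lookup_user_unsafe(db, "1 OR 1=1"))   # tampered id: every row comes back
    print(handle_request(db, "1 OR 1=1"))       # (400, [])
    print(handle_request(db, "1"))              # (200, [(1, 'alice')])
```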
- Cross-site scripting (XSS): If the application receives malicious data and then displays it on a web page, an XSS attack becomes possible. To prevent this, render the page so that such data is treated as text and client-side script in it cannot run.
Example: XSS prevention in a JSP/servlet web application
- CSRF prevention: Even when the user is authenticated and authorized to post or update data, each request must be validated against the token generated and sent with the form page.
Example: Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- Proper Authentication and Authorization implementation: A system designer should define accurate authentication and authorization logic. Password handling should use strong encryption algorithms, and no page should be left open without an authorization check.
- The id field in the request should be encrypted and encoded. It is difficult for anyone to guess an id if it is encrypted with a strong encryption algorithm and then encoded before being placed in the web URL.
Server security points:
Server systems must be checked against sound security policies.
- The server should not expose any port other than the required HTTP or HTTPS ports.
- A web/application server should be hardened. Please refer to the server hardening points for Tomcat (Securing Tomcat).
Furthermore, there are many more points to take care of while building a secure web application; the most common and important ones are covered in this post.
If you feel there are points that need to be added or rectified, please let me know in the comment section below.