Best practices for developing secure applications

With the rise in the use of applications across all kinds of electronic media, often handling sensitive information, securing applications has become a must.

Let's talk about the various measures and practices involved in developing secure applications.

 

  • Input validations: Design applications with validation on both the client side and the server side. On the client side, meaning the browser, we can stop the user immediately if they enter bad data or try to manipulate it. Allow only specific data types, in specific formats, and nothing else.

 

  • Encrypt data: Encrypt any data that is sent across the wire, using strong asymmetric crypto algorithms. All PCI and PI data should be encrypted, even when it is stored in the session.

 

  • Use an authorization engine: Attribute-based access control systems are gaining popularity, and Axiomatics is one of the leading providers; other open-source authorization engines are also available. Access to any API or resource should be decided by the authorization engine rather than by ad-hoc checks in each handler.
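To make the bullet concrete, here is an added illustration of how an attribute-based access control decision point works. It is not code from Axiomatics or any other product; the policies, attribute names (id, roles, mfa, network, amount) and the e-commerce scenario are constructed for the example. Every API handler asks the same is_allowed() function, so access rules live in one place.

```python
"""Minimal attribute-based access control (ABAC) decision point.

Added illustration only; it is not code from Axiomatics or any other product.
Policies are plain predicates over subject, resource, action and environment
attributes, combined with a deny-overrides rule and a default of deny.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

Attrs = Dict[str, Any]
Condition = Callable[[Attrs, Attrs, str, Attrs], bool]


@dataclass
class Policy:
    name: str
    effect: str          # "permit" or "deny"
    condition: Condition


class PolicyDecisionPoint:
    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def decide(self, subject: Attrs, resource: Attrs, action: str, env: Attrs) -> str:
        """Deny-overrides: any applicable deny wins, otherwise an applicable
        permit is needed; with no applicable policy the answer is deny."""
        decision = "deny"
        for policy in self.policies:
            if policy.condition(subject, resource, action, env):
                if policy.effect == "deny":
                    return "deny"
                decision = "permit"
        return decision


# Constructed sample policies for an e-commerce API (hypothetical attribute names).
PDP = PolicyDecisionPoint([
    Policy("customer-reads-own-order", "permit",
           lambda s, r, a, e: a == "read" and r["type"] == "order"
           and r["owner"] == s["id"]),
    Policy("support-reads-orders-from-corporate-network", "permit",
           lambda s, r, a, e: a == "read" and r["type"] == "order"
           and "support" in s["roles"] and e.get("network") == "corporate"),
    Policy("finance-may-refund", "permit",
           lambda s, r, a, e: a == "refund" and r["type"] == "order"
           and "finance" in s["roles"]),
    Policy("large-refunds-require-mfa", "deny",
           lambda s, r, a, e: a == "refund" and r.get("amount", 0) > 1000
           and not s.get("mfa", False)),
])


def is_allowed(subject: Attrs, resource: Attrs, action: str,
               env: Optional[Attrs] = None) -> bool:
    """Single enforcement call used by every API handler."""
    return PDP.decide(subject, resource, action, env or {}) == "permit"


if __name__ == "__main__":
    alice = {"id": "alice", "roles": ["customer"], "mfa": False}
    order = {"type": "order", "owner": "alice", "amount": 250}
    print(is_allowed(alice, order, "read"))    # her own order: allowed
    print(is_allowed(alice, order, "refund"))  # no finance role: denied
```

The deny-overrides combination and the default deny are the two properties to check in any engine you adopt: a request that no policy mentions must fail closed.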

 

  • API gateways: Always put your web services and APIs behind a reverse proxy. Popular commercial ones are Apigee and the Layer 7 gateway; open-source gateways such as Kong and Gravity can also be used. These gateways help reduce the impact of DDoS attacks and give you control over consumers.

 

  • Be strict about certain patterns: guest or temporary accounts, open ports and the access controls on them, keeping libraries up to date, and using the right security protocols.

  • Use HTTPS: All content, whether static or dynamic, should be transferred over HTTPS. One can buy a certificate from authorities like Verisign or Comodo and use it for the SSL connection. If you are opening up APIs, prefer mutually authenticated SSL (mutual TLS, where the client also presents a certificate) over a plain SSL connection.

 

  • Auditing: Make sure there is enough auditing in place for the application. An audit trail is separate from access or application logs and records the details of major transactions, such as making a payment or cancelling one.
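As an added example (not from the original post), the following audit trail records the kind of payment events described above and makes them tamper-evident: each record carries the MAC of the previous one plus its own HMAC-SHA256, so editing, deleting or reordering a record breaks the chain. The key, the user and order identifiers and the timestamps are constructed placeholders.

```python
"""Tamper-evident audit trail for major transactions.

Added example, not from the original post. The key is a placeholder; in
production it comes from a secrets manager, and the records are written to
append-only storage kept separate from application logs.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

GENESIS = "0" * 64                       # "previous MAC" of the first record


def _canonical(record: Dict) -> bytes:
    """Deterministic serialisation so verify() hashes exactly the bytes record() signed."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key
        self.records: List[Dict] = []
        self._prev = GENESIS

    def record(self, actor: str, action: str, target: str, outcome: str,
               ts: Optional[float] = None, **details) -> Dict:
        entry = {
            "ts": time.time() if ts is None else ts,
            "actor": actor,            # who: authenticated user id
            "action": action,          # what: e.g. payment.create, payment.cancel
            "target": target,          # on which object
            "outcome": outcome,        # success / failure
            "details": details,        # amount, currency, reason (never card data)
            "prev": self._prev,        # link to the previous record
        }
        entry["mac"] = hmac.new(self._key, _canonical(entry), hashlib.sha256).hexdigest()
        self._prev = entry["mac"]
        self.records.append(entry)
        return entry

    def verify(self, records: Optional[List[Dict]] = None) -> bool:
        """Re-derive every MAC and check the chain links; False on any tampering."""
        prev = GENESIS
        for entry in (self.records if records is None else records):
            if entry.get("prev") != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "mac"}
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry.get("mac", "")):
                return False
            prev = entry["mac"]
        return True


def demo_trail() -> AuditTrail:
    """Constructed sample: a payment made and then cancelled (placeholder key and ids)."""
    trail = AuditTrail(key=b"replace-with-key-from-secrets-manager")
    trail.record("user:1042", "payment.create", "order:7781", "success",
                 ts=1_700_000_000, amount="49.90", currency="EUR")
    trail.record("user:1042", "payment.cancel", "order:7781", "success",
                 ts=1_700_000_120, reason="customer request")
    return trail


if __name__ == "__main__":
    trail = demo_trail()
    print(json.dumps(trail.records, indent=1))
    print("chain intact:", trail.verify())
```

One limitation worth knowing: chopping records off the end of the chain is not detectable from the chain alone, so periodically anchor the latest MAC somewhere the application cannot write to (a separate log store or a signed daily checkpoint).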

 

  • Fewest privileges: Always run the application with the fewest privileges it needs. Do not give root access to any application, and limit its read and write access.

 

  • Avoid cookies: Do not use cookies to store any sensitive or PI data.

 

  • Handle SQL injection: Make sure the web application defends against SQL injection, where attackers put SQL statements or special characters into inputs in order to expose your database. We can prevent this by validating all user inputs and then converting all plain SQL statements into prepared statements.
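The following added example (not from the original post) serves both the input-validation bullet earlier and this one. It models a hypothetical user-lookup endpoint: allow-list validators accept only the exact type and format expected, and the query binds the e-mail as a parameter instead of pasting it into the SQL text. The vulnerable variant is kept only to show what the prepared statement changes; the table, rows and the sqlite in-memory database are constructed for the demo.

```python
"""Server-side input validation plus prepared statements (added example)."""
import re
import sqlite3
from typing import List, Optional, Tuple

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}")


def valid_email(value: object) -> bool:
    """Allow-list: must be a string, bounded in length, matching the expected shape."""
    return (isinstance(value, str) and len(value) <= 254
            and EMAIL_RE.fullmatch(value) is not None)


def valid_page_size(value: object) -> Optional[int]:
    """Digits only, 1..100; returns the integer or None when rejected."""
    if isinstance(value, str) and re.fullmatch(r"[1-9][0-9]{0,2}", value) and int(value) <= 100:
        return int(value)
    return None


def setup_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, role TEXT NOT NULL)")
    con.executemany("INSERT INTO users (email, role) VALUES (?, ?)",
                    [("alice@example.com", "admin"), ("bob@example.com", "user")])
    return con


def find_user_vulnerable(con: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    # Before: string building lets the input change the meaning of the query.
    sql = f"SELECT email, role FROM users WHERE email = '{email}'"
    return con.execute(sql).fetchall()


def find_user_safe(con: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    # After: prepared statement; the value is bound, never parsed as SQL.
    return con.execute("SELECT email, role FROM users WHERE email = ?", (email,)).fetchall()


def lookup(con: sqlite3.Connection, email: object) -> List[Tuple[str, str]]:
    """Endpoint logic: validate first, then query with a bound parameter."""
    if not valid_email(email):
        raise ValueError("invalid email")
    return find_user_safe(con, email)


if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"   # classic test string, rejected by valid_email()
    print(find_user_vulnerable(db, probe))   # every row comes back
    print(find_user_safe(db, probe))         # no row matches that literal string
    print(lookup(db, "bob@example.com"))
```

Validation and prepared statements are complementary: the validator rejects input that should never reach the database, and the bound parameter means that whatever does get through can only ever be a value, not SQL.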

 

  • Cross-site scripting (XSS): A security flaw that affects dynamically generated content; its types include non-persistent (reflected) XSS, persistent (stored) XSS and DOM-based XSS. The application can address these risks with the X-XSS-Protection security header, and libraries such as HTML Purifier and xssprotect can help prevent these attacks.
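An added example (not from the original post) of the core defence, output encoding, for a hypothetical comment feature: the vulnerable renderer pastes user text straight into HTML, the safe one escapes for the HTML text and attribute contexts and allow-lists link schemes. The X-XSS-Protection header the bullet mentions is included so the response is complete, but it is a legacy header that current browsers ignore, so the encoding is what actually protects visitors.

```python
"""Output encoding against cross-site scripting (added example)."""
import html
from typing import Dict


def render_comment_vulnerable(author: str, body: str) -> str:
    # Before: raw interpolation; markup in body is executed in every visitor's browser.
    return f"<div class=\"comment\"><b>{author}</b>: {body}</div>"


def render_comment_safe(author: str, body: str) -> str:
    # After: HTML text context; & < > " ' become entities and render as text.
    return (f"<div class=\"comment\"><b>{html.escape(author)}</b>: "
            f"{html.escape(body)}</div>")


def render_link_safe(url: str, text: str) -> str:
    # Attribute context: escape quotes, and allow only http(s) so other URL schemes are dropped.
    if not url.strip().lower().startswith(("http://", "https://")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


def security_headers() -> Dict[str, str]:
    """Header from the post; harmless to send, but do not rely on it."""
    return {"X-XSS-Protection": "1; mode=block"}


if __name__ == "__main__":
    sample = "<b>hi</b> & bye"          # constructed comment text
    print(render_comment_vulnerable("eve", sample))
    print(render_comment_safe("eve", sample))
    print(render_link_safe("https://example.com/?a=1&b=2", "shop"))
```

Escaping has to match the context the value lands in (text, attribute, URL, JavaScript); a template engine with auto-escaping on by default does the text and attribute cases for you, and the scheme allow-list covers the URL case shown here.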

 

  • Prevent access to static resources: One can protect scripts and CSS files from tampering by using the subresource integrity pattern. Here a hash value is sent in the link and script tags, and the browser uses the resource only if the fetched file matches that hash.
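An added example (not from the original post) of the subresource integrity mechanism: it computes the integrity value for a constructed script, emits the tag to embed at build time, and reproduces the check the browser performs on fetch. The script content and the CDN URL are made up.

```python
"""Subresource integrity (SRI) for scripts and stylesheets (added example)."""
import base64
import hashlib
import hmac

ALLOWED = ("sha256", "sha384", "sha512")      # the digests SRI accepts


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """<algo>-<base64 digest>, the format of the integrity attribute."""
    if algo not in ALLOWED:
        raise ValueError("unsupported SRI digest")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Tag to embed at build time; crossorigin is required for cross-origin SRI checks."""
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            f'crossorigin="anonymous"></script>')


def integrity_matches(content: bytes, integrity: str) -> bool:
    """What the browser does after fetching: recompute and compare, otherwise refuse the file."""
    algo, _, _ = integrity.partition("-")
    if algo not in ALLOWED:
        return False
    return hmac.compare_digest(sri_integrity(content, algo), integrity)


# Constructed sample asset.
SCRIPT = b"window.checkout = function () { return 'ok'; };\n"
INTEGRITY = sri_integrity(SCRIPT)

if __name__ == "__main__":
    print(script_tag("https://cdn.example.com/checkout.js", SCRIPT))
    print(integrity_matches(SCRIPT, INTEGRITY))                        # unchanged file: accepted
    print(integrity_matches(SCRIPT + b"// injected\n", INTEGRITY))     # altered file: refused
```

The value guards against a file being altered on a CDN or in transit; it does not hide the file from anyone, and it must be regenerated whenever the asset is legitimately rebuilt, so compute it in the build step rather than by hand.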

  • Strong passwords: Have a strict policy, in both the application and the server, that requires strong passwords.
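An added example (not from the original post) of the two halves of a password policy in the application: checking a new password against policy rules, and storing it so that a leaked database does not give up the passwords. The rules and the small blocklist are constructed; the hashing uses PBKDF2-HMAC-SHA256 from the Python standard library with a random per-user salt, stored in a self-describing string so the iteration count can be raised later without breaking old records.

```python
"""Password policy check and password storage (added example)."""
import hashlib
import hmac
import os
from typing import List

MIN_LENGTH = 12
MAX_LENGTH = 128
ITERATIONS = 600_000
BLOCKLIST = {"password", "password123", "qwerty123456", "letmein12345"}  # constructed sample


def policy_errors(password: str, username: str = "") -> List[str]:
    """Empty list means the password is acceptable under this policy."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        errors.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in BLOCKLIST:
        errors.append("appears in the blocklist of common passwords")
    if username and username.lower() in password.lower():
        errors.append("contains the username")
    return errors


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Random 16-byte salt; output is 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; constant-time compare."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:          # malformed record
        return False


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was hashed with fewer iterations than current policy demands."""
    parts = stored.split("$")
    return (len(parts) != 4 or parts[0] != "pbkdf2_sha256"
            or not parts[1].isdigit() or int(parts[1]) < iterations)


if __name__ == "__main__":
    print(policy_errors("Password123", "alice"))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Call needs_rehash() after a successful login and re-store the password with the current iteration count; that is how a deployment raises its work factor over time without forcing resets.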

 

  • Security awareness: Train your team on the latest security threats and the latest design patterns for minimizing risk.

 

  • Professional consultation: Once the application is ready, ask a security professional to attack your website and look for loopholes, so that you can fix them accordingly.

 

  • Backup and restore: Always carry out regular backup and restore activities.

 

  • Scan your application with the available security tools. One can use SourceClear and Coverity to find vulnerabilities and fix them accordingly.

 

  • 2FA: If possible, implement two-factor authentication.

 

  • Hosting: Always use a secured hosting platform and avoid shared hosting. If required, AWS, Azure or DigitalOcean can be used for hosting applications.

 

  • Hire professional developers: One can hire a professional development team, experienced in security practices, to build a secure application. Deventor.com is one of the popular professional teams out there, with good expertise in e-commerce and custom application development.

 

 

Frequently Asked Questions:

Do I need to secure my WordPress blog?

WordPress is the most commonly used content management system, so WordPress sites have a high chance of being attacked. Make sure WordPress has the necessary security plugins and that all plugins are up to date. Use the Akismet plugin and captchas. Comments are mostly spam, so either use a strict captcha or replace the comments with another commenting platform like Disqus.


 

How secure is shared hosting as compared to private hosting?

If you are a technical person or have a technical team, private hosting is preferred over shared hosting. Shared hosting comes with standard security policies already in place. Private hosting or a VPS requires you to set up all the firewalls and security policies yourself, and if you are not good at that, then use private hosting.

 

Which coding language is more secure?

It all depends on your implementation. Since PHP is used by most systems, it tends to attract more risks and threats. Try using strict languages like Java.

 

 

 
