Designing Secure Apps: How to do it Right
Application security has always been an integral component of app design. Up until recently, developers were only focused on securing apps against external malefactors. For example, employees using an app were not considered a major security threat.
But with so many cloud-based apps in use today, employees, clients and partners are accessing them both from work and from home. This comes with a myriad of security risks and a potential branding disaster. And we cannot rely on users to implement proper security measures on their own.
Therefore, application security has to begin in the early stages of the app design process. Security experts, web designers and developers have to think about all the possible ways in which the security of an app could be jeopardized. Let’s take a look at some of the best practices for designing secure apps.
Consult OWASP Top Ten
The OWASP Top Ten lists the most critical web application security risks, identified by leading security experts from around the world. The risks concern the integrity, confidentiality and availability of a web application, of its users and of the developers who build it. Examples include security misconfiguration, sensitive data exposure, flaws in authentication and session management, injection attacks, etc.
Being aware of such risks and developing the application securely gives us a much better chance of avoiding security breaches. The OWASP Top Ten therefore helps developers stay current with the most common security threats. However, even with continuous education and efforts to raise security awareness, many companies still suffer a breach. The importance of being aware of risk cannot be stressed enough.
Run a Security Audit
Consulting the OWASP Top Ten, adopting a security mindset and performing continuous self-testing may help you avoid the vulnerabilities on the list. But even if your developers are heavily focused on security, they still have preconceived filters and biases: developers who work on the code every day see it subjectively. Because they live and breathe the code they are working on, they cannot critique it objectively. This is why it is important to get another set of eyes on the code, someone who is not biased toward anyone or anything within the organization.
If you want to establish application security, it would be wise to comply with an information security standard such as ISO 27001. You can even get ISO 27001 documentation online and learn how to run an internal audit with the help of free online courses. It is highly advisable to run a security audit of your application to get an idea of how to secure it properly. Always take a security-first approach and you will be able to design secure apps much more efficiently.
Implement Proper Application Logging
After a proper security audit, you have refactored your code and established a security baseline for your app. Now let’s take a look at the bigger picture, starting with one of the external security factors: logging. When a bug appears (and it usually does), it is important to solve the problem as quickly as possible. That means reacting before it is too late, which requires proper logging to be in place beforehand. Logging gives you information on what happened, the actions that led to the issue and anything else that was happening at the time.
You have to ensure your application is properly instrumented. There are numerous services and tools out there to help you, depending on the languages you used to write the app. You also need to store the data in a way that lets it be parsed easily and efficiently when needed. You can use the Linux syslog, an open source solution such as the ELK stack, or a SaaS service such as Loggly, Splunk or Papertrail. The most important thing here is that the data is actually stored and can be parsed quickly when need be.
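The point about instrumentation and parseable storage, as an added example that is not part of the original post: a JSON-lines formatter for Python’s standard logging module, plus the parsing side that reconstructs the timeline of one request and flags repeated failed logins. All field names, user names and addresses are constructed for the example.

```python
import json
import logging
from collections import Counter
# Added example (not the post's own code): emit security events as JSON lines
# and parse them back to reconstruct what led up to an error.
class JsonLineFormatter(logging.Formatter):
    FIELDS = ("request_id", "user", "action", "result", "client_ip")

    def format(self, record):
        # One JSON object per line so syslog/ELK/SaaS collectors can index it.
        event = {"ts": self.formatTime(record, "%Y-%m-%dT%H:%M:%S"),
                 "level": record.levelname, "msg": record.getMessage()}
        for key in self.FIELDS:  # structured fields passed via extra=
            if hasattr(record, key):
                event[key] = getattr(record, key)
        return json.dumps(event, sort_keys=True)

def format_event(msg, **fields):
    """One JSON log line as the app would write it (fields become keys)."""
    record = logging.LogRecord("app.security", logging.INFO, "", 0, msg, None, None)
    for key, value in fields.items():
        setattr(record, key, value)
    return JsonLineFormatter().format(record)

def parse_events(text):
    """Parse JSON lines; skip (but count) lines that are not valid JSON."""
    events, bad = [], 0
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad

def timeline(events, request_id):
    """Every event recorded under one request id, in time order."""
    return sorted((e for e in events if e.get("request_id") == request_id),
                  key=lambda e: e["ts"])

def failed_logins_by_ip(events, threshold=2):
    """Client IPs with at least `threshold` failed logins: a detection signal."""
    hits = Counter(e["client_ip"] for e in events
                   if e.get("action") == "login" and e.get("result") == "fail")
    return {ip: n for ip, n in hits.items() if n >= threshold}
# Constructed sample log (hypothetical values) in the formatter's output shape.
SAMPLE_LOG = "\n".join([
    '{"ts": "2024-01-10T09:00:01", "level": "INFO", "request_id": "r1", "user": "alice", "action": "login", "result": "ok", "client_ip": "10.0.0.5"}',
    '{"ts": "2024-01-10T09:00:02", "level": "INFO", "request_id": "r2", "user": "bob", "action": "login", "result": "fail", "client_ip": "10.0.0.9"}',
    '{"ts": "2024-01-10T09:00:03", "level": "INFO", "request_id": "r3", "user": "bob", "action": "login", "result": "fail", "client_ip": "10.0.0.9"}',
    '{"ts": "2024-01-10T09:00:04", "level": "ERROR", "request_id": "r1", "user": "alice", "action": "export", "result": "exception", "client_ip": "10.0.0.5"}',
    "garbled line from a crashed worker",
])
```

Attach `JsonLineFormatter` to a `logging.StreamHandler` in a real app and pass the structured fields through `logger.info(msg, extra={...})`; the parser tolerates the occasional corrupt line rather than aborting the whole investigation.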
Use Continuous Security Monitoring and Protection
For any kind of application security, you will need traditional firewalls and web application firewalls (WAFs). But firewalls do not offer foolproof protection and can sometimes fail: they can generate large numbers of false positives and false negatives, and their maintenance can become too expensive. Still, WAFs do give you a certain level of protection for your app.
If you are going to use a firewall, it’s best to use it together with a Runtime Application Self-Protection (RASP) tool. You can also make use of application security management platforms that provide RASP as well as WAF modules suited to your specific needs. These tools give you continuous security monitoring and protection, which lets you protect your app from both external and internal threats.
After you have instrumented and firewalled your app, it’s time for encryption. And this does not end with just HTTPS and HSTS; you should actually encrypt everything. Services such as Let’s Encrypt make HTTPS extremely accessible, and Google even rewards sites that use HTTPS correctly. Unfortunately, HTTPS alone will not be enough.
While HTTPS efficiently stops a man-in-the-middle attack, we should look at the bigger picture. This is why it’s important to encrypt data at rest, not just data in transit. For example, if someone gets access to your servers and clones or destroys the drives, your other security efforts will go to waste.
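The HSTS part of the transport story, as an added example that is not from the original post: a small checker that parses a Strict-Transport-Security header (RFC 6797 directive syntax) and reports the weaknesses a reviewer would look for. The one-year minimum and the sample headers are assumptions made for the example.

```python
import re
# Added example (not the post's own code): check that an app's HTTPS responses
# carry a Strict-Transport-Security (HSTS) header strong enough to matter.
ONE_YEAR = 365 * 24 * 3600  # assumed minimum max-age for this check

def parse_hsts(value):
    """Parse an HSTS value into {directive: value}; None if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # max-age may be a quoted string
        if name in directives:               # RFC 6797: a repeated directive is invalid
            return None
        directives[name] = val
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None                          # max-age is required and numeric
    return directives

def check_hsts(headers, scheme="https", min_age=ONE_YEAR):
    """Return findings for a response's headers (empty list = policy is sound)."""
    findings = []
    if scheme != "https":
        findings.append("HSTS is only honoured on HTTPS responses; redirect HTTP to HTTPS first")
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return findings + ["missing Strict-Transport-Security header"]
    d = parse_hsts(value)
    if d is None:
        return findings + ["malformed Strict-Transport-Security header: " + value]
    age = int(d["max-age"])
    if age == 0:
        findings.append("max-age=0 disables HSTS")
    elif age < min_age:
        findings.append(f"max-age={age} is below the recommended {min_age} seconds")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set: subdomains are not covered by the policy")
    return findings

# Constructed sample responses (hypothetical): a weak setting beside a sound one.
WEAK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
SOUND = {"content-type": "text/html",
         "strict-transport-security": "max-age=31536000; includeSubDomains; preload"}
```

Run `check_hsts` against the headers your deployment actually returns (for example from a smoke test after each release) so a regression in the web server or CDN configuration is caught before browsers silently forget the policy.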
Keep Your Servers Updated
You might have hardened your OS, but have you updated it? Even if the OS itself is hardened, the packages installed on it may still contain vulnerabilities. You should set your servers to update automatically as new versions appear. You don’t need to update every package automatically, but you should update the ones that relate to the security of your app.
You can automate these processes or do it manually; it will usually depend on your organisation’s perspective on the matter. For automatic updates, you can use unattended-upgrades (Debian-based distributions), yum-cron (its “update_cmd = minimal-security-severity:Important” setting restricts it to security updates rated Important or higher) or the Automatic Updates feature in Windows. To use any of these, refer to the documentation for your OS or distribution.
Keep Your Software Updated
Keeping your OS updated is important, but you also need to update your app framework and third-party libraries. Frameworks can save you huge amounts of time and effort, even though some people are reluctant to use them.
Third-party libraries have vulnerabilities just like an operating system does, but if they are properly maintained they can be patched and improved rapidly. Therefore, you have to ensure you are using the latest version. PHP, Python, Ruby and Go all have package managers that help maintain external dependencies and can be automated as part of deployment. Using them is advisable, but make sure the dependencies they install are the latest versions.
Start Designing Secure Apps Today
Today, countless apps are being developed on a daily basis. They help us with everything – from managing our time and finances, to providing us with entertainment. But if the app we love using so much lacks security, we might lose much more than what we paid for. Our corporate and personal data is at stake.
Therefore, application security should be a top concern for designers and developers. Consulting the OWASP Top Ten, running security audits, implementing proper logging, continuous security monitoring, encryption, and keeping software and servers up to date are some of the crucial things to look at when designing an app. These will help you stay safe from malicious actors.
Guest Poster – Nebojsa Ciric
Neb is a writer and partnerships manager with Advisera – one of the market leaders in helping businesses implement ISO, ITIL, IATF, AS and OHSAS standards. Neb has several years of experience in creating content for the web. Currently, he is on a mission of sharing knowledge on the topics of cyber security, quality management, compliance, etc. Advisera also offers an abundance of free learning courses and materials. If you are interested in learning more about corporate compliance and governance, feel free to visit their blog.