To maintain the best possible security posture and protect your sensitive data against cyberattacks, you cannot just rely on security products alone. Here is a list of seven key elements that we believe should be considered in your web app security strategy.

1. Include everyone in security practices

Some businesses still believe that security should only be the concern of a specialized team. In the current business environment, such an approach is not viable:

  • The increasing cybersecurity skill gap means that security teams are unable to catch up to business growth.
  • A dedicated security team becomes a bottleneck in the development processes.
  • If security is reactive, not proactive, there are more issues for the security team to handle.

The current best practice for building secure software is called SecDevOps. This approach, which goes further than DevSecOps, assumes that every person involved in web application development (and any other application development) is in some way responsible for security. Developers know how to write secure code. QA engineers know how to apply security policies to their tests. All the management and executives have security in mind when making key decisions.

An effective secure DevOps approach requires a lot of education. Everyone must be aware of the security threats and risks, understand potential application vulnerabilities and feel responsible for security. While this requires a lot of time and effort, the investment pays off with top-notch secure applications.

2. Adopt a cybersecurity framework

Cybersecurity is very complex and requires a well-organized approach. It’s easy to forget about certain aspects and just as easy to fall into chaos. That is why many organizations base their security strategy on a selected cybersecurity framework.

A cybersecurity framework is a strategic approach that begins with detailed research on security risks and includes activities such as developing a cyber incident response plan along with suitable application security checklists. The bigger the organization, the more such a strategic approach is needed.

Another advantage of adopting a cybersecurity framework is the realization that all cybersecurity is interconnected and web security cannot be treated as a separate problem.

3. Automate and integrate security tools

In the past, security teams performed application security testing manually using dedicated security solutions. For example, a security researcher would first use a simple vulnerability scanner and then manually perform additional penetration testing using open-source tools. However, in the current security landscape, such an approach is not optimal. Just like in the whole IT industry, the most efficient IT security processes are based on automation and integration.

Many security tools are now developed with such automation and integration in mind. For example, business-grade vulnerability scanners are intended to be integrated with other systems such as CI/CD platforms and issue trackers. There are several advantages to such an approach:

  • The less manual work, the less room for error. If security processes are automated and integrated, nobody can, for example, forget about scanning a web application before it is published.
  • If security is integrated into the software development lifecycle (SDLC), issues can be found and eliminated much earlier. This saves a lot of time and makes remediation much easier.
  • If security tools work together with other solutions used in software development, such as issue trackers, security issues can be treated the same as any other issue. Engineers and managers don’t lose time learning and using separate tools for security purposes.

4. Follow secure software development practices

There are two key aspects to secure software development:

  1. Practices that help you make fewer errors when writing application code
  2. Practices that help you detect and eliminate errors earlier

In the first case, software developers must be educated about potential security problems. They must understand SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and the other vulnerabilities and misconfigurations such as those listed in the OWASP Top 10. They must also know the security standards, secure coding techniques, algorithms, mechanisms, and tools required to build secure web applications. For example, they must know how to prevent SQL injections.
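As an added illustration of the SQL injection prevention this paragraph calls for (example code written for this page, not from the article or any Acunetix product): the same user lookup is built once by string formatting and once as a parameterized query, and both are run against a constructed in-memory SQLite table.

```python
import sqlite3

def make_db():
    # Constructed sample data: an in-memory table with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def find_user_vulnerable(conn, name):
    # Splicing the input into the statement lets the input change the SQL itself.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return sorted(row[0] for row in conn.execute(sql))

def find_user_safe(conn, name):
    # A parameterized query hands the value to the driver separately,
    # so it is only ever compared as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))

def demo():
    # The classic tautology input: the unsafe query returns every row,
    # the parameterized one finds no user literally named that way.
    conn = make_db()
    payload = "x' OR '1'='1"
    return {"vulnerable": find_user_vulnerable(conn, payload),
            "safe": find_user_safe(conn, payload)}
```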

In the second case, what helps most is scanning for security vulnerabilities as early as possible in the development lifecycle. If you integrate security tools into your DevOps pipelines, as soon as the developer commits new or updated functionality, they are informed about any vulnerabilities in it. Because this is done immediately, it also makes such vulnerabilities much easier to fix because the developer still remembers the code that they were working on. It also guarantees that the developer can correct their own code, and not waste time trying to understand code written by someone else a long time ago.
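As an added example of the pipeline integration described in sections 3 and 4 (written for this page, not taken from the article or any particular scanner; the report format, severity names and commit id are constructed assumptions): a CI gate step parses scanner output, turns every finding into a tracker ticket so it is handled like any other bug, and blocks the deploy on anything at or above a chosen severity.

```python
import json

# Severity ranking used by the gate; anything at or above FAIL_AT blocks the deploy.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
FAIL_AT = "high"

# Constructed scanner output for one pipeline run (assumed format, not a real product's).
SCAN_REPORT = json.dumps({
    "target": "https://staging.example.test",
    "commit": "PLACEHOLDER_COMMIT",
    "findings": [
        {"id": 1, "severity": "high", "type": "SQL Injection", "location": "/search?q="},
        {"id": 2, "severity": "low", "type": "Missing X-Content-Type-Options header", "location": "/"},
        {"id": 3, "severity": "medium", "type": "Reflected XSS", "location": "/profile?name="},
    ],
})

def evaluate_report(report_json, fail_at=FAIL_AT):
    """Return (blocking_ids, tickets).

    Every finding becomes a ticket payload for the issue tracker; only the ids
    at or above the threshold are returned as blocking."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_at]
    tickets, blocking = [], []
    for finding in report["findings"]:
        # Unknown severity strings are treated as informational rather than crashing the step.
        rank = SEVERITY_RANK.get(finding["severity"].lower(), 0)
        tickets.append({
            "title": f"[{finding['severity'].upper()}] {finding['type']} at {finding['location']}",
            "labels": ["security", f"commit:{report['commit']}"],
        })
        if rank >= threshold:
            blocking.append(finding["id"])
    return blocking, tickets

def gate(report_json, fail_at=FAIL_AT):
    """Exit status for the CI step: 0 lets the deploy continue, 1 blocks it."""
    blocking, _ = evaluate_report(report_json, fail_at)
    return 1 if blocking else 0

if __name__ == "__main__":
    raise SystemExit(gate(SCAN_REPORT))
```

Because the step exits non-zero whenever a blocking finding exists, a build cannot reach the publish stage without the scan having run and passed.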

5. Use diverse security measures

There are many aspects of web security, and no single tool can be regarded as the one measure that guarantees complete safety. The key tool for web application security is the vulnerability scanner. However, even the best vulnerability scanner cannot discover every vulnerability and security misconfiguration in your web applications and APIs/web services without human intervention; logical errors and bypasses of complex access control or authentication schemes are typical examples.

Vulnerability scanning must not be treated as a replacement for penetration testing. Also, to fully secure web servers, vulnerability scanning must be combined with network scanning. Luckily, some vulnerability scanners are integrated with network security scanners, so the two activities may be handled together.

In addition to vulnerability scanners that are based on DAST or IAST technologies, many businesses additionally choose to use a SAST (source code analysis) tool at early stages, for example in the SecDevOps pipelines or even earlier, on developer machines. Such a tool is a very useful addition, but because of its limitations (such as the inability to secure third-party elements), it cannot replace a DAST tool.

Since most software nowadays is built using third-party components, many of them open-source, today’s web applications are often 80% or more based on code that was not written by your development teams. While DAST/IAST/SAST tests still find errors in applications heavily based on third-party libraries, you can save a lot of time and effort by finding well-known insecure versions of such components using an SCA solution.
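As an added example of the SCA check this paragraph describes (written for this page, not from any SCA product; the advisory data, package names and dependency manifest are constructed placeholders): each pinned version in a requirements-style manifest is compared against the vulnerable version ranges of a small advisory list.

```python
# Constructed advisory data: package -> list of (first_vulnerable, first_fixed, advisory_id).
# A version is affected when first_vulnerable <= version < first_fixed.
ADVISORIES = {
    "examplelib": [("1.0.0", "1.4.2", "ADV-PLACEHOLDER-001")],
    "otherparser": [("0.0.0", "2.0.0", "ADV-PLACEHOLDER-002"),
                    ("2.3.0", "2.3.5", "ADV-PLACEHOLDER-003")],
}

# Constructed dependency manifest in requirements.txt style (pinned versions only).
MANIFEST = """\
# application dependencies
examplelib==1.3.9
otherparser==2.3.1
safetool==5.0.0
"""

def parse_version(text):
    # Compare dotted numeric versions as integer tuples so that 1.10.0 > 1.9.0.
    return tuple(int(part) for part in text.split("."))

def parse_manifest(text):
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        # Comments, blank lines and unpinned requirements are skipped by this checker.
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps

def find_vulnerable(manifest_text, advisories=ADVISORIES):
    """Return (package, version, advisory_id) for every pinned version inside a known-bad range."""
    hits = []
    for name, version in parse_manifest(manifest_text).items():
        current = parse_version(version)
        for introduced, fixed, advisory_id in advisories.get(name, []):
            if parse_version(introduced) <= current < parse_version(fixed):
                hits.append((name, version, advisory_id))
    return hits
```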

Some businesses believe that the best way to protect against web-related threats is to use a web application firewall (WAF). However, a WAF is just a band-aid tool that eliminates potential attack vectors. While a WAF is an important part of a complete security suite for an enterprise and the best way to handle zero-day vulnerabilities through virtual patching, it should not be treated as the most important line of defense.

All in all, you should use diverse security measures, but you should not just believe that purchasing them and giving them to your security team will solve the problem. These security measures must be integrated with your entire environment and automated as much as possible. They are there to reduce the amount of work that the security team has, not increase it.

6. Perform security exercises

One of the best ways to check if your sensitive information is safe is to perform mock attacks. This is the key assumption behind penetration testing, but penetration tests are just spot-checks. To fully and continuously evaluate your security stance, the best way is to perform continuous security exercises such as red team vs. blue team campaigns.

The idea behind red teaming is to hire an external organization that continuously tries to challenge your security and to establish a local team that is in charge of stopping such attempts. There are many advantages to this approach. A continuous exercise means that your business is always prepared for an attack. It also helps with maintaining general security awareness, since the blue team involves much more than just a dedicated security team.

A dedicated red team does not just exploit security vulnerabilities. They often perform different types of mock attacks (including phishing, social engineering, DDoS attacks, and others) to help you protect against real ones. The added advantage is also the realization of how different security elements are woven together and cannot be treated separately.

7. Maintain a bounty program

Many top-notch security professionals prefer to work as freelancers instead of being hired by businesses either full-time or on a project basis. Losing out on such outstanding expertise is a huge waste. Your business can use such valuable resources by establishing a bounty program.

While some businesses may perceive a bounty program as a risky investment, it quickly pays off. It also increases the respect that your brand has in the hacking community and, consequently, the general brand perception. If you have a bounty program and treat white-hat hackers fairly, your brand is perceived as mature and proud of its security stance. You may strengthen such perception by publicly disclosing bounty program payoffs and responsibly sharing information about any security vulnerability discoveries and data breaches.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.