Web Security: Not An Add-On

As we become increasingly connected through the Internet by access through the computer, our phones, and even household devices, security has become a hot topic. Attacks can happen from any corner.

A web application can be the target of several different kinds of attacks. In the past, attacks on web applications have led to the breach of millions of pieces of personal data, including credit card information. Government sites are also vulnerable to attacks that expose sensitive data.

The Internet has completely revolutionized the way we communicate with each other and share information. Many of us spend hours on social media and online group chats. Nearly all institutions have some sort of computer system administration to keep track of accounts, and buying and selling things on the Internet is now the norm. One by one, even medical equipment, transportation systems, and vacuums are connected to the web.

This openness has enabled so much, but the work to make sure all these communications remain secure and are only available to the right eyes is what web security is all about.

Why Should I Care about Website Security?

Headline-grabbing security incidents are in the news all the time, and just as you are constantly evolving your skills, so are the attackers - they are constantly on the lookout to discover vulnerabilities and find a point of attack. Cyberattacks against websites are extremely common. The attacks can result in:

• Website defacement
• Loss of website availability or in the worst case, total denial-of-service (DoS)
• Leaking of sensitive customer data
• An attacker gaining control over the website
• An attacker using the website as a vector for other attacks
• Loss of user trust in the website
• Reputational damage

Security is Proactive

As a web developer, you should assume that by default, things are NOT safe. Vulnerabilities exist in all corners. In order for web applications to function, there are many parts that work with each other: the user’s browser, the HTML/CSS/JavaScript code including any third-party API’s, the HTTP(S) protocol, and so on. This means there are many points of attack.

For example, from a login page alone, an attacker could try several things. They could impersonate another user or they could inject malicious code into the input boxes to trigger a response. Ensuring security requires integrating security through coding defensively, secure rollout of new features, and constant monitoring and testing.

Penetration testing, or pen testing, is a growing practice where a cyberattack is simulated in order to identify security vulnerabilities so that they can be discovered and remediated. Also known as ethical hacking, pen-testing requires a thorough understanding of topics such as computer architecture and operating systems, business operations, networking protocols, and scripting languages.

Security Principles

A good rule of thumb for web security, and cybersecurity in general, is something called the CIA triad (no, not the US federal agency). CIA stands for Confidentiality, Integrity, and Availability.

Confidentiality refers to protecting private information from eyes that shouldn’t have access to it. It’s the need to enforce access - who can see this, and who shouldn’t? Examples of enforcing confidentiality include implementing robust user authentication and encryption of important user data.

Integrity refers to data integrity here. We need security controls that protect data from being changed or deleted, and that the damage can be reversed if done accidentally. Some techniques related to integrity are database security, keeping backups and using cryptography to check for changes.

Availability refers to data being consistently, reliably available to those authorized. For example, social media websites ensure that even with high traffic or when a server is compromised, information gets to a user’s screen. This is accomplished through constant maintenance of hardware and software, monitoring servers and networks, and having a plan for any disasters.

Keep these principles in mind as you develop for the web! OWASP, the Open Web Application Security Project, is a great resource for web developers, offering tools, security education and manuals. If you’d like to learn about cybersecurity as a whole more in-depth, you can check out our Introduction to Cybersecurity course.

Conclusion

Like the title of this article suggests, web security involves just about every aspect of development and engineering. We need to protect user and sensitive website information whether it’s in transit (being sent in web requests and responses) or at rest (in database). We should architect strong authentication and authorization protocols.

We should be keeping in mind vulnerabilities in the code and new features as we’re coding and staying vigilant with testing and monitoring any strange user behavior that could indicate attacks. This all helps make web applications and data more secure, for both developers and users!

These are all tasks that should start from day 1 of any new project! They will become more and more relevant as web applications scale up.