It is a well known fact that the internet is a dangerous place. Data theft and virus attacks are two broad categories of attacks that exploit website vulnerabilities. For people to use your website or web application they have to trust it, which makes security by design critical for any web application. In simple terms, security by design means that security aspects are considered and addressed starting at the design stage and throughout development.
How to detect vulnerabilities?
1) OWASP publishes an elaborate list of possible security vulnerabilities in a web application and details of how they can be detected.
2) AppScan is a popular tool for scanning your application for security vulnerabilities. It gives a comprehensive report of issues by scanning the code base and also the running application, sending multiple requests that resemble user actions. The code scan helps identify vulnerable code and packages that are in use. AppScan is available as a SaaS and as an on-prem solution. To use AppScan you need to create an account and an API key.
Commonly used scans are:
- SAST: static scan of the code base. You will have to download a lightweight utility called AppScan Go! and configure it to point to your source directory.
- DAST: dynamic scan of the running application. You will need to specify the URL of your application to run this.

Once the scan is complete, the results are displayed on the dashboard and also available for download in the form of reports containing the issues and suggested remedies.
Sample dashboard

Check this video to learn more about AppScan.
3) Integrating WhiteSource into your source control tool, such as Git, is another great way to check your code. A basic setup can be done by creating a file named .whitesource in the root directory of the repository and adding the following snippet to that file:
{"settingsInheritedFrom": "whitesource-config/whitesource-config@master"}
The value of "settingsInheritedFrom" might differ depending on the programming language you are using. Refer to this link for more details on other configuration parameters.
Once this is done, every time you check a file into the repository, the code is scanned to detect packages with known vulnerabilities. If any are found, issues are created automatically containing the details of the problematic module and a suggested fix.
4) The Burp tool can be used for penetration testing to uncover security threats in the application; it provides an interface that helps in mimicking attacks like XSS, CSRF and SQL injection.
What else can you do?
Here is a list of a few measures that can be taken to secure your web application.
- Implement authentication and authorization with well-defined roles to ensure there is no unauthorized access.
- Data provided by the end user can never be trusted. To protect your application, *sanitize the data before persisting it, to avoid SQL injection and Cross-Site Scripting (XSS) attacks, to name a few.
- Sanitize dynamically constructed links that are embedded in the web page, for protection from XSS attacks.
- Ensure conscious use of browser storage: cache, session storage and local storage. Data stored there can be accessed by attackers, meaning it can easily be stolen or modified. So do not store any sensitive information there; when you must, encrypt the data you store and validate it before consuming it. Remember that browser storage carries a high risk of Cross-Site Request Forgery (CSRF) attacks.
- Use HttpOnly cookies to store sensitive information like JSON Web Tokens. HttpOnly cookies cannot be accessed from JavaScript, which makes it impossible for attackers to read or modify them through client-side script. Since they cannot be accessed by client code, a server-side implementation is needed to set them.
Cookies in general are a good option for storing data as they allow you to configure their lifetime and access restrictions. Information is relayed effortlessly from the client to the server without writing any code, which makes cookies very handy.
- Serve your web pages over HTTPS. HTTPS ensures that data is transmitted safely.
- Leverage services such as IBM Cloud Internet Services for protection from distributed denial-of-service (DDoS) attacks.
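The cookie and sanitization measures above, as an added example that is not part of the original post: plain server-side JavaScript (no framework), with the function names and the cookie name my own choices.

```javascript
// Added example (not from the original post): server-side helpers applying two
// of the measures above: keeping a token in an HttpOnly cookie, and safely
// embedding user-controlled text and links in a web page.

// Build a Set-Cookie header value for a session token. HttpOnly keeps it out of
// reach of page scripts, Secure restricts it to HTTPS, SameSite limits CSRF.
function buildSessionCookie(name, token, maxAgeSeconds) {
  // Cookie values must not contain separators such as ';' - reject, never truncate.
  if (!/^[A-Za-z0-9._~+\/=-]+$/.test(token)) {
    throw new Error('token contains characters not allowed in a cookie value');
  }
  return `${name}=${token}; Max-Age=${maxAgeSeconds}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Encode text for placement inside HTML content or a double-quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only allow http(s) targets in dynamically built anchors; any other scheme
// (or unparseable input) falls back to a harmless placeholder.
function safeHref(url) {
  try {
    const parsed = new URL(url);
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return escapeHtml(parsed.href);
    }
  } catch (_) {
    // not a valid absolute URL; treated like a disallowed scheme
  }
  return '#';
}

// Render a link whose target and label both come from an untrusted source.
function renderLink(url, label) {
  return `<a href="${safeHref(url)}">${escapeHtml(label)}</a>`;
}
```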
There are a plethora of resources available on securing a web application, but hopefully this gives you an overview of things.
As they say, you can never be too safe ;)
*Input/data sanitization is the process of checking data for malicious content, in the form of embedded scripts or suspicious patterns, and filtering it out.