{"id":7553,"date":"2014-02-11T10:30:19","date_gmt":"2014-02-11T16:30:19","guid":{"rendered":"http:\/\/www.mrc-productivity.com\/blog\/?p=7553"},"modified":"2023-03-13T16:07:01","modified_gmt":"2023-03-13T21:07:01","slug":"7-critical-security-tips-for-modern-web-development","status":"publish","type":"post","link":"https:\/\/www.mrc-productivity.com\/blog\/2014\/02\/7-critical-security-tips-for-modern-web-development\/","title":{"rendered":"7 critical security tips for modern web development"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-725\" src=\"https:\/\/www.mrc-productivity.com\/blog\/wp-content\/uploads\/2010\/11\/Education.jpg\" alt=\"Education\" width=\"76\" height=\"100\" \/>Modern developers are caught between a rock and a hard place. On one hand, businesses are requiring faster application delivery from their development staff. As software plays an increasingly important role in the modern business, developers regularly face impossible deadlines.<\/p>\n<p>On the other hand, web application development is becoming more complex. For instance, as outlined in <a href=\"https:\/\/www.mrc-productivity.com\/blog\/2013\/10\/5-new-realities-that-developers-must-learn-to-accept\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">this article<\/span><\/a>, modern developers must create applications that adapt to any device, port to any platform, integrate with other services, and withstand increasingly sophisticated attacks. Whew!<\/p>\n<p><strong>The big problem<\/strong>: With these changing requirements and growing demands for faster development, developers struggle to keep up. Certain development aspects are bound to fall through the cracks.<\/p>\n<p>As it turns out, that is exactly what\u2019s happening&#8230;with security. Despite the growing importance of proper security, many developers aren\u2019t following basic security principles. How bad is it? 
According to <span style=\"color: red; font-weight: bold;\">this study<\/span> from last year, 99% of applications have one or more serious vulnerabilities.<\/p>\n<p>Today, let\u2019s examine this problem. While I know we can\u2019t address every security mistake developers make, we can highlight the most important principles. What basic security guidelines should every modern web developer follow? How can you protect your web applications from being easy targets for an attack? While the list could be much larger, I\u2019ve rounded up 7 of the most important security tips every developer must follow, and listed them below:<br \/>\n<a name=\"20140210\"><\/a><!--more--><\/p>\n<h3>1. Understand what data you need to protect<\/h3>\n<p>One of the most important security principles a developer can practice: Only store the data you absolutely NEED to store. This starts with two questions: First, what data does your company need to store and protect? Second, if that data were compromised, how much could it harm the company or your customers?<\/p>\n<p>For example, some companies put themselves (and their customers) at risk because they needlessly store sensitive customer data. Do you really need to store credit card numbers, addresses, or other sensitive information? Data you never store cannot be stolen from you, so reducing the amount of sensitive data you keep shrinks the impact of any breach before a single line of defensive code is written.<\/p>\n<h3>2. Encrypt sensitive user data<\/h3>\n<p>What if you absolutely must store sensitive data in your database? Then never store it in plain text. Data the application has to read back later, such as card numbers or addresses, should be encrypted with keys kept outside the database, so that a copy of the database alone is useless to a thief. Passwords are different: the application never needs the original value, only to check a candidate against it, so store them as salted, deliberately slow one-way hashes (bcrypt, scrypt or Argon2) rather than as reversible ciphertext, and never as a plain fast hash such as unsalted SHA-256. Ignoring this advice will likely land your company on the front page of the news&#8211;but not for good reasons. 
Do you really want to be the company that loses your customer\u2019s sensitive data because it was all stored in plain text in your database?<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>\u201cEncrypting sensitive user data, such as passwords, with one-way encryption &#8212; In case your server ever gets hacked, you want to make sure that no one gets hold of secure data,\u201d explains Alex Zorach, Founder and Editor of <a href=\"https:\/\/www.RateTea.com\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">RateTea.com<\/span><\/a>. \u201cIn larger organizations or shared hosting environments, this becomes even more important because you may not be able to trust everyone with access to the data not to exploit user data.\u201d<\/p><\/blockquote>\n<h3>3. Keep software updated (or disabled)<\/h3>\n<p>Hackers look for the path of least resistance when trying to access your database. In many cases, this involves finding outdated or insecure software and working from there. To minimize this risk, you must follow two important guidelines. First&#8211;as explained below&#8211;you must rigorously patch and update your software.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>&#8220;In web applications, similar to any other modern software, there are a large number of third party libraries used,&#8221; says Ehsan Foroughi, Director of Research of <a href=\"https:\/\/securitycompass.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">Security Compass<\/span><\/a>. &#8220;An example is usage of OpenSSL library to facilitate HTTPS communication, or LDAP libraries to provide Single Sign-On support. Many of these libraries\/packages are open source. 
Regardless, there are vulnerabilities discovered every day in these libraries, such as failure to properly validate input elements, or special boundary cases that can be exploited to gain privileged access to the server by remote users. The details of these vulnerabilities get published online and attackers start looking for software that uses these libraries, either based on signs or by blindly testing against these weaknesses. The recommended best practice is to monitor common sources of vulnerability disclosures, such as the SecurityFocus email list and portal, and once there is a vulnerability disclosed and the patch becomes available, apply the patch to your environment as soon as possible. In rare cases where the patch is not immediately available, there might be other mitigation factors suggested by the vendor of the specified third party software.\u201d<\/p><\/blockquote>\n<p>Second, you must disable unused software. It&#8217;s not uncommon for companies to have software connected to their systems that&#8217;s not in use. As explained below, an unused service is attack surface that nobody is patching or watching, and it provides an excellent path for hackers if left unchecked.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>\u201cMany web hosting packages come with software enabled that is not used by the developer,\u201d says Zorach. \u201cEvery service or piece of software installed or running on your server introduces an additional piece of software that can potentially be hacked. Common examples include Plesk or mail servers. By disabling or removing anything that you are not using, you decrease your risk of getting hacked.\u201d<\/p><\/blockquote>\n<h3>4. Limit user privileges<\/h3>\n<p>Sometimes, the biggest threat to your data isn\u2019t an outside attacker at all. It\u2019s an uneducated end user with too many system privileges. 
Limiting these privileges is best for all involved&#8211;it helps keep your applications secure while limiting the damage an end user\u2019s mistake (or a stolen account) can do.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>&#8220;In a web application or within a business&#8217;s IT systems, it&#8217;s a good idea to give each user only the privileges he or she really needs as opposed to giving everyone the same level of access,&#8221; explains Jason Swett, IT Consultant at <a href=\"https:\/\/www.benfranklinlabs.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">Ben Franklin Labs<\/span><\/a>. &#8220;This is called the Principle of Least Privilege. In addition to the obvious benefit of protecting the system from abuse by unqualified users, application of the Principle of Least Privilege also protects unprivileged users from accusation when an abuse occurs, since a properly privileged system makes it physically impossible for users to carry out tasks they&#8217;re not authorized to perform.&#8221;<\/p><\/blockquote>\n<h3>5. Use both client-side and server-side validation<\/h3>\n<p>When accepting user input from a web application into your database, you must perform two forms of validation: client-side and server-side. Client-side validation (using JavaScript) is a usability feature: it catches typos and empty fields before a round trip to the server. Server-side validation is the security control. It is the only check an attacker cannot skip, because every part of a request (form fields, query string, headers, cookies) can be crafted directly with a tool such as curl or an intercepting proxy, with your JavaScript never running at all. 
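<\/p>
<p>As an added example that is not part of the original post, and covering both this tip and the next one on sanitizing input: the Python code below (standard-library sqlite3 and html modules, with a constructed two-row users table) shows a server-side validator, the vulnerable string-spliced query an attacker reaches once the browser checks are skipped, the parameterized query that fixes it, and HTML output encoding for the rendered page. The table, the function names and the username rule are my own assumptions, not code from the author.<\/p>

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for this example (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


# Assumed username policy for this example: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def validate_username(raw) -> str:
    """Server-side validation: the only check an attacker cannot bypass.
    Reject anything that is not a string of the expected shape, regardless
    of what the browser-side form allowed."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def find_user_vulnerable(conn, username: str):
    """Anti-pattern: user input spliced into the SQL text. Kept only to show
    the failure; an injected quote changes the meaning of the query."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username: str):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so it is never parsed as SQL, whatever characters it contains."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


def render_greeting(username: str) -> str:
    """Output encoding for the HTML context stops reflected or stored XSS."""
    return "<p>Hello, %s</p>" % html.escape(username, quote=True)


def handle_lookup(conn, raw_input):
    """What a request handler should do: validate first, then query with
    parameters. The client-side check is irrelevant to this path."""
    try:
        username = validate_username(raw_input)
    except ValueError:
        return {"status": 400, "rows": []}
    return {"status": 200, "rows": find_user_safe(conn, username)}


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(find_user_vulnerable(conn, payload))   # ['alice', 'bob']: injection worked
    print(find_user_safe(conn, payload))         # []: payload treated as a literal string
    print(handle_lookup(conn, payload))          # status 400: rejected before the database
    print(render_greeting("<script>alert(1)</script>"))
```

<p>Run it and the spliced query returns both users for the input <code>' OR '1'='1<\/code>, while the parameterized query returns nothing and the validator rejects the same input before it reaches the database at all. The habit to build is the one the safe function shows: hand values to the driver as parameters rather than trying to strip dangerous characters yourself, and encode on output for the context you are rendering into.<\/p>
<p>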
The problems arise when developers make the mistake of using client-side validation as their only security measure.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>&#8220;Validating user input on the client side with JavaScript is a convenient way to give the user instant feedback, but server-side checking is still necessary for security,&#8221; explains Swett. &#8220;A user with malicious intent can bypass your client-side validation by either turning JavaScript off or manipulating your JavaScript code however he or she pleases. Since everything on the client side is manipulable, everything coming from the client side must be treated with suspicion. Client-side validation can provide an improved user experience but not meaningfully improved security.&#8221;<\/p><\/blockquote>\n<h3>6. Sanitize user input<\/h3>\n<p>It should go without saying, but user input from a web application should never be spliced directly into a database query. Validate it on the server and hand it to the database only through parameterized queries (prepared statements), so the value is never parsed as SQL; for anything you render back into a page, encode it for the HTML context to stop cross-site scripting (XSS). \u201cSanitizing\u201d by stripping characters you believe are dangerous is a weaker substitute for these two controls and is easy to get wrong.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>\u201cUser input &#8211; from forms, querystrings, and even cookies or other non-visible sources &#8211; is the number one vulnerability that leads to web applications being compromised,\u201d says Jonathan Weber, Founder of <a href=\"https:\/\/www.marathon-studios.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">Marathon Studios, Inc<\/span><\/a>. \u201cAs a security-conscious developer, you have to understand the threats that can be posed by unsanitized input (such as SQL injection, XSS attacks) and make sure you make it an automatic habit to sanitize every input to your web apps. 
All it takes is one missed input to open a back-door for hackers to compromise your application.\u201d<\/p><\/blockquote>\n<h3>7. Secure all connections that contain cookie data<\/h3>\n<p>Session hijacking often succeeds because only the login page of the application is served over HTTPS&#8211;not the entire application. After login the browser sends the session cookie with every request, and once one of those requests goes over plain HTTP, anyone on the network path can read the cookie, replay it, and act as that user without ever learning the password. As you might imagine, the results of this mistake can be disastrous. The fix is to serve the whole application over HTTPS, set the Secure flag on the session cookie so the browser never sends it over HTTP, set HttpOnly so page scripts cannot read it, and send a Strict-Transport-Security header so browsers refuse to downgrade.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>\u201cOne important, but sometimes overlooked security issue (even for bigger players like Facebook) is securing *all* connections that contain cookie data,\u201d says Tim Henrich, Founder of <span style=\"color: red; font-weight: bold;\">Task Science<\/span>. \u201cMany web applications will secure their login system, set a cookie, and then allow the user to continue interacting with the application over an insecure channel. While this can improve performance and save system resources on the server-side, the cookie sent with each request (to identify the user&#8217;s session) is now vulnerable. Anyone with network access to the many networks that user&#8217;s request will traverse can imitate that user within the web application.\u201d<\/p><\/blockquote>\n<p>So, what do you think? Did I leave anything off of that list? Feel free to share your thoughts in the comments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Modern developers are caught between a rock and a hard place. On one hand, businesses are requiring faster application delivery from their development staff. As software plays an increasingly important role in the modern business, developers regularly face impossible deadlines. On the other hand, web application development is becoming more complex. 
For instance, as outlined &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/www.mrc-productivity.com\/blog\/2014\/02\/7-critical-security-tips-for-modern-web-development\/\"> <span class=\"screen-reader-text\">7 critical security tips for modern web development<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","slim_seo":{"title":"7 critical security tips for modern web development - mrc&#039;s Cup of Joe Blog","description":"Modern developers are caught between a rock and a hard place. On one hand, businesses are requiring faster application delivery from their development staff. 
As"},"footnotes":""},"categories":[8],"tags":[71],"class_list":["post-7553","post","type-post","status-publish","format-standard","hentry","category-education","tag-security"],"_links":{"self":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts\/7553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/comments?post=7553"}],"version-history":[{"count":22,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts\/7553\/revisions"}],"predecessor-version":[{"id":14664,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts\/7553\/revisions\/14664"}],"wp:attachment":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/media?parent=7553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/categories?post=7553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/tags?post=7553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}