Basics of Web Security

Application security

The main purpose of securing your web application is to protect your users' data. That security applies at different ranges and levels: everything related to how your web application works, from the website itself, to the database that stores your data, to the API that interacts with your application, and lastly the server that hosts the application.

What web security is all about

As developers, we should build a security-first mindset into our coding strategies, with these three qualities:

  1. Detect
  2. Prevent
  3. Respond

While building an application, security should not be just one more thing to be catered for; it should be the first. Performance, design, accessibility and the rest, which are just as important, should come after it, in whatever order the application is centred on.

Security measures to access your application

There are different security measures used in managing the security of a web application; they include:

  1. Authentication
  2. Authorization

Though these two are often used interchangeably, they don't mean the same thing, and authentication has to happen before authorization can be done. In simple terms, authentication is validation while authorization is permission.

Example: a job web application where there are job seekers, job providers and the system administrators that manage the whole application.
Now, as a job seeker, you cannot access the job providers' side of the application, not because your details do not exist but because you are not authorized to; you don't have the access rights specific to that side, even though your details are correct for a job seeker. Once your authentication succeeds, your authorization is configured to grant just that access.

Authentication

There are different ways in which one is authenticated, all of them through handshakes. Handshakes are the ways in which the server communicates with the client.

  • Handshake 1 (Key-based): Username & password
  • Handshake 2 (Token-based): OAuth1 & OAuth2
  • Handshake 3 (Token-based): Single sign-on

Authentication Best Practices

  • Hash passwords: use Bcrypt
  • Verify email addresses
  • Use captchas: e.g. Google's captcha
  • Implement rate limiting: limit login requests from a single IP address
  • Implement 2FA: use Authy, Google Authenticator, etc.
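Two of the practices above, hashing passwords and rate limiting login attempts, are shown together in the following added example. It is not code from the post: it substitutes the standard library's hashlib.scrypt for the bcrypt package the post recommends (both are salted, deliberately slow password hashes) so that it runs with no dependencies, and the user names, IP addresses and limits are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# --- Password hashing -----------------------------------------------------
# The post recommends bcrypt (the `bcrypt` package). This example substitutes
# hashlib.scrypt from the standard library so it runs without dependencies; like
# bcrypt it is a salted, deliberately slow hash. Parameters are assumed and kept
# modest so the example runs quickly: N=2**14, r=8, p=1 (16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return 'salt_hex$digest_hex'. Store this string, never the plaintext."""
    salt = secrets.token_bytes(16)  # fresh random salt for every password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash checked when the username is unknown, so a login for a non-existent user
# takes the same time as one for a real user (no username enumeration by timing).
_DUMMY_HASH = hash_password(secrets.token_hex(16))


# --- Rate limiting --------------------------------------------------------
class LoginRateLimiter:
    """Allow at most `limit` login attempts per IP address within `window` seconds.

    `clock` is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, limit: int = 5, window: float = 60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def allow(self, ip: str) -> bool:
        now = self.clock()
        recent = self._attempts[ip]
        while recent and now - recent[0] >= self.window:  # drop expired attempts
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def attempt_login(users: dict, ip: str, username: str, password: str,
                  limiter: LoginRateLimiter) -> str:
    """Return 'rate_limited', 'ok' or 'invalid'. `users` maps username -> stored hash."""
    if not limiter.allow(ip):
        return "rate_limited"
    stored = users.get(username, _DUMMY_HASH)
    # Verify first, then check existence, so both branches do the same work.
    ok = verify_password(password, stored) and username in users
    return "ok" if ok else "invalid"


if __name__ == "__main__":
    # Constructed sample data, not from the post.
    users = {"alice": hash_password("correct horse battery staple")}
    limiter = LoginRateLimiter(limit=3, window=60.0)
    for pw in ["wrong1", "wrong2", "wrong3", "correct horse battery staple"]:
        print(pw, "->", attempt_login(users, "203.0.113.7", "alice", pw, limiter))
    # The fourth attempt is rate_limited even though the password is right.
```

Note that a failed lookup of an unknown user still runs a full hash computation, and that the limiter counts every attempt, successful or not, so a correct password after three failures in the window is still refused until the window expires.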

Authorization

Authorization involves managing the actions and access of users on your app. The client is more exposed than the server. While a user's actions are validated against the permissions that user holds, one needs to secure and validate on both the client side and the server. Validating on the server is a must.
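The following added example (not code from the post) puts the job-seeker / job-provider / administrator scenario from earlier and the server-side rule of this section into code: the server authenticates a session token first, then authorizes the requested action from the role it stored at login, ignoring any role the client claims for itself. The roles, actions and tokens are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Role -> set of permitted actions. Constructed for the job application example.
ROLE_PERMISSIONS = {
    "job_seeker": {"view_jobs", "apply_to_job", "edit_profile"},
    "job_provider": {"view_jobs", "post_job", "view_applicants", "edit_profile"},
    "admin": {"view_jobs", "post_job", "view_applicants", "edit_profile", "manage_users"},
}


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # assigned by the server at login, never taken from the request


class AuthenticationError(Exception):
    pass


def authenticate(session_store: dict, token: str) -> Session:
    """Validation: who is calling? The token must map to a server-side session."""
    session = session_store.get(token)
    if session is None:
        raise AuthenticationError("unknown or expired session token")
    return session


def is_authorized(session: Session, action: str,
                  resource_owner: Optional[str] = None) -> bool:
    """Permission: may this already-authenticated user perform `action`?"""
    if action not in ROLE_PERMISSIONS.get(session.role, set()):
        return False
    # Object-level rule: a profile may only be edited by its owner, except by admins.
    if action == "edit_profile" and session.role != "admin" and resource_owner != session.user_id:
        return False
    return True


def handle_request(session_store: dict, token: str, action: str,
                   resource_owner: Optional[str] = None,
                   claimed_role: Optional[str] = None) -> str:
    """Server-side handling of one request: authenticate first, then authorize.

    `claimed_role` stands for anything the client asserts about itself (a hidden
    form field, an edited cookie). The server never consults it; the role comes
    from the session it created itself.
    """
    try:
        session = authenticate(session_store, token)
    except AuthenticationError:
        return "401 unauthenticated"
    if not is_authorized(session, action, resource_owner):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    # Constructed session store: token -> session created at login.
    store = {
        "tok-seeker": Session("u1", "job_seeker"),
        "tok-provider": Session("u2", "job_provider"),
        "tok-admin": Session("u3", "admin"),
    }
    print(handle_request(store, "tok-seeker", "view_jobs"))                      # 200 ok
    print(handle_request(store, "tok-seeker", "post_job"))                       # 403 forbidden
    print(handle_request(store, "tok-seeker", "post_job", claimed_role="admin")) # 403 forbidden
    print(handle_request(store, "no-such-token", "view_jobs"))                   # 401 unauthenticated
```

The job seeker's details are valid (the token authenticates), yet posting a job is refused: that is the distinction between validation and permission. The client-side claim of an admin role changes nothing, because the check runs against the server's own session record.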

Adaptable security controls

  1. Set up firewalls: build the app with a security-first mindset, with tests in the project, tests during deployment and proper code review integrated into the process by which the application is built.
  2. Rate limiting: just as mentioned earlier.
  3. Use TLS instead of SSL to secure your website.
  4. Use authentication mechanisms.
  5. Limit the use of third-party packages, plugins or libraries in your project. It is good to develop your own package for your application; that way, if there is an issue with your package, you can fix it easily, as opposed to a third-party package that you would have to remove entirely, leaving your app waiting on you for an urgent fix.
  6. Use Bcrypt to hash your passwords; it is currently the most secure choice available, as opposed to SHA1 or MD5.
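Item 3, using TLS rather than SSL, is a server configuration question: the server must refuse to negotiate SSLv2/SSLv3 and the old TLS 1.0/1.1 versions. The added example below (not from the post) builds such a context with Python's standard ssl module and includes a check a reviewer can run against any context; the certificate paths are assumptions.

```python
import ssl


def make_server_tls_context(certfile: str = None, keyfile: str = None) -> ssl.SSLContext:
    """Server-side context that only negotiates TLS 1.2 or newer."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)  # server-side defaults
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2               # SSLv3, TLS 1.0, 1.1 refused
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # assumed paths to your certificate and key
    return ctx


def legacy_protocols_disabled(ctx: ssl.SSLContext) -> bool:
    """Reviewer check: does this context refuse SSLv3 and TLS 1.0/1.1?

    Either a minimum version of TLS 1.2, or all of the (older-style) OP_NO_*
    flags for the legacy protocols, is sufficient.
    """
    if ctx.minimum_version >= ssl.TLSVersion.TLSv1_2:
        return True
    legacy_flags = ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    return (ctx.options & legacy_flags) == legacy_flags


if __name__ == "__main__":
    ctx = make_server_tls_context()
    print("minimum version:", ctx.minimum_version.name)        # TLSv1_2
    print("legacy protocols disabled:", legacy_protocols_disabled(ctx))  # True
```

Pass the returned context to whatever server you run (for example via `ssl.SSLContext.wrap_socket` or an HTTP server's TLS option); the minimum-version setting is the one to verify after any change to the server's TLS configuration.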

Assessing the type of libraries/packages to use

If creating your own package would take more time to create and implement, or would even carry more risk, take time to review the package that will be added to your application using these tips:

  • Does any reputable company or person endorse it?
  • Check the number of contributors involved on GitHub.
  • Compare the number of downloads; the more the better.
  • When was the package last updated? The more recent the better.

Conclusion

Have a security first mindset. Happy coding.

Check out this course, Web Application Security for the Everyday Software Engineer, on Educative.io