As web applications have become more and more complex, the surface area for attacks by hackers has also increased. When the codebase becomes larger, it can be difficult to find and manage all the potential security vulnerabilities, especially for teams who do not have a dedicated security specialist. However, a company without some level of security may find themselves the target of hackers and potentially have lots of data exposed, disruptions to service, or in the worst case, the company may have to be closed down. This guide serves to explain some of the basics that developers should be aware of so that they can implement a more secure web application.
The cost of poor security
Although properly implementing security measures can be costly, it is more than likely that a security failure would be even more costly depending on the severity of the vulnerability. Here are some various levels of situations that can be caused by security failures and the possible impact they may have.
- Due to code being injected unknowingly, user credit card data has been sent to the hackers for a period of time.
- Database access is compromised allowing hackers to view all of your users' personal information.
- The content editing platform is easily accessed due to weak passwords, allowing hackers to post potentially harmful content to your users.
- Hackers are able to overload the servers causing your service to be unusable for a period of time.
Following on from these situations the possible repercussions are:
- Affected users have to be compensated.
- Your company is sued by users and/or fined by the government.
- Users lose their trust in your company causing a decline in customers.
- Developers have to stop developing new features and focus on fixing the security flaws, causing delays to product releases and increased development costs.
- Service must be stopped for a period of time, meaning no income for that period.
As you can see, there are a myriad of ways a security vulnerability could impact the company, and in most cases could have been avoided if the upfront cost of developing with security in mind was done from the beginning. The cost of a severe security flaw will always outweigh the cost of upfront security development, with the ultimate cost being the destruction of the business completely.
Types of security vulnerabilities
There are a wide array of potential security vulnerabilities in web applications that vary in the effect and impact they can have. Below are some of the more common vulnerabilities you will come across for a standard system.
Cross-site request forgery (CSRF)
Cross-site scripting (XSS)
Code injection
SQL injection
Denial-of-service (DoS)
Unauthorized data access
This is less to do with technical problems and more to do with workplace practices. Regardless of how secure your system is technically, nothing can stop someone who gains the password to a database by other sources such as passwords posted in places not controlled by your company (emails, messaging applications, online documents, etc.). In these cases, you are essentially entrusting your own security with another company's ability to be secure.
Mitigating potential security vulnerabilities
I won't go over the techincal details of how to prevent security vulnerabilities in this article, as this will vary depending on the systems and technology you are using. However, there are principles you and your company can follow regardless of the technology.
- Before starting development, consider the business requirements and plan the flow of data and how it will be accessed by different types of users.
- Check for potential security flaws during code reviews. This is the last step before the code gets pushed to a live application and is particularly important if you have many junior developers who are not yet fully aware of how to spot security vulnerabilities.
- Define workflow procedures for securely setting, storing, and sharing passwords. For example, don't store secret keys and passwords for APIs in a text file on an unsecure server.
- Have an external company perform security audits and penetration testing. Hiring and training your own security specialists can be time consuming, so an external company can provide immediate help when required.
- Provide bug bounties to give an incentive for external developers to test your systems for you.
Taking responsibility as a developer for web application security
It can be easy for developers to overlook web application security, especially when in small teams with too much to do. However, overlooking security during development could end up costing the company everything and exposing your users to dangerous hackers. Developers are essentially the gatekeepers between hackers and your user data, so if developers don't responsiiblity for security, then no one else can.