In our previous article on web-based application security, we detailed the numerous ways in which your application can be compromised, including threats emanating from external actors actively attempting to create a breach, as well as risks stemming from internal mistakes, miscalculations and poorly implemented plans.
In the article below, we investigate the methods, principles and best practices your organisation can follow in order to reduce the potential for a business-crippling compromise.
As noted later in the article, security is a tremendously complex, multifaceted and fluid ecosystem, which means that eliminating every threat for an indefinite period of time is practically unattainable: threats evolve, new threats emerge, systems become outdated and human error can never be completely removed from the equation. That is no reason, however, to avoid improving your security measures and reducing the chance of a successful attack to the lowest possible level.
Security measures and best practices
There are a number of measures an organisation can take to reduce the possibility of organisation or user data becoming compromised, including some that one would think fall under common sense but need to be reiterated and explained nonetheless.
Developers and product managers involved in the creation, design and running of web-based applications must research any external components they are considering for use during the application’s development, so that they avoid components with long-established and published vulnerabilities. This includes software modules, frameworks and libraries that can be found online. Not all of these software components are made equal in terms of security.
Furthermore, developers and other people responsible for maintaining an application that has already been launched must monitor the application comprehensively and at a sufficient frequency in order to keep the duration of a potential breach or other vulnerability to an absolute minimum. It is not uncommon for exploits and other breaches to take more than half a year to be detected, and they are not always identified by internal monitoring teams.
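The component research described above can be partly automated by comparing an application's pinned dependencies against published advisories. The following is an added illustration written for this article, not code from the original text: the package names, version numbers and advisory notes are constructed sample data, and in practice the advisory list would come from a real vulnerability database. It also shows why versions must be compared numerically rather than as strings.

```python
"""Check pinned dependencies against a list of published advisories.

Added illustration for the article; the advisory data and package names
below are constructed for the example, not a real vulnerability database.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    affected_below: str  # every version strictly below this is affected (constructed)
    note: str


# Constructed sample advisories with hypothetical package names.
ADVISORIES = [
    Advisory("example-template-engine", "2.4.1", "sandbox escape fixed in 2.4.1"),
    Advisory("example-http-client", "1.9.0", "header injection fixed in 1.9.0"),
]


def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so that 1.10.2 > 1.9.0 as it should.

    Comparing the raw strings would wrongly rank '1.10.2' below '1.9.0'.
    """
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text):
    """Parse 'name==version' lines; unpinned lines cannot be audited and are reported."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pinned[name.strip().lower()] = version.strip()
        else:
            unpinned.append(line)
    return pinned, unpinned


def audit(requirements_text, advisories=ADVISORIES):
    """Return (findings, unpinned): findings are (package, pinned version, note)."""
    pinned, unpinned = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        version = pinned.get(adv.package.lower())
        if version is None:
            continue  # component not used by this application
        if parse_version(version) < parse_version(adv.affected_below):
            findings.append((adv.package, version, adv.note))
    return findings, unpinned


# Constructed requirements file for the example.
SAMPLE_REQUIREMENTS = """
example-template-engine==2.3.9
example-http-client==1.10.2   # already patched
example-logging               # unpinned: cannot be audited
"""

if __name__ == "__main__":
    found, unpinned = audit(SAMPLE_REQUIREMENTS)
    for package, version, note in found:
        print(f"VULNERABLE {package}=={version}: {note}")
    for line in unpinned:
        print(f"UNPINNED   {line}: pin a version so it can be checked")
```

Unpinned components are reported separately rather than silently passed, because a dependency whose version is unknown cannot be said to be safe.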
Additional steps include restricting the number of data requests a user can make to the application, since an inordinate number of requests within a few seconds can indicate a malicious entity bombarding the application; implementing a firewall to add an extra layer of defence and to monitor or block any ports not in use by your dedicated server(s); creating regular backups at a sufficient level of redundancy so that, at the very least, data can be retrieved in the event of a breach or other malicious manipulation of your data; and correctly configuring access levels and the privileges assigned to each level, as this can help in the event that an external party has taken control of a privileged account.
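Two of the steps above, limiting the rate of requests per user and granting each access level only the privileges it needs, can be illustrated together in a small request handler. This is an added example written for this article and not code from the original text: the limits, the role table and the request log are constructed sample values, and a production application would key the limiter on an authenticated identity and keep its counters in shared storage rather than in process memory.

```python
"""Per-client rate limiting and least-privilege access checks for a web app.

Added illustration for the article, not code from the original text. The
limits, roles and request log are constructed sample values.
"""
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `max_requests` per client in any `window_seconds` span."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = {}  # client id -> deque of accepted request timestamps

    def allow(self, client, now):
        hits = self._hits.setdefault(client, deque())
        # Forget accepted requests that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False  # rejected requests are not counted against the client
        hits.append(now)
        return True


# Constructed role table: each access level gets only the actions it needs.
PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete", "manage_users"},
}


def authorize(role, action):
    """Unknown roles get no privileges at all (deny by default)."""
    return action in PERMISSIONS.get(role, set())


def handle(limiter, request):
    """Return an HTTP-style status: 429 when rate limited, 403 when not permitted, else 200."""
    if not limiter.allow(request["client"], request["time"]):
        return 429
    if not authorize(request["role"], request["action"]):
        return 403
    return 200


# Constructed request log: client "a" bursts, client "b" is a viewer trying to delete.
SAMPLE_REQUESTS = [
    {"client": "a", "role": "editor", "action": "read", "time": 0.0},
    {"client": "a", "role": "editor", "action": "read", "time": 0.5},
    {"client": "a", "role": "editor", "action": "write", "time": 1.0},
    {"client": "a", "role": "editor", "action": "read", "time": 1.5},    # 4th in 10 s
    {"client": "b", "role": "viewer", "action": "delete", "time": 1.6},  # not permitted
    {"client": "a", "role": "editor", "action": "read", "time": 11.0},   # window has slid
]


def run(requests, max_requests=3, window_seconds=10):
    """Process a request log with a fresh limiter and return the status per request."""
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    return [handle(limiter, r) for r in requests]


if __name__ == "__main__":
    for req, status in zip(SAMPLE_REQUESTS, run(SAMPLE_REQUESTS)):
        print(status, req["client"], req["role"], req["action"])
```

The rate check runs before the authorization check so that a client hammering the application is cut off cheaply, and the role table is written as an explicit allow list, so a misconfigured or unknown role ends up with no privileges rather than all of them.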
While absolute security is an impossible objective, minimizing the possibility of an exploit by taking the correct measures and implementing the best practices for launching and running web-based applications should be considered a minimum requirement for any organisation wishing to remain secure and maintain the integrity of its data and services.