Web Application Security
Focus on the secure development lifecycle
Security incidents are on the rise worldwide. The threat no longer comes only from individuals but also from organizations and state actors. This ever-increasing threat also gives rise to regulatory requirements, such as the EU Network and Information Security Directive (NIS-2).
Motivation
In 2023, 8,214,886,660 data records were lost in 2,814 security incidents. These figures were already exceeded for 2024 in January. The preliminary status for 2024 is 35,900,145,035 data records in 9,478 incidents. These counts include only incidents that have been made public; the true number, including unreported cases, is therefore probably higher.
These figures correlate with the data from the Open Worldwide Application Security Project (OWASP). OWASP regularly publishes a Top 10 list of the most common vulnerability categories in web applications. According to that list, the most common category is "Broken Access Control," i.e., insufficient or missing measures to control access to resources. However, classics such as injection vulnerabilities are also still present.
In the following, we will examine what is necessary to avoid becoming part of these statistics ourselves.
Knowledge and Awareness
IT security affects all organizational roles, and building knowledge is the basis for implementing projects that meet modern standards. However, before building knowledge to avoid vulnerabilities, comprehensive awareness of the problem must first be raised. The basis for a sustainable IT security culture can be created only through high awareness.
All team members must have a common, basic understanding of security and be trained individually according to their role. There are many different ways to train employees, which should also be based on individual preferences. What is important is that there must be an overarching training concept in which employees have the opportunity for continuous further training.
Consider Security at an Early Stage
In modern software development, the “Shift Left” concept is becoming increasingly important. The basic idea is to integrate security-related aspects as early as possible and thus as cost-effectively as possible into the development process to identify and address potential security problems in the early phases of software development.
A central aspect of this approach is security requirements engineering, which aims to systematically identify, specify, and validate security-related requirements. By considering security requirements early on, the development team can ensure that potential threats and vulnerabilities are addressed in the design phase. In this way, security aspects are not considered a retroactive add-on, but rather an integral part of the entire development process.
Secure Design Principles
You must follow some basic design principles to protect yourself from security vulnerabilities when implementing applications.
One such principle is security by design. This means that security measures are integrated into the application's design and architecture from the outset. To do this, developers follow security best practices and code conventions to avoid vulnerabilities.
Another important concept in software development is Zero Trust. This means that no user or system can be trusted per se. As a result, every action must be authenticated and authorized, not only when initiated by a user, but also by another system or service.
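The following Python sketch is an added example, not code from the original article, and it illustrates both the Zero Trust rule above and the "Broken Access Control" category from the Motivation section. It contrasts a handler that trusts its caller with one that authenticates and authorizes every request, whether a user or a backend service initiates it. The token format, the signing key, the invoice store and the role table are all constructed for the example; a real system would use an established token standard and a secret store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: in practice the signing key lives in a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Constructed resource store: invoice id -> owner and data.
INVOICES = {
    "inv-1001": {"owner": "user-alice", "amount": 120.0},
    "inv-1002": {"owner": "user-bob", "amount": 75.5},
}

# Constructed role table. "svc-billing" is a backend service and is treated exactly like
# a user: it must present a valid token and pass authorization on every call.
ROLES = {
    "user-alice": {"customer"},
    "user-bob": {"customer"},
    "svc-billing": {"billing"},
}


def issue_token(subject, ttl_seconds=300, now=None):
    """Mint a minimal signed token 'base64(payload).base64(hmac)' (hypothetical format)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": now + ttl_seconds}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def authenticate(token, now=None):
    """Return the subject if the token is well-formed, correctly signed and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison of the signature
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


def authorize(subject, action, invoice_id):
    """Object-level check: the owner may read their own invoice, the billing role may read any."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    roles = ROLES.get(subject, set())
    if action == "read":
        return invoice["owner"] == subject or "billing" in roles
    return False


def get_invoice_insecure(invoice_id):
    """Broken Access Control: trusts the caller completely and returns any invoice by id."""
    return INVOICES.get(invoice_id)


def get_invoice(token, invoice_id, now=None):
    """Zero Trust handler: authenticate, then authorize, on every call. Returns (status, body)."""
    subject = authenticate(token, now)
    if subject is None:
        return 401, None
    if not authorize(subject, "read", invoice_id):
        return 403, None   # same answer for "not yours" and "does not exist"
    return 200, INVOICES[invoice_id]


if __name__ == "__main__":
    print(get_invoice(issue_token("user-alice"), "inv-1001"))   # 200
    print(get_invoice(issue_token("user-alice"), "inv-1002"))   # 403
    print(get_invoice(issue_token("svc-billing"), "inv-1002"))  # 200
```

The service account goes through exactly the same path as a user; its privilege comes from an explicit role, not from the fact that the call originated inside the network. The 403 response is deliberately identical for a foreign invoice and a nonexistent one, so a caller cannot enumerate ids through the error code.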
In addition to data security, it is also important to consider data protection. Privacy by default means that personal data protection is also integrated into the development process from the outset. This ensures that data protection requirements are automatically met and user information remains secure.
Secure Development Lifecycle
The Secure Development Lifecycle Is Divided Into the Following Phases:
- Requirements: At the beginning, the individual security needs are determined, and security requirements for the application are defined. Not all applications or parts of an application have the same security needs. For some, standard requirements are sufficient, while others require higher security.
- Design: The design phase determines which application components are particularly relevant for security. For this purpose, risk analysis and threat modeling are used. Both tools help identify, evaluate, and prioritize potential threats to the application.
- Implementation: Automated tools should be used in addition to the design principles already discussed. These include, among other things, tools for static code analysis. These can already find some of the most common security problems, such as storing passwords in the source code. Since many applications depend on external libraries, software composition analysis (SCA) should also be carried out. This is a process in which the libraries are automatically scanned for known vulnerabilities. To handle the results of these tools, it is essential to operate an appropriate vulnerability management system. Automated test tools only make sense if the results are managed accordingly.
- Test: Implemented features are verified using code reviews. In addition, dynamic security tests are carried out to check the running application for vulnerabilities.
- Release: After the application has been released, it is essential to set up reliable security monitoring and define what should happen during an incident. Penetration tests can also be carried out depending on the requirements and the need for protection.
- Training: The entire process is accompanied by ongoing training for everyone involved. As mentioned at the beginning, awareness and knowledge of security topics are the basis on which a Secure Development Lifecycle is built.
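To make the Implementation phase concrete, here is an added Python example (not part of the original article and not any particular tool's logic). It shows a minimal static check for credential literals in source text, a minimal software composition analysis that compares pinned dependency versions against an advisory feed, and a stable fingerprint for each result so that a vulnerability management system can deduplicate findings across runs. The sample source file, the requirements list, the package names and the advisory ids are all constructed.

```python
import hashlib
import re

# --- Constructed sample inputs (not real code, packages or advisories) ---

SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "s3cr3t-hardcoded"             # expected finding: literal credential
API_KEY = os.environ["API_KEY"]              # fine: read from the environment at runtime
token = 'abc'                                # ignored: too short to be a plausible secret
aws_secret_access_key = "AKIAEXAMPLEKEY123"  # expected finding: literal credential
password = getpass()                         # fine: no literal value
"""

SAMPLE_REQUIREMENTS = """\
examplepkg-a==2.19.0
examplepkg-b==3.0.0
# comment lines and blank lines are ignored

examplepkg-c==5.3
"""

# Advisory feed: package -> [(first fixed version, advisory id)]. All ids are placeholders.
ADVISORIES = {
    "examplepkg-a": [("2.20.0", "ADV-PLACEHOLDER-1")],
    "examplepkg-b": [("2.9.1", "ADV-PLACEHOLDER-2")],
    "examplepkg-c": [("5.4", "ADV-PLACEHOLDER-3")],
}

# --- Static check: a string literal assigned to a credential-looking name ---

SECRET_ASSIGNMENT = re.compile(
    r"""^\s*(?P<name>\w*(?:password|passwd|secret|api_?key|token)\w*)\s*=\s*(?P<q>["'])(?P<value>[^"'\n]{8,})(?P=q)""",
    re.IGNORECASE,
)


def find_hardcoded_secrets(source):
    """Return [(line number, variable name)] for every credential literal found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = SECRET_ASSIGNMENT.match(line)
        if match:
            findings.append((lineno, match.group("name")))
    return findings


# --- Software composition analysis: pinned versions vs. the advisory feed ---

def parse_version(version):
    """Numeric dotted versions only; tuples compare element-wise, so 2.19.0 < 2.20.0 and 5.3 < 5.4."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text):
    """Parse 'name==version' lines; comments and blank lines are skipped."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def scan_dependencies(requirements_text, advisories):
    """Return [(package, pinned version, first fixed version, advisory id)] for vulnerable pins."""
    vulnerable = []
    for name, version in parse_requirements(requirements_text).items():
        for fixed_in, advisory_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                vulnerable.append((name, version, fixed_in, advisory_id))
    return vulnerable


# --- Handing results to vulnerability management: stable fingerprints for deduplication ---

def fingerprint(kind, key):
    """Stable id that survives line moves and re-runs, so one issue maps to one ticket."""
    return hashlib.sha256(f"{kind}|{key}".encode()).hexdigest()[:16]


def build_report(source, requirements_text, advisories):
    """Merge both scanners' results into one list of fingerprinted findings."""
    report = []
    for lineno, name in find_hardcoded_secrets(source):
        report.append({"kind": "hardcoded-secret", "where": f"line {lineno}", "detail": name,
                       "fingerprint": fingerprint("hardcoded-secret", name)})
    for name, version, fixed_in, advisory_id in scan_dependencies(requirements_text, advisories):
        report.append({"kind": "vulnerable-dependency", "where": name,
                       "detail": f"{version} is below fixed version {fixed_in} ({advisory_id})",
                       "fingerprint": fingerprint("vulnerable-dependency", f"{name}:{advisory_id}")})
    return report


if __name__ == "__main__":
    for item in build_report(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS, ADVISORIES):
        print(item)
```

The fingerprint is keyed on the variable name rather than the line number for the secret check, and on package plus advisory id for the dependency check, so re-running the pipeline after unrelated edits does not open duplicate tickets; that is the "managed accordingly" part of the paragraph, without which the scanner output is just noise.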
The introduction of a secure development lifecycle can greatly increase security, but it is not easy. It requires the commitment of everyone involved and continuous maintenance and effort to be successful.