
I'm asked to secure a web application and I don't really know which steps I can follow to secure my web application.

schroeder

1 Answer

I would strongly recommend you enumerate the critical assets of your web applications first. For example, consider the following:

  1. Does your web application process, transmit or store critical data? (Consider critical data anything that should be secret, for example user passwords).
  2. In case you transmit critical data, which you probably will, always consider securing your connections through TLS 1.2 or similar. This means your web application should only be accessed through HTTPS.
  3. In case you store critical data, I'd recommend you encrypt it with a strong algorithm like AES-128. In the special case of passwords, store the SHA-256 salted hashes instead of cleartext passwords. You should not know what your users' passwords are.
  4. It's most important to be aware of how you write the code of your app. You need to understand how the most relevant web attacks work and how to secure your coding against them. Check out OWASP's Top 10 attacks: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  5. You need to come up with a network architecture that ensures at least minimum security. You need to protect your local network (databases and such) with a firewall solution like a well-configured WAF. If you're using a cloud service you could possibly use a bastion host in your DMZ to access your web server. This is a huge world you need to explore in order to secure your network. It depends on what you want to do and how you are trying to build it.
  6. Never forget about logging and monitoring. If anything goes wrong, you'll be thankful you have logged all accesses to the web server and all activities in the repositories. It will help you do your own forensic investigation or at least help audit what you're doing.

So, with all this in mind, let me conclude with these tips:

  • Read OWASP's Top 10 Attacks, and really understand it.
  • Secure your network.
  • Secure your critical data at transit and at rest.
  • Log everything critical, from accesses to activities.

Glossary you should be familiar with:

  • Man in the middle attacks
  • XSS, CSRF
  • Symmetric/Asymmetric encryption - AES/RSA
  • SQL Injection
  • Hashing (especially the SHA family of algorithms).

franpen
  • Thank you, should I make some tests in the application to ensure that there aren't Top 10 vulnerabilities? – user200516 Feb 25 '19 at 20:00
  • Another question please, should I start with a risk analysis to determine security objectives in order to propose targeted countermeasures? – user200516 Feb 25 '19 at 20:01
  • @user200516 I don't know if you're building something on your own or as part of a company or something. Anyway, a good architecture will always consider Dev, QA and Production environments. Your security tests should be done in QA, before deploying the app in Production. – franpen Feb 25 '19 at 20:13
  • @user200516 Of course a risk analysis is the way to go. You need to fully understand what you're building, what data you are responsible for and what the risks are in handling that data. Only by knowing that can you start thinking of ways to protect yourself from hackers or human-fault impacts. – franpen Feb 25 '19 at 20:15
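Item 3 of the answer ("store salted hashes instead of cleartext passwords") in working code, as an added example that is not part of franpen's answer: each password gets its own random salt stored next to the hash, and login verification recomputes and compares in constant time. It swaps the single SHA-256 pass for PBKDF2-HMAC-SHA256 from Python's standard library, a deliberately slow salted construction, so every guess against a leaked hash costs an attacker as much work as one legitimate check; the record format, salt size and iteration count are this example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters chosen for this example: a 16-byte random salt per password
# and a high PBKDF2 iteration count so each guess costs real CPU time.
SALT_BYTES = 16
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    Storing algorithm, iterations and salt with the hash lets you raise the
    cost later and re-hash users at their next login without a flag day.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh, unpredictable salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations; compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False  # malformed record: a failed login, never an exception path
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not short-circuit, so timing does not reveal matching prefixes
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demo values, not data from the page
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))  # False
```

Two users with the same password get different records because the salt differs, so a leaked table cannot be cracked once for everyone.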