Web development is a dynamic landscape that’s constantly evolving with new technologies, trends, and security threats. Unfortunately, the crucial aspect of web security is often overlooked. There are many reasons for this, and they vary from team to team and organization to organization.

Many web security problems stem from a lack of higher-level understanding of secure software development, while others are simple coding mistakes.

In part 2, we’ll explore topics such as security architecture, threat modeling and how to secure web applications from a programme or strategic level. In today’s post, we will be looking at the common tactical mistakes made by development teams that can lead to vulnerabilities and weaknesses in a web application.


Common Security Mistakes

1. Not validating and sanitizing user input

User input is one of the most common sources of web application vulnerabilities. We should always look to validate appropriately and consider the type, length, format, and range.

Practical tips:

  • Let your framework do the heavy lifting: every web application framework provides data type validation natively.
  • Consider using type conversion with error handling.
  • Avoid wildcards wherever possible when using regex.
  • Carry out checks where a defined maximum or minimum range is needed.
  • Prefer allow lists over block lists.
  • Carry out validation server-side, not client-side.
  • User controlled data that’s returned must be encoded to prevent XSS.
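The tips above, worked through in one place, as an added example written for this post rather than code from the original. It is Python using only the standard library; the form fields (`username`, `display_name`, `age`, `country`), the allow list of countries and the numeric ranges are constructed for the example. It shows type conversion with error handling, length and range checks, an anchored regex with no wildcard, an allow list rather than a block list, and HTML encoding of user-controlled data before it is returned.

```python
import html
import re
from dataclasses import dataclass

# Allow list for a constrained field (constructed for this example).
ALLOWED_COUNTRIES = {"GB", "US", "DE"}
# Anchored pattern with no wildcard: 3-20 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")
MAX_DISPLAY_NAME = 40


class ValidationError(ValueError):
    """Raised with a message that is safe to show back to the user."""


@dataclass
class Profile:
    username: str
    display_name: str
    age: int
    country: str


def validate_profile(form):
    """Server-side validation of a submitted form: type, length, format and range."""
    username = form.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-20 lowercase letters, digits or underscores")

    # Free text, so only length and character class are constrained here;
    # it is encoded on output instead (see render_greeting).
    display_name = form.get("display_name")
    if not isinstance(display_name, str) or not 1 <= len(display_name) <= MAX_DISPLAY_NAME:
        raise ValidationError("display name must be 1-%d characters" % MAX_DISPLAY_NAME)
    if not display_name.isprintable():
        raise ValidationError("display name contains unsupported characters")

    # Type conversion with error handling instead of trusting the string.
    try:
        age = int(str(form.get("age", "")).strip())
    except ValueError:
        raise ValidationError("age must be a whole number") from None
    if not 13 <= age <= 120:
        raise ValidationError("age must be between 13 and 120")

    # Allow list: anything not explicitly permitted is rejected.
    country = form.get("country")
    if not isinstance(country, str) or country not in ALLOWED_COUNTRIES:
        raise ValidationError("country is not supported")

    return Profile(username, display_name, age, country)


def render_greeting(profile):
    """User-controlled data is HTML-encoded before it is returned in a page."""
    return "<p>Welcome, %s!</p>" % html.escape(profile.display_name)
```

The validation error messages are written to be shown to the user as-is, which keeps them informative without describing anything about the server side.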


2. Not implementing strong authentication and authorization

Authentication and authorization mechanisms are vital to secure any system. Encourage users to use strong, unique passwords and offer multi-factor authentication (MFA) options. On the authorization front, apply the Principle of Least Privilege (PoLP), which means users should only have the access necessary to perform their tasks, nothing more.

Practical tips:

  • Implement strong password requirements.
  • Do not truncate or manipulate passwords in a way that would lower their entropy.
  • Implement secure password recovery (i.e. NOT secret questions).
  • Store passwords securely.
  • Require re-authentication or step-up to another factor for sensitive functionality.
  • Use generic error messages (see the next section).
  • Consider rate limiting and throttling.
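A minimal login path that applies several of the tips above, added here as an example and not code from the original post. It is standard-library Python: the storage choice (PBKDF2-HMAC-SHA256 with a per-user random salt and 600,000 iterations), the 12-128 character length policy, the five-attempts-per-five-minutes limit and the in-memory user store are all assumptions made for the example. The password is hashed in full (no truncation or case folding), the failure message is identical whether the username exists or not, an unknown username still costs a hash so timing does not reveal which accounts exist, and repeated failures are throttled per account.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Parameters chosen for this example (not from the original post).
PBKDF2_ITERATIONS = 600_000
MIN_PASSWORD_LENGTH = 12
MAX_PASSWORD_LENGTH = 128      # bounded for DoS reasons, but never silently truncated
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 300
GENERIC_FAILURE = "Invalid username or password"
DUMMY_SALT = b"\x00" * 16       # used so unknown usernames cost the same work

_users = {}                      # username -> (salt, hash); constructed in-memory store
_attempts = defaultdict(list)    # username -> timestamps of recent failures


def check_password_policy(password):
    """Length policy only; the full password is kept exactly as typed."""
    if not MIN_PASSWORD_LENGTH <= len(password) <= MAX_PASSWORD_LENGTH:
        raise ValueError("password must be %d-%d characters"
                         % (MIN_PASSWORD_LENGTH, MAX_PASSWORD_LENGTH))


def _hash(password, salt):
    # Every byte of the password goes into the hash: no truncation, no case folding.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username, password):
    check_password_policy(password)
    salt = os.urandom(16)
    _users[username] = (salt, _hash(password, salt))


def login(username, password, now=None):
    """Returns (success, message). `now` is injectable for testing the throttle."""
    now = time.monotonic() if now is None else now

    # Throttle: keep only failures inside the window, refuse once the limit is hit.
    recent = [t for t in _attempts[username] if now - t < LOCKOUT_SECONDS]
    _attempts[username] = recent
    if len(recent) >= MAX_ATTEMPTS:
        return False, "Too many attempts, please try again later"

    record = _users.get(username)
    if record is None:
        _hash(password, DUMMY_SALT)          # same cost as a real check
        _attempts[username].append(now)
        return False, GENERIC_FAILURE        # same message as a wrong password

    salt, stored = record
    if not hmac.compare_digest(stored, _hash(password, salt)):
        _attempts[username].append(now)
        return False, GENERIC_FAILURE

    _attempts[username].clear()
    return True, "ok"
```

A real deployment would keep the attempt counters somewhere shared (a cache or database) rather than in process memory, and would throttle per source address as well as per account.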

Authentication and authorization are actually very deep topics that could cover multiple blog posts and courses, so I highly recommend you read up on and follow the best practices relevant to your technology stack.


3. Not practicing proper error handling

Ensure your error messages are informative enough for users without revealing too much about your system. Overly detailed error messages can make finding and exploiting vulnerabilities much easier. They can also reveal information such as usernames and accounts to target.

Practical tips:

  • Use exception handling to catch errors that may occur, and return user-friendly error messages.
  • Implement a centralized error logging system to capture and review unhandled errors.
  • Avoid exposing system internals with your error messages. For example, rather than saying “Database connection failed”, opt for a more generic message like “Unable to process request”.
  • Consider using custom error pages to handle specific HTTP error status codes, such as 404 Not Found and 500 Internal Server Error.
  • Validate user input prior to processing to avoid common errors (see mistake #1).
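The centralized handler described above, as an added example (standard-library Python, not the post's own code). The `AppError` class, the order lookup and report handlers, and the 404/500 page text are constructed for the illustration. Expected errors carry a message written to be safe for users; anything unexpected is logged in full, with a short reference id, and the user only ever sees a generic message plus that id.

```python
import logging
import secrets
import traceback

log = logging.getLogger("app.errors")

# Friendly pages for specific HTTP status codes (constructed for this example).
ERROR_PAGES = {
    404: "Sorry, we couldn't find that page.",
    500: "Something went wrong on our side. Please try again later.",
}
GENERIC_MESSAGE = "Unable to process request"


class AppError(Exception):
    """An error whose message has been written to be safe to show to users."""

    def __init__(self, message, status=400):
        super().__init__(message)
        self.status = status


def handle_request(handler, *args):
    """Run a request handler under centralized error handling.

    Returns (status, body). Expected errors carry their own safe message;
    anything unexpected is logged with its traceback and replaced by a
    generic message plus a reference id the user can quote to support.
    """
    try:
        return 200, {"result": handler(*args)}
    except AppError as exc:
        return exc.status, {"error": str(exc)}
    except Exception:
        ref = secrets.token_hex(4)
        log.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
        return 500, {"error": GENERIC_MESSAGE, "ref": ref}


def error_page(status):
    """Custom page text for known status codes, generic text otherwise."""
    return ERROR_PAGES.get(status, GENERIC_MESSAGE)


# Constructed handlers standing in for real application code.
def lookup_order(order_id):
    if order_id != 42:
        raise AppError("Order not found", status=404)
    return {"id": 42, "status": "shipped"}


def load_report():
    # Simulates an internal failure whose detail must not reach the user.
    raise ConnectionError("Database connection failed: host=db01.internal timed out")
```

The reference id is the piece that lets support staff find the full traceback in the central log without the response itself saying anything about the database.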


4. Not keeping software updated

Ensure that all software components, including server software, Content Management Systems, and third-party libraries, are kept up to date. Known vulnerabilities are typically easy to identify and exploit, so patching is a critical part of your software development lifecycle.

Practical tips:

  • Keep your software up to date 😉 but also…
  • Enable automatic updates whenever possible.
  • Monitor vulnerability databases and security bulletins for any disclosed vulnerabilities that might affect your system.
  • Regularly scan your system using security tools to identify outdated software or known vulnerabilities.
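The kind of check the last two tips describe, reduced to its core: compare pinned dependency versions against an advisory feed and report anything that falls inside an affected range. This is an added example in standard-library Python, not a tool from the post; the requirements text, the package names and the `ADV-EXAMPLE-*` advisory ids are placeholders constructed for it, not real advisories. Real feeds (and real scanners) use richer version semantics than the dotted-integer comparison used here.

```python
# Constructed inventory in requirements.txt style (not a real project's dependencies).
INSTALLED_REQUIREMENTS = """\
webframework==4.1.2   # web framework
jsonlib==2.0.0
imagetool==9.3.1
"""

# Constructed advisory feed; ids and packages are placeholders, not real CVEs.
# "fixed": None means no fixed release exists yet, so every version from
# "introduced" onwards is still affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "webframework", "introduced": "4.0.0", "fixed": "4.1.3"},
    {"id": "ADV-EXAMPLE-0002", "package": "imagetool", "introduced": "9.0.0", "fixed": "9.2.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "jsonlib", "introduced": "2.0.0", "fixed": None},
]


def parse_version(text):
    """Dotted numeric versions only; pre-release tags are out of scope here."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text):
    """Map package name -> version tuple from pinned 'name==version' lines."""
    installed = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError("unpinned requirement, cannot check it: " + line)
        installed[name.strip().lower()] = parse_version(version)
    return installed


def find_affected(installed, advisories):
    """Return one finding per advisory whose affected range covers the installed version."""
    findings = []
    for adv in advisories:
        current = installed.get(adv["package"].lower())
        if current is None:
            continue                                   # package not used
        if current < parse_version(adv["introduced"]):
            continue                                   # older than the affected range
        if adv["fixed"] is not None and current >= parse_version(adv["fixed"]):
            continue                                   # already patched
        findings.append({
            "package": adv["package"],
            "installed": ".".join(str(p) for p in current),
            "advisory": adv["id"],
            "fixed_in": adv["fixed"],
        })
    return findings


def audit(requirements_text=INSTALLED_REQUIREMENTS, advisories=ADVISORIES):
    return find_affected(parse_requirements(requirements_text), advisories)
```

A finding with `fixed_in` of `None` is the case the "monitor security bulletins" tip covers: there is nothing to upgrade to yet, so the decision becomes a mitigation or a replacement rather than a patch.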


5. Not testing during development

The earlier you catch vulnerabilities, the less likely they are to make it into the live version of your application. In the rush of development, don’t forget to put your security hat on.

Practical tips:

  • Include security checks as part of your code review process.
  • Make use of static and dynamic analysis tools to find potential security issues.
  • Foster a security culture within your development team. Train developers on secure coding practices and keep them updated with the latest threats and mitigation techniques.

About the Author: Alex Olsen

Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity. He created many of the web hacking courses in TCM Security Academy, as well as the PJWT and PWPT certifications.

Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com
