Web application security, is a branch of Information Security that deals specifically with security of websites, web applications and web services. At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems.
With the emergence of Web 2.0, increased information sharing through social networking and increasing business adoption of the Web as a means of doing business and delivering service, websites are often attacked directly. Hackers either seek to compromise the corporate network or the end-users accessing the website by subjecting them to drive-by downloading.
As a result, industry is paying increased attention to the security of the web applications themselves in addition to the security of the underlying computer network and operating systems.
The majority of web application attacks occur through cross-site scripting (XSS) and SQL injection attacks which typically result from flawed coding, and failure to sanitize input to and output from the web application. These are ranked in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors.
Phishing is another common threat to the Web application and global losses from this type of attack in 2012 were estimated at $1.5 billion.
Secure web application development should be enhanced by applying security checkpoints and techniques at early stages of development as well as throughout the software development life cycle. Special emphasis should be applied to the coding phase of development. Security mechanisms that should be used include, threat modeling, risk analysis, static analysis, digital signature, among others.
OWASP is the emerging standards body for Web application security. In particular they have published the OWASP Top 10 which describes in detail the major threats against web applications. The Web Application Security Consortium (WASC) has created the Web Hacking Incident Database and also produced open source best practice documents on Web application security.
While security is fundamentally based on people and processes, there are a number of technical solutions to consider when designing, building and testing secure web applications. At a high level, these solutions include:
- Black box testing tools such as Web application security scanners, vulnerability scanners and penetration testing software
- White box testing tools such as static source code analyzers
- Fuzzing Tools used for input testing
- Web application security scanner (vulnerability scanner)
- Web application firewalls (WAF) used to provide firewall-type protection at the web application layer
- Password cracking tools for testing password strength and implementation
Advantages of Web Applications:
Develop once run anywhere:
The client-server architecture of the web application allows the web application developer to develop the web application (once) and allow any user (with access to a web browser – which is pre-installed on every computer and smartphone) to access it from anyware. The main advantage here is that the web application does not depend upon the underlying the software platform of the computer or smartphone i.e. the web application will run and perform in exactly the same way on two different types of computers with different operating systems and hardware components.
Easy to upgrade:
When compared with other types of software application, software developed as web applications are very easy to upgrade. This is because, the Server, where all the programming code is stored is the only place where the upgrade needs to be applied. Once upgraded, all users (web browsers) accessing the web application will automatically access the upgraded version.
Performance:
When it comes to developing enterprise level applications that store and process a large amount of data, developing a web application is a very attractive approach. This is because storing and processing large amounts of data required a lot of powerful and expensive hardware and if not centralised, every user in an organisation will require a very powerful i.e. an expensive computer. If developed as a web application, all the complex processing and storing of data can be handled by the server and the users (web browser) are simply shown the end results, saving a lot of investment in expensive hardware.
Open source software:
There are a lot of open software development tools, frameworks and resources available which not only help to speed-up the development of web applications (using readymade libraries) but also help to reduce the cost to develop the same. Frameworks like Bootstrap, AnjularJS, Kendo, etc, provide a lot of our-of-the-box features and functions that can be simply plugged-in into web applications, which can sometimes help to save a lot of development effort.
Standards and maintenance:
Software developed as a web application by reputed companies and developers follow the well-defined, mature industry standards and best practices. Also, because of a wide user base of developers and users, help and resources are always a click away in the Internet. This results in lower maintenance costs and allows the older web application to be compatible with newer versions of software.
The Above mentioned is a Brief about Web Application Security. Watch this Space for more Updates on the Latest Trends in Technology.