Creating more secure applications: 5 tips for developers

The apps we all use, whether mobile, web or enterprise, are an entry point for cybercriminals to access sensitive user data.

A recent example: the Community of Madrid launched a web application to request an appointment for the COVID-19 vaccination, and a security breach occurred that exposed health and personal data of the region's citizens.

To avoid such threats, users should take precautions when using these applications, while for developers the security of sensitive data should be a constant concern. According to a Gartner study, over 75% of mobile applications would fail baseline security tests, falling far short of minimum security commitments.

Before creating an application and equipping it with the tools to protect user data, the starting point is to know the possible vulnerabilities in advance so that security can be strengthened where it matters.


Nexllence proposes 5 tips that programmers should keep in mind when developing applications:


1. Take into account general security principles

When an application depends on a database to function, end users should have only limited access to it: they should not be able to create or delete data directly. It is also essential to keep a history of data changes and accesses so that, in the event of a problem or data loss, the source of the problem can be quickly identified.

In addition, care should always be taken when using external components (third-party libraries and services) in our tool. If vulnerabilities are identified in them, it is best not to use them, or to take precautions so that they cannot compromise the application.

Finally, there are basic mistakes when developing an application that should be taken into account, such as allowing digital certificates to expire, leaving ports unnecessarily open on the web server, using obsolete security protocols, not protecting files inside the server, or using old software libraries.


2. Embed security in code

One of the biggest security risks that any software solution can suffer from is bugs in the code, whether HTML, JavaScript or SQL. Any flaw in coding or design can give attackers access to sensitive user information, so developers must validate input so that only correctly formatted data enters the web application. This filter prevents the handling of incorrect or corrupted data that could cause the application to malfunction. In addition, it is recommended to regularly run tests that simulate attacks to see how the application reacts and to check how easily it can be penetrated.
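The validation step described above, as an added example that is not code from the article or from Nexllence: an allow-list schema for a vaccination-appointment request (the field names and rules are assumptions for illustration), applied before the data reaches any application logic. Anything the schema does not name, including unexpected extra fields, is rejected rather than silently passed through.

```javascript
// Added example: allow-list validation of an appointment-request payload.
// Field names, patterns and the sample requests below are constructed for
// illustration; they are not from the article.

const appointmentSchema = {
  fullName:    { type: 'string', maxLength: 80, pattern: /^[\p{L}][\p{L} .'-]*$/u },
  dateOfBirth: { type: 'string', pattern: /^\d{4}-\d{2}-\d{2}$/, check: isRealDate },
  phone:       { type: 'string', pattern: /^\+?\d{9,15}$/ },
  postcode:    { type: 'string', pattern: /^\d{5}$/ },
  consent:     { type: 'boolean' },
};

// A date string can match the pattern yet not be a real calendar date (e.g. 1985-02-30).
function isRealDate(s) {
  const [y, m, d] = s.split('-').map(Number);
  const dt = new Date(Date.UTC(y, m - 1, d));
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === m - 1 && dt.getUTCDate() === d;
}

// Returns { ok, errors, value }. On success `value` holds only the schema's
// fields, trimmed, so downstream code never sees unvalidated input.
function validate(schema, input) {
  const errors = [];
  const value = {};
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'], value: null };
  }
  // Reject every field the schema does not name (stops mass assignment and
  // keys such as "__proto__" that JSON.parse creates as own properties).
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [key, rule] of Object.entries(schema)) {
    const raw = input[key];
    if (raw === undefined) { errors.push(`${key}: required`); continue; }
    if (typeof raw !== rule.type) { errors.push(`${key}: expected ${rule.type}`); continue; }
    let v = raw;
    if (rule.type === 'string') {
      v = raw.trim();
      if (rule.maxLength !== undefined && v.length > rule.maxLength) { errors.push(`${key}: too long`); continue; }
      if (rule.pattern && !rule.pattern.test(v)) { errors.push(`${key}: invalid format`); continue; }
      if (rule.check && !rule.check(v)) { errors.push(`${key}: invalid value`); continue; }
    }
    value[key] = v;
  }
  return { ok: errors.length === 0, errors, value: errors.length === 0 ? value : null };
}

// Constructed sample requests: one well-formed, one with several defects.
const goodRequest = { fullName: ' Ana García ', dateOfBirth: '1985-04-12', phone: '+34600123456', postcode: '28001', consent: true };
const badRequest  = { fullName: 'Ana_123', dateOfBirth: '1985-02-30', phone: '600', postcode: '28001', consent: 'yes', isAdmin: true };

console.log(validate(appointmentSchema, goodRequest));
console.log(validate(appointmentSchema, badRequest));
```

The validator deliberately returns every error at once rather than stopping at the first one, which is what an API consumer needs, and it hands back a freshly built object instead of the original input so that extra properties cannot ride along into the database layer.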


3. The user is a gateway for cyber attacks

When accessing an application, it is important to verify who is trying to get in, but today the basic credentials of username and password are no longer sufficient, and there is a growing need for multi-factor authentication, which goes beyond two-factor authentication.

The main goal when designing a web application is to give users as few permissions as possible and to define a hierarchy tailored to each situation, so that not all users can see and access the same data. Each user should have a profile and access to only a certain subset of the application's functionality.

It is important that the systems that make up an application always keep a record of the accesses and actions performed by users, especially when the data is sensitive or confidential. In the event of a problem, this information makes it easier to identify its source.
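Tips 1 and 3 together describe least-privilege access with an access log. The following is an added example, not code from the article or from Nexllence, of how both fit in one service: the roles (citizen, staff, admin), the permission strings and the appointment record layout are assumptions for illustration. Every attempt is written to the audit trail, including denials, and a missing record is refused with the same error as an unauthorized one so the response does not reveal which record IDs exist.

```javascript
// Added example: role-based, least-privilege checks plus an audit log for an
// appointment service. Roles, permissions and records are constructed here.

const PERMISSIONS = {
  citizen: new Set(['appointment:read:own', 'appointment:create:own']),
  staff:   new Set(['appointment:read:any', 'appointment:update:any']),
  admin:   new Set(['appointment:read:any', 'appointment:update:any', 'appointment:delete:any']),
};

// A role that is not listed gets no permissions at all (default deny).
function isAllowed(user, action, record) {
  const granted = PERMISSIONS[user.role] || new Set();
  if (granted.has(`${action}:any`)) return true;
  return granted.has(`${action}:own`) && record.ownerId === user.id;
}

class AppointmentService {
  // `clock` is injectable so the audit timestamps are deterministic in tests.
  constructor(records, clock = () => new Date().toISOString()) {
    this.records = new Map(records.map(r => [r.id, r]));
    this.auditLog = [];
    this.clock = clock;
  }

  // Single gate through which every read/update/delete passes. The audit entry
  // is written before the outcome is acted on, so denials are recorded too.
  access(user, action, recordId) {
    const record = this.records.get(recordId);
    const allowed = record !== undefined && isAllowed(user, action, record);
    this.auditLog.push({
      at: this.clock(), userId: user.id, role: user.role, action, recordId,
      outcome: allowed ? 'allowed' : 'denied',
    });
    // Same error for "not found" and "not permitted": no existence leak.
    if (!allowed) throw new Error('forbidden');
    if (action === 'appointment:delete') this.records.delete(recordId);
    return record;
  }

  // Convenience view for an incident review: who touched a given record.
  historyFor(recordId) {
    return this.auditLog.filter(e => e.recordId === recordId);
  }
}

// Constructed sample data.
const service = new AppointmentService([
  { id: 'A1', ownerId: 'u1', slot: '2021-06-01T09:00' },
  { id: 'A2', ownerId: 'u2', slot: '2021-06-01T09:30' },
]);
const citizen = { id: 'u1', role: 'citizen' };
console.log(service.access(citizen, 'appointment:read', 'A1'));
try { service.access(citizen, 'appointment:read', 'A2'); } catch (e) { console.log('denied:', e.message); }
console.log(service.historyFor('A2'));
```

Keeping a single `access` gate is what makes the log trustworthy: if individual handlers can reach `records` directly, some actions will go unrecorded and the trail is incomplete exactly when it is needed.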


4. Prevention of cross-site scripting attacks

Cross-Site Scripting (XSS) is one of the most frequent attacks on an application. This web security vulnerability allows an attacker to compromise the interactions that users have with a website.

XSS allows the cybercriminal to impersonate a victim user, perform any action the user can perform, and access any of the user's data. If the victim has privileged access within the application, the attacker can gain full control of it.

Since user-controlled data can change what a page renders, it is necessary to understand where that data flows through the application and to avoid uncontrolled paths. To prevent such attacks, apply context-sensitive encoding, i.e., filter data on arrival from the user and encode data on output for the context it is inserted into, and enable a Content Security Policy (CSP) to limit the impact of any XSS vulnerabilities that still exist.


5. Always be alert to unknown threats

As application usage increases, security threats also evolve and unknown types of attacks may emerge. For this reason, it is important to stay abreast of the latest trends in cyberattacks and have a proactive plan in place to act as quickly as possible in the event of such a threat.

"When it comes to web security, any precaution we can take is not enough; any simple move can be an entry point for cybercriminals. Developers must comply with good security practices when developing an application, so that when it is used, there are no problems during its use and user data is always protected," says David Faustino, Managing Director of Nexllence.


Source: Cepyme News