How to build a secure web application?
Many of our clients ask for a web application. People now know that there is no parallel to an application you can access from anywhere in the world, from any device. The accessibility and convenience of converting an old-fashioned desktop system to a web-based system is life changing and nothing short of revolutionary. I can confidently say that the majority of our clients actively seek to develop a web-based system.
One of the first questions that arises when discussing the client specification is the level of security this kind of application has. The idea that sensitive information can be accessed on the web with nothing more than login details can deter people.
There are certain rules to follow when developing a web-based application.
First, use the services of a reputable company or developer. Don't be lured by the cheapest developers or by someone you haven't even interviewed. Check the company's history and ask to see a portfolio. Secondly, ask about the security measures the company provides.
Web security is a complex issue. In this article we will highlight the main issues for you as a client and what you should expect from your development house.
So how do we build a secure web application?
Secure user authentication
First and foremost, as most applications require multi-user access, it is paramount that your application has tight user authentication control. For example: make sure the system has a strong back end that allows separate log-in areas with restricted views in line with user access rights. Allow only strong passwords to be entered in the system. Manage password security by administering account lock-outs and password expiration. All authentication cookies have to be encrypted, and make sure to limit the time interval for which the authentication cookie is valid.
Most web systems require multiple access levels for different users. Make sure you design restricted views for each type of user. Another very important measure is to restrict user access to system-level resources such as files, folders, database information, event logs, and so on. Use Windows Access Control Lists (ACLs) to restrict user access. Block anonymous user access to the system and use multiple gatekeepers.
Make sure your admin area is accessed only by authorized administrators. It is best that administrators log in only locally, but if they need to log in remotely, make sure they use encrypted channels, for example SSL or VPN technology.
Make sure to encrypt text-based configuration files. It is best to avoid placing configuration files in the application's web space, and of course, as discussed previously, make sure to use restricted access privileges for different users.
Auditing and Logging
Make sure to use log files across all areas of the application. Real-time log files are the best ones to use. You can use Windows, IIS, and SQL Server auditing tools. Logging login events and modifications of data, including the location and identity of the user and the event itself, will give you a better picture of what happened. Secure all log files by using ACLs.
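The authentication controls from the Secure user authentication section (strong passwords, account lock-outs, password expiration, a time-limited authentication cookie, restricted views per role) and the login auditing from this section, shown together in one added Python sketch that is not code from the article or from any development house. It assumes a simple in-memory user store, and the policy values (MAX_FAILURES, LOCKOUT_SECONDS, PASSWORD_MAX_AGE, SESSION_TTL) are assumed examples, not figures from the article.

```python
import hashlib, hmac, os, re, secrets, time

MAX_FAILURES = 5               # failed logins before the account is locked out (assumed policy)
LOCKOUT_SECONDS = 15 * 60      # how long a lock-out lasts
PASSWORD_MAX_AGE = 90 * 86400  # password expiration: 90 days
SESSION_TTL = 30 * 60          # validity interval of the authentication cookie

def password_is_strong(pw):   # length plus upper, lower, digit and symbol classes
    return len(pw) >= 12 and all(re.search(c, pw) for c in
                                 [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"])

def hash_password(pw, salt=None):   # salted PBKDF2-HMAC-SHA256, plaintext never stored
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

class AuthStore:
    def __init__(self, now=time.time):   # injectable clock so expiry can be tested
        self.now, self.users, self.sessions, self.audit = now, {}, {}, []
    def log(self, event, user, ip):   # audit record: what, who, from where, when
        self.audit.append({"ts": self.now(), "event": event, "user": user, "ip": ip})
    def register(self, user, pw, role):
        if not password_is_strong(pw):
            raise ValueError("password does not meet the strength policy")
        salt, digest = hash_password(pw)
        self.users[user] = {"salt": salt, "hash": digest, "role": role,
                            "failures": 0, "locked_until": 0, "pw_set": self.now()}
    def login(self, user, pw, ip):   # returns a session token, or None on any failure
        u, now = self.users.get(user), self.now()
        if u is None or now < u["locked_until"]:
            self.log("login_denied", user, ip)  # unknown or locked-out account
            return None
        if not hmac.compare_digest(hash_password(pw, u["salt"])[1], u["hash"]):
            u["failures"] += 1
            if u["failures"] >= MAX_FAILURES:
                u["locked_until"] = now + LOCKOUT_SECONDS
                self.log("account_locked", user, ip)
            self.log("login_failed", user, ip)
            return None
        u["failures"] = 0
        if now - u["pw_set"] > PASSWORD_MAX_AGE:
            self.log("password_expired", user, ip)  # must change password first
            return None
        token = secrets.token_urlsafe(32)  # cookie value: random and time-limited
        self.sessions[token] = {"user": user, "expires": now + SESSION_TTL}
        self.log("login_ok", user, ip)
        return token
    def authorize(self, token, required_role):   # restricted-view check
        s = self.sessions.get(token)
        return (s is not None and self.now() <= s["expires"]
                and self.users[s["user"]]["role"] == required_role)
```

In a real deployment the token would travel in a cookie marked Secure and HttpOnly over an encrypted channel, and the audit list would be written to the Windows, IIS or SQL Server logs the article mentions rather than kept in memory.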
Backup tools
Make sure all your application files, including log files, can be backed up and restored.