One of the key reasons for application vulnerabilities is a lack of secure design, development, implementation, and operations. Relying solely on post-development audits for security is inadequate. Instead, security must be an inherent and integral aspect of the application's design and development lifecycle. Organizations should adopt secure application development practices, and application owners should require adherence to the best practices highlighted in this document rather than relying only on a post-development audit. By following these guidelines, applications are developed with built-in security measures, making breaches and exploitation considerably harder.
The guidelines are intended to identify lapses and vulnerabilities in how security practices are implemented in an application. The key findings and recommendations in the guidelines are drawn from the field data analysis of audits conducted by E Com Security Solutions.
Requirements Phase
- Absolute Specifications: Focus on essential requirements and features; every excess feature increases the attack surface. Include security requirements alongside functional ones.
- Threat Modelling: Conduct threat modelling exercises during the design phase. Identify potential threats and prioritize them by impact and likelihood.
Design Phase
- Input Validation and Sanitization: Implement strong input validation techniques and utilize secure frameworks or libraries to sanitize inputs effectively.
- Secure File Handling: Validate and handle file uploads to prevent file inclusion, overwrite, or arbitrary code execution: check the file type, limit the file size, and store files in a secure location.
- Secure API Design: Ensure secure API design principles. Implement strong authentication and authorization mechanisms, input validation, rate limiting, and proper error handling.
- Authentication and Authorization: Strong authentication mechanisms help prevent unauthorized access to applications. Access controls enforce proper authorization and restrict access to sensitive functionality or data.
- Secure Session Management: Generate secure session identifiers, use secure cookies, implement session expiration, and prevent session hijacking and fixation attacks.
- Secure Database Access: Use parameterized queries or prepared statements to prevent SQL injection attacks. Apply the principle of least privilege to restrict database access rights.
- Secure Communication: Protect data in transit and at rest. Use encryption, hashing, and secure key management techniques to ensure the confidentiality and integrity of data.
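As an added illustration of the Secure File Handling item above (example code, not from E Com Security Solutions), the following Python upload handler enforces the three checks named there: a size limit, a type check based on file content rather than the client-supplied name, and storage under a server-generated name in a directory outside the web root, opened so that an existing file can never be overwritten. The allowed signatures, size limit and directory are constructed values for the example.

```python
import os
import re
import secrets
import tempfile
from typing import Optional

# Constructed policy values for this example (not from the guideline text).
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # 2 MiB size limit
UPLOAD_DIR = os.path.join(tempfile.gettempdir(), "app_uploads")  # outside the web root

# Allowed types are identified by leading magic bytes, never by the client's extension.
MAGIC_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
}


class UploadRejected(ValueError):
    """Raised when an upload fails a policy check; the message is safe to show to the user."""


def detect_type(data: bytes) -> Optional[str]:
    """Return the allowed type matching the content's magic bytes, or None."""
    for magic, ext in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(client_filename: str, data: bytes, upload_dir: str = UPLOAD_DIR) -> str:
    """Validate an uploaded file and store it; returns the server-side path."""
    # 1. Size limit: reject before doing any further work on the content.
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # 2. Type check by content, not by the extension the client chose.
    ext = detect_type(data)
    if ext is None:
        raise UploadRejected("file type not allowed")
    # 3. The client name is kept only as metadata; reject path separators, traversal
    #    sequences and control characters so it can be logged or displayed safely.
    if not re.fullmatch(r"[\w.\- ]{1,255}", client_filename) or ".." in client_filename:
        raise UploadRejected("invalid file name")
    # 4. Server-generated name in a directory outside the web root; O_EXCL guarantees
    #    the call fails rather than overwriting an existing file.
    os.makedirs(upload_dir, mode=0o700, exist_ok=True)
    target = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target
```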
Development Phase
- Secure Coding Practices include input validation, output encoding, proper error handling, and safe configuration.
- Secure File Permissions: Configure file and directory permissions using the principle of least privilege to ensure application files are accessible only to necessary processes and users.
- Error and Exception Handling: Handle errors and exceptions consistently to prevent exposure of sensitive information and to help identify and mitigate potential vulnerabilities.
- Secure Error Reporting: Provide minimal information to users, while detailed error messages are logged internally. Prevent sensitive information from being exposed.
- Secure Session Storage: If session storage is necessary, ensure sensitive session data is stored securely. Avoid storing it in plain cookies; use secure session storage mechanisms such as server-side sessions or encrypted cookies.
- Secure Logging: The application should securely log events, exceptions and activities.
Testing Phase
- Security Testing Techniques: Apply fuzz testing, static code analysis, dynamic application security testing (DAST), and interactive application security testing (IAST).
- Code Reviews: Identify vulnerabilities and weaknesses in applications for timely remediation. Automated code review tools help identify potential security issues, coding errors, and adherence to secure coding practices.
Release Phase
- Secure Code Deployment: Transmit code securely, verify code integrity during deployment, and maintain a safe software supply chain.
- Regular Patches and Updates: Keep applications and dependencies updated with security patches to address known vulnerabilities before they are exploited.
Maintenance Phase
- Secure Third-Party Components: Vet and validate third-party components and libraries. Keep them updated with security patches and monitor for vulnerabilities.
- Secure Configuration Management: Reduce attack surface. Default credentials, unnecessary services, and insecure configurations should be eliminated or adequately secured.
E Com Security Solutions’ Application Security offering helps organisations with cyber capabilities and solutions focused on the security and resilience of enterprise applications. This includes embedding security, controls and resilience as a part of the system development lifecycle from requirements to ongoing maintenance. The scope of applications includes large enterprise software packages, customized enterprise applications, and consumer-facing applications. We assist clients with governance, culture and skills to embed security into development processes, including agile or waterfall, and provide methods and tools to build and test application security (threat modelling, design review, application controls, pen testing, SAST, DAST, etc.), and the integration of toolchains for software developers.