Recently, we wrote about how the largest companies – from Capital One and Facebook to Marriott Hotels and Target – faced massive data breaches. We ended by saying that companies need to "spend time building the right infrastructure to surround your product".
In this post, we will dig deeper into web app security done the right way. If you are looking to have a discussion about privacy or security, give us a call. Tragic Media has been developing enterprise software for 10+ years and we provide free consultations.
You Need to Secure Your Data
Business owners and project managers alike are eager to ship products, release new features, and wow customers. In fact, they are often judged based on their ability to ship.
As such, it can seem unglamorous to spend time worrying about data access, encryption, and infrastructure. But there is an immense value in architecting your web app the right way, so that you can keep user data private and secure.
In this post, we are going to share the best practices that we use when building applications, whether they are consumer-facing or serving the Fortune 100.
How to Secure Your Web App the Right Way
Let's jump right in. Here are 5 web app security tips and best practices. This list will serve as a great starting point. Whether you are buying software or building software, security needs to be at the top of your list.
Security Tip 1: Schedule time for security audits
This may seem obvious, but we are always shocked by the number of companies that do not allocate time or budget for security audits.
Regular security audits need to be a priority, similar to how releasing regular marketing content is a priority. Without scheduling time for security, many teams get too focused on hitting release dates and can feel pressured to skip security audits… again and again.
If you don't have a security expert on staff, there are many third-party scanning tools available. We also recommend having team members audit each other's code, and share security improvements with the whole team to promote a security-minded development approach.
The aggressiveness of your security scans will heavily depend upon your industry, size, release cycle, and software frameworks. It is best practice to incorporate security scans into your release cycle, and automate it whenever possible.
For smaller organizations, security scans should be performed as often as possible; a security audit every quarter will do wonders.
Security Tip 2: Update your software regularly
When relying on software platforms, it is paramount to keep systems up-to-date.
Making sure that you are using the latest version of WordPress or Drupal, for example, can save you from the nasty consequences of known vulnerabilities, such as malware infections, site takeovers, and the corruption of your site files.
Updating your software is a great use of time because someone else is fixing bugs and security gaps for you! Unless there is a deliberate reason to use an older piece of software, we recommend that you update your software as soon as all compatibility issues are addressed.
A good rule of thumb to follow is to update your website / app software once per month to keep it secure and running smoothly.
Security Tip 3: Invest in the right DevOps infrastructure
In our experience, investing in the right DevOps infrastructure can dramatically improve your web app security. Correctly utilizing development operations infrastructure can ensure that your software is correctly deployed and provisioned.
Many security breaches are not carried out by elite hackers or nation-states. Unfortunately, sometimes it comes down to a single cloud instance being left completely unsecured.
Keep this from happening to you by following best practices for server security, such as key/password storage protocols, API/database access restrictions, and data transfer encryption.
Security Tip 4: Limit, and document, third party dependencies
Next, we recommend that you understand a piece of software's reliance on third parties. This applies both when building and buying software.
Generally speaking, the more third party dependencies that a piece of software has, the more surface area there is for things to go wrong. These dependencies should be understood and carefully documented.
And, ideally, there should be a plan to replace a third-party dependency should it become compromised or no longer supported. (That last point is particularly important! Do not keep using a piece of third-party software if it is not regularly updated and supported.)
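One way to turn Tip 4 into a repeatable check: keep a dependency inventory and run a small audit over it that flags anything without a recent upstream release or without a documented replacement plan. This is an added example, not Tragic Media's code; the inventory entries, dates and the one-year staleness threshold are constructed placeholders.

```python
"""Dependency inventory audit (added example; assumes a hand-maintained inventory)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Dependency:
    name: str
    version: str
    last_release: date      # most recent upstream release we know of
    replacement_plan: str   # empty string if nobody has written one yet


# Constructed sample inventory; names, versions and dates are illustrative only.
INVENTORY = [
    Dependency("web-framework", "4.2.1", date(2024, 3, 10),
               "Pinned to major version 4; migrate to next LTS in Q3"),
    Dependency("legacy-image-lib", "0.9.3", date(2019, 6, 2), ""),
    Dependency("pdf-export", "2.0.0", date(2023, 11, 20), ""),
]

# Assumed "not regularly updated" threshold; tune this per project and industry.
MAX_STALE_DAYS = 365

# Fixed audit date so the example is reproducible offline.
TODAY = date(2024, 6, 1)


def audit(inventory, today=TODAY, max_stale_days=MAX_STALE_DAYS):
    """Return (dependency name, issue) pairs for entries that need attention.

    A dependency is reported once for staleness (no release within the
    threshold) and once more if no replacement plan has been documented.
    """
    findings = []
    for dep in inventory:
        stale_days = (today - dep.last_release).days
        if stale_days > max_stale_days:
            findings.append((dep.name, f"no release in {stale_days} days"))
        if not dep.replacement_plan.strip():
            findings.append((dep.name, "no documented replacement plan"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(INVENTORY):
        print(f"{name}: {issue}")
```

Running this as part of the release cycle (Tip 1) turns "document and replace unsupported dependencies" from an intention into a gate that fails when the inventory goes out of date.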
Security Tip 5: Leverage strong authentication protocols
The weakest point in a system is often, well, humans. As such, we believe that strong authentication and authorization are key to any secure web application.
Keep access to DevOps infrastructure and databases locked down. For those that do have access, make sure that strong passwords and multi-factor authentication are used. (We recommend authenticator apps or hardware keys, not SMS messages.)
In addition, we recommend that people only have access to the parts of the system that they need. Marketers, for example, should be able to update content on a CMS but not have access to the underlying architecture.
People often choose convenience over security, but there is nothing convenient about a security breach that can cost you thousands of dollars, your reputation, or worse, your users' trust.
Conclusion
Security is important for all organizations. We often hear pushback from people saying they're not "software companies" so security is not their concern. We vehemently disagree.
Even if you are buying or licensing software from a well-known vendor, you need to understand what you are getting into. Which security features do they have? How do you correctly configure the system? Is your data accessible in a format that is useful to you?
Utilizing the tips above can improve your web app security and keep your customers happy.
If you have questions, or would like to discuss securing your web app with an expert, contact Tragic Media today for a free consultation!