What are Application Security Best Practices?

Application security best practices are techniques that effectively increase information assurance by removing root causes of vulnerabilities or adding defense in depth. Vulnerabilities are often caused by programming errors; detecting and fixing these errors removes such vulnerabilities. Fewer vulnerabilities means better information assurance (information assurance is a technically more accurate term for what people might call cybersecurity). In addition to removing root causes of vulnerabilites, information assurance can be increased by adding defense in depth. Defense in depth means adding layers of defenses so that if an attacker breaks into the system, he only gets limited access and therefore can do less damage.

One example of a best practice is separating data and queries when executing SQL queries. A common programming mistake is to concatenate data into SQL queries and then execute them – this programming mistake is the cause of ALL SQL injection vulnerabilities (besides maybe some kind of hypothetical academic situation). SQL injection happens when the attacker is able to add malicious logic to the data and this logic is executed by the database driver as a part of the query. Because the data and the query are concatenated and passed as a single item, the database driver cannot tell the difference between the legitimate query and the attacker’s injected SQL. The database then executes the malicious SQL, typically giving unauthorized access to the database to the attacker. The correct approach is to separate the data and the query and to pass them separately to the database driver. In that situation, the database knows to treat the legitimate SQL and any possible data differently; it doesn’t matter then if the attacker tries to put SQL in the data, because the database knows that it’s just data and not actually SQL. Therefore, separating data and SQL queries is an effective technique at preventing SQL injection vulnerabilities. Removing SQL injection vulnerabilities is a great advantage and there are no disadvantages that compromise the other aspects of information assurance, so this technique qualifies as a best practice. Applying this technique to new and existing code is usually very simple, which is an added bonus. This technique definitely exists and it is definitely effective, which means that at least one “best practice” exists.

Application security best practices work reliably regardless of the organization using them. Separating queries and data works with any SQL database drivers that provides APIs that can do that, which includes most (but not all) SQL database drivers. It doesn’t matter whether the application is deployed by a global financial institution on its production servers or by a college student on his home page, separating data and code works just as effectively in any scenario. It is of course important to make the distinctions of whether the application uses SQL at all or whether the database driver allows separating queries and code. These distinctions are trivial, especially for the team that develops the application.

Most vulnerabilities that are used by actual threat actors can be prevented by applying well-studied best practices. Only a subset of all possible vulnerability types are commonly exploited in the wild. The OWASP Top 10 project enumerates some commonly exploited vulnerability types and the corresponding best practices. Here are some of these vulnerability types and best practices at a glance:

A1 – Injection

  1. Use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface (this is the SQLi example mentioned above).
  2. If a parameterized API is not available, you should carefully escape special characters
  3. Use positive or “white list” input validation.

A2 – Broken Authentication and Session Management

  1. Use a single set of strong authentication and session management controls.
  2. Make strong efforts to avoid XSS flaws

A3 – Cross-Site Scripting (XSS)

  1. Properly escape all untrusted data based on the HTML context.
  2. Use positive or “white list” input validation.
  3. For rich content, consider auto-sanitization libraries.
  4. Consider Content Security Policy (CSP) to defend against XSS across your entire site.

Mapping best practices and documenting them is one of the core efforts of TeamMentor.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s