Oct 11, 2023

Web Application Security: 5 Security Tips for Software Engineers

By Michael Man

As a software engineer in a cloud-native world, you are the first line of defense in web application security. A few high-impact best practices make it straightforward to secure both the code you write and the third-party code you build into your applications. Here are five tips that make your role in protecting data through secure development easier. 

Overview of Preventing Breaches with Web Application Security Practices 

Growing threats in the digital landscape, including the arrival of AI-driven attacks, make proactive code security essential. The Open Web Application Security Project (OWASP), a nonprofit foundation whose tools and guidance are published as open source, maintains the OWASP Top 10, a list of the ten most critical security risks faced by web applications. It is a foundational resource for writing secure code, and many of the risks it lists can be addressed with the tips that follow. 

Tip 1: Start Building Apps with Security in Mind 

Consider security from the beginning. Here’s how CISA defines Secure by Design: “Secure by Design products are those where the security of the customers is a core business requirement, not just a technical feature. Secure by Design principles should be implemented during the design phase of a product’s development lifecycle to dramatically reduce the number of exploitable flaws before they are introduced to the market for broad use or consumption.” 

Congratulations, by reading this blog, you’re already putting this step into practice. Secure coding knowledge is only part of creating software that’s Secure by Design. Another great tactic is threat modeling. I recommend The Ultimate Beginner’s Guide to Threat Modeling as a great foundation for the right security mindset when engineering. 

For information on how insecure design opens the door for a hacker to get sensitive data, and coding examples for how to remediate with secure design, download the Secure Coding Handbook. 

Tip 2: Properly Validate and Sanitize User Inputs in Custom Code 

Treat all data as untrusted, parameterize queries, and review the code you write for ingress points an attacker can exploit. Injection flaws arise when input an attacker controls, whether from a web form, a cookie, or a URL query string, is concatenated into a query, a page, or a command instead of being handled as data. The result is that an attacker can read privileged data from a SQL database (CWE-89: SQL Injection), plant scripts that execute in the browser of every visitor to your web application (CWE-80: Cross-Site Scripting), or otherwise inject commands. Parameterized queries keep the data separate from the query text; contextual output encoding does the same job for HTML.  

In custom code (even code that has been sitting there a while), we can detect these flaws with static application security testing (SAST). The thing is, finding flaws is only half the battle. More importantly, we must fix what we find, and we can fix flaws more quickly using generative AI.
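The following is an added example, not code from the original post or from Veracode: the SQL injection and cross-site scripting cases from Tip 2, each shown as the vulnerable version beside its fix. It uses only Python's standard library with an in-memory SQLite database; the users table, the sample rows, and the payloads are constructed for illustration. It also covers one case the parameterization advice does not reach on its own, a column name supplied by the user, which cannot be bound as a parameter and must be validated against an allowlist instead.

```python
"""Added example (not from the original post): SQL injection and XSS,
vulnerable and fixed, on an in-memory SQLite database with constructed data.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database; the table and rows are made up for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89: the input is pasted into the SQL text, so a crafted name
    rewrites the WHERE clause instead of being compared as a value."""
    query = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver sends the value separately from the
    SQL text, so the same payload is just a string that matches no row."""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Identifiers (table and column names) cannot be bound as parameters, so a
# user-chosen sort column is checked against a fixed allowlist instead.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Allowlist validation for the one place string interpolation is unavoidable."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT id, name, role FROM users ORDER BY {sort_by}").fetchall()


def greet_vulnerable(name: str) -> str:
    """CWE-80: untrusted input placed straight into HTML runs as markup."""
    return f"<p>Welcome, {name}!</p>"


def greet_safe(name: str) -> str:
    """Output encoding for an HTML text context; quote=True also covers
    attribute values, so the same helper is safe in both places."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(lookup_user_vulnerable(db, payload))  # every row leaks
    print(lookup_user_safe(db, payload))        # []
    print(list_users_sorted(db, "name"))
    xss = "<script>alert(1)</script>"
    print(greet_vulnerable(xss))
    print(greet_safe(xss))
```

The payload `x' OR '1'='1` closes the quoted literal and appends a condition that is always true, which is why the concatenated query returns the whole table while the parameterized one returns nothing. Note that encoding is context-specific: `html.escape` is right for text and attribute values, but data placed inside a script block or a URL needs the encoder for that context.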

Tip 3: Select and Maintain Secure Open-source Components 

Open-source software libraries have varying degrees of security. Be sure to use approved open-source libraries and regularly check for security flaws. It’s also important to keep frameworks and libraries up to date. For additional visibility, generate a Software Bill of Materials to identify and avoid vulnerabilities across open-source, commercial, and custom-built components. Explore our State of Software Security: Open Source Edition for more information on vulnerabilities in open source. 
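As an added illustration of what the SBOM buys you (this is example code, not Veracode's tooling or the output of any SCA product), the block below reads a small CycloneDX document and flags components that are either not on an approved-library list or fall inside a known-vulnerable version range. The SBOM, the package names, the approved list, and the advisory identifiers are all constructed for the example and do not refer to real projects or real CVEs; a real pipeline would pull advisories from a vulnerability database rather than a hard-coded dictionary.

```python
"""Added example (not from the original post): screen a CycloneDX SBOM
against an approved-library list and known vulnerable version ranges.

Every package, version range and advisory id here is constructed for
illustration and does not refer to a real project or a real CVE.
"""
import json

# Constructed CycloneDX 1.5 document listing three library components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib", "version": "2.3.0",
         "purl": "pkg:pypi/examplelib@2.3.0"},
        {"type": "library", "name": "sampleorm", "version": "1.8.2",
         "purl": "pkg:pypi/sampleorm@1.8.2"},
        {"type": "library", "name": "leftfoot", "version": "0.1.0",
         "purl": "pkg:npm/leftfoot@0.1.0"},
    ],
})

# Hypothetical approved list, keyed by package identity without the version.
APPROVED = {"pkg:pypi/examplelib", "pkg:pypi/sampleorm"}

# Hypothetical advisories: package -> [(first affected, first fixed, advisory id)].
ADVISORIES = {
    "pkg:pypi/examplelib": [("2.0.0", "2.3.1", "ADV-EXAMPLE-1")],
    "pkg:pypi/sampleorm": [("1.0.0", "1.8.0", "ADV-EXAMPLE-2")],
}


def parse_version(version: str) -> tuple:
    """Compare versions numerically: as strings, '2.10.0' sorts below '2.9.3'.
    Handles plain dotted numeric versions, which is all the sample data uses."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl: str) -> tuple:
    """Split 'pkg:type/name@version?qualifiers#subpath' into the package
    identity and the bare version string."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def screen_sbom(sbom_json: str, approved: set, advisories: dict) -> list:
    """Return (component name, reason) pairs for every component that is
    either not on the approved list or inside a known-vulnerable range."""
    findings = []
    for component in json.loads(sbom_json).get("components", []):
        base, version = split_purl(component["purl"])
        if base not in approved:
            findings.append((component["name"], "not on approved list"))
        for first_affected, first_fixed, advisory_id in advisories.get(base, []):
            affected = parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)
            if affected:
                findings.append((component["name"],
                                 f"{advisory_id}: upgrade to {first_fixed} or later"))
    return findings


if __name__ == "__main__":
    for name, reason in screen_sbom(SAMPLE_SBOM, APPROVED, ADVISORIES):
        print(f"{name}: {reason}")
```

Two details matter in practice: match on the package URL rather than the display name, since the same name can exist in several ecosystems, and compare versions numerically rather than as strings, or a 2.10 release will look older than 2.9 and slip past the check.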

Tip 4: Incorporate a Data-driven Response to Common Issues 

Data from security testing scans can be used to identify the kinds of security flaws that are common or recurring in applications. Since these flaws keep popping up, it’s wise to focus training on this area. Try using scan data to curate custom secure code training exercises.  

You can also use data to compare yourself with peers in the industry. One metric that supports this comparison is mean time to remediate (MTTR). MTTR in this context is calculated as total corrective maintenance time divided by the total number of corrective maintenance actions: add up the time each fixed flaw was open, from first detection to confirmed remediation, and divide by the number of flaws fixed. Flaws that are still open have no remediation time yet, so they are left out of the calculation rather than counted as zero. 
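Putting both halves of Tip 4 together, here is an added example (not from the original post, and not the way any particular scanner reports these numbers) that takes a list of findings and produces the recurring flaw classes and the MTTR figure, overall and per class. The findings are constructed sample data with the shape a scan export typically has: a CWE, the date the flaw was first reported, and the date a rescan confirmed the fix, or None while it is still open.

```python
"""Added example (not from the original post): turn scan findings into the
two data points Tip 4 asks for, recurring flaw classes and MTTR.

The findings below are constructed sample data, not real scan output.
"""
from collections import Counter, defaultdict
from datetime import date
from typing import Optional

# Constructed findings: CWE class, the date the scan first reported the flaw,
# and the date a rescan confirmed the fix (None while still open).
FINDINGS = [
    {"id": 1, "cwe": "CWE-89", "opened": date(2023, 9, 1), "closed": date(2023, 9, 5)},
    {"id": 2, "cwe": "CWE-80", "opened": date(2023, 9, 1), "closed": date(2023, 9, 15)},
    {"id": 3, "cwe": "CWE-89", "opened": date(2023, 9, 10), "closed": date(2023, 9, 12)},
    {"id": 4, "cwe": "CWE-89", "opened": date(2023, 9, 20), "closed": None},
    {"id": 5, "cwe": "CWE-80", "opened": date(2023, 9, 3), "closed": date(2023, 9, 9)},
]


def recurring_flaws(findings: list, min_count: int = 2) -> list:
    """Flaw classes that keep showing up, most frequent first; these are the
    candidates for targeted training. Open and closed findings both count,
    because recurrence is about what developers keep introducing."""
    counts = Counter(f["cwe"] for f in findings)
    return [(cwe, n) for cwe, n in counts.most_common() if n >= min_count]


def _remediation_days(findings: list) -> list:
    """Corrective maintenance time for each closed finding, in days.
    Open findings have no remediation time yet and are excluded rather
    than counted as zero, which would flatter the metric."""
    return [(f["closed"] - f["opened"]).days for f in findings if f["closed"] is not None]


def mttr_days(findings: list) -> Optional[float]:
    """MTTR = total corrective maintenance time / number of corrective actions.
    Returns None when nothing has been fixed yet instead of dividing by zero."""
    days = _remediation_days(findings)
    return None if not days else sum(days) / len(days)


def mttr_by_cwe(findings: list) -> dict:
    """Same formula partitioned by flaw class, so slow-to-fix classes stand out."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["cwe"]].append(f)
    result = {}
    for cwe, group in groups.items():
        mttr = mttr_days(group)
        if mttr is not None:
            result[cwe] = mttr
    return result


if __name__ == "__main__":
    print(recurring_flaws(FINDINGS))   # [('CWE-89', 3), ('CWE-80', 2)]
    print(mttr_days(FINDINGS))         # 6.5
    print(mttr_by_cwe(FINDINGS))       # {'CWE-89': 3.0, 'CWE-80': 10.0}
```

On this sample the SQL injection class is the most frequent but fixes quickly, while the XSS class takes three times as long to close; the first number tells you where to aim training, the second tells you where remediation guidance is weakest.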

Tip 5: Consider the Software Supply Chain Beyond Third-Party Code 

Software security risk does not come only from custom code or third-party code (which Software Composition Analysis, or SCA, addresses); it also comes from other components of the software supply chain. For example, custom code generated by machine learning (ML) tools needs to be assessed. These tools are only as good as the code they are trained on, and our State of Software Security report shows that most of the code in the world is insecure.

In the following video, you’ll see a developer generate insecure code with ChatGPT, find the flaw with SAST, and secure it with Veracode Fix to quickly develop a function without writing any code. 

Web Application Security Resources for Diving Deeper 

These tips are just an introduction to the world of secure coding. For detailed descriptions and real secure code examples you can use today, check out the free Secure Coding Handbook. If you are looking for an immersive way to fix apps in a sandbox, take a free trial of Security Labs for a spin. 

Michael brings more than 20 years of IT security experience. He has advised large enterprises on secure software development, working across all stages of delivery while engaging with the different stakeholders to deliver successful business outcomes. His favourite certification is his OSCP, which reflects his keen understanding of ethical hacking practices. Michael is also the founder of one of the largest DevSecOps community meetups, “DevSecOps - London Gathering”, and has co-organised the conference “DevSecOps Days London”.