You’re Probably Missing These Pieces On Web Application Security

Security breaches keep dominating the headlines and as a result, more organizations have moved to better protect their web apps.

Gone are the days when people thought they had enough ducks in a row in this department; today, no matter how hard you try, it will never feel like enough has been done to secure your web applications. Is there such a thing as complete, 100% security, you may ask? Probably not; there is always a fair chance that something unforeseen will happen.

Fortunately, there are strategies that organizations can put into practice to reduce the chance of running into undesirable web security issues.

But we have a secured network firewall

One of the most common web application security myths is that nothing can happen to the network as long as a firewall is in place. Network security is different from web application security: in network security, firewall-like perimeters are used to block the bad guys and let only the good guys in.

When it comes to web applications, these perimeters do not work, because the administrator has to allow all kinds of incoming traffic and hope that no one breaks the rules. In addition, network firewalls cannot analyze the content of that web traffic, so blocking malicious requests such as SQL injection or cross-site scripting is simply impossible for them.
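To make that distinction concrete, here is an added example (not from the article) contrasting the two decision points: a port-based perimeter rule that passes every request to the web ports, and a minimal WAF-style content check over the decoded HTTP request. The signature patterns and the sample requests are constructed for illustration and are not a real rule set.

```python
"""Illustration: what a network firewall sees versus what a WAF sees.
All request samples and signatures below are constructed for this example."""
import re
from urllib.parse import unquote_plus, urlsplit

# A network (L3/L4) firewall decides on addresses and ports only.
ALLOWED_PORTS = {80, 443}

def network_firewall_verdict(src_ip, dst_port):
    """Perimeter rule: any client may reach the web ports; the payload is invisible."""
    return "allow" if dst_port in ALLOWED_PORTS else "deny"

# A WAF decodes the HTTP layer and inspects request content.
# Constructed signatures for the two attack classes the article names;
# real WAF rule sets are far larger and normalise many more encodings.
SIGNATURES = {
    "sqli": re.compile(r"('\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+select|--\s*$)", re.I),
    "xss": re.compile(r"(<\s*script\b|\bon\w+\s*=|javascript:)", re.I),
}

def waf_verdict(request_line, body=""):
    """Return (verdict, reason). URL-decodes path, query and body once before matching."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    fields = [unquote_plus(parts.path), unquote_plus(parts.query), unquote_plus(body)]
    for name, pattern in SIGNATURES.items():
        for field in fields:
            if pattern.search(field):
                return ("block", name)
    return ("allow", None)

# Constructed sample traffic: everything arrives on port 443, so the network
# firewall allows all of it; only content inspection tells the requests apart.
SAMPLES = [
    ("203.0.113.5", 443, "GET /search?q=laptop HTTP/1.1", ""),
    ("203.0.113.5", 443, "GET /search?q=%27+OR+%271%27%3D%271 HTTP/1.1", ""),
    ("198.51.100.9", 443, "POST /comment HTTP/1.1", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
]

def compare(samples=SAMPLES):
    """Pair each sample's perimeter verdict with its WAF verdict."""
    return [(network_firewall_verdict(ip, port), waf_verdict(line, body))
            for ip, port, line, body in samples]

if __name__ == "__main__":
    for (ip, port, line, _body), (fw, waf) in zip(SAMPLES, compare()):
        print(f"{ip}:{port} {line:45} firewall={fw} waf={waf}")
```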

Another major concern is that most organizations focus only on the server side, leaving a critical attack vector exposed: the client side. It is not about protecting one side in particular, but about protecting the entire web application ecosystem, including mobile, JavaScript, desktop, server, and API.

What about protecting the backend?

Web applications are client-server applications that run logic on both the client (frontend) and the server (backend). Of the two, which is the more enticing target? Servers sit on your corporate network, conduct transactions, and hold high-value information such as usernames, passwords, and the usage data collected by the application, which makes them enticing targets for attackers.

By now I hope you have implemented some of the traditional application security tools like a Web Application Firewall that can at least stop network-based attacks.

Why is network security alone insufficient?

As technology advances, the bad guys are becoming smarter and better. They can easily analyze how a target's applications behave and use that knowledge of the application's behavior to outsmart the Web Application Firewall with a simple yet effective client-based attack.

Compromising a server through a client-side exploit is not far-fetched, because much of the application logic now executes in the browser. If you end up moving all your applications to the cloud, even more application logic will execute in the browser.

It may also interest you to know that JavaScript is becoming more capable: new development frameworks such as React JS and Angular JS are used to build single-page user interfaces that carry more functionality and more back-end integration than ever before.

The more we rely on browsers to perform complex tasks, the bigger the attack surface grows. On top of that, since it is delivered in clear text and can be easily read, unprotected JavaScript is one of the most compelling targets.

Also, if your APIs are not sufficiently secured, an attacker will find it easier to understand the web application code, and the better they understand it, the faster and more cleverly they can attack your server.

Web apps can also be protected by inserting protective code during development, which obfuscates and deters reverse engineering. JavaScript can be protected with obfuscation, encryption, and additional techniques mainly designed to frustrate attackers, and runtime application self-protection (RASP) can detect whether the JavaScript has been modified or not.

Taking such security precautions can help in protecting client-side web applications, and provide additional layers of server protection.

Overall security is what works

In a nutshell, when starting any web application development project, make sure you consider protecting the entire application ecosystem. Web app frontends have been ignored while organizations focus on securing the backend, but without proper protection, web apps become a convenient way for attackers to reach server assets.


Rooney Reeves is working as a Business Development Executive at eTatvaSoft, a Web App Development Company. Learn more about upcoming Web App Development related news. She always accepts challenges and puts effort into them. She loves to write and spread her knowledge through writing. Follow her on Twitter.
