What Every Web App Developer Must Know About Security


Posted June 7, 2019 by auctionsoftware02

Auction Software, Marketplace Software, Penny Auction Software, Online Auction Software, Silent Auction Software

Securing cookies
Most web apps use cookies to store information about the user session: user preferences, last visited pages, the shopping cart, authentication tokens, and so on. Developers often forget to set the Secure and HttpOnly flags on these cookies. Neither flag is set by default; both must be set explicitly so that the cookie is only sent over encrypted connections (HTTPS) and cannot be read by client-side scripts, which limits what a cross-site scripting attack can steal.
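As an added example (not code from the original post), the following Python builds a Set-Cookie header with the flags described above and audits an arbitrary Set-Cookie header for the ones that are missing. The header format follows RFC 6265; the function and regex names are my own.

```python
import re

# Cookie-name characters (RFC 6265 "token") and cookie-value octets.
_NAME_RE = re.compile(r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+")
_VALUE_RE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")


def session_cookie_header(name, value, max_age=3600, path="/"):
    """Build a Set-Cookie header value with the flags a session cookie needs.

    Secure        - the browser only sends the cookie over HTTPS.
    HttpOnly      - document.cookie cannot read it, so an XSS bug cannot exfiltrate it.
    SameSite=Lax  - the cookie is not attached to most cross-site requests (CSRF mitigation).
    """
    if not _NAME_RE.fullmatch(name):
        raise ValueError("invalid cookie name")
    if not _VALUE_RE.fullmatch(value):
        raise ValueError("cookie value contains characters that must be encoded first")
    return (f"{name}={value}; Max-Age={int(max_age)}; Path={path}; "
            f"Secure; HttpOnly; SameSite=Lax")


# Flags that every session cookie must carry (checked case-insensitively).
REQUIRED_FLAGS = ("secure", "httponly")


def missing_cookie_flags(set_cookie_header):
    """Return the required flags absent from a Set-Cookie header value.

    Useful as a response-header check in integration tests or a reverse proxy audit.
    """
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    present = {attr.split("=", 1)[0] for attr in attributes}
    return [flag for flag in REQUIRED_FLAGS if flag not in present]


if __name__ == "__main__":
    header = session_cookie_header("sid", "abc123", max_age=600)
    print(header)
    print("missing flags in a bare cookie:", missing_cookie_flags("sid=abc123; Path=/"))
```

Most frameworks expose the same switches directly (for example Flask's `response.set_cookie(..., secure=True, httponly=True, samesite="Lax")`); the audit function is the part worth keeping, because it catches the cookie a developer forgot.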
Securing application/configuration secrets
Secrets in applications include admin passwords, long-lived tokens, API keys, and private keys. Do not store them in initialization files, in source code, or in a configuration service. Instead, use an enterprise-grade secret management solution such as Keywhiz, Vault, Knox, or Confidant. Secrets can also leak through log files: either never write them to logs at all, or mask them where logging is unavoidable.
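Two practical pieces of the advice above, as an added example rather than code from the original post: a fail-closed secret lookup (the environment stands in for whatever secret manager injects the value at runtime) and a log redaction filter that masks values of sensitive keys before they are written. The key list and the sample log line are constructed for this example.

```python
import os
import re


class MissingSecret(RuntimeError):
    """Raised when a required secret has not been provisioned."""


def load_secret(name, env=None):
    """Fetch a secret from the process environment (stand-in for a vault lookup).

    Fails closed: a missing secret raises instead of silently falling back to a
    hard-coded default that would end up committed to source control.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise MissingSecret(f"secret {name!r} is not set; provision it via the secret manager")
    return value


# Keys whose values must never reach a log file (constructed list for this example).
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "api_key", "apikey", "authorization")

# Matches key=value or key: value; the value runs until whitespace or a separator.
_KV_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")(\s*[=:]\s*)([^\s,;&]+)"
)


def redact(line):
    """Mask secret values in a log line while keeping the key name for debugging."""
    return _KV_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}***REDACTED***", line)


if __name__ == "__main__":
    # Constructed log line containing values that must not be persisted.
    print(redact("login ok user=alice token=eyJabc.def password=hunter2"))
```

Wire `redact` into the logging layer (a `logging.Filter` or formatter) rather than calling it at each log statement, so a new code path cannot forget it.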
Preventing account spoofing and take-over
Users perform operations using the authentication token they obtain at login. The application should always extract the userId from the token and compare it with the userId of the account being operated on. This ensures that user A's token, even though it is valid, cannot be used to perform operations on user B's account.
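The check described above, as an added example (not code from the original post): a minimal HMAC-signed token that carries the authenticated user's id, and an authorization function that refuses the operation unless the id inside the token equals the id of the target account. The signing key and token layout are assumptions made for this example; a real deployment would use its framework's session or JWT library and keep the key in the secret manager.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side signing key for this example only.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, ttl=3600, key=SIGNING_KEY, now=None):
    """Issue a signed token whose payload names the authenticated user (sub) and expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": int(now + ttl)},
                         separators=(",", ":")).encode()
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(signature)}"


def verify_token(token, key=SIGNING_KEY, now=None):
    """Return the token's claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_part, sig_part = token.split(".")
        payload = _b64d(payload_part)
        signature = _b64d(sig_part)
    except (ValueError, TypeError):  # malformed token or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None
    return claims


def authorize_account_operation(token, target_user_id, key=SIGNING_KEY, now=None):
    """Allow an operation on target_user_id only if the token belongs to that user.

    A valid token for user A must not authorize operations on user B's account.
    """
    claims = verify_token(token, key, now)
    if claims is None:
        return False
    return claims.get("sub") == target_user_id


if __name__ == "__main__":
    token_a = issue_token("user-A")
    print("A on A:", authorize_account_operation(token_a, "user-A"))
    print("A on B:", authorize_account_operation(token_a, "user-B"))
```

The important line is the final comparison: the target account id comes from the request (URL path, form field, JSON body), the subject comes from the verified token, and the two must agree before any data is touched.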
Standardizing input validation and database queries
Attacks such as SQL injection and buffer overflow can easily be prevented if both the size and the content of user input are validated properly. Validating against a whitelist (allowed characters) is preferable to validating against a blacklist (disallowed characters). I have seen developers invariably re-inventing these checks and missing many corner cases, so I recommend a standard validation library such as ESAPI or Apache Commons Validator. For SQL, prefer parameterized statements and stored procedures over dynamically generated queries. Parameterized statements treat all user-supplied input as literal string values rather than as part of the SQL query, which prevents injection attacks.
Keep Your Logins Secure
Make sure your login information is both robust and unique. Password security requires that you change your password at regular intervals (30, 60, 90 days). Applications such as LastPass allow you to securely store and share login information without revealing your passwords. Where appropriate, use reCAPTCHA on certain web pages. Identity theft is one of the biggest threats and should not be underestimated.
Maintaining your website's security is critical to the long-term success of your organization. A breach could permanently harm your company's reputation; some businesses have even closed as a result. Do everything possible to make your website secure. By staying aware of the vulnerabilities, and of the methods for combating them, you will be well equipped to run a secure website.
For more details on our products and services, please feel free to visit us at Auction Software, Marketplace Software, Penny Auction Software, Online Auction Software, Silent Auction Software
Issued By auctionsoftware
Country United States
Categories Business
Last Updated June 7, 2019