10 ways to strengthen web application security

Joe Stangarone, writer,  MRCs Cup of Joe Blog, June 17, 2014

Summary: A recent study find that 96% of all web applications contain at least one ‘serious vulnerability.’ As cyber attacks rise, how can your company better protect your web applications and confidential data from a security breach?

Target. . . . Ebay. . . . Monsanto.

What do those companies have in common? Each one suffered a massive security breach in the last few months. They’re not alone. Cyber attacks are on the rise, and will only get worse. The bigger problem: Most web applications are still vulnerable. This study from last year estimates that 96% of all web application contain at least one ‘serious vulnerability.’

Security is a problem that will keep growing if not made a priority. It’s a problem that can compromise your customer’s sensitive data. It’s a problem that can cause irreparable damage to your company’s reputation. Today, let’s focus on security from a web application standpoint. How can you strengthen your web application security, and minimize your risk of a data breach? Here is one tip from SystemExperts (to see nine additional tips click here):

Use the principle of least privilege

Oftentimes, a business worries so much about outside attackers, they completely forget about inside risks. Namely, uneducated users with too many privileges. An uninformed user can potentially cause just as much (if not more) damage as a hacker if given free reign over a system.

“If an application is protected by login, each user should have a role in the system that defines what they are allowed to do, and more importantly what they are not allowed to do,” says Mark Huss, Senior Consultant with SystemExperts. “Each user should only have sufficient privileges to perform tasks they need to do – and no more. This principle is called least privilege, and is very important to embrace in order to keep your application and infrastructure secure. At minimum, a normal role and a supervisor or administrator role should be defined and enforced, so that normal users cannot accidentally or intentionally view, change or delete data they should not have access to.”