# Web Application Security 102

###### tags: `web app security`, `cybersecurity`, `OWASP top 10`

Welcome back to the Web Application Security series, where we go through a guide on how to better secure your app / web server environments.

*This article is heavily informed by the OWASP Web Security Top 10.*

## Securing App / Web Servers in line with OWASP

*For steps 1 to 5 read [Web Application Security 101](https://hackmd.io/@codeAssassin/SJ9L8gTba).*

### 6. Enforce strong authentication, authorization, and session management mechanisms

- Use multifactor authentication (MFA) where possible to prevent brute force, credential stuffing, and stolen credential reuse attacks.
- Align password length, complexity, and rotation policies with the NIST SP 800-63B guidelines for memorized secrets and with modern evidence-based password policies.
- Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by returning the same message for all outcomes.
- Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session identifiers should not be in the URL, should be securely stored, and should be invalidated after logout and after idle and absolute timeouts.
- Mitigates: Identification and Authentication Failures.

### 7. Enforce data integrity verification mechanisms

- Use digital signatures to verify that software/data is from the expected source and has not been altered.
- Ensure libraries and dependencies, such as npm or Maven packages, come from trusted repositories.
- Enforce a review process for code and configuration changes to minimize the odds of malicious configuration being introduced into the code base.
- Ensure the CI/CD pipeline has proper segregation, configuration, and access control so that the integrity of the code flowing through the build and deployment process is preserved.
- Mitigates: Software and Data Integrity Failures.

### 8. Enforce logging and auditing

- Ensure logs are generated in a format that log management solutions can easily consume.
- Ensure log data is encoded correctly to prevent injection attacks against the monitoring system.
- Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, e.g. append-only database tables.
- Mitigates: Security Logging and Monitoring Failures.

### 9. Implement appropriate segmentation and resource limitation

- Limit memory, CPU, and the maximum number of restarts for Docker containers as a way to avoid Denial of Service (DoS) attacks.
- Disable inter-container communication so that it is necessary to explicitly specify which containers can communicate with each other.

### 10. Security monitoring and incident response

- Deploy monitoring tools to detect suspicious activities and potential security incidents.
- Ensure appropriate alerting thresholds and response escalation processes are in place.
- Establish an incident response and recovery plan, such as NIST SP 800-61r2 or later, and identify how the plan applies to the web app.

## Conclusion

Implementing these steps in line with your cybersecurity strategy will make for an easier time defending your web / app servers.
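The session-management bullets in step 6 (high-entropy IDs, a fresh ID after login, invalidation on logout, idle and absolute timeouts) in working form. This is an added example, not code from the original article; the timeout values and the `SessionManager` class are assumptions chosen for illustration, and the clock is injectable only so that expiry can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: hard cap on lifetime regardless of activity


class SessionManager:
    """Server-side session store: ids never appear in URLs, only in the store
    and in a cookie the caller sets with Secure/HttpOnly/SameSite."""

    def __init__(self, clock=time.monotonic):
        # session_id -> {"user": str | None, "created": float, "last_seen": float}
        self._sessions = {}
        self._clock = clock  # injectable clock so expiry can be tested deterministically

    def create(self):
        """Start an anonymous (pre-login) session and return its id."""
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user):
        """Bind the user to a *new* id and discard the pre-login one.

        Rotating the id at authentication is what stops session fixation:
        an id the client already held before login is never upgraded."""
        self.invalidate(old_sid)
        sid = self.create()
        self._sessions[sid]["user"] = user
        return sid

    def lookup(self, sid):
        """Return the session record if still valid, else None.

        Both timeouts are enforced here, and an expired record is removed
        rather than merely refused so it cannot be revived later."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["created"] > ABSOLUTE_TIMEOUT or now - rec["last_seen"] > IDLE_TIMEOUT:
            self.invalidate(sid)
            return None
        rec["last_seen"] = now  # activity extends the idle window, never the absolute one
        return rec

    def invalidate(self, sid):
        """Logout or expiry: drop the record so the id can never be replayed."""
        self._sessions.pop(sid, None)
```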