# Web Application Security 101
###### tags: `web app security`, `cybersecurity`, `OWASP top 10`
In this article, we delve into the measures one can take to enhance the security of web applications through securing app/web servers.
The aim is to give an overview that can guide the secure design and deployment of web applications.
*The article is heavily informed by the OWASP Web Security Top 10*
## Securing App / Web Servers in line with OWASP
### 1. Enforce Role Based Access Control (RBAC)
- Implement strong access control mechanisms that restrict unauthorized access to the app/web server according to the principle of least privilege.
- Disable web server directory listing and ensure file metadata such as `.git` directories and backup files are not present within web roots.
- Log access control failures and alert admins as needed, e.g. in the case of repeated failures.
- Mitigates Broken Access Control.
### 2. Ensure proper Data Classification and Encryption
- Classify data to be processed, stored, and transmitted by the application, and identify sensitive data such as Personally Identifiable Information (PII) that is governed by privacy laws and regulatory requirements.
- Discard data as soon as it is not needed or use PCI DSS-compliant tokenization.
- Encrypt all sensitive data in use, in transit, and at rest.
- Disable caching for responses that contain sensitive data.
- Mitigates Cryptographic Failures.
### 3. Enforce effective validation of all user-supplied input
- Use server-side input validation and escape any special characters using the interpreter's specific escape syntax.
- Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
- Enforce the URL scheme, port, and destination with a positive allow list.
- Mitigates injection attacks such as SQL injection, and Server-Side Request Forgery (SSRF).
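The two controls above, as an added Python example that is not part of the original article: a positive allow list for outbound URLs (scheme, port and exact host) and a parameterised query with a bound LIMIT. The host names and the in-memory `users` table are constructed for the example.

```python
import sqlite3
from urllib.parse import urlsplit

# Positive allow list for outbound requests: scheme, port and destination host.
# The host names are constructed for this example.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
ALLOWED_HOSTS = {"api.example-partner.test", "reports.example-partner.test"}

def validate_outbound_url(url: str) -> bool:
    """Return True only if scheme, port AND host all match the allow list."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if port is None:
        port = 443  # default port for the only allowed scheme
    if port not in ALLOWED_PORTS:
        return False
    # Exact hostname comparison: a prefix, suffix or regex match would let
    # names such as "api.example-partner.test.evil.test" through, and
    # urlsplit() already strips any "user@" part so it cannot spoof the host.
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS

MAX_ROWS = 50  # hard cap on rows any single lookup may return

def find_users_by_name(conn: sqlite3.Connection, name: str, limit: int = MAX_ROWS) -> list:
    """Parameterised lookup: the name is bound, never concatenated into the SQL,
    and the LIMIT (also bound) caps how many records one query can disclose."""
    limit = max(1, min(int(limit), MAX_ROWS))
    cur = conn.execute(
        "SELECT id, name FROM users WHERE name = ? LIMIT ?", (name, limit)
    )
    return cur.fetchall()

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("alice",), ("o'brien",)])
    return conn
```

Because the name is bound as a parameter, a value containing a quote such as `o'brien` is matched literally and needs no manual escaping.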
### 4. Establish and enforce the use of secure coding practices
- Establish and use a library of secure design patterns.
- Threat model critical authentication, access control, business logic, and key flows.
- Collaborate with the dev team to write unit and integration tests that validate all critical flows are resistant to the threat model, compiling use cases and misuse cases for each tier of the app.
- Validate the threat model with the dev team and agree on how to handle exceptions.
- Mitigates Insecure Design.
### 5. Enforce proper Patch Management
- Create a repeatable hardening process that eases the deployment of an appropriately locked-down environment.
- Aim for a minimal platform with only the necessary features, components, documentation, or frameworks.
- Review cloud storage permissions.
- Enforce a segmented application architecture that provides effective, secure separation between components. Containerization with Docker can help with this.
- Mitigates Security Misconfigurations and the use of Vulnerable and Outdated components.
This can function as a starting point to enhance the cyber security resilience of your applications.
For more, continue reading [Web Application Security 102](https://hackmd.io/@codeAssassin/HJ6YtlTZT)