How much time on average do you spend securing your app?
Are all team members aware of their role in building safer apps?
I like the idea of having checklists in the workflow so we don’t run the risk of forgetting any important matter. Even more so when we are dealing with app security. Here are some topics to consider before delivering into production, where the application is exposed to the wild.

I know that’s a lot, and many things are still off the list. However, the main idea here is to have a starting point and keep evolving, building up the security layers that protect our application.

Authorization

Do all APIs have an authorization mechanism in place?

I’m pretty sure you’re already using some authorization strategy for services exposed on the internet, but there are plenty of reasons to apply this layer to communication between internal services as well: it limits what an attacker who already has a foothold inside your network can reach, and it keeps a compromised or misbehaving service from calling anything it likes. Signed tokens such as JWTs are a good fit for this scenario, as long as the receiving service actually verifies the signature, the audience and the expiry, and checks the caller’s claims against what the endpoint requires.
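As an added example (not code from the original post) of what "verify the token" has to cover between two internal services, here is a minimal HS256 JWT issue/verify pair using only the Python standard library. The shared secret, the service names and the layout of the `scope` claim are assumptions for illustration; in production use a maintained JWT library and load the key from a secrets manager.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; in production load it from a secrets manager.
SECRET = b"replace-with-a-32-byte-random-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, scopes: list, audience: str, ttl: int = 300, now=None) -> str:
    """Mint a short-lived HS256 JWT carrying the caller's identity and granted scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": audience, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class AuthError(Exception):
    pass


def verify_token(token: str, expected_audience: str, now=None) -> dict:
    """Check algorithm, signature, audience and expiry; return the claims or raise AuthError."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm server-side: never let the token pick it (alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise AuthError("bad signature")
    payload = json.loads(_b64url_decode(p))
    # A token issued for one service must not be accepted by another.
    if payload.get("aud") != expected_audience:
        raise AuthError("wrong audience")
    if now >= int(payload.get("exp", 0)):
        raise AuthError("expired")
    return payload


def authorize(token: str, service: str, required_scope: str, now=None) -> bool:
    """Authentication (valid token) plus authorization (the scope this endpoint needs)."""
    try:
        claims = verify_token(token, service, now=now)
    except (AuthError, ValueError):  # ValueError covers bad base64/JSON in a garbage token
        return False
    return required_scope in claims.get("scope", "").split()
```

Note that a valid signature alone is not an authorization decision: the last function still rejects a caller whose token is genuine but lacks the scope the endpoint requires, or was issued for a different service.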

Sanitization

Is all data entered by users properly validated and cleaned?

The main rule here is: don’t trust any input a user has entered into your application. That’s important to protect the system from attacks such as SQL injection, XSS (cross-site scripting) and RFI (remote file inclusion). The right treatment depends on where the data ends up: parameterized queries for SQL, output encoding for HTML, and an allowlist for anything used as a file name or URL.
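The three cases above, as an added example that is not part of the original post: a deliberately injectable query next to its parameterized form, HTML output encoding, and an allowlist for a user-selected template name. The in-memory SQLite table and the template directory are constructed for the illustration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two rows; stands in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)", [("alice", 1), ("bob", 0)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """SQL injection: the user's text is spliced into the statement and becomes SQL."""
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver sends the value separately, it can never be SQL."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(name: str) -> str:
    """XSS: encode for the HTML context at output time instead of 'cleaning' on input."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Allowlist of templates the application ships; anything else is refused.
ALLOWED_TEMPLATES = {"header", "footer"}


def pick_template(user_value: str) -> str:
    """RFI/LFI: never build a path or URL from the raw value; map it through an allowlist."""
    if user_value not in ALLOWED_TEMPLATES:
        raise ValueError("unknown template")
    return f"/srv/app/templates/{user_value}.html"  # directory is an assumption for the example
```

The classic payload `x' OR '1'='1` returns every row from the vulnerable function and nothing from the safe one, because in the second case the quote is just a character inside a bound value.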

SAST/DAST

Is the code being scanned by a SAST tool integrated into the pipeline?
Is the application being scanned by a DAST tool?
Were any CRITICAL/HIGH vulnerabilities found, and does the pipeline fail when they are?

What is SAST?

Stands for Static Application Security Testing. These are tools that look for vulnerabilities in our source code without running it.
Analysing the code with a good SAST tool makes our application more reliable by exposing security vulnerabilities early, while the code is still cheap to change. Additionally, it raises code quality by pointing out which parts of the code might be better written.

Ex: Sonarqube, Fortify

What is DAST?

Stands for Dynamic Application Security Testing.
Unlike SAST, a DAST tool does not read the code: it probes the running application from the outside in, emulating an attacker trying to find any gap in it.

Ex: Arachni, Acunetix
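The "fail on CRITICAL/HIGH" check is the part that makes a scanner useful in a pipeline. As an added example (not from the original post or from any of the tools named above), this reads a SARIF report, the interchange format most scanners can emit, and blocks the build on high-severity findings. The report is constructed, and the severity buckets follow the 0-10 "security-severity" scale used by GitHub code scanning, assumed here as the project convention.

```python
import json

# Constructed SARIF-style report; not the output of a real scan.
SAMPLE_REPORT = json.dumps({
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "9.1"}},
            {"id": "XSS-002", "properties": {"security-severity": "7.5"}},
            {"id": "LOG-004", "properties": {"security-severity": "3.0"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "XSS-002", "level": "warning", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/views.py"}, "region": {"startLine": 17}}}]},
            {"ruleId": "LOG-004", "level": "note", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/log.py"}, "region": {"startLine": 5}}}]},
        ],
    }]
})


def severity_bucket(score: float) -> str:
    """Map a 0-10 security-severity score to the bucket names used in the checklist."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def blocking_findings(report: dict, block_on=("CRITICAL", "HIGH")) -> list:
    """Return (ruleId, severity, file, line) for every result whose severity is in block_on."""
    findings = []
    for run in report.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            score = float(rule.get("properties", {}).get("security-severity", 0.0))
            severity = severity_bucket(score)
            if severity not in block_on:
                continue
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append((
                result.get("ruleId"),
                severity,
                loc.get("artifactLocation", {}).get("uri"),
                loc.get("region", {}).get("startLine"),
            ))
    return findings


def gate(report_text: str) -> bool:
    """True if the build may proceed; prints each blocking finding so the log says why not."""
    findings = blocking_findings(json.loads(report_text))
    for rule_id, severity, path, line in findings:
        print(f"{severity}: {rule_id} at {path}:{line}")
    return not findings
```

Wire `gate` into the pipeline step that runs after the scan and exit non-zero when it returns False; medium and low findings still get reported but do not block, which keeps the gate strict without making the team ignore it.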

Rate Limit

Is the application prepared to prevent spamming and denial-of-service attacks?

Rate limiting controls how often a user (or client: IP address, API key, account) can make requests to an application.
Some benefits:

  • Helps mitigate DoS/DDoS (Distributed Denial of Service) attacks at the application layer; a large volumetric DDoS still has to be absorbed upstream, at the edge or by your provider.
  • Ensures that your server’s resources are used fairly among users.
  • Can be used as a commercial strategy.
    Ex: limit traffic for non-premium users.
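The bullets above, as an added example that is not part of the original post: a token-bucket limiter keyed per client, with a tier table so that premium clients get a higher rate and burst. The tier numbers and client identifiers are assumptions; the clock is injectable so the behaviour can be checked without sleeping.

```python
import threading
import time


class FakeClock:
    """Deterministic clock for tests and demos; production code passes time.monotonic."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TokenBucketLimiter:
    """Per-client token bucket.

    limits maps a tier name to (refill rate in requests per second, burst size).
    Key the client on the authenticated identity when there is one; fall back to the
    source IP, and only trust X-Forwarded-For when it was set by your own proxy.
    """

    def __init__(self, limits: dict, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self._buckets = {}  # client_id -> (tokens, last refill timestamp)
        self._lock = threading.Lock()

    def allow(self, client_id: str, tier: str = "free", cost: int = 1) -> bool:
        """Return True and charge the bucket if the client may proceed, else False (send 429)."""
        rate, burst = self.limits[tier]
        now = self.clock()
        with self._lock:
            tokens, last = self._buckets.get(client_id, (burst, now))
            # Refill proportionally to elapsed time, never beyond the burst ceiling.
            tokens = min(burst, tokens + (now - last) * rate)
            allowed = tokens >= cost
            if allowed:
                tokens -= cost
            self._buckets[client_id] = (tokens, now)
            return allowed


# Constructed tier table: free users get 1 req/s with a burst of 5, premium 10 req/s with 50.
TIERS = {"free": (1.0, 5), "premium": (10.0, 50)}
```

With one process this in-memory table is enough; behind several replicas the bucket state has to live in a shared store (Redis is the usual choice) or the limit silently multiplies by the number of instances.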

Package updates

How often do you check for third-party package updates?

Research conducted by Veracode revealed that 79% of the time, third-party libraries are never updated by developers once they have been added. Many updates carry security fixes, and you don’t want to miss those, right?
Don’t fall into the trap of delaying updates for too long; catching up later is far more costly, in both the short and the long term. Automate it: pin versions, run a dependency vulnerability scanner in the pipeline, and keep upgrades small and frequent.

Exposed Ports/Endpoints

How many open ports are there on the system? Are they all in use?
Could we restrict access to those that need to stay open, for example by binding internal services to loopback or a private interface?

The same goes for API endpoints. It’s always good to review the code to make sure there are no deprecated or forgotten endpoints running in production. If no one is using it, it clearly shouldn’t be there; it can become an entry point for an attacker at any time.
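One way to turn the port review into a repeatable check, as an added example that is not part of the original post: parse the output of `ss -tulnp` (the Linux socket listing) and compare every listening socket against an allowlist that also says whether the port may face the network or must stay on loopback. The sample output and the allowlist are constructed for the illustration.

```python
import re

# Constructed sample of `ss -tulnp` output; not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      4096   0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=901,fd=5))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("python3",pid=1201,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=640,fd=3))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=455,fd=6))
"""

LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output: str) -> list:
    """Return (proto, port, local address, process name) for each socket line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m["proto"], int(m["port"]), m["addr"], m["proc"]))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "[::1]"


def audit_listeners(ss_output: str, allowlist: dict) -> list:
    """allowlist maps (proto, port) to 'any' or 'loopback'.

    Returns (proto, port, addr, proc, reason) for every socket that is either not in the
    allowlist at all or is allowed only on loopback but bound to a network-facing address.
    """
    findings = []
    for proto, port, addr, proc in parse_listeners(ss_output):
        policy = allowlist.get((proto, port))
        if policy is None:
            findings.append((proto, port, addr, proc, "not in allowlist"))
        elif policy == "loopback" and not is_loopback(addr):
            findings.append((proto, port, addr, proc, "must bind to loopback only"))
    return findings


# Constructed policy for a web host: HTTPS and SSH may face the network, the database may not.
ALLOWLIST = {("tcp", 443): "any", ("tcp", 22): "any", ("tcp", 5432): "loopback"}
```

Run it from a cron job or a configuration test and treat any finding as a regression; in the sample, the forgotten development server on 8080 and the DHCP client socket both show up, while PostgreSQL passes only because it is bound to 127.0.0.1.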

Cryptography

Is any sensitive data being sent over the network? Is TLS properly configured? Is sensitive data encrypted at rest?

A good approach is to keep documentation that describes how data is classified in the company and how each class must be handled: in transit, at rest, in logs and in backups. Any new application should follow those rules.
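"Is TLS properly configured?" has a concrete meaning on the client side too: verify the server certificate, verify the hostname, and refuse old protocol versions. As an added example (not code from the original post), here is the weak context that often ships because "it works", next to a hardened one, plus a small audit that can run in the test suite. It covers only the transport part of the question; encryption at rest needs an AEAD from a library such as `cryptography` and is not shown here.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """What a 'just make the call work' context looks like: no certificate or hostname checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # any certificate for any name is accepted
    ctx.verify_mode = ssl.CERT_NONE  # and it is not even checked against a CA
    return ctx


def hardened_client_context(cafile: str = None) -> ssl.SSLContext:
    """Verified chain, verified hostname, TLS 1.2 as the floor.

    cafile is optional: pass your private CA bundle for internal services,
    otherwise the platform trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of problems; an empty list means the context passes the checklist."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    if not ctx.check_hostname:
        problems.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS older than 1.2 permitted")
    return problems
```

The audit function is the part worth keeping around: call it on every `SSLContext` the application builds and fail the test if it returns anything, so a "temporary" `CERT_NONE` added during debugging cannot reach production unnoticed.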

Tests

How is the test coverage?
Are there enough tests to ensure that all layers of security actually work?

Never underestimate tests. Good-quality tests can prevent a lot of headaches and save you and the company time and money. Security controls deserve negative tests of their own: a request without a token must be rejected, malformed input must be refused, and a client over its rate limit must get a 429.

Monitoring

Are metrics properly implemented in the code? Are you able to collect insights about how the features are being used?

Securing an application is not a trivial task. Updates are constant, users are unpredictable, and there will always be someone trying to find a loophole to get in. That’s why monitoring is so important: you should be able to detect strange behaviour, raise alarms and act on them.

Ex: NewRelic, Datadog, Grafana
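"Detect strange behaviour and raise alarms" in the smallest possible form, as an added example that is not part of the original post and is independent of the products listed above: a sliding-window detection over authentication log lines that raises one alert per source IP once it accumulates enough failed logins, and distinguishes a single-account brute force from a password spray across many accounts. The log format, the thresholds and the lines themselves are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log; 203.0.113.5 fails against many accounts in a few seconds.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z level=info event=login.failed user=alice ip=203.0.113.5
2024-03-01T10:00:03Z level=info event=login.failed user=alice ip=203.0.113.5
2024-03-01T10:00:04Z level=info event=login.success user=bob ip=198.51.100.7
2024-03-01T10:00:05Z level=info event=login.failed user=carol ip=203.0.113.5
2024-03-01T10:00:06Z level=info event=login.failed user=dave ip=203.0.113.5
2024-03-01T10:00:07Z level=info event=login.failed user=erin ip=203.0.113.5
2024-03-01T10:01:30Z level=info event=login.failed user=alice ip=198.51.100.7
2024-03-01T10:02:00Z level=info event=login.failed user=frank ip=203.0.113.5
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) level=\w+ event=(?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)$'
)


def detect_failed_logins(log_text: str, threshold: int = 5,
                         window: timedelta = timedelta(seconds=60)) -> list:
    """Alert once per IP when it reaches `threshold` failed logins inside `window`.

    Returns dicts with ip, count, the accounts targeted and a rough kind:
    'spray' when the failures spread over several accounts, 'bruteforce' otherwise.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) inside the window
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "login.failed":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerted:
            users = sorted({u for _, u in q})
            alerts.append({
                "ip": m["ip"],
                "count": len(q),
                "users": users,
                "kind": "spray" if len(users) >= 3 else "bruteforce",
                "at": m["ts"],
            })
            alerted.add(m["ip"])  # one alert per source; re-arm after a cooldown in practice
    return alerts
```

The same structure, a window keyed on whatever identifies the actor, works for other signals the post mentions: a client hitting 429s repeatedly, a burst of 404s against endpoints that no longer exist, or a service calling an internal API it never used before. What matters is that the alert carries enough context (who, how many, which accounts) to act on without opening the raw logs first.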