Kumud Bhattarai, Director of Software Development & Enterprise Architect, Pilgrim Quality Solutions
In the era of applications that are either web-based or have some connection to web-based content, making applications secure is one of the most important factors that should be in the back of any system architect’s mind.
Every so often we hear big news about large companies getting breached and private information being stolen from the system. Most of these activities can be attributed to either human weaknesses (such as phishing attacks) or system weaknesses (such as zero-day exploits).
This quick read focuses on what constitutes a bird’s eye view of web application security from a system perspective. The human perspective will follow in a separate blog.
Top Protective Measures to Perform
Here are a few key definitions of application security measures that can help you protect your organization’s data assets:
- Authentication
Authentication is a mechanism to assert that someone really is who they claim to be. From a simple form-based login to multi-factor authentication using biometrics, all of these solutions serve the same purpose.
- Authorization
Authorization is a mechanism to determine what an authenticated user is allowed to do in the system. For example, a user may be authorized to create records but not to update or close them. Other levels of authorization may restrict access to certain records based on various criteria (such as the division/department the user belongs to, the severity of the incident, etc.).
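The two mechanisms above are easiest to see side by side: authentication decides whether the caller is who they claim to be, and authorization decides what that caller may do afterwards. The following is an added example, not code from the original post or from Pilgrim; it uses a constructed in-memory user store, assumed permission names (`create`, `update`, `close`, `high_severity`) and an assumed PBKDF2 work factor. Passwords are stored only as salted, iterated digests and compared in constant time; the authorization check then applies the two layers the text describes, action-level rights and record-level restriction by department and severity.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed
    tables, and the iteration count makes offline guessing expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest and compare in constant time, so response timing
    does not reveal how many leading bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


@dataclass(frozen=True)
class User:
    name: str
    department: str
    permissions: FrozenSet[str]  # action-level rights such as "create", "update", "close"


@dataclass(frozen=True)
class Record:
    record_id: int
    department: str
    severity: str  # constructed values: "low" or "high"


# Constructed user store: {username: (salt, digest, User)}. Plaintext passwords are never kept.
_alice_salt, _alice_digest = hash_password("correct horse battery staple")
_bob_salt, _bob_digest = hash_password("hunter2-but-longer")
USER_STORE: Dict[str, Tuple[bytes, bytes, User]] = {
    "alice": (_alice_salt, _alice_digest,
              User("alice", "Quality", frozenset({"create", "update"}))),
    "bob": (_bob_salt, _bob_digest,
            User("bob", "Quality", frozenset({"create", "update", "close", "high_severity"}))),
}


def login(username: str, password: str) -> Optional[User]:
    """Authentication: return the User only if the credentials check out.
    Unknown usernames still cost one hash, so timing does not reveal which accounts exist."""
    entry = USER_STORE.get(username)
    if entry is None:
        hash_password(password, b"\x00" * 16)  # dummy work to equalise timing
        return None
    salt, digest, user = entry
    return user if verify_password(password, salt, digest) else None


RECORD_BOUND_ACTIONS = {"update", "close"}


def is_authorized(user: User, action: str, record: Optional[Record] = None) -> bool:
    """Authorization: the action must be in the user's permission set; for record-bound
    actions the record must belong to the user's department, and high-severity records
    additionally require the (assumed) 'high_severity' right."""
    if action not in user.permissions:
        return False
    if action in RECORD_BOUND_ACTIONS:
        if record is None or record.department != user.department:
            return False
        if record.severity == "high" and "high_severity" not in user.permissions:
            return False
    return True


if __name__ == "__main__":
    user = login("alice", "correct horse battery staple")
    rec = Record(1, "Quality", "high")
    print(user is not None, is_authorized(user, "update", rec))
```

Note that `login` returns a `User` object rather than a boolean: the authorization layer should only ever receive identities that came out of the authentication step, which keeps the two decisions from being confused.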
- Data Validation
Data validation is a system-level function that checks data for accuracy before it is committed to storage (for example, that all business rules are satisfied and that values fall within their expected boundaries). It also screens the data for security problems (for example, cross-site scripting payloads or attempted SQL injection).
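The following is an added example, not code from the original post or from Pilgrim, showing the three pieces the paragraph above names in one small flow: business-rule and boundary checks on a constructed incident form, a parameterized SQL write and read (an in-memory SQLite table, assumed for the demonstration), and HTML output encoding. The allowed severities, the title length limit and the quantity range are constructed rules for illustration.

```python
import html
import sqlite3
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

ALLOWED_SEVERITIES = {"low", "medium", "high"}  # constructed business rule
MAX_TITLE_LEN = 80                               # constructed boundary


class ValidationError(ValueError):
    """Raised with a human-readable reason; bad input is rejected, never silently 'repaired'."""


@dataclass
class Incident:
    title: str
    severity: str
    quantity: int


def validate_incident(raw: Dict[str, Any]) -> Incident:
    """Business-rule and boundary checks on an untrusted form submission."""
    title = str(raw.get("title", "")).strip()
    if not 1 <= len(title) <= MAX_TITLE_LEN:
        raise ValidationError(f"title must be 1..{MAX_TITLE_LEN} characters")
    severity = str(raw.get("severity", "")).strip().lower()
    if severity not in ALLOWED_SEVERITIES:
        raise ValidationError("severity must be one of low, medium, high")
    try:
        quantity = int(str(raw.get("quantity", "")).strip())
    except ValueError:
        raise ValidationError("quantity must be a whole number") from None
    if not 1 <= quantity <= 10_000:
        raise ValidationError("quantity must be between 1 and 10000")
    return Incident(title, severity, quantity)


def is_valid(raw: Dict[str, Any]) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        validate_incident(raw)
        return True
    except ValidationError:
        return False


def open_store() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE incidents (id INTEGER PRIMARY KEY, title TEXT, severity TEXT, quantity INTEGER)"
    )
    return conn


def save_incident(conn: sqlite3.Connection, inc: Incident) -> int:
    """Parameterized INSERT: the title is bound as a value, so quotes or SQL keywords
    inside it are stored as text and never change the statement."""
    cur = conn.execute(
        "INSERT INTO incidents (title, severity, quantity) VALUES (?, ?, ?)",
        (inc.title, inc.severity, inc.quantity),
    )
    return cur.lastrowid


def find_by_title(conn: sqlite3.Connection, title: str) -> List[Tuple[int, str]]:
    """Parameterized SELECT; the same rule applies to reads."""
    return conn.execute("SELECT id, title FROM incidents WHERE title = ?", (title,)).fetchall()


def count_incidents(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM incidents").fetchone()[0]


def render_title(title: str) -> str:
    """Output encoding for an HTML context: stored markup is displayed literally,
    which is what stops a stored script from running in another user's browser."""
    return f"<td>{html.escape(title, quote=True)}</td>"


if __name__ == "__main__":
    conn = open_store()
    rid = save_incident(conn, validate_incident({"title": "Label misprint", "severity": "High", "quantity": "3"}))
    print(rid, find_by_title(conn, "Label misprint"), render_title("<b>bold?</b>"))
```

Validation and encoding are deliberately separate: validation rejects data that violates the rules, while a title containing angle brackets may be perfectly valid business data and is made safe at the point of output instead.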
- Encryption
Encryption is a system-level function that converts data to an illegible form so that only authorized parties can access it. There are primarily two types of data encryption: at rest (in the database) and in motion (in transport from the server to the user's browser). Encryption at rest is achieved by implementing encryption technology at the storage level or at the database level. Encryption in transit is commonly achieved by using secure Hypertext Transfer Protocol (HTTPS), also referred to as HTTP over TLS (Transport Layer Security).
- Patches
A patch is a piece of software that updates existing software (either the browser or the server) to resolve an issue with an application feature or a security vulnerability in the system.
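HTTPS only protects data in motion when the client actually verifies who it is talking to and refuses legacy protocol versions. The following is an added example, not code from the original post or from Pilgrim, using Python's standard `ssl` module to put the weak client setting beside the corrected one, plus a check that a test suite can use to catch the weak form; it covers the in-transit side only, since at-rest encryption depends on the storage or database product in use.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The weak setting: certificate verification switched off. Traffic is still
    encrypted, but the client cannot tell who holds the other end, so anyone on
    the network path can impersonate the server and read or alter the data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be disabled before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: platform CA bundle, certificate required, hostname
    checked, and nothing older than TLS 1.2 accepted."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Guard for a test suite or startup self-check so a weak context cannot quietly ship."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("weak:", context_is_hardened(weak_client_context()))
    print("hardened:", context_is_hardened(hardened_client_context()))
```

The hardened context is what `urllib` and most HTTP libraries use by default; the weak form usually enters a code base as a "temporary" workaround for a self-signed certificate, which is exactly why the self-check is worth keeping in the tests.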
Top Security Flaws to Dodge
Why are the items listed above important? The Open Web Application Security Project (OWASP), a worldwide non-profit organization focused on improving the security of software, publishes an awareness document called the OWASP Top Ten, which lists the most critical security flaws in web applications.
The most recent Top Ten list includes:
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
So, when selecting your application provider, you want to make sure that they have the right controls in place against Broken Authentication, the right Authorization mechanisms to address Missing Function Level Access Control, Data Validation to prevent Injections and Cross Site Scripting, Encryption against Sensitive Data Exposure and the right Patch Management and Maintenance procedures to mitigate Security Misconfiguration and Using Components with Known Vulnerabilities.
Top Option for Trustworthy Protection
Pilgrim SmartSolve® quality management software, hosted in the Pilgrim Cloud, provides the best of both worlds. The latest versions of SmartSolve include rich features, regulatory updates, security updates, and a managed infrastructure with the latest system fixes. The solution allows you to focus more time and energy on your organization’s regulatory compliance instead of on managing your infrastructure.
Note: Next week, don’t miss our blog to learn more about web application security from the user perspective.
Information Security Summary
This white paper details the security controls that Pilgrim has put in place to ensure information security.