Secure Web Application & Software Development

Every company designs or develops web apps, but few check them for security. Sytech Labs gives you assurance not only of quality in development but also provides the best security measures along with it.

What is a Web Application?

A web application is a series of programs executed on a web server. The server is connected to a backend database. It responds to clients' requests with dynamic web pages via the Hypertext Transfer Protocol (HTTP) to provide cross-platform services on the Internet and intranets. For instance, in an electronic transaction, the user enters information including a credit card number on the web page and completes the transaction.

What is Penetration Testing?

A penetration test (pen test) is a process of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders. The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures. Sytech Labs offers a wide-ranging website penetration test; each audit involves a thorough website security testing procedure that will identify and exploit known weaknesses in web applications. Website security testing includes a full website security audit and website penetration test. You will also receive detailed documentation and reports of our findings as part of the testing process, provided to assist you in mitigating known website security vulnerabilities.

Security Threats to Web Applications

Since web applications are usually connected to the Internet or an intranet, users can utilise the resources provided by the system and enhance work efficiency. However, web applications also bring certain security threats.

Generally, security threats to web applications originate from:

(A) Untrustworthy client
A web application usually cannot monitor the operation of its clients. Therefore the application should not be designed to fully trust and directly process the data input by clients.

(B) Security loopholes in the application design
Attackers will launch attacks targeting security loopholes in the design of the web application. The most typical attacks include code injection and cross-site scripting (XSS).

(C) Insecure network communication
If the web application exchanges unencrypted information with its clients via the Internet or other insecure networks, that information can be intercepted and altered in transit.

Security Measures

In designing web applications, organisations should adopt appropriate security measures to mitigate security risks. In general, security measures can be categorised as follows:

(A) Web application security architecture

The typical web application architecture contains three tiers: the external web server, the application server, and the database server. With such a tiered architecture, even if an attacker can compromise the external web server, they still have to find a way to attack the internal network. The external web server should be placed within a demilitarised zone (DMZ), a special network segment containing the servers that provide Internet-facing services. Servers storing sensitive information should be located in the internal network with additional protection.

(B) Web server software security guideline

Website system administrators should configure web servers securely and assign access rights in accordance with the web server software security guideline. For example, avoid using privileged accounts (e.g. "root", "SYSTEM", "Administrator") to run web server processes, so that a compromised web server process cannot modify system files it is not authorised to touch. In addition, take appropriate precautionary measures such as using Secure Sockets Layer (SSL) to encrypt data in transit.

(C) Web application development process

The security controls of web applications should be analysed and defined during the early stages of software development. For instance, perform source code review to identify security bugs that were overlooked during development. Risk assessment will also help reduce common security loopholes.

(D) Web application secure coding

Software development teams should follow a set of web application secure coding practices; for instance, validate all input parameters and filter special characters such as ~!#$%^&*[]<> to effectively prevent code injection and cross-site scripting (XSS) attacks.
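The following is an added example, not code from the original page or from Sytech Labs, illustrating the secure coding practice above together with the untrustworthy-client principle from threat (A): client-supplied data is validated against an allowlist before use, passed to the database through parameterised statements rather than string concatenation, and HTML-encoded on output. It assumes a hypothetical comment form with "username" and "comment" fields and an in-memory SQLite table; all inputs shown are constructed samples.

```python
"""Validate input, parameterise queries and encode output.

Added example (not the page's or Sytech Labs' code). Assumes a hypothetical
comment form with 'username' and 'comment' fields stored in an in-memory
SQLite table. All sample inputs are constructed.
"""
import html
import re
import sqlite3

# Allowlist patterns: accept only what each field legitimately needs, instead
# of trying to enumerate dangerous characters such as ~!#$%^&*[]<>.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
MAX_COMMENT_LEN = 500


class ValidationError(ValueError):
    """Raised when client-supplied data fails validation."""


def validate_username(value: str) -> str:
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("username must be 3-32 letters, digits or underscores")
    return value


def validate_comment(value: str) -> str:
    if not isinstance(value, str) or not value.strip():
        raise ValidationError("comment must be non-empty")
    if len(value) > MAX_COMMENT_LEN:
        raise ValidationError("comment too long")
    # Control characters other than newline and tab have no place in free text.
    if any(ord(c) < 32 and c not in "\n\t" for c in value):
        raise ValidationError("comment contains control characters")
    return value


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (username TEXT NOT NULL, body TEXT NOT NULL)")
    return conn


def store_comment(conn: sqlite3.Connection, username: str, comment: str) -> None:
    # Parameterised statement: values travel separately from the SQL text, so a
    # quote inside the data can never terminate the statement (code injection).
    conn.execute(
        "INSERT INTO comments (username, body) VALUES (?, ?)",
        (validate_username(username), validate_comment(comment)),
    )


def render_comments(conn: sqlite3.Connection) -> str:
    # Output encoding: html.escape converts <, >, &, " and ' to entities, so
    # stored text is displayed literally rather than interpreted as markup (XSS).
    rows = conn.execute("SELECT username, body FROM comments ORDER BY rowid").fetchall()
    return "\n".join(
        f"<li><b>{html.escape(user)}</b>: {html.escape(body)}</li>" for user, body in rows
    )


def demo() -> dict:
    conn = open_db()
    # Constructed samples: one benign, one with a quote that would break a
    # concatenated SQL string, one carrying markup.
    store_comment(conn, "alice", "Looks good to me.")
    store_comment(conn, "bob", "O'Brien says: ' OR 1=1 --")
    store_comment(conn, "eve", "<script>alert(1)</script>")
    rejected = []
    for bad_user in ("ro ot", "a", "x' OR '1'='1"):
        try:
            validate_username(bad_user)
        except ValidationError:
            rejected.append(bad_user)
    return {
        "row_count": conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0],
        "rendered": render_comments(conn),
        "rejected_usernames": rejected,
    }


if __name__ == "__main__":
    result = demo()
    print(result["rendered"])
    print("rejected usernames:", result["rejected_usernames"])
```

The design point is that filtering a fixed list of special characters is fragile: the durable controls are an allowlist that describes valid input, a database driver that keeps data separate from query text, and encoding applied at the point where data is written into HTML.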