Unlike other qualities such as ergonomics, accessibility or compliance with a given standard, the security of a web application, website or mobile application can be quite difficult to assess.
Take accessibility: several accessibility levels have been defined, such as WCAG (Web Content Accessibility Guidelines) levels A, AA and AAA. It is therefore fairly easy to determine whether a website is accessible, by going through a checklist or by scanning the HTML code of the website.
By nature, accessibility is a set of rules which, if properly followed, makes your website accessible.
Assessing the security of a website
A secure website is one with “no” weaknesses (flaws, vulnerabilities) that would allow a malicious entity to perform harmful actions (harmful to the website's users or to its owner). Although security has some fundamentals, attack techniques are very numerous and varied, so it is clearly impossible to enumerate them exhaustively.
As a consequence, assessing the security of a website is somewhat more complex than ticking boxes on a security checklist (although a checklist can help).
Moreover, some vulnerabilities lie directly in the logic of the application itself, in the user journey. A manual analysis is therefore needed, since no automated security tool can detect this kind of flaw.
Building a secure web application
How, then, can we make sure that a website is secure?
To reduce the amount of rework, the security of an application must be considered from its design stage:
- Security in the user journeys and in the different processes: for example, the password recovery process must not only take into account ergonomic constraints so that users can recover their passwords easily, but also security rules that prevent account hijacking.
- Security in development: the software development life cycle (SDLC) must include security-related procedures, such as code reviews and scans. To achieve this, the development team (or at least some of its members) must be familiar with web security.
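The password recovery process mentioned in the first point is a good illustration of security designed into a user journey. The following is an added example, not code from the original post: a hypothetical PasswordResetService over an in-memory user store, showing the rules that keep a reset flow from becoming an account-hijacking path (unguessable single-use tokens, stored only as hashes, with a short expiry, constant-time comparison and a response that does not reveal whether an address is registered).

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # reset links stop working after 15 minutes


def hash_password(password, salt):
    # Slow, salted hash from the standard library; argon2 or bcrypt would be preferable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


class PasswordResetService:
    """Issues and redeems password-reset tokens over an in-memory user store
    (dict: email -> {"salt": bytes, "password_hash": str}). Hypothetical class."""

    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now          # injectable clock so expiry can be exercised in tests
        self.pending = {}       # email -> (sha256(token), expiry timestamp)

    def request_reset(self, email):
        """Returns (message, raw_token). The message is identical whether or not the
        address exists, so the endpoint cannot be used to enumerate accounts. The raw
        token must only ever reach the mailer; the store keeps a hash of it."""
        raw_token = None
        if email in self.users:
            raw_token = secrets.token_urlsafe(32)          # 256 bits from the CSPRNG
            token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
            self.pending[email] = (token_hash, self.now() + TOKEN_TTL_SECONDS)
        return "If that address is registered, a reset link has been sent.", raw_token

    def redeem(self, email, presented_token, new_password):
        """Accepts a token once, before expiry, compared in constant time."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        presented_hash = hashlib.sha256(presented_token.encode()).hexdigest()
        if self.now() > expires_at:
            del self.pending[email]                        # expired: drop it
            return False
        if not hmac.compare_digest(token_hash, presented_hash):
            return False                                   # wrong token; the real one stays valid until expiry
        del self.pending[email]                            # single use: burn it before changing anything
        user = self.users[email]
        user["salt"] = secrets.token_bytes(16)
        user["password_hash"] = hash_password(new_password, user["salt"])
        return True
```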
Performing penetration tests
This is not the first time we have drawn an analogy with the automotive industry on this blog, and with good reason, because the two industries are strongly similar in some respects.
The security of our cars is a key element from the design stage onwards, but things don't stop there: crash tests are performed before the car goes on sale, and technical inspections are performed regularly throughout the vehicle's lifetime.
Similarly, the security of a web application must be tested before the site goes live, to avoid problems such as data leaks or intrusions into the company's network. We must therefore run a series of tests that analyze the web application and try different attack techniques. Obviously, unlike the crash-tested car, the web application is not destroyed during the tests…
Code reviews and penetration tests must be performed on a regular basis as technology evolves and new functionalities are added.