What are the benefits of web application security testing?

The internet evolves every day to meet the growing needs of consumers. As it matures, static webpages are rapidly being replaced by dynamic web applications that let businesses take an increasingly personal approach to their operations: commercial portals, online banking, online retail sales, and CRM (customer relationship management) tools that extend what were once purely informational resources.

By leveraging technologies like AJAX (“Asynchronous JavaScript and XML”) and HTML5 to send and retrieve data from a server asynchronously (in the background) without interfering with the display and behaviour of the existing page, web applications are driving real change in internet consumption.

Because of the way web applications operate, they are often responsible for storing significant volumes of customer, financial and other data, which makes security breaches a high-priority concern. So, how can businesses ensure their security is strong enough to protect consumers’ data when they use web applications?

How is a web application constructed?

Understanding how a web application is constructed is an essential part of recognising potentially serious security concerns.

Web applications are typically constructed on a model involving three “tiers” or layers, known as the presentation, application, and storage layers.

  1. The user’s web browser forms the first tier (presentation layer). It displays information to the user, takes input, and communicates over the HTTP protocol with the application layer on the web server;
  2. The middle tier (application layer) consists of code or libraries that act as a dynamic engine, built with dynamic web content technology such as ASP, PHP, or Ruby on Rails. It holds the application logic, deciding whether requests from the presentation layer are authorised and how they should be routed, handled, processed, and responded to;
  3. A database forms the third tier (storage layer). It contains, and controls access to, all the data the web application needs to handle requests and build the responses returned to the consumer.

Each of these layers delivers specific functionality and must communicate and exchange data with the other layers to maintain a strong and effective interface. Although this carefully curated construction is what gives a web application its combined functionality, it is essential to recognise that the boundaries between the layers are exactly where security weaknesses can be introduced into business networks.

By nature, web applications are dynamic, and their complexity gives them what security researchers call a ‘large attack surface’. In simple terms, this refers to the number of points at which an unauthorised user can attempt to reach the application and extract data they are not entitled to.

The general rule is that the more complicated the application gets, the more potential there is for errors and the harder it is to maintain security. The combination of patchy security and vast amounts of valuable data ensures that web applications remain a prime target for attacks, but this shouldn’t deter organisations from adopting this alternative to static websites.

While the risks can be high for organisations without a web application security testing solution in place, there are some extremely effective and relatively low-cost options available for organisations of all sizes and complexities.

What is web application security testing and what are the benefits?

Web application security testing is the process of identifying vulnerabilities and mitigating them to protect against attacks. There are several web application security solutions and tools that can be used to test the security of a web application. Some common methods include:

  • Manual testing: This process involves a manual review of the source code by an experienced human tester. It is time-consuming, because the tester has to review both the code and the configuration of the application to look for common vulnerabilities, but it is an effective way of ensuring your organisation’s web application security controls are actually in place. Checks typically cover SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure storage of sensitive data. Other issues, such as incorrect error handling, insecure communication protocols, and the use of outdated or vulnerable libraries, are also an important part of a comprehensive web application security testing strategy. Manual testing can identify vulnerabilities that automated tools miss and provides a deeper understanding of the security of the application.
  • Automated testing: Specialised tools can quickly scan the web application and identify potential vulnerabilities. This method draws on several kinds of tool, including static code analysis (SAST), dynamic testing tools (DAST) that probe a running application for issues such as cross-site scripting (XSS) and SQL injection, and network scanners that review the infrastructure for open ports and misconfigured servers. Although this method is more efficient than most others, it is recommended that it is used in conjunction with manual testing to give a comprehensive view of the web application’s security.
  • Penetration testing: This method of web application security testing involves simulating an attack on the organisation’s application to identify vulnerabilities that could be exploited by an attacker. Using a combination of manual testing and specialised tools, the tester documents each vulnerability found and provides recommendations for mitigation. While penetration testing is resource intensive, it is important to test the security of web applications regularly so that changes are tracked and potential vulnerabilities are patched before they can be used in a cyber-attack.
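As an added example that is not part of the original article, here is the kind of SQL injection check a manual reviewer or a dynamic scanner performs, shown as a vulnerable application-layer lookup beside its parameterised (hardened) form, against a constructed in-memory SQLite storage tier. The table, its rows, the probe input and the function names are all assumptions made for the example.

```python
"""Added example (not from the original article): a minimal application-layer
lookup in its vulnerable and hardened forms, run against a constructed in-memory
SQLite storage layer. Table, rows and function names are assumptions."""
import sqlite3


def make_storage_layer() -> sqlite3.Connection:
    """Constructed sample storage tier: one customers table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, plan TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "gold"),
         (2, "bob@example.com", "basic"),
         (3, "carol@example.com", "gold")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Presentation-layer input is spliced straight into the SQL text, so the
    # storage layer cannot tell data from query: the classic SQL injection flaw.
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    # Parameterised query: the driver passes the value separately from the
    # statement, so the input can only ever be compared literally to the column.
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def boundary_check(lookup, conn: sqlite3.Connection) -> bool:
    """Review-style check at the application/storage boundary: one lookup must
    never return more rows than the single account the address identifies.
    Returns True when the handler passes."""
    # Constructed probe: a tautology that makes the WHERE clause true for every
    # row if it is spliced into the query text unescaped.
    probe = "x' OR '1'='1"
    return len(lookup(conn, probe)) <= 1


if __name__ == "__main__":
    db = make_storage_layer()
    print("vulnerable handler passes:", boundary_check(lookup_vulnerable, db))  # False
    print("hardened handler passes:", boundary_check(lookup_hardened, db))      # True
```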

Conducting web application security testing is essential for any organisation hosting web applications. From protecting sensitive data and maintaining customer trust to meeting regulatory requirements and improving overall security posture, web application security checks keep businesses from falling victim to the potentially disastrous consequences of a cyber-attack.

While no testing measure can guarantee to prevent attacks, testing is a strong preventative measure and has a proven record of detecting and correcting vulnerabilities in web applications before they are compromised.

Organisations hosting web applications should be mindful that every stage of development has the potential to introduce risk. Remaining security-conscious from planning and design through to implementation and maintenance is another way to ensure that vulnerabilities are caught and patched as they arise.