Building in security to websites and apps

When a business wants to provide a service via their website or web application, they want to ensure that their users experience a good service without compromising on security. By building in a focus on security from the start when building a website or application, it is possible to ensure a quality and secure user experience.

This focus on security starts with a set of values: the pillars of information security as proposed by OWASP:

  1. Maintain confidentiality by only permitting user access to appropriate data
  2. Maintain integrity by ensuring that users are only allowed to view or change appropriate data
  3. Maintain access by ensuring that functions are only available as and when users require them

Appropriate access

An appropriate level of security using these actions

Running through each of these three principles is a theme of appropriateness: applications handling routine, non-confidential data need not be over-secured. Combining these principles of availability, integrity and confidentiality will enable businesses to take a proactive approach to building in security while maintaining a quality user experience.

These principles can be taken to a detailed level by adopting the following actions:

  • Only provide an appropriate set of features relative to what the user requires. Where a user has to enter any information, this data should be validated to prevent malicious input being entered that could corrupt the application or website. Similarly, information should be validated before being displayed, as when asterisks are used in place of a person’s credit card number.
  • Ensure that your application fails appropriately in the event of an error. If an error occurs, ensure that while the user is informed, no sensitive system information is displayed as part of the error message. For example, if error messages are not handled appropriately, database table details can be displayed that could allow an attacker to progress their attack further.
  • Ensure appropriate defaults are in place to maintain a high level of security. These defaults include:
    1. An ageing threshold for passwords, after which they must be changed to a value different from those used previously
    2. A validation that passwords contain a combination of numbers, letters and special characters
    3. The use of a timeout threshold so that a user is automatically logged out after a specified inactive period, appropriate to the level of sensitivity of the application (e.g. personal financial data vs. a location finder for restaurants)
    4. Appropriate authentication
    5. Access to the minimum set of privileges. A user should start from a minimum set of privileges when using an application and then be authenticated appropriately as further privileges are required. Using a combination of personas and user stories can help to decide on an appropriate starter set of privileges after a user is authenticated, and what further authorisation is required to progress beyond that initial level.
  • If a user has forgotten their password, ensure that a set of multiple questions and/or an ability for a user to select their own questions is available. This reduces the possibility that an attacker could ‘guess’ the correct answer if a question is used that has a finite number of possible answers (e.g. where were you born?).
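The following is an added example, not code from the original post, showing small self-contained versions of several controls in the list above: allow-list input validation, masking a card number on output, a password complexity check, an idle timeout scaled to the sensitivity of the application, and an error response that logs the detail but shows the user only a generic message. Function names, the idle limits and the password rules are assumptions chosen for illustration.

```python
# Added example, not from the original post: small, self-contained versions of the
# controls listed above (input validation, masked output, password complexity,
# idle timeout, failing without leaking detail). Names and limits are assumptions.
import logging
import re

log = logging.getLogger("app")

# Idle-timeout limits in seconds by sensitivity (constructed values, not a standard).
IDLE_LIMITS = {"financial": 300, "restaurant_finder": 3600}

def is_valid_field(value: str, pattern: str = r"[A-Za-z0-9_.-]{3,32}") -> bool:
    """Allow-list validation: accept only input matching the expected shape."""
    return re.fullmatch(pattern, value) is not None

def mask_card_number(pan: str) -> str:
    """Validate on output too: show only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]

PASSWORD_RULES = [
    (r"[A-Z]", "uppercase letter"), (r"[a-z]", "lowercase letter"),
    (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "special character"),
]

def password_complexity_errors(password: str, min_len: int = 12) -> list:
    """Return the rules a password fails; an empty list means it passes."""
    problems = [name for pat, name in PASSWORD_RULES if not re.search(pat, password)]
    if len(password) < min_len:
        problems.append(f"at least {min_len} characters")
    return problems

def session_is_live(last_seen: float, now: float, sensitivity: str) -> bool:
    """Idle timeout: the session stays live only while activity is within the limit."""
    return (now - last_seen) <= IDLE_LIMITS[sensitivity]

def safe_error_response(exc: Exception, request_id: str) -> dict:
    """Fail appropriately: keep the detail in the server log and give the user only a
    generic message plus a reference they can quote to support."""
    log.error("request %s failed: %r", request_id, exc)
    return {"status": 500, "message": f"Something went wrong. Reference: {request_id}"}
```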

Strength in numbers – obscurity is not enough

All of these approaches should be used in combination, appropriate to the sensitivity of the application or website, to adhere to the principle of defence in depth.

One approach that should not be used on its own is obscurity, whereby sensitive information or functionality is buried in an application with no other security provision. However obscure the location may appear, it is too risky to rely solely on this without other security provisions being used in tandem.

With the appropriate combination of the above approaches, it is possible to provide both a quality and secure user experience in a proactive manner.

For further information on web application security, please go to:
