
Attacks against internet-exposed web applications are the leading cause of data breaches, and we have all seen the massive increase in data breaches over the last few years. So why are these attacks so successful? The simple answer is that organisations aren't paying enough attention to web application security: Veracode's 2017 State of Software Security Report found that 77% of web applications had at least one security vulnerability that could have opened the door to a hacker.

There are many methods a hacker can use to gain access to web applications or servers, such as exploiting software vulnerabilities or injecting malicious code, so it's understandable that users can feel overwhelmed trying to cover all of their bases. To make things simpler, we've compiled a list of best practices to secure your web applications against cyber attacks.


Access Control

Multi-factor authentication should be implemented for logins to web applications and website servers to ensure that only authorised users can gain access. It also means that if a hacker obtains a password, whether through credential stuffing or other means, they still won't have all of the credentials necessary to log in.

With most website hosting services, admins also have the option to whitelist only authorised IP addresses as an extra precaution.


Update Your Software

Software updates may be great for improving performance and introducing new features, but many users don't realise that they are also essential for patching vulnerabilities that would otherwise be left open.

These vulnerabilities leave a website more susceptible to attacks such as Cross-Site Scripting (XSS), which would leave you around 5x more likely to be infected with malware.

Tip: If you're worried about unknown vulnerabilities within your website, try our free Vulnerability Scanner! It only takes 2 minutes to set up and scans for all OWASP Top 10 vulnerabilities and more.


Install an SSL Certificate

Installing an SSL certificate is a relatively cheap and simple way to encrypt all traffic between your website and your visitors' computers. This ensures that unauthorised parties trying to spy on the traffic will not be able to make any sense of it, protecting your company data as well as any sensitive information that visitors enter, such as login details.


DDoS Protection

Distributed Denial of Service (DDoS) attacks overload a server with junk traffic to slow its performance significantly or take it offline completely, leaving it vulnerable to malware injection, data theft, and more. These attacks are typically carried out using spoofed IP addresses or botnets of machines that the attacker has infected remotely.

One way to reduce the impact of DDoS attacks is simply to buy more bandwidth so that an attack is less of a burden on your server, or to spread your servers across multiple data centres so that traffic is distributed between them. However, you can also use DDoS protection solutions such as Barracuda's WAF, which use IP reputation to distinguish genuine users from botnets.


Backup Your Website

When creating any security plan, disaster recovery should always be considered. No matter what protection solutions and practices you have in place, you should still be prepared for the worst-case scenario of a hacker taking over server access or stealing vital data. A website backup should ideally cover files, databases and plugins, giving you a clean version of your website to roll back to in the event of a hack, or even just a software update gone wrong.

For WordPress at least, which is the most popular website hosting service, there are several website backup options available as plugins.


Barracuda's Web Application Firewall

The Barracuda Web Application Firewall (WAF) blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target the applications hosted on your web servers, and the sensitive data those applications access.

The WAF's features include DDoS protection, complete OWASP protection, IP reputation checking, identity and access control, and much more.


To find out more about the WAF and how it can protect your web applications, take a look at the resources below:

Solution Brief

Solution Brief: WAF-as-a-Service Protects Against the Top 10 Biggest Website Threats

White Paper

White Paper: Defending Against Application-Based DDoS Attacks with Barracuda WAF