Web Application
What is a Web App?
Simply put, a web application is any application that is accessed via a web browser. The browser is the client that runs the web application and allows the user to enter information. The server, reached over the Internet or an intranet, stores and retrieves information for all user clients. Information is generated dynamically by the web application through a web server and sent to user browsers. Many of today’s websites are essentially large web applications themselves. One common example of a web application is web-based email services such as Gmail or Yahoo.
Web applications are popular because of the ubiquity of the Internet. Prior to the web, developers needed to build separate clients for specific computer operating systems – such as Apple, PC or Unix. Now users can access web applications regardless of OS or browser type; however, some may run better in specific browsers. This cross-platform compatibility explains their popularity as an application development model – web apps can be deployed and maintained easily without needing to update client-side software. Increases in broadband access and processing power have only improved performance, even when accessed by smartphone.
Web application development employs both client-side script (e.g. HTML, JavaScript) to store and retrieve information and server-side script (e.g. ASP, PHP) to present information. There is wide variation across web applications in the balance of client-side functionality to server-side functionality. Some are simply online storage applications with all tasks completed on the user side, while others offer complete online office suites with robust server processing. Regardless of the mix, if a browser is the common user interface, it’s a web application.
Considerations for Web Application Security
Web application security practice now extends to web services and websites themselves. The Internet is inherently insecure. Users and developers of web applications alike need to consider application security.
Most web applications are custom-made and, it must be assumed, have been subjected to a lesser degree of testing than off-the-shelf software. Users must keep their browser of choice up-to-date to patch any new security holes. They should carefully consider how a web application may access local storage or other sensitive information on their device. They should think twice before using file sharing, collaboration features, online payment, notifications and other permission-based functionality.
Likewise, developers must build trust and assurance with users of their web applications. These apps can theoretically track anything that users do, leading to privacy concerns. Forcing updated browser compatibility is one way to enforce application security, but this risks alienating large numbers of current users in the process. Securing personal information stored in databases is another, but ignores the fact that most hacks and attacks enter via the application. If the web application is not secure, then sensitive user information remains at serious risk.
The best method (and the one most in the application developer’s control) is to secure web applications from the inside by avoiding common coding errors that make web software vulnerable. Web application testing during the development process can expose cross-site scripting, SQL injection and other common security flaws. Veracode offers web application developers a host of web scanning, black box, white box, and manual penetration testing services to find and remediate these problems.