
Last updated on 4/2/20

Identify the right security regulations

What Are Security Standards for Web Applications?

Since most information is on the web these days, a hacker does not need to get into a building or steal your wallet to get data. They can do it from the comfort of their own home! That means you need to set up security.

Where can a business start to ensure they have taken the right security measures? 🤔

There are strict regulations in place that can cover the bases, so you have basic security.

So how can you bridge the basic principles of security with these regulations? Let’s take a look!

Confidentiality, integrity, and availability are nicknamed the CIA triad in the information security sector. Information security is based on the balance of these three principles.

But what do they mean?

Confidentiality is also known as privacy. It is the assurance that unauthorized people do not access sensitive information.

Integrity is the assurance that the data is trustworthy and has not been altered by unauthorized people.

Availability is that there is no disruption to a service or accessibility to the data.

[Figure: The CIA Triad]

These core principles are a key part of how security policies are created.

Security policies are sometimes created based on the regulation the business wants to follow.

Let’s look at some of the security regulations available to organizations that typically have web applications.

Identify the Main Security Regulations for Web Applications

GDPR

In 2018, the General Data Protection Regulation (GDPR) law went into effect. It changes how PII data is stored, used, and handled by businesses, giving EU residents control over their personal information, including name, age, political affiliation, and sexual orientation. Violators are fined. 😱  Although it is based on European Union legislation, it affects all countries because web applications are available worldwide. EU customers who do business with international companies will require GDPR protection on web applications outside the EU.

How can I be sure my web app meets these standards?

Ensure that you secure all PII data from unauthorized users in transmission and at rest. All PII requested and possessed by the business must have a specified use.

Also, provide an option to delete PII data upon customer request. For example, if someone wants to opt out of marketing emails, ensure there is an option to opt out and unsubscribe. Once they unsubscribe, it is essential that the email address is deleted from storage.
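As an added example (not part of the course), here is a small in-memory subscriber store that applies the two points above: a PII field can only be stored if a purpose has been declared for it, and an unsubscribe erases the address from every place it was kept rather than just flagging the record. The store, field names, and purposes are assumed for illustration.

```python
"""Purpose-bound PII storage and erasure on unsubscribe (illustrative)."""
from dataclasses import dataclass, field

# Purpose register (assumed): a PII field may only be stored for a declared use.
PURPOSES = {
    "email": "send the newsletter the subscriber opted in to",
    "country": "choose the language of the newsletter",
}

ERASED = "<erased>"


@dataclass
class SubscriberStore:
    subscribers: dict = field(default_factory=dict)  # email -> record
    audit_log: list = field(default_factory=list)    # (event, subject) tuples

    def subscribe(self, **fields):
        """Refuse any PII field that has no specified use."""
        undeclared = set(fields) - set(PURPOSES)
        if undeclared:
            raise ValueError(f"no declared purpose for: {sorted(undeclared)}")
        self.subscribers[fields["email"]] = dict(fields)
        self.audit_log.append(("subscribe", fields["email"]))

    def unsubscribe(self, email):
        """Delete the record and scrub the address from the audit trail too.

        A 'subscribed=False' flag would keep the PII; the address also survives
        in secondary stores (here, the audit log) unless those are cleaned.
        Returns True if a record was actually removed."""
        removed = self.subscribers.pop(email, None) is not None
        self.audit_log = [(ev, ERASED if who == email else who)
                          for ev, who in self.audit_log]
        self.audit_log.append(("unsubscribe", ERASED))
        return removed

    def holds_pii_for(self, email):
        """Erasure check: look in every store the address could survive in."""
        in_records = email in self.subscribers
        in_log = any(who == email for _, who in self.audit_log)
        return in_records or in_log
```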

PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) is a regulation set for all businesses that handle credit card data. Securing credit card data emphasizes security in accepting, transmitting, processing, and storing it. As more cloud web platforms and storage solutions handle the applications for businesses, it is essential that the cloud provider or host is also PCI DSS compliant. Based on the number of credit cards processed per year, a business will be required to comply with one of four levels of security, increasing in complexity.

If you are creating a web application that handles credit card data, such as an e-commerce or subscription-based website, you must encrypt transmissions. Credit card data transmitted in plaintext is a violation. Stored credit card data must also be protected, which means guaranteeing the proper configuration of your database.
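Plaintext card numbers most often leak into places nobody meant to store them, such as application logs. As an added example (not part of the course), the following checks text for Luhn-valid 13 to 19 digit card numbers and masks them to the first six and last four digits, the most PCI DSS permits to be displayed. The log lines are constructed; the card numbers are the public Visa and Mastercard test numbers.

```python
"""Detect and mask primary account numbers (PANs) found in plaintext."""
import re

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(match: "re.Match") -> str:
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN that appears in plaintext in `text`."""
    return [_digits(m) for m in CANDIDATE.finditer(text) if luhn_valid(_digits(m))]


def mask_pans(text: str) -> str:
    """Replace each PAN with first six + last four; other digit runs are untouched."""
    def repl(m):
        d = _digits(m)
        if not luhn_valid(d):
            return m.group()      # e.g. an order id that merely looks like a PAN
        return d[:6] + "*" * (len(d) - 10) + d[-4:]
    return CANDIDATE.sub(repl, text)


# Constructed sample log: line 1 and 2 leak a PAN, line 3 does not.
SAMPLE_LOG = [
    "2020-04-02T10:00:01 checkout order=1234567890123456 card=4111111111111111 ok",
    "2020-04-02T10:00:02 checkout order=1234567890123457 card=5555 5555 5555 4444 ok",
    "2020-04-02T10:00:03 healthcheck status=200",
]


def leaking_lines(lines: list) -> list:
    """Indexes of log lines that contain a plaintext PAN."""
    return [i for i, line in enumerate(lines) if find_pans(line)]
```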

SOC

Service Organization Controls (SOC 1 / SOC 2) are audits that work at different levels:

  • SOC 1 is a security standard that focuses on the internal controls for financial reporting. This can include protecting the company’s financial data or payroll information. SOC 1 standardizes secure processes in handling this financial data.

  • SOC 2 focuses on trust services based on common criteria of security standards. It is a security review of the business processes such as organization, management, and communication. SOC 2 is also an audit of the policies, procedures, and processes in handling sensitive information.

Although the SOC audits are based on business processes, they are important for developers like you to understand because they impact the security of a web application. To avoid failing an audit, the organization around the application must adhere to security-based processes, including change control.

HIPAA

Health Insurance Portability and Accountability Act (HIPAA) is a collection of privacy and security rules that protect the confidentiality of patient data. It manages the processes and procedures in medical facilities, medical insurance organizations, and other entities that handle medical data and patient PII. It also aided in the transition of digitizing and standardizing medical information from the paper era. HIPAA regulations also include state privacy and security laws. A patient is required to authorize the disclosure of medical information.

As a web developer, knowledge of HIPAA is required if the software application will be used to handle medical data. The privacy and security of information will require encryption in transmission and at rest. It should also be designed to ensure the privacy of data with proper access control.

OWASP

Open Web Application Security Project (OWASP) is an impartial, global, non-profit organization. It assesses the top ten security risks to web applications and advocates secure software programming.

OWASP organizes meetups and conferences around the world, and they are open to everyone! I highly recommend that all serious web developers become members of the organization and get involved in their projects or attend a nearby meetup!

As a web developer, it is important to learn how to secure your web application, so it is not vulnerable to common data breaches. The OWASP Top Ten provides a guideline to follow that ensures you have done your best to secure a basic web application from attacks. It saves money, and shows your clients or the company that you work for that you are serious about creating quality web applications!

Also, if you need to make your web application secure according to the GDPR, PCI DSS, SOC, and HIPAA standards, you have to secure it with OWASP first!

Let’s start with an overview of OWASP and the Top Ten application attacks in the next chapters. Then, in Part 2, you will learn how to implement secure coding practices on your web applications by understanding and protecting against these attacks.

Let's Recap!

  • The CIA triad (Confidentiality, Integrity, and Availability) is the basic tenet of information security.

  • GDPR guarantees data privacy for EU residents.

  • PCI DSS ensures security compliance for sites that handle credit card data.

  • SOC 1 monitors how financial data is handled, and SOC 2 audits overall secure business processes.

  • HIPAA protects patient PII and medical data.

  • OWASP is a nonprofit organization that researches security risks to web applications and more. The OWASP Top Ten 2017 is the latest update on web application security risks today.
