Web applications

Introduction

Web applications are services that can be accessed via a browser. They are used in both a B2B and B2C context. In addition to web applications that are only made available internally on a company's intranet, there are often paid-for applications online that must remain available in order to safeguard the existence of the provider. Providers that make these paid-for services available must implement comprehensive safeguards to minimise the risk of lost revenue. At the same time, many web applications process and store sensitive data for users or entire institutions. Some web applications are also security-critical interfaces between the internet and company networks.

As such, web applications are an attractive target for cyber criminals. There have been repeated cases of attackers managing to access information, hold providers to ransom through DDoS attacks or penetrate the company network by compromising the application. The attackers use various methods. The Open Web Application Security Project regularly analyses the types of attack and publishes the most critical vulnerabilities in the OWASP Top 10.

Security information for developers

The security of any web service, as is generally the case for software, is based in particular on the care taken to meet security-specific requirements during the development process. This is partly the responsibility of developers, while clients should also place special emphasis on observing security criteria during the project. The BSI has compiled an overview in two guides for the development of secure web applications:

Leitfaden zur Entwicklung sicherer Webanwendungen. Empfehlungen und Anforderungen an die Auftragnehmer
Leitfaden zur Entwicklung sicherer Webanwendungen. Empfehlungen und Anforderungen an Auftraggeber aus der öffentlichen Verwaltung (the target group is the public administration, but many aspects can also be applied to companies)

The Alliance for Cyber Security has already published recommendations on this topic, including:

Entwicklung sicherer Webanwendungen v2.0 for technicians and
Schützen Sie sich vor professionellen gezielten Cyber-Angriffen v2.0 for managers.

In addition to data security during processing and storing of data in the web application, it must also be ensured that data cannot be intercepted or manipulated while it is being transported. For this reason, the use of transport encryption is always recommended. Information can be found in the cyber security publication "TLS/SSL Best Practice v2.0" as well as the Technical guideline of the BSI.

Providers also have a duty

Providers of web applications must give the security of their service particularly high priority as compromises can cause a severe loss of revenue and damage a company's reputation.

The Alliance for Cyber Security has provided extensive information and tips on the subject in its Bereitstellung von Webangeboten v2.0 recommendation.

It specifies a number of safeguards, including adequate vulnerability and patch management. The cyber security publication Management von Schwachstellen und Sicherheitsupdates - Empfehlungen für kleine Unternehmen und Selbstständige v2.0 offers tips in this area. In this context, the components used also need to be checked regularly for the latest security vulnerabilities.

Interested parties will also find a comprehensive package of safeguards in the IT-Grundschutz of the BSI, with a wide range of sources of risk explained in Module APP.3.1 Web Applications.

Web checks and penetration tests provide ways to check these safeguards.

Safeguards for internet service providers

Service providers whose business model is based on providing (shared) servers for others to host web services have a significant responsibility to protect against cyber attacks, as they must protect their customers' services and data. Adequate measures are therefore essential.

The Alliance for Cyber Security website provides a range of cyber security publications for internet service providers (ISP). Hosting providers will find information about technical and organisational aspects in the "Sicheres Webhosting v2.0" [Secure web hosting] publication.

It is also essential to implement some fundamental technical safeguards. This includes the use of firewalls and appropriate DDoS mitigation safeguards.

Interested parties will find further information about protecting a server in the ISi-Reihe [ISi series] of the BSI.