The key to secure web applications is understanding that cybersecurity is not a challenge we can solve with a vulnerability scan now and then, but rather a long-term goal.
Here at Zitec, we strive to deliver innovative cybersecurity solutions that meet our clients’ needs. One of the most common questions we get from companies in these uncertain times is how they can be more prepared against potential threats.
In this article, we’re going to share with you how we approach web application security in order to minimise risks and protect user data efficiently.
A short overview of web application security
One of the great benefits of the technologies we have available today is that companies can easily exchange information and complete transactions online via web applications and services. These tools need to have a user-friendly design, be available 24/7, and, most importantly, be oriented to users' needs while preventing data breaches.
When it comes to launching a new application, the process can be very resource-intensive and time-consuming, with different teams being involved in planning, developing, testing, and deploying creative ideas. So, it is not uncommon for security activities to take a back seat.
One of the most effective cybersecurity actions that organisations decide to use when testing the security of their web applications is the classic Penetration Testing exercise. This type of security testing helps uncover critical security vulnerabilities that malicious parties might exploit.
To perform a penetration test, the experts from our Security & Data Protection department simulate real attacks against the clients’ web infrastructures while also helping them fix every single door left open.
The complexity of these tasks often grows and requires more in-depth analysis, as most of the applications we test have a solid backbone in cloud environments, where the responsibility for configuring the cloud services securely lies with the client.
Is penetration testing enough?
It is worth noting that Web Application Pentesting is a measure with short-term effectiveness, as most companies assess their infrastructures at most once or twice a year.
Each month, applications are enriched with new features, making them more complex and consequently more vulnerable. Elements such as 0-day exploits, new frameworks, third-party libraries, and different levels of security knowledge among developers bring new risks into the software development life-cycle. Not to mention that it is also difficult to monitor these aspects over time.
One efficient solution to avoid security incidents and develop a mature cybersecurity culture is to constantly have people involved in training, auditing, testing, and deploying secure services. However, many companies have limited human and financial resources, making automated solutions a popular alternative.
Currently there is a wide range of web security scanning tools that audit applications for security vulnerabilities. But even the more high-end and costly ones fall short when it comes to meeting an organization's specific requirements.
How can 360 Security protect your business?
We created 360 Security because we wanted to provide our clients with an innovative solution that would ensure continuous, integrated security at competitive costs. Such a solution had to include different types of security testing and uncover vulnerabilities at various layers, while keeping maintenance and manual operations to a minimum.
We glued together in-house tools written with the dynamic cybersecurity landscape in mind and open-source modules that have proven effective over time. This has simplified the process of identifying security issues and has eliminated the time required for configuration.
The best part is that our clients don’t require any additional development bandwidth to deploy the necessary security technologies. Now, with just 3 lines of code added to a project, all security engines are powered on.
What does the vulnerability scanning process look like?
Our 360 Security solution includes different modules that split the vulnerability scanning process into individual engines, covering as much of the application attack surface as possible.
- Dynamic Application Security Testing (DAST)
Simulates external attacks on web applications while they are running and emulates malicious users' behaviour. It is highly efficient at finding common vulnerabilities like SQL injection or XSS (Cross-Site Scripting) in a short period of time.
- Static Application Security Testing (SAST)
Identifies security vulnerabilities directly in the source code without having to run the application. It helps development teams quickly remove flaws and comply with industry security standards, and it saves the cost of fixing a security issue in production.
- Software Composition Analysis
Scans the application's source code base and generates an inventory of all the open-source components that contain known security vulnerabilities. Each entry yields information about where the library is present in the project, details about the existing vulnerabilities, and references with fixing recommendations.
- Secrets Detection
Detects and monitors the presence of keys, hard-coded passwords, API tokens, and other sensitive materials in the application source code during build time. Prevents malicious use of secrets that were committed accidentally.
- Container Scanning
Provides automated vulnerability scanning for containers and their components to identify security threats and mitigate risks.
Collects all the results issued by the scanning engines and presents them in a user-friendly web interface where they can be easily observed and monitored.
- Automated Ticket Creation for Vulnerabilities
Once the security vulnerabilities have been identified and false-positive findings have been eliminated, tickets are automatically created in project tracking platforms for high visibility and management.
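A build-time secrets check of the kind the Secrets Detection module above performs, as an added example that is not 360 Security's own code: it applies two known-format signatures and a generic hardcoded-credential rule with an entropy check to a constructed source snippet (all key values are made up) and returns findings that a CI step can use to fail the build. The pattern names, the allow-list marker and the entropy threshold are assumptions for illustration.

```python
import math
import re
from dataclasses import dataclass

# Constructed source snippet as it might look at build time; every value is invented.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
db_password = "hunter2"
api_token = os.environ["API_TOKEN"]
signing_secret = "p9Xk2mQ7vL4sR8tZ1wB6nH3yJ5cD0fG"
test_token = "dummy"  # secrets-scan: ignore
"""

# Signatures for secrets with a recognisable format (simplified, illustrative patterns).
KNOWN_FORMATS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# A quoted literal assigned to a sensitive-looking variable name (env lookups do not match).
SENSITIVE_ASSIGN = re.compile(
    r"(?i)\b(\w*(?:password|passwd|secret|token|api_key|apikey)\w*)\s*[=:]\s*['\"]([^'\"]+)['\"]"
)
IGNORE_MARKER = "# secrets-scan: ignore"  # assumed allow-list marker for test fixtures

@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    detail: str  # variable name, or a redacted prefix of the matched value

def shannon_entropy(s: str) -> float:
    """Bits per character; long high-entropy literals are typical of generated keys."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_source(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for kind, pattern in KNOWN_FORMATS.items():
            hit = pattern.search(line)
            if hit:  # report a redacted prefix only, never the full value
                findings.append(Finding(line_no, kind, hit.group(0)[:4] + "***"))
                break
        else:
            m = SENSITIVE_ASSIGN.search(line)
            if m:
                kind = "high-entropy-credential" if shannon_entropy(m.group(2)) >= entropy_threshold else "hardcoded-credential"
                findings.append(Finding(line_no, kind, m.group(1)))
    return findings

def build_gate(text: str) -> bool:
    """True when the source is clean; a CI step would fail the build on False."""
    return not scan_source(text)
```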