Best Design Practices for securing webapplication
Hi, I am Malathi Boggavarapu working at Volvo Group and i live in Gothenburg, Sweden. I have been working on Java since several years and had vast experience and knowledge across various technologies.
This post will introduce you to the design practices about User authentication which is required for every web application. As you all aware that user authentication is the gateway for the application where user is verified against different set of rules and guidelines inorder to access the application services. Now-a-days Cyber attacks has become very common in this computer world and companies need to protect their Developement systems and software in an effective manner to thwart the cyber crimes.
As we all know User authentication mainly consists of Loginname and Password. Below are some of the best practices we could apply during authentication inorder to safegaurd the application and i also discuss a bit about performance of the application now and then.
Design Practise 1
Make sure that both the Login name and Password is not empty. A frontend validation should be done when the authentication request is sent from the browser. What the frontend validation should do is that, it should validate whether both the Loginname and Password is filled in. Sometimes it would be easily neglected by the developers and the request directly goes to the Server side logic which in turn makes a database call. This induce huge performance impact on your application. It is the effect of bad coding. One way to prevent database call is to check whether the Loginname and Password are empty before making a database call. But it is always good to include empty values check in the frontend itself.
Design Practise 2
For suppose some stranger is trying to login to the application and he somehow know the username and try to imitate the password using many probabilities and combinations which is called Brute-force attack. As you all know Brute-force attack is a method used to obtain information such as password via trial and error method. Generally Brute-force attack is made by using automated software which is used to make large number of guesses to acheive the desired result. There is also a reverse Brute-force attack which is very uncommon but we will just ignore that now.
There are number of methods to prevent Bruteforce attack. Below are few known and popular methods to use.
1) Account lockout policy
The user will be locked out when he or she attempts to login more than N number of times. You can define the value of N as you desire. The effective value could be 3 to 5. The user has to reach out the administrator inorder to activate the account but it has a limitation because many accounts could be locked out due to one malicious user and lot of work for the administrators and also causes service denial for the victims.
2) Progressive delays
When the login attempt is failed for N number of times, the application can introduce some progressive delays preventing the user to make a login attempt immediatly. Progressive delay means, login failure after N login attempts will lock-out the account for X number of minutes. After the complete of X number of minutes, if again the user fails to login after N number of attempts, the account will be locked out but more delay (may be X + 5 minutes) for the second time. The lock-out time increases for subsequent failed attempts. This prevents automated tools to perform bruteforce attack.
3) Another way is to use Re-captcha tools. This will help to identify whether the user is a person and not a automated software. The re-captcha tools can be used to require the user to enter a word or identify some symbols in an image or solve some match equations.
4) The application should enforce strong passwords. The password should have minimum of one number, one Capital letter, one special character. Now-a-days many applications are following this guideline to ensure safety for their applications. Enforcing strong password along with combination of any of the above rules will provide effective way to ensure safety for the application.
Design Practise 3
Password should be hashed out and stored in the database so that when any unauthorized user access the database, he could not see the password. Please search online how to hash out the password as this tutorial only addresses the design principles about user authentication.
Design Practise 4
It is always a good idea to log the user authentication Success or Failure details so that we can monitor and track unusual login patterns and safegaurd the application. We also have several Application monitoring tools available such as Grafana, Graphite etc. They provide graphical representation of different data available to it.
The above said design practices should be followed inorder to provide a secure authentication process for every application. There is also Firebase security API available in the market now where you configure security rules in your application using the FireBase SDK to safegaurd the application.
Please google it to know more information.
Hope the information is helpful. Please post your comments below to improve the post. This post will be updated continuosly whenever i found any new design practice related to Security of the application.
Thank you!
This post will introduce you to the design practices about User authentication which is required for every web application. As you all aware that user authentication is the gateway for the application where user is verified against different set of rules and guidelines inorder to access the application services. Now-a-days Cyber attacks has become very common in this computer world and companies need to protect their Developement systems and software in an effective manner to thwart the cyber crimes.
As we all know User authentication mainly consists of Loginname and Password. Below are some of the best practices we could apply during authentication inorder to safegaurd the application and i also discuss a bit about performance of the application now and then.
Design Practise 1
Make sure that both the Login name and Password is not empty. A frontend validation should be done when the authentication request is sent from the browser. What the frontend validation should do is that, it should validate whether both the Loginname and Password is filled in. Sometimes it would be easily neglected by the developers and the request directly goes to the Server side logic which in turn makes a database call. This induce huge performance impact on your application. It is the effect of bad coding. One way to prevent database call is to check whether the Loginname and Password are empty before making a database call. But it is always good to include empty values check in the frontend itself.
Design Practise 2
For suppose some stranger is trying to login to the application and he somehow know the username and try to imitate the password using many probabilities and combinations which is called Brute-force attack. As you all know Brute-force attack is a method used to obtain information such as password via trial and error method. Generally Brute-force attack is made by using automated software which is used to make large number of guesses to acheive the desired result. There is also a reverse Brute-force attack which is very uncommon but we will just ignore that now.
There are number of methods to prevent Bruteforce attack. Below are few known and popular methods to use.
1) Account lockout policy
The user will be locked out when he or she attempts to login more than N number of times. You can define the value of N as you desire. The effective value could be 3 to 5. The user has to reach out the administrator inorder to activate the account but it has a limitation because many accounts could be locked out due to one malicious user and lot of work for the administrators and also causes service denial for the victims.
2) Progressive delays
When the login attempt is failed for N number of times, the application can introduce some progressive delays preventing the user to make a login attempt immediatly. Progressive delay means, login failure after N login attempts will lock-out the account for X number of minutes. After the complete of X number of minutes, if again the user fails to login after N number of attempts, the account will be locked out but more delay (may be X + 5 minutes) for the second time. The lock-out time increases for subsequent failed attempts. This prevents automated tools to perform bruteforce attack.
3) Another way is to use Re-captcha tools. This will help to identify whether the user is a person and not a automated software. The re-captcha tools can be used to require the user to enter a word or identify some symbols in an image or solve some match equations.
4) The application should enforce strong passwords. The password should have minimum of one number, one Capital letter, one special character. Now-a-days many applications are following this guideline to ensure safety for their applications. Enforcing strong password along with combination of any of the above rules will provide effective way to ensure safety for the application.
Design Practise 3
Password should be hashed out and stored in the database so that when any unauthorized user access the database, he could not see the password. Please search online how to hash out the password as this tutorial only addresses the design principles about user authentication.
Design Practise 4
It is always a good idea to log the user authentication Success or Failure details so that we can monitor and track unusual login patterns and safegaurd the application. We also have several Application monitoring tools available such as Grafana, Graphite etc. They provide graphical representation of different data available to it.
The above said design practices should be followed inorder to provide a secure authentication process for every application. There is also Firebase security API available in the market now where you configure security rules in your application using the FireBase SDK to safegaurd the application.
Please google it to know more information.
Hope the information is helpful. Please post your comments below to improve the post. This post will be updated continuosly whenever i found any new design practice related to Security of the application.
Thank you!
Comments
Post a Comment