Web applications are a key component of business in today’s Internet connected world. The first place people look for information on new products is online, and if you do not have a website, you may not get any sales, despite the quality of your product.

However, if your website gets hacked or otherwise compromised and you end up losing people's billing data and their personal information; this is almost worse than not having a website at all, as the negative publicity this will cause can hurt significantly more!

Web Application Security Best Practices

A key thing to realize here is that firewalls by themselves are not enough. Firewalls can block access to your network, but your website is publically facing – this means it is outside of the firewall – and is vulnerable to web application hacking. Studies have shown that 96% of tested applications have vulnerabilities that are susceptible to attack, but fortunately, there are a host of tools for code review and vulnerability scanning available that can help plug these gaps.

Tools for code review

An extremely popular tool is Sucuri, which is a free malware and website security scanner. This application works on a host of popular platforms including Wordpress, Joomla, and Drupal to name just a few.

One of the best tools available, that provides a host of different reports and data, is Scan My Server. This tool has a SQL injection protectiontest site in addition to cross site scripting protection and other tests.

A great SaaS based tool is Detectify. While this is not a free tool like Sucuri, you can obtain a 21 day free trial on their website, which should give you an opportunity to evaluate it properly in your environment. Being a commercial SaaS tool, the main advantage of Detectify is that it will always have the most current and up to date vulnerabilities identified.

Another good tool with a great GUI that is simple, easy to understand, and use is Tinfoil security. This tool audits your site against the top 10 vulnerabilities and other known security holes.

Manual monitoring is only the first step in protecting your website. It is key to setup automated scripts to ensure that your organization is always protected, not just from the malware currently in the wild, but also from issues yet to be discovered. Alerts need to be configured to update staff at the correct intervals, so that appropriate action can be taken, and tests need to be scheduled to simulate disasters in order to come up with corrective action plans.

https://www.checkmarx.com/knowledge/knowledgebase/SQLi