Web applications are becoming increasingly popular, since the Web is a convenient way to deliver application functionality to just about anyone. The Web also brings significant security risks; the huge security breach of Sony’s PlayStation Network is just the latest example.
Because hackers can be anywhere and access any Web app, the possibility of damage has dramatically increased since the days prior to the Internet (or the “Cretaceous period” as some of us call it). Web developers must take extra measures to ensure their applications cannot easily be hacked.
Any computer on the Web is accessible to any other computer on the Web. This is terrifically convenient for legitimate users, but it also creates significant opportunities for hackers. The hacker can be anywhere, hopping from one proxy server to another prior to reaching your server, making it difficult to track him or her down afterwards.
How do you protect yourself and your Web app? Your first line of defense is the server upon which your Web application runs. The very fact that it’s connected to the Internet means it’s vulnerable. An Internet security expert I know told me the only way to truly secure a server is to unplug it. Since that’s not an option, you have to assume a hacker is going to get access to your server. What happens once they do?
Many Web applications are nothing more than a bunch of text files containing HTML, CSS, JavaScript or PHP. If they can gain access to your server, hackers can easily open these files… and change them. They might do something obvious such as place a graphic in the middle of one of your pages. That could be very embarrassing, but at least it would be easy to spot and fix. Or they might make a much subtler change such as changing the code. Customer credit card details, e-mails and other sensitive information could be compromised in a way not easily noticed.
Some hackers will even replace the Web server application itself with a hacked version that compromises your data. If your server is ever hacked, don’t assume it was just your app. Your best bet in that case is to wipe the drive clean and reinstall everything from a source you trust is not already hacked.
Though nothing can completely prevent hacking, you can make it difficult enough that the hacker decides to look for an easier target. One of the easiest hacks is called a “SQL injection attack”: the hacker enters a fragment of valid SQL into a form field whose contents are then used to build a database query. If the developer has not been careful to keep that input separate from the query itself, the hacker’s SQL is executed as part of the query instead of being treated as data. A hacker could wipe out your entire database or use this exploit to gather valuable information.
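The following is an added example, not code from the original article or from Real Software, showing the two versions of a login-style lookup side by side: one that concatenates the form field straight into the SQL string, and one that passes it as a bound parameter so the database only ever sees it as data. The users table and its two rows are constructed here for the demonstration; Python’s built-in sqlite3 module stands in for whatever database the Web app actually uses.

```python
import sqlite3


def make_db():
    """Build a small in-memory database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The careless version: the field value becomes part of the SQL text.

    Whatever the user typed is spliced into the statement, so quote
    characters and SQL keywords in the input change the query's meaning.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The careful version: a parameterized query.

    The SQL text is fixed; the driver sends the value separately, so it is
    compared literally against the column and can never be executed.
    """
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare_rows_returned(field_value):
    """Return (rows from the vulnerable query, rows from the safe query)."""
    conn = make_db()
    return lookup_vulnerable(conn, field_value), lookup_safe(conn, field_value)


if __name__ == "__main__":
    # A legitimate value behaves the same either way.
    print(compare_rows_returned("alice"))
    # A classic tautology in the field: the vulnerable query returns every
    # row, the parameterized query returns none (no such username exists).
    print(compare_rows_returned("' OR '1'='1"))
```

The fix is not to “escape” the input yourself but to use the parameterized form everywhere a value from the request reaches the database; in PHP the equivalent is prepared statements through PDO or mysqli. It is also worth giving the application’s database account only the privileges it needs, so that even a successful injection cannot drop tables.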
Web developers should review the top vulnerabilities published by the Open Web Application Security Project (OWASP) and make sure their applications cannot be exploited by them; the OWASP Top 10 list is the place to start.
Even those tips won’t stop a hacker from getting on your server and making changes to text files in your app. There are various techniques for detecting a change to these files, and they are certainly worth considering and perhaps implementing, but they don’t stop the hacker from gaining access and looking for ways to cause you grief.
The vast majority of hackers know the popular languages of the Web such as HTML, CSS, PHP and JavaScript. So, you could make yourself a more difficult target by developing with a Web application technology hackers are unlikely to know.
Consider: Desktop applications are difficult to hack because they are compiled to machine code. If you develop your Web application with a language that compiles to machine code, you dramatically reduce the number of potential hackers because very, very few of them will understand machine language at all. Even those few that do are not likely to spend the considerable amount of time necessary to go through thousands of machine code instructions to make the changes that cause damage but also don’t cause your app to crash, giving away the attempted breach immediately.
There is also the further consideration of how to protect your intellectual property. Your Web application contains the business processes and technology you’ve spent your energy creating and implementing.
A hacker might not change your Web application at all but instead simply scour your source files to steal or exploit your confidential business processes. They might use this information to create a competing technology. This is not usually an issue with desktop applications because they are compiled to machine code. This creates the same significant barrier to access as it does for a hacker wishing to change your code.
Also, if you build your Web application with a technology that allows you to compile the application to machine code, your source code is well-protected because it’s not on the Web server at all. If you are a commercial software developer, this method of delivering a Web application can also make selling Web application licenses as easy as selling desktop software licenses.
If you take the necessary steps, you can protect yourself, your clients, and your intellectual property from embarrassment and damage from hackers. Web application security is still not being taken seriously enough, and breaches will continue to increase if developers are not more careful. There are many techniques that can be employed to combat hackers. By taking enough measures, you can reduce the chances that your Web application will be their next target.
Geoff Perlman is the CEO of Real Software, which sells cross-platform development tools that compile Web applications into machine language.