What are the Best Practices for SMBs for Web Application Security?

16 developers, SMB owners, security professionals, and subject matter experts discuss their tips for keeping your web applications secure.

Web application security is a top concern for small and medium-sized businesses – at least it should be. According to Ponemon Institute’s Global State of Cybersecurity in SMBs report, 50% of SMBs have suffered a web-based attack.

Web applications have many vulnerabilities, from out-of-date plugins in content management systems like WordPress and Joomla to malware, permissions and privileges that are far too lenient for security, SQL injections, cross-site scripting (XSS), and more. Cyber attacks aren’t just increasing in number; they’re also becoming increasingly complex and sophisticated, making the task of ensuring secure web applications a monumental one for SMBs.

To protect their business and sensitive data from cyber attacks, SMB owners must follow best practices and implement a trusted monitoring solution with web application vulnerability scanning. To learn more about the best practices and expert tips SMBs should follow when it comes to web app security, we reached out to a panel of developers and security professionals and asked them to answer this question:

"What's the most important tip for SMBs when it comes to web application security?"

Meet Our Panel of Developers and Security Professionals:

Read on to learn what our experts had to say about the most important tips to keep in mind when it comes to web application security.


Adam Thompson

Adam Thompson is a product manager in the cybersecurity industry, with 17 years of experience in web application management and development.

"Update, update, update…"

A lot of common attack vectors can be effectively blocked by simply keeping all of your software up to date. This includes everything from the operating system and web server your web application is running all the way up to things like WordPress themes and plugins. Exploiting known vulnerabilities in existing software is a favorite tactic of hackers – and it's pretty easily defeated by installing updates (which often contain security patches) as quickly as possible.

Consider using managed services. Managed WordPress hosting, for example, allows you to focus on your website while your hosting company completely manages updates. For more sophisticated web apps, serverless architecture such as AWS Lambda allows you to run code without managing any aspect of a server, including updates.

Set up a schedule for updates you're responsible for and stick to it. Weekly is generally sufficient for most use cases, but you may need to check 2-3x weekly or even daily for security-sensitive web applications.

Backup regularly. Having good backups won't protect you from being attacked, but they sure make recovery easier and faster. As the famous saying goes, there are two types of companies – those who have been breached and those who will be breached. When your turn comes, having a good backup system in place will make your life much easier.

Set up automatic backups. Don't rely on manual backups – they're always out of date when you need them most. Schedule automated backups (at least daily) to incrementally back up your files and database on a schedule that works for your business. Example: daily offsite backups, real-time onsite database backups.

Save backups offsite. You can't rely on backups stored in the same location as your web application. Servers crash, data centers go down, $&!# happens. Back up your web application files and databases offsite – if the worst happens, you can still access them.


Stacy Clements

@StacyClements

Stacy Clements is the owner of Milepost 42, providing web and cybersecurity services to small businesses who want someone else to handle the web stuff.

"SMBs need to remember and apply cybersecurity basics to all their systems and applications, including web applications…"

Secure access by only allowing user permissions to the level required (e.g., don't make everyone an admin), and remove users who no longer need access. Keep the application updated – web applications often include third-party extensions which also need to be updated, and they should also be regularly vetted to be sure they are actively being developed to adapt to newly-discovered security vulnerabilities. An important part of any security strategy is the ability to recover in case of a problem, so make sure you are backing up the application as well as any data stored in that application.

For SMBs, the most common web application is a customer-facing website. Because this is a touchpoint for your customers, and you want to maintain their trust, consider additional security measures, such as a web application firewall (WAF). While this won't protect you from zero-day vulnerabilities (previously unknown issues that have not been patched), implementing a WAF along with regular vulnerability scanning adds an additional layer of defense to protect your business and your customers.


Bryan Osima

@uvietech

Bryan Osima is a software engineer and CEO of Uvietech Software Solutions Inc., an NYC-based company that helps businesses grow and succeed with technology.

"Never automatically trust user input and interactions with your site…"

I would say that the most important tip for SMBs when they build web applications is to make sure they sanitize and validate all user inputs and interactions with forms and other entry points to such web applications.

The bulk of malicious attacks occur through lax validation schemes on web forms and other points of interaction with web users or visitors.


Patrick Leonard

@brighteryeg

Patrick Leonard is the Owner of Brighter Digital.

"The number of small businesses that don't employ basic web security is a bit alarming…"

For the most part, business owners aren't exceedingly tech savvy, so my tip is to keep it as simple as possible. Want secure emails? Get something easy-to-use like Google's GSuite. Can't afford expensive web security solutions? Most SMBs are on WordPress, which has free plugins like WordFence that are much better than nothing. There are also affordable web vulnerability scanning solutions out there too. Are they using the same password for all their accounts? Stop that! Get a simple and affordable solution like 1Password. It doesn't have to be difficult; a lot of these businesses just need a little guidance.


Tim Perry

@pimterry

Tim Perry is the creator of HTTP Toolkit, a suite of open-source HTTP tools for developers, testers, and debuggers everywhere. He's worked on projects from IoT startup platforms like Balena to major news sites like the BBC, and he's an enthusiastic advocate for the web, TypeScript, and open-source.

"The greatest web app security risk for an SMB is out of date software, and the most important security step almost all SMBs can take is to…"

Subscribe to security notifications for the key software and tools they depend on, and ensure they have processes in place to quickly update them when vulnerabilities are announced.

Why:

Last year, there were over 12,000 formally published security vulnerabilities, including more than 5,000 vulnerabilities with 6/10 severity or higher, meaning they have a reasonable chance of posing a serious risk for all affected.

Each of these published vulnerabilities is a case where software that you may have been running safely in January now has a hole that attackers everywhere are well aware of. Public vulnerabilities like these then become the most efficient routes for an attacker, by virtue of their wide applicability. An attacker can scan and automatically test millions of sites looking for vulnerable software, and automatically exploit it when found, rather than individually probing specific sites for their own unique vulnerabilities.

This is especially important for SMBs, as their size makes it far more likely that they're attacked as part of a widespread effort, rather than being individually targeted.


Nick Galov

Nick is the co-founder of Review42.com and has years of hands-on experience with web hosting companies, big and small, as a customer, technical support agent, and junior system administrator. He has also worked as an online security expert.

"One of the most important things for web applications is regular data backup…"

Without it, you risk losing all of your information in a matter of minutes. Don’t rely on web hosting services to do this for you. Small business owners should always be on top of things and make sure that data is stored in one safe place that they can access at all times. This way, even if something goes wrong, data won’t be lost.


Swapnil Deshmukh

@CertusCyber

Swapnil Deshmukh is CTO & co-founder of Certus Cybersecurity. Swapnil is a subject matter expert in application, cloud, and emerging technologies security. Swapnil is co-author of the Hacking Exposed Series, and a frequent contributor to conferences, roundtables, and publications. Prior to Certus Cybersecurity, Swapnil was a Senior Director at Visa.

"Small and medium-sized businesses should place the greatest focus on understanding where their data resides, where it’s moving, and the sensitivity of the information…"

This is the first step. In order to secure their data, business leaders should first look to free and open source resources such as the Open Web Application Security Project (OWASP) Top Ten Project, the SANS Top 25 Most Dangerous Software Errors, and the various frameworks and guidelines available through the National Institute of Standards and Technology (NIST). These free tools equip SMBs with the knowledge and best practices to integrate security into their products and services.


Chris Love

@ChrisLove

Chris Love has over 25 years of professional web development experience. He currently specializes in progressive web application development and SEO. Chris has authored four web development books and spoken around the world at a variety of developer events.

"The #1 issue I see today is lack of proper authorization and authentication using a proper identity platform…"

Today, classic cookie-based authentication and a simple username/password table in your database are the last thing you want.

Instead, you should leverage a third-party identity service like AWS Cognito or Auth0. They take care of a very complicated aspect of online security today and provide rich, token-based authentication.

Beyond not using a modern authentication service, many applications do not use the authentication credentials to lock down access to their data. Just last week I inherited a health-related application with a user login, but the application data was easily accessible without authentication.

Just securing data behind an authentication token is not enough. You must add a layer to your business logic to restrict access to data by user and user roles/permissions.

Authentication and security are not simple for a reason. They are designed to make it difficult for bad actors to act badly. You must invest in a solid architecture to protect you and your customers’ data.
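The point above, that a valid token must be followed by a per-record authorization check, as an added example that is not part of the original post. The session table standing in for the identity service, the role names and the records are constructed sample data.

```python
"""Added example, not from the article: an authorization step that runs after the
token has been validated, so a valid login does not by itself expose other users'
records. Session table, roles and records are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


# Stand-in for the identity service: opaque session token -> authenticated principal.
SESSIONS = {
    "tok-alice": Principal("u-alice", "customer"),
    "tok-bob": Principal("u-bob", "customer"),
    "tok-sam": Principal("u-sam", "support"),
}

# Every record carries its owner; that field is what the check is about.
RECORDS = {
    "rec-1": {"owner": "u-alice", "body": "alice's health record"},
    "rec-2": {"owner": "u-bob", "body": "bob's health record"},
}

OWNER_ACTIONS = {"read", "update"}
# What a role may do to records it does not own. Customers get nothing extra.
ROLE_GRANTS = {"customer": set(), "support": {"read"}, "admin": {"read", "update", "delete"}}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def authenticate(token):
    principal = SESSIONS.get(token)
    if principal is None:
        raise Unauthenticated("invalid or expired token")
    return principal


def authorize(principal, action, record_id):
    """Return the record, or raise Forbidden if principal may not perform action on it."""
    record = RECORDS.get(record_id)
    # A missing record is reported exactly like a denied one, so guessing ids
    # does not reveal which ones exist.
    if record is None:
        raise Forbidden("denied")
    if record["owner"] == principal.user_id and action in OWNER_ACTIONS:
        return record
    if action in ROLE_GRANTS.get(principal.role, set()):
        return record
    raise Forbidden("denied")


def get_record(token, record_id):
    """A request handler: authentication first, then per-record authorization."""
    principal = authenticate(token)
    return authorize(principal, "read", record_id)["body"]


def allowed(token, action, record_id):
    """True/False wrapper around the two checks, convenient for tests and audits."""
    try:
        authorize(authenticate(token), action, record_id)
        return True
    except (Unauthenticated, Forbidden):
        return False
```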


Aiden Angeli

@RipeMarketing

Aiden Angeli is a Senior Marketing Consultant and founder of Ripe Marketing. She assists business owners with getting on Google's good side. When Aiden isn't mastering digital marketing, you can see Aiden on TV or in films.

"Many hacks are due to vulnerabilities in plugins and theme software that are not kept up to date…"

The number one action we do for our clients is manually check for needed updates weekly and keep plugins and software updated. We have security measures in place that alert us if problems arise in between the weekly check-ins.

We also encourage our clients to use a host provider that specifically has server-side monitoring on their end with anti-hack systems built in. We recommend every website be built with the following security features:

  • Google reCAPTCHA installation to keep automated software from engaging in abusive activities on your website.
  • Admin Dashboard redirect to mask the login page. Delete the default username admin. To hack a site, you need the username and password. If the username is the default admin, hackers already have 50% of the equation done for them.
  • .htaccess limits, which limit the number of failed login attempts. Once a person has reached this number, their IP address is blocked.
  • SSL Certificate Installation to ensure any data coming to and from your website is encrypted. This prevents unwanted eyes from viewing any data that passes to and from your website.
  • Theme Name Setup, which renames the developer's theme. This makes it harder for a hacker to evaluate the website by using a code inspector to determine the theme. Once a theme is known, they can search databases for theme plugin and software vulnerabilities that can be exploited.

We also recommend scanning posts, pages, and comments for malware URLs on a regular basis.


Alex Paretski

@itransition

Alex Paretski is the Knowledge Manager at Itransition, a Denver-based software development company. He's been working in the industry for over 5 years.

"Unlike large enterprises, SMBs might not have resources to implement and support a fully-functional information security ecosystem…"

That's why SMBs might lag behind large enterprises in terms of real-time monitoring of their web applications. At the same time, SMBs can always protect their web apps by sticking to proactive security measures. There are also affordable automated web app scanning solutions that can help SMBs find vulnerabilities on a regular basis.

For example, SMBs can plan regular penetration testing (pentest) activities. Pentests might not strain the company's budget as much as the implementation of a sophisticated SIEM solution. They also allow business owners to understand the current state of their web app security and take immediate remediation steps if severe vulnerabilities are found. Professional pentests conducted according to the OWASP methodology will allow security specialists to verify all security levels at once. For example, a penetration tester can check how reliable the authentication controls are, how an app can resist a variety of external attacks, and how well it protects sensitive data.

If pentesting becomes a planned and repeated activity, SMBs can stay alert to their web app security status. They can plan necessary improvements and foresee potential security risks even without complex security software in place.


Rob Black

@IoTSecurityGuy

Rob Black, CISSP, is the Founder and Managing Principal of Fractional CISO. He helps organizations reduce their cybersecurity risk as a Virtual CISO. Rob is the inventor of three security patents. He consults, speaks, and writes on IoT and security.

"When trying to compromise a web application, attackers will often use a credential stuffing attack…"

This attack is one where the attackers will take email and password pairs from other compromised sites and try the credentials on other sites. If any of your users reuse their credentials, then your corporate data could be exposed via this type of attack.

A related but different attack is the password spraying attack. This attack uses a handful of the most common passwords with email addresses associated with a web application. The attacker is only interested in getting an account compromise. The law of large numbers will allow the attacker to find the email addresses with the common passwords.

For both of these attacks and others, there is one technical control that makes it very difficult for an attacker to successfully compromise the account: multi-factor authentication (MFA). That's why you see so many articles and advice for turning on MFA. Multi-factor authentication uses a second factor in addition to a password, such as a six-digit code generated from a mobile application. This second factor makes many attacks very difficult and will push an attacker to look for another victim. So, to better secure your web applications, turn on multi-factor authentication!
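The two login-abuse patterns described above, as an added detection example that is not part of the original post: it runs over a constructed authentication log and flags the password-spraying source (one address cycling through many accounts), the distributed single-attempt failures typical of credential stuffing, and any successful login from a flagged source. The log format and the thresholds are assumptions.

```python
"""Added example, not from the article: flagging the login-abuse patterns the post
describes in a constructed auth log. Log format and thresholds are assumptions."""
from collections import Counter, defaultdict

# Constructed sample log, one event per line: "<timestamp> <OK|FAIL> ip=<addr> user=<account>"
SAMPLE_LOG = """\
2024-03-01T10:00:01Z FAIL ip=203.0.113.7 user=alice
2024-03-01T10:00:02Z FAIL ip=203.0.113.7 user=bob
2024-03-01T10:00:03Z FAIL ip=203.0.113.7 user=carol
2024-03-01T10:00:04Z FAIL ip=203.0.113.7 user=dave
2024-03-01T10:00:05Z FAIL ip=203.0.113.7 user=erin
2024-03-01T10:00:06Z OK ip=203.0.113.7 user=frank
2024-03-01T10:01:00Z FAIL ip=198.51.100.1 user=gina
2024-03-01T10:01:01Z FAIL ip=198.51.100.2 user=hal
2024-03-01T10:01:02Z FAIL ip=198.51.100.3 user=ivan
2024-03-01T10:01:03Z FAIL ip=198.51.100.4 user=judy
2024-03-01T10:01:04Z OK ip=198.51.100.5 user=kim
2024-03-01T10:01:05Z FAIL ip=198.51.100.6 user=leo
2024-03-01T10:02:00Z FAIL ip=192.0.2.10 user=carol
2024-03-01T10:02:05Z OK ip=192.0.2.10 user=carol
"""


def parse(log):
    """Return (outcome, ip, user) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].startswith("ip=") or not parts[3].startswith("user="):
            continue
        events.append((parts[1], parts[2][3:], parts[3][5:]))
    return events


def detect(events, spray_min_users=5, stuffing_min_ips=5):
    users_failed_per_ip = defaultdict(set)
    attempts_per_ip = Counter()
    failures_per_ip = Counter()
    for outcome, ip, user in events:
        attempts_per_ip[ip] += 1
        if outcome == "FAIL":
            failures_per_ip[ip] += 1
            users_failed_per_ip[ip].add(user)
    # Password spraying: one source failing against many distinct accounts.
    spraying = {ip for ip, users in users_failed_per_ip.items() if len(users) >= spray_min_users}
    # Credential stuffing (distributed): many sources, each making a single failed attempt.
    # A stuffed credential that works first time leaves no failure at all, which is
    # why MFA rather than log review is the control that actually stops it.
    single_shot = {ip for ip, n in attempts_per_ip.items() if n == 1 and failures_per_ip[ip] == 1}
    stuffing = single_shot if len(single_shot) >= stuffing_min_ips else set()
    # Possible account takeover: a success from a source already seen attacking.
    flagged = spraying | stuffing
    suspicious = sorted({user for outcome, ip, user in events if outcome == "OK" and ip in flagged})
    return {"spraying_ips": sorted(spraying), "stuffing_ips": sorted(stuffing),
            "suspicious_logins": suspicious}


if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```

Carol's two attempts from 192.0.2.10 (a typo followed by a success) are deliberately below both thresholds, so they are not reported.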


Aqsa Tabassam

@Brandnic_com

Aqsa Tabassam is a Sales Associate & Growth Marketer at Brandnic.com LLC.

"Understand your risk…"

A survey conducted by Towergate Insurance shows that 82 percent of SMB owners didn’t believe they were at high-risk for cyber attacks. You need to understand that spending money on tighter security of your web application goes beyond a simple business expense. It’s a necessary investment to keep the business secure and strengthen customer trust.

To watch out for SQL injection, you need to use parameterized queries. Most web languages have this feature, and it is easy to implement. To avoid cross-site scripting (XSS), you need to use powerful tools in the XSS defender's toolbox, like the Content Security Policy (CSP). CSP is a header your server can return that tells the web browser to limit how and what JavaScript is executed in the page.

Encode, encrypt, and divide customer data. In an organization, for the sake of networking, the data has been distributed on the system. This shared data can be processed in the form of a customer's transaction. Online transactions are built on customers’ trust. Any malicious attack or malware can adversely affect your relationship with the customer. That trust of the customer is your most valuable asset. So when you are putting customer data online, encode it in the first place, encrypt it, and store different elements in different locations so that one security infringement does not give away the whole database.


Maksym Babych

@maksymbabych

Maksym is a serial entrepreneur and IT professional. He is a CEO of SpdLoad, a startup development company. He launched SpdLoad almost 7 years ago, and now it has 20+ successful products.

"For 7 years I have been working on developing applications for small and medium-sized businesses…"

And you will not believe it, but the most common mistake I come across is simple password management. People use the password 12345, the year of their birth, their mobile number, or just the word ‘admin.’ If there is an admin password, attackers can gain access to important information. On my list, this is the number one tip – use strong and complex passwords and update them every 3-6 months.


Salman Saleem

@salmansaleem920

Salman Saleem is a Digital Marketing Strategist at Cloudways. He is also a contributor at Readwrite, Aeroleads, Porter Medium, Towards Data Science, and Medium Startup.

"There are certain factors that SMB owners need to consider when setting up their web application security…"

Server Security:

  1. Firewall Installation: Is the firewall performing properly to keep intruders away from accessing the server?
  2. Malware Detection: Does the server have the latest malware detection application that can keep away any type of malware from the server?
  3. DDoS Attack: Is the server capable of blocking a DDoS attack on the server that could crash it in the same instance as well?

Application Security:

  1. SSL: Is the SSL certificate attached to the server to keep the web application secure from bots?
  2. TFA: Is TFA enabled on the application to prevent intruders from hacking the web application?


Ram Shengale

@FantastechSolu1

Ram Shengale is the Founder & CEO of Fantastech Solutions.

"Always hire an experienced developer to build the web application…"

Now this might sound like an obvious thing to do, but most small businesses try to save money and go with a less experienced developer, which costs them in the long term.

I am saying this from personal experience of 7+ years as a web developer and owner of a web agency. I've done so many website projects that I know of every possible way a site could get hacked and know how to prevent that from happening for my clients.

On the other hand, when I see some of my entry level employees code a similar thing, they leave a lot of parts open to vulnerabilities. So, hiring someone experienced to build the web app is the first and most important tip I can give.

Another important tip is to keep the username and password complex. Again, this is an obvious thing to do, but using weak login credentials is the number one reason sites get hacked. A Brute Force Attack is the most common practice hackers use to figure out a website password.


John Moss

@EnglishBlinds

John Moss is the CEO of English Blinds.

"When it comes to web app security, SMBs need to first and foremost…"

Ensure that their employees and everyone else using, handling and, vitally, managing their web apps are aware of and up to date with the key security and protection protocols in place for the safe running of the app.

Monitoring and problem solving will only take you so far if your weakness is human, and a lack of training, consistency, and understanding on the part of teams tends to be the easiest-to-breach weak point in terms of web apps and other forms of cybersecurity protocols, too.

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.
Written by Ellen Zhang, Digital Marketing Manager

Enthusiastic and passionate cybersecurity marketer. Short-story writer. Lover of karaoke.