Security for Web Applications and Portals – 10 Best Practices

Find out how modern, user-friendly yet safe online working and collaborative environments can be created for employees, customers and partners. Download our new White Paper suggesting the 10 Best Practices of how your IT department can increase its agility and guarantee its users flexible and secure access to information.

Secure Digitalisation: Get the latest must-read here

Download the free whitepaper on the 10 best practices for web application and portal security. It’s easy.

Expectations of today's customers and partners

Customers and partners would like to be included in the company’s digital business processes and carry out their transactions directly via a web browser instead of by telephone, post or email. They want to place orders directly via the web and also to be able to modify their data or view the status of their delivery in their browser. Efficient supply chain management can be established by optimizing the processes with partner companies embedded in the value added chain by permitting access to SCM and ERP systems. In addition, numerous process steps can be fully automated using web services.

Requirements on web applications in digital business processes

With this plethora of expectations on digital business processes, it is pretty clear that technology today must adapt itself to the requirements of the business processes. Only in this way will it be able to support efficient collaboration and sensible automation, and thereby enhance the flexibility, user-friendliness and efficiency of a company.

Three critical requirements arise in the implementation of digital business processes in the scenario described above: security, user friendliness and interoperability. Only when all three are met can companies achieve the flexibility demanded and keep the doors open to future business opportunities.

Nothing works without user friendliness

Today's society places a strong emphasis on convenience. In the context of IT, this means that a system only wins the acceptance of its users if it offers a high degree of user friendliness. Consequently, one eye must be kept on simplicity at all times in digitization projects. Anyone underestimating the credo of usability has much to lose in the Internet era: stressed employees and overworked customers or partners will all too quickly look around for a simpler alternative.

Interoperability is becoming increasingly important

Unfortunately, many vendors still assume that companies will adapt their processes to the technology offered to them. Yet modern companies no longer allow themselves to be constrained by technology and rightly demand that technology can be adapted flexibly to the current and future requirements of their business processes. Interoperability is the crucial factor here: it preserves full flexibility even in a wide-ranging application landscape.

IT security – the foundation on which business success is built

The majority of companies went down the path of digitizing their business processes long ago. They have made their core applications accessible over the Internet without allowing themselves to be held back by IT security. But when an audit is imminent, or hackers are playing their games, they will have to deal with the resulting security vulnerabilities.

It is not just major corporations such as eBay, RSA or Adobe that have had to deal with security incidents causing immense losses. The current level of threat does not spare SMEs, and it is precisely these small and medium-sized businesses that are hit much harder by financial losses and damage to reputation than the major businesses.

Hackers attempt at random to disable or compromise applications that can be accessed over the Internet. Standard applications are popular targets for attacks of this kind, as they are easy to find and access to them via the Internet is inadequately protected. Studies by WhiteHat Security (2013) showed that more than 86% of all web applications had weak points.

Companies with high brand equity, particular image, special competitive situations or active in sectors that process sensitive information over the Internet are more seriously exposed. Known as ‘Targets of Choice’, these are particularly attractive targets for focussed attacks. Because this type of attack has a specific intention behind it, much more effort is expended on it and the probability of a successful attack is consequently considerably higher.

The best practices laid out below demonstrate how every business can ensure effective protection for its web applications and portals, which play a central role in digital processes, while at the same time meeting the high demands on user friendliness and interoperability.

The 10 Best Practices

Download the free PDF

Download the free whitepaper on the top 10 best practices for secure digitalisation.

1. Simplify your infrastructure, reduce complexity

A typical business process uses a number of different applications. The cost to internal IT of security in all applications in a complex application landscape can explode: uploading the latest security patches, routine maintenance and implementing a functioning access management for each application, not to mention clear documentation, are just some examples of this.

Centralize the security infrastructure

The most effective step in simplifying security is to outsource access control to a specialized solution. This means that the security of the applications used in the business processes is handled centrally at a single point.

For the IT department, this means that security patches only have to be uploaded once, maintenance is simplified and user access can be managed centrally for all applications. Centralizing the security infrastructure simplifies maintenance of the applications. You will save money because of this, and because of the improved availability of your applications. What is more, uncoupling the security infrastructure in this way, and the consequential enhanced security level, lays down the basis for effortlessly achieving many other best practices.

2. Be better than the average

Opportunity creates thieves, and that is also true for hackers. They quickly notice where things will be easy for them, and where they will have a tough time. This is why it is worthwhile reliably protecting applications that are accessible via the Internet.

Protect web applications and other services accessible via the Internet

Since it is generally not just one but several applications that are simultaneously accessible via the web, you are best off protecting them with a web application firewall. It is installed centrally in front of the applications, receives every request from the clients and checks it. Invalid requests are detected and filtered, and attacks are blocked; only valid requests are forwarded to the applications. The applications are thus protected against common random attacks and have solid base protection against focussed attacks.

3. Encrypt communication

The Internet sits between the web application and the user, and the data transmitted can be read by anyone along the way unless it is encrypted.

SSL encryption – the state of the art

Protect all your data against unauthorized snoopers and against modification by encrypting it when it is sent between the application and users.

Define minimum requirements on the encryption method to be applied according to the application and the confidentiality of the data exchanged. The connection will not even be established if the client browser does not support the encryption required.

Encryption is the name of the game and SSL is the state of the art. Perfect Forward Secrecy should be used for especially confidential data. In contrast to conventional encryption, information transmitted with perfect forward secrecy remains protected even if the data traffic is intercepted and the spies later come into possession of the server keys, for example through a newly discovered security vulnerability, as was recently the case with Heartbleed.
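The two rules in this practice, a minimum protocol version that refuses weaker clients outright and forward-secret key exchange for the rest, as an added example in Go (not code from the page or from the white paper). What the text calls SSL is configured today as TLS; the host name `portal.example.test`, the self-signed throwaway certificate and the in-memory pipe are assumptions so that the handshake runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// ServerConfig: clients below TLS 1.2 are refused, TLS 1.2 suites are ECDHE-only (forward secrecy).
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// SelfSignedCert makes a throwaway ECDSA certificate for the constructed host name.
func SelfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"portal.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake connects an in-memory client supporting at most clientMax; returns negotiated version and suite.
func Handshake(srv *tls.Config, clientMax uint16) (uint16, uint16, error) {
	c, s := net.Pipe()
	go tls.Server(s, srv).Handshake() // server side runs concurrently on the pipe
	// InsecureSkipVerify only because the demo certificate is self-signed; never do this in production.
	cli := tls.Client(c, &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: clientMax})
	if err := cli.Handshake(); err != nil {
		return 0, 0, err
	}
	st := cli.ConnectionState()
	return st.Version, st.CipherSuite, nil
}
```

A client capped at TLS 1.1 never gets a connection, exactly as the text describes, while a TLS 1.2 client is only ever offered an ECDHE suite.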

For all 10 Best Practices:

Get all the information and the free white paper “Secure Web Applications and Web portals: 10 Best Practices” now!

Author Details

Mathias Wyss

Product Manager Web Access Management & Security Expert @ United Security Providers, MSc ETH, CISSP