09 April 2024

by Max Acke

(cyber)security and disaster recovery plan of a web application

Safety is and remains a sensitive and abstract subject. You have to make efforts and investments that do not make a direct, positive contribution to the appearance or functionality of the application or website.

Security is and remains a sensitive and abstract subject

You have to make efforts and investments that do not make a direct, positive contribution to the appearance or functionality of the application or website.

Naturally, it is the correct choice to provide sufficient attention/budget for this and to have a digital partner who has sufficient knowledge and experience for this.

Every company wants good protection of its data and always tries to prevent hacking or downtime of its website or application. Suffering damage to your company image or leaking personal data (or other sensitive information) always has a much greater impact than expected in reality.

Questions regularly asked by customers are

  • Is a Web Application Firewall (WAF) used?

  • Does your proposed solution include using Cloudflare or a similar solution against Distributed Denial-of-Service (DDoS) attacks? And Fail2Ban implementation against hacking attempts?

  • Do you plan to maintain a static version of the application with the possibility of DNS geo routing?

  • What tools do you plan to use when it comes to login pages? For example, Virtual Private Network (VPN), IP restriction, Multi-Factor Authentication (MFA)?

With our experienced Sevendays team, we take our responsibility for safety more than seriously.

Framework native security features

We use a globally used framework, which is a collection of standardized and commonly used functions and libraries that serve as building blocks for developing web applications. It gives us as developers a structured environment in which we can write, test, debug, manage and maintain web applications.

This framework provides this security by default:

  • SQL access via secure ORM, no 'RAW' SQL in code

  • Protection for Mass assignment

  • Secrets and sessions are encrypted with a unique application key

  • Authentication is managed by the framework

  • Robust front/backend validation tools

  • Cross-Site Request Forgery (CSRF) protection

  • Sensitive configuration data is managed outside the application codebase/VCS

Web Application Firewall (WAF)

Cloudflare protection is always possible, but out-of-the-box we have already integrated the following WAF functionality into our PHP framework:

  • Prevent Cross-Site Scripting (XSS) Attacks

  • SQL injection prevention

  • Remote file inclusion (RFI) protection

  • Preventing Local File Inclusion (LFI) Attacks

  • Protection against User-Agent based attacks

  • IP whitelisting: only allows specific IP addresses

  • We log failed logins and block the IP address after a number of attempts

  • We block repeated attacks

  • We send a notification when an attack is detected

Authentication

You only want to allow access to the application to those who really have permission and you want to “obligate” your users to do this in the most secure way possible.

This can be done, for example, with:

  • Two-Factor Authentication (2FA) for backend access: using a 'Time-based One-time Password'. (TOTP), e.g. Google Authenticator

  • IP whitelisting for access to the management area

Distributed denial-of-service (DDoS) prevention

A denial-of-service attack (DDoS attack) can best be compared to a motorway during the morning rush hour. Too much traffic is sent to your website or application for it all to pass smoothly. The road silts up and traffic slows down and even comes to a standstill.

Result, your website or application goes offline.

To resist such a DDOS attack you need a very broad path. That is why our hosting provider's network has a capacity of 100 gigabit/s. Compare it to a highway that suddenly has 100 lanes instead of 3.

Bring on those hackers.

Static site backup

If you want to protect your management environment as much as possible and do not want to expose it to the dangers of the internet, then a statically generated website is also an option (this scenario is less useful for a dynamic web application).

Benefits of a statically generated website include:

  • A static website does not need server-side logic

  • You have a secure, offline management environment that cannot be hacked

  • A static website can use geolocation routing on different zones of an Amazon or Azure environment

 

Best practices from our Sevendays team

On top of everything provided by the framework used, the extra WAF protection, correct authentication for login and superior hosting provider security, we as Sevendays team add the following:

  • We conduct internal audits and follow a security checklist before live deployment of an application

  • We respect the best practices of the framework used

  • We handle sensitive information with care in accordance with your company policy

  • We perform security patches and updates regularly with due diligence

Disaster recovery plan

If, despite all the measures, things still go wrong, we still have a “Disaster recovery plan”

  • The source code of the application is managed in a version control system from which we can make a new deployment on other, uninfected hosting infrastructure with minimal effort

  • Data is managed in 2 locations: in a database and in files

  • A database backup is made at fixed intervals and the files (images, documents, ...) are stored separately on Amazon S3 storage with redundancy

  • You can recover old data at any time

Do you also want “Safety first” for your application or website? Contact us!