Web Application Security best practices and risk mitigation

Security is usually taken for granted.

A study conducted in 2019 found that 46% of web applications contained critical vulnerabilities. Even more shocking, a staggering 87% of sites had medium-severity vulnerabilities.

Acunetix's Web Application Vulnerability 2019 report

Security, and what it means to us

Your data, your site, and your reputation are at risk when you throw caution to the wind with regards to web security.

At Ghosttown Development, we take great pride in our infrastructure and development practices, which are designed to provide absolute peace of mind about the integrity of your site or application. We have taken painstaking measures to ensure that your data and information remain protected, from our software development practices, to the infrastructure and ecosystem the application lives within, to securing the connection from a customer's browser to your application.

Development Practices and Principles

The web applications we develop are built according to the best known practices today. This means the basics are covered without question, protecting you from SQL Injection, XSS attacks, and more. In addition, we constantly monitor disclosed vulnerabilities and patch accordingly if code within your application is found to be affected. If a vulnerability is disclosed for which no patch exists, we will work with you to find a solution or workaround.

Infrastructure and Ecosystem

Just like the application code, the operating system and core application files are continuously monitored for updates and vulnerabilities, and patched accordingly.

Our hosting ecosystem is structured in such a way that no application servers are ever exposed directly to the internet. A layered array of firewalls and routing provides the protection needed to safeguard HIPAA-protected health information (PHI) and other Personally Identifiable Information (PII).

Connection Security

SSL/TLS comes standard. Depending on the application being built, varying levels of connection security can be provided to ensure that your clients’ information is protected in transit from their browser to your application.


Risk Factors

Configuration errors: defaults and data disclosure

Four out of five web applications contained configuration errors such as default settings, standard passwords, and/or data disclosure.

When we say default settings, we are referring to values that ship with the software and should be changed on deployment but are left as-is. Many web application frameworks and off-the-shelf packages ship with a default login and password or something of the like. [Your router, printer, and modem are perfect examples.] Leaving default logins and passwords in place effectively opens the front door to attackers. Lists of the most commonly used passwords circulate, some tens of thousands strong. Don’t use any of these.

Data disclosure refers to the mistake of leaving settings enabled that provide information to would-be attackers, reducing their guesswork or giving them a road map into your application. Common examples:

  • Debug modes left on
  • Verbose error reporting shown to users
  • Services bound to externally reachable IP listeners
  • Web server software and version exposed in responses

XSS Vulnerabilities

30% of web applications are vulnerable to XSS.

Acunetix's Web Application Vulnerability 2019 report

XSS, or Cross-Site Scripting, is an attack in which a maliciously injected script is served by a trusted web application and executed in the victim's browser. This could expose valuable user information to attackers, including personal data, credit card information (if used in a hosted checkout process), and much more. It can even manipulate the application into sending other sensitive data to a recipient of the attacker's choosing.

SQL Injection

Two thirds of web application attacks are SQL Injection attacks.

Latest ENISA Threat Landscape Report

SQL Injection is an attack on web applications that pass form submission data into database queries: by including certain characters in that data, an attacker can potentially expose guarded database data, and even maliciously insert or modify database data.
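As an added illustration that is not part of the original page, the Python snippet below shows the query-construction mistake described here beside its parameterized fix, using an in-memory SQLite table with constructed sample rows; the function names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for an
    application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("o'brien", "obrien@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Form input is spliced straight into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the driver sends the value separately from the
    statement, so quote characters are always data, never SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    conn = make_db()
    results = {}
    # A legitimate name containing an apostrophe breaks the concatenated query
    # outright, which is the first visible symptom of this class of bug.
    try:
        lookup_vulnerable(conn, "o'brien")
        results["vuln_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = lookup_safe(conn, "o'brien")
    # Input that turns the WHERE clause into an always-true condition makes the
    # concatenated query return every row; the parameterized query matches nothing.
    tautology = "x' OR '1'='1"
    results["vuln_tautology_rows"] = len(lookup_vulnerable(conn, tautology))
    results["safe_tautology_rows"] = len(lookup_safe(conn, tautology))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same contrast holds for any database driver: the parameterized form is the one to use for every value that originates from a form, URL, header, or cookie.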