Is a custom programmed web application secure?
How to program your web app in a legally compliant way
Effective, fast and convenient: Individually programmed web applications are replacing more and more desktop software solutions. But when it comes to security for data and users, there are often major gaps in knowledge. How do I protect the web application against hacker attacks and which data protection rules do I have to observe?
Whether it’s process control or data management, more and more companies are turning to browser-based software solutions. The advantages of web applications are obvious: users can work quickly and from anywhere, independent of platform and device. But what about security for data and users of the software? To ensure that the online app is only used by authorized users, it needs functioning and, above all, absolutely secure access protection.
Note: As a software company, we are not allowed to give legal advice. If you have questions about legal issues or you need legal advice, please contact a lawyer. The following article focuses on the aspects to be considered when programming a web application.
Protect your software from unauthorized access
123456 or simply password: The first and most well-known form of access protection for a web application is the good old password – which is often not chosen to be attack-proof. Secure applications prompt new users to choose a username and set a password. It is recommended to set minimum requirements for the chosen password as well as to program an automatic lockout after three failed attempts. The assigned user role then determines the scope of rights and available program functions.
trinidat security tip: Administrators of the web application should never send passwords by mail, but always send a link to a password change page. For a particularly secure web application, two-factor authentication can be added on top of the login with username and password. This generates an additional login code on a second device, e.g. the user’s smartphone.
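The access-protection measures described in the two paragraphs above (password minimum requirements, lockout after three failed attempts, a role per account, and a mailed reset link instead of a mailed password) as one small authentication service. This is an added example and not code from the article or from trinidat. The policy values (12-character minimum, 15-minute link validity, the `app.example` host) and the deny-list of common passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MIN_LENGTH = 12                    # assumption: minimum password length
MAX_FAILED_ATTEMPTS = 3            # lockout threshold from the article
RESET_TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links expire after 15 minutes
PBKDF2_ITERATIONS = 600_000        # OWASP's current recommendation for PBKDF2-HMAC-SHA256

# Constructed deny-list of commonly chosen passwords (the article's own examples included).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein"}


def password_meets_policy(password: str) -> bool:
    """Minimum requirements: length, not on the deny-list, at least three character classes."""
    if len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash; the plaintext password is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    role: str = "user"          # the role decides which program functions are available
    failed_attempts: int = 0
    locked: bool = False


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # sha256(token) -> (username, expiry); only the hash is stored, never the token itself
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}

    def register(self, username: str, password: str, role: str = "user") -> bool:
        if not password_meets_policy(password):
            return False
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest, role)
        return True

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'locked' or 'invalid'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid"        # same answer as a wrong password: do not reveal valid usernames
        if acct.locked:
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True      # from here on an administrator or a reset link is needed
            return "locked"
        return "invalid"

    def create_reset_link(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """What the administrator mails: a link to the change page, never a password."""
        if username not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        now = time.time() if now is None else now
        self.reset_tokens[token_hash] = (username, now + RESET_TOKEN_TTL_SECONDS)
        return f"https://app.example/reset-password?token={token}"  # placeholder host

    def reset_password(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self.reset_tokens.pop(token_hash, None)  # single use: a replayed link fails
        if entry is None:
            return False
        username, expiry = entry
        now = time.time() if now is None else now
        if now > expiry or not password_meets_policy(new_password):
            return False
        acct = self.accounts[username]
        acct.salt, acct.digest = hash_password(new_password)
        acct.failed_attempts = 0
        acct.locked = False         # a successful reset also clears the lockout
        return True
```

Two details worth noticing: the login path answers "invalid" for unknown and for wrong passwords alike, so an attacker cannot use it to enumerate usernames, and the reset token is stored only as a hash, so a leaked database does not yield usable reset links. A lockout that is permanent, as in the article's rule, can also be used to lock legitimate users out by deliberately failing three times; many deployments therefore make the lockout time-limited or add a growing delay instead.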
Beware of Sniffers and the Man in the Middle
Another important aspect for secure online software is the encryption of data transmission between the user’s browser and the web server. As a rule, data on the Internet is transmitted unencrypted via so-called backbone servers. The danger: Unauthorized persons can gain access to a backbone server and intercept data traffic – cyber criminals often use so-called sniffers, such as the Wireshark software, for this purpose. Particularly perfidious are so-called man-in-the-middle attacks, in which the attacker logically places himself between the user and the servers used and is thus able not only to intercept data, but also to read or even manipulate it.
Encrypting the data transfer protects it from unauthorized reading. Encryption via HTTPS (Hypertext Transfer Protocol Secure) is the common approach. Data sent via HTTPS is protected by TLS (Transport Layer Security), the successor of the protocol formerly known as SSL, which encrypts the transfer so that intercepted traffic cannot be read. It also ensures that data cannot be modified or corrupted unnoticed. In addition, certificate-based authentication of the communicating parties (the browser checks the server’s certificate) is what protects against man-in-the-middle attacks.
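The three TLS settings that decide whether the protection described above actually holds, shown with Python's standard `ssl` module as an added example (not code from the article or from trinidat): a correctly configured client context, the misconfigured variant that results when certificate verification is switched off to silence an error, and an audit function that names what each setting gives up. The wording of the findings is my own.

```python
import ssl
from typing import List


def make_client_context() -> ssl.SSLContext:
    """Context the application should use for its own outgoing HTTPS/TLS connections."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated
    ctx.check_hostname = True                      # the certificate must belong to the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED            # and must chain to a trusted certificate authority
    return ctx


def make_misconfigured_context() -> ssl.SSLContext:
    """What a 'just make the certificate error go away' change typically produces (for the audit below)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False                     # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Report settings that reopen the door to a man in the middle or to a protocol downgrade."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("hostname check disabled: a valid certificate for another site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.1 or older accepted: downgrade to broken protocol versions possible")
    return findings


def open_tls_connection(sock, server_hostname: str) -> ssl.SSLSocket:
    """Wrap an already connected TCP socket; the handshake verifies the server's certificate."""
    return make_client_context().wrap_socket(sock, server_hostname=server_hostname)
```

The audit is worth running against every context the application creates, including those inside helper libraries: with verification off, the encryption still happens, but it is negotiated with whoever answers, which is exactly the position the man in the middle wants.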
These are the points you should consider
A web application must meet some legal requirements. Above all, it comes down to data protection. The provisions of the General Data Protection Regulation (GDPR) also apply to online software. The GDPR (DSGVO in German) is an EU regulation that standardizes the rules for processing personal data across the EU. Its aim is, among other things, the protection of personal data in both the private and the public sector.
In order for the custom programmed web application to be GDPR compliant, the rights set out in the regulation must be taken into account. These include, for example, the right to information about, correction of and deletion of personal data.
This results in various requirements for the web application.
A secure individually programmed web application:
- should give the user the choice to agree to cookies or to refrain from using them,
- needs program functions that allow the deletion of personal data at the request of the user and the automatic deletion of data no longer needed,
- provides information about the data stored about a person.
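The three requirements in the list above, implemented as program functions over a small in-memory stand-in for the application's personal-data tables. This is an added example, not code from the article or from trinidat; the retention periods, the set of strictly necessary cookies and the sample records are assumptions constructed for illustration.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumption (not from the article): how long each data category is still needed.
# Profile data has no fixed expiry; it stays until the person asks for erasure.
RETENTION_PERIODS = {
    "login_event": timedelta(days=90),
    "support_ticket": timedelta(days=365),
}

# Assumption: cookies the application cannot work without; everything else needs an opt-in.
ESSENTIAL_COOKIES = {"session_id", "csrf_token"}


@dataclass
class Record:
    user_id: str
    category: str
    created_at: datetime
    payload: dict


class PersonalDataStore:
    """In-memory stand-in for the database tables that hold personal data."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def add(self, user_id: str, category: str, payload: dict, created_at: datetime) -> None:
        self.records.append(Record(user_id, category, created_at, payload))

    def export_for_user(self, user_id: str) -> Dict:
        """Right of access: everything stored about one person, ready to hand out as JSON."""
        items = [
            {"category": r.category, "created_at": r.created_at.isoformat(), "data": r.payload}
            for r in self.records
            if r.user_id == user_id
        ]
        return {"user_id": user_id, "records": items}

    def erase_user(self, user_id: str) -> int:
        """Deletion on request: removes all records of one person, returns how many were removed."""
        before = len(self.records)
        self.records = [r for r in self.records if r.user_id != user_id]
        return before - len(self.records)

    def purge_expired(self, now: datetime) -> int:
        """Automatic deletion of data no longer needed, driven by the per-category retention period."""
        def expired(r: Record) -> bool:
            ttl = RETENTION_PERIODS.get(r.category)
            return ttl is not None and r.created_at + ttl < now

        before = len(self.records)
        self.records = [r for r in self.records if not expired(r)]
        return before - len(self.records)


def cookies_allowed(consent_given: bool, requested: List[str]) -> List[str]:
    """Cookie choice: without consent only strictly necessary cookies may be set."""
    if consent_given:
        return list(requested)
    return [c for c in requested if c in ESSENTIAL_COOKIES]


def build_sample_store() -> Tuple[PersonalDataStore, datetime]:
    """Constructed sample data (not real users) so the functions above can be exercised offline."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = PersonalDataStore()
    store.add("u1", "profile", {"name": "Sample User"}, now - timedelta(days=400))
    store.add("u1", "login_event", {"ip": "192.0.2.10"}, now - timedelta(days=100))  # past retention
    store.add("u1", "login_event", {"ip": "192.0.2.11"}, now - timedelta(days=5))
    store.add("u2", "support_ticket", {"subject": "constructed ticket"}, now - timedelta(days=30))
    return store, now


if __name__ == "__main__":
    store, now = build_sample_store()
    print("purged by retention:", store.purge_expired(now))
    print(json.dumps(store.export_for_user("u1"), indent=2))
    print("erased on request:", store.erase_user("u1"))
```

In a real application the same three operations would run as SQL against every table that carries a user reference, and the purge would run as a scheduled job; the point of keeping retention periods in one table, as here, is that the deletion rules can be shown to an auditor in one place.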
Can web applications really meet all requirements?
The good news first: Yes, many web-based software products already have basic functions built in that can be used, for example, to fulfil the right of access to personal data. Here, program functions that are already in place for regular work with the application are sufficient for compliance with most data protection requirements. An integrated search function can be used to call up and process user data.
One major advantage of a custom-programmed web application is that special functions can be programmed depending on the design of the application. If the application works with particularly sensitive data, service providers such as trinidat can, for example, strengthen access protection according to the customer’s wishes.
Your web application: Individual and secure
Good web applications need effective access protection and must meet a number of legal requirements, such as data protection. To ensure that your online software is secure for providers and users at all times, experienced service providers offer individual advice on the appropriate application functionalities. At trinidat, we place the highest value on creating exactly the program functions for you that keep your web software secure.
Looking for a custom web application?
We are specialists for the development of individually programmed web applications. We are happy to advise you in a free and non-binding initial meeting.