# Best Practices - Application & Web Security

## Why Application & Web Security Matters

Even well-written code can be undermined by insecure deployment, weak authentication, exposed secrets, or outdated dependencies. Administrators and DevOps teams play a critical role in configuring, securing, and maintaining application environments to prevent breaches, data exposure, and service outages.

## Common Risks

| Category | Description | Key Controls (At a Glance) |
|---|---|---|
| Insecure Input/Output Handling | Poor validation and encoding can cause injection and XSS vulnerabilities. | Support secure coding practices; enforce input validation and output encoding. |
| Weak Authentication & Authorization | Custom or misconfigured login flows may allow unauthorized access. | Use centralized SSO; require MFA (preferably biometric or passkeys); enforce server-side authorization checks. |
| Hard-Coded or Exposed Secrets | Secrets in code or config files are easily leaked or misused. | Use approved secrets vaults; rotate secrets; restrict access. |
| Vulnerable Dependencies | Outdated libraries can be exploited even if the application logic is secure. | Track and patch dependencies; use Software Composition Analysis (SCA) tools; remove unused libraries. |
| Misconfigured TLS & Sessions | Weak ciphers or insecure cookies enable interception or session hijacking. | Require modern TLS; enforce secure cookie flags; use proper session policies. |





**Note:**  
*The “Key Controls (At a Glance)” column is intended as a quick reference. Detailed expectations and implementation guidance are described in the Best Practices sections below.*

### General Best Practices

#### Support Secure Coding & Input/Output Controls

- Ensure developers validate input server-side (type, length, format).
- Encourage use of Object-Relational Mappings (ORMs) or parameterized queries.
- Ensure output is encoded for its target context (HTML, URL, JS).
- Disable debug endpoints in production.
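The three controls above applied together, as an added example that is not part of this page: server-side validation of a username, a parameterized query beside the vulnerable concatenated form it replaces, and encoding of the result for the HTML, URL and JavaScript contexts. The `users` table, the username policy and the `render_profile` handler are hypothetical and constructed for the example.

```python
import html
import json
import re
import sqlite3
from urllib.parse import quote

def make_db():
    # Constructed in-memory table so the example runs offline (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "Alice <Admin>"), ("bob", "Bob & Co")])
    return db

def is_valid_username(value):
    # Server-side validation of type, length and format (hypothetical policy).
    return isinstance(value, str) and re.fullmatch(r"[a-z0-9_]{3,32}", value) is not None

def lookup_unsafe(db, username):
    # Vulnerable 'before': concatenation lets the input be parsed as SQL.
    sql = "SELECT display_name FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, username):
    # Parameterized query: the driver binds the value; it is never parsed as SQL.
    rows = db.execute("SELECT display_name FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]

def encode_for_html(value):
    return html.escape(value, quote=True)          # HTML body/attribute context

def encode_for_url(value):
    return quote(value, safe="")                   # URL query-component context

def encode_for_js(value):
    # A JSON string literal is a valid JS literal; '<' is escaped so a value can never close a <script>.
    return json.dumps(value).replace("<", "\\u003c")

def render_profile(db, username):
    """Handler: reject invalid input, bind the parameter, encode per output context."""
    if not is_valid_username(username):
        return None                                # rejected before any DB access
    names = lookup_safe(db, username)
    if not names:
        return None
    name = names[0]
    return {
        "html": "<h1>" + encode_for_html(name) + "</h1>",
        "url": "/profile?name=" + encode_for_url(name),
        "js": "var displayName = " + encode_for_js(name) + ";",
    }
```

Validation rejects the input before it reaches the database, parameter binding keeps a malformed value from altering the query even when validation is absent, and each encoder is chosen by where the value is written, not by where it came from.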

#### Harden Authentication & Authorization

- Prefer central authentication (SSO via SAML/OIDC) over local authentication.
- Require MFA (preferably biometric or passkeys) for admins and systems supporting sensitive data/functions.
- Enforce server-side authorization checks on every request.

#### Manage Secrets Properly

- Store credentials in approved secrets management systems, not in code.
- Limit access to secrets and log secret access when possible.
- Rotate secrets after staff transitions or suspected exposure.

#### Secure TLS & Sessions

- Enforce HTTPS with modern TLS versions and ciphers.
- Configure secure cookies (Secure, HttpOnly, SameSite).
- Set reasonable session timeouts; invalidate sessions after logout.

#### Minimize Internet Exposure

- Only expose services that must be publicly reachable.
- Place web applications behind reverse proxies or application gateways.
- Use Web Application Firewalls (WAF) for externally facing apps.

#### Keep Dependencies Up to Date

- Track major frameworks and libraries.
- Use automated SCA tools in CI/CD pipelines.
- Apply security updates after testing.

#### Integrate Security into the SDLC

- Add SAST to build pipelines.
- Use DAST for public-facing applications.
- Include security criteria in change requests and release notes.

#### Log and Monitor Application Activity

- Log authentication, authorization failures, and admin actions.
- Send application logs to central SIEM for correlation with infrastructure events.
- Investigate anomalies promptly and adjust controls as needed.

## Related Resources

- [University Standards](/apply-standards "Apply Standards")
- [OWASP Top 10 (Critical Web Risks)](https://owasp.org/www-project-top-ten/)
- [CISA Secure by Design (Software Architecture)](https://www.cisa.gov/securebydesign)
- [Mozilla MDN Security Docs (Browser/Web Security)](https://developer.mozilla.org/en-US/docs/Web/Security)
- [GitHub Security Lab (Automated Code Analysis)](https://securitylab.github.com/)