If you are responsible for a web application, how do you measure how safe it is?
What do we mean by “safe”?
safe | seɪf | adjective
Protected from or not exposed to danger or risk; not likely to be harmed or lost.
In essence, you’re asking the question, how well is this application defended against accidental or malicious damage?
But how do you quantifiably measure this, and further, how can you then use this information to effectively maintain and improve the application to continue to deliver value to its users?
Let’s look at some of the factors you can use to evaluate the safety of an application. We specialise in supporting and maintaining Ruby on Rails applications, but the elements we discuss can be applied to any web application irrespective of the language and framework used.
Language and frameworks
First, look at the programming language and framework, in our case Ruby and Ruby on Rails, and establish how up to date they are. Any application that is crucial to the operation of your business should be maintained. In practice, this means at a minimum keeping both on versions that still receive security fixes under their maintenance policies (Rails publishes one, and each Ruby branch has an end-of-life date). An unsupported version gets no fixes, so every newly disclosed bug in it stays exploitable for as long as you run it; staying in support is the baseline for mitigating the risks of running old, insecure or buggy code.
The same philosophy should be applied to the operating system environment and to core applications and services. Look for good practices such as TLS with valid, current certificates on every public endpoint, and for protections such as firewalls and intrusion detection systems. Further, look for good configuration practices rather than vendor defaults: unneeded services disabled, and service accounts running with the minimum privileges they need.
The database is usually assessed alongside the hosting infrastructure, but since it is such a critical element of any web application it warrants special attention. Beyond assessing its configuration and versioning (in line with maintenance policies, as above), also look at the data itself. Is personal or private information stored, and if it is, is it adequately protected by encryption, both at rest and in transit? How are user accounts and permissions configured: does the application connect with a least-privilege role, or as an administrative user? Is access to those credentials monitored, and who holds them? What damage could a leaked credential do, and what measures are in place to limit it?
To evaluate the codebase itself, you will need experts to take a deep dive into it: identifying known vulnerabilities in the libraries it depends on (in a Rails application, the gems pinned in Gemfile.lock), as well as poor programming practices that increase the likelihood of bugs or make the application easier for bad actors to exploit. Tooling such as bundler-audit (known-vulnerable gems) and Brakeman (Rails static analysis) gives a first pass, but it does not replace a reviewer reading the code.
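Putting the two checks above (supported language and framework versions, and known-vulnerable libraries) into one script, as an added example that is not the audit tooling described on this page: it parses a constructed Gemfile.lock excerpt, compares the Rails and Ruby series with a supported-series table, and compares each gem against an advisory list, the way bundler-audit does. The supported-series table and the advisories are assumed placeholders (the IDs are not real CVEs or GHSAs); in practice the advisory data comes from the ruby-advisory-db that bundler-audit reads, and the series lists from the Rails maintenance policy and the Ruby branch pages.

```ruby
# Added example, not the audit tooling of the page's authors: a small
# dependency-policy check over a Gemfile.lock, in the spirit of bundler-audit.
# The policy table and the advisory list are ASSUMED placeholders.
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Series still receiving fixes. Values here are illustrative only; take the
# real lists from the Rails maintenance policy and the Ruby branch pages.
SUPPORTED_SERIES = {
  "rails" => %w[7.1 7.2 8.0],
  "ruby"  => %w[3.2 3.3 3.4],
}.freeze

# Constructed, hypothetical advisories. The IDs are NOT real CVEs or GHSAs;
# real data is the ruby-advisory-db that bundler-audit reads.
ADVISORIES = {
  "rails"    => [{ id: "EXAMPLE-0001", patched: ">= 6.1.7.7", title: "hypothetical Rails fix" }],
  "nokogiri" => [{ id: "EXAMPLE-0002", patched: ">= 1.13.9",  title: "hypothetical nokogiri fix" }],
}.freeze

# Parse the four-space-indented spec lines ("    name (version)") into
# { name => version } and pull the pinned interpreter from RUBY VERSION.
# Dependency lines are indented six spaces and so are skipped. Platform
# suffixes such as "1.13.8-x86_64-linux" are stripped for Gem::Version.
def parse_lockfile(text)
  gems = {}
  ruby = nil
  text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      gems[m[1]] = m[2].sub(/-.*\z/, "")
    elsif (m = line.match(/\A\s*ruby (\d+\.\d+\.\d+)/))
      ruby = m[1]
    end
  end
  [gems, ruby]
end

# "6.1.7.6" -> "6.1": the series a maintenance policy talks about.
def series(version)
  Gem::Version.new(version).segments.first(2).join(".")
end

# Returns human-readable findings; an empty array means nothing was flagged.
def audit(lockfile_text, supported: SUPPORTED_SERIES, advisories: ADVISORIES)
  gems, ruby = parse_lockfile(lockfile_text)
  findings = []

  if ruby && !supported.fetch("ruby").include?(series(ruby))
    findings << "ruby #{ruby}: series #{series(ruby)} is not in #{supported['ruby'].join(', ')}"
  end
  if (rails = gems["rails"]) && !supported.fetch("rails").include?(series(rails))
    findings << "rails #{rails}: series #{series(rails)} is not in #{supported['rails'].join(', ')}"
  end

  gems.each do |name, version|
    advisories.fetch(name, []).each do |adv|
      next if Gem::Requirement.new(adv[:patched]).satisfied_by?(Gem::Version.new(version))
      findings << "#{name} #{version}: #{adv[:id]} (#{adv[:title]}), patched in #{adv[:patched]}"
    end
  end
  findings
end

# Constructed lockfile excerpt standing in for a real Gemfile.lock.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.8-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.2)
      rails (6.1.7.6)
        actionpack (= 6.1.7.6)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    rails (~> 6.1.0)

  RUBY VERSION
     ruby 2.7.8p225

  BUNDLED WITH
     2.4.10
LOCK

puts audit(SAMPLE_LOCKFILE) if $PROGRAM_NAME == __FILE__
```

Run against the sample it reports four findings: the Ruby and Rails series are both outside the (assumed) supported lists, and both nokogiri and rails sit below their (hypothetical) patched versions. The same structure scales to a real lockfile once the two tables are replaced with live data.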
As with the database evaluation, extend your investigation to the development and testing environments, plus elements such as mail servers. Look for separation of data. Is production data used elsewhere, or is it (as it ought to be) anonymised or obfuscated to protect privacy and control access to business-critical data? Development and testing environments should use generated data that does not pertain to real people. Beyond that, look to see whether accidental mistakes can be made. For example, a common issue we find is applications whose non-production environments can send email automatically while holding copies of production data, which means you run a real risk of sending test emails to customers. This could damage your reputation and have many undesirable ramifications, not least causing confusion and extra work for the organisation to clear things up.
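One way to close the test-email hole described above, as an added example rather than code from this page's authors: a Mail interceptor registered with ActionMailer that, outside production, strips every recipient not on an allowlisted domain and diverts the message to a team inbox, recording the original recipients in the subject. The delivering_email hook and ActionMailer::Base.register_interceptor are the real Mail/ActionMailer API; the allowlisted domain, sink address, initializer file name and the use of Rails.env are assumptions, and FakeMessage is a stand-in for Mail::Message so the hook can be exercised offline.

```ruby
# Added example, not code from the page's authors: a Mail interceptor that
# keeps non-production environments from emailing real people. The
# delivering_email hook and ActionMailer::Base.register_interceptor are the
# real API; the domain list, sink address and initializer name are assumed.

class SafeRecipientInterceptor
  # environment:  Rails.env or equivalent; only "production" delivers as-is
  # sink:         inbox that receives everything diverted (a team mailbox)
  # safe_domains: domains that may receive mail from this environment
  def initialize(environment:, sink:, safe_domains: [])
    @environment  = environment.to_s
    @sink         = sink
    @safe_domains = safe_domains.map(&:downcase)
  end

  def production?
    @environment == "production"
  end

  # An address is safe when its domain is on the allowlist (case-insensitive).
  def safe?(address)
    domain = address.to_s.split("@", 2).last.to_s.downcase
    @safe_domains.include?(domain)
  end

  # Called by the Mail gem with the message just before delivery. Safe
  # recipients are kept; everything else is removed and, if anything was
  # removed, the sink is added to To: and the subject records who was diverted.
  def delivering_email(message)
    return message if production?

    originals = [message.to, message.cc, message.bcc].map { |r| Array(r) }
    kept_to, kept_cc, kept_bcc = originals.map { |r| r.select { |a| safe?(a) } }
    diverted = (originals.flatten - (kept_to + kept_cc + kept_bcc)).uniq

    message.to  = diverted.empty? ? kept_to : (kept_to + [@sink]).uniq
    message.cc  = kept_cc
    message.bcc = kept_bcc
    unless diverted.empty?
      message.subject = "[#{@environment}] #{message.subject} (diverted from: #{diverted.join(', ')})"
    end
    message
  end
end

# Registration, as it would appear in config/initializers/mail_safety.rb
# (file name assumed). Guarded so this file also runs without Rails loaded.
if defined?(ActionMailer::Base)
  ActionMailer::Base.register_interceptor(
    SafeRecipientInterceptor.new(
      environment: Rails.env, sink: "dev-mail@example.com", safe_domains: ["example.com"]
    )
  )
end

# Minimal stand-in for Mail::Message so the hook can be exercised offline.
FakeMessage = Struct.new(:to, :cc, :bcc, :subject)

if $PROGRAM_NAME == __FILE__
  interceptor = SafeRecipientInterceptor.new(
    environment: "staging", sink: "dev-mail@example.com", safe_domains: ["example.com"]
  )
  # Constructed message: one real customer address, one internal address, one cc.
  msg = FakeMessage.new(["customer@gmail.com", "qa@example.com"], ["other@outlook.com"], [], "Your invoice")
  interceptor.delivering_email(msg)
  puts "to=#{msg.to.inspect} cc=#{msg.cc.inspect} subject=#{msg.subject}"
end
```

In development the usual first line is delivery_method :test or a local mail catcher, so this interceptor mainly earns its keep on staging servers that really do deliver mail. It is a backstop, not a substitute for the anonymised data the paragraph asks for: if the staging database never contains customer addresses, there is nothing to divert.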
Finally, analyse the licensing situation so that the organisation knows its legal position in using the code, is compliant with the licences of the libraries it depends on, and is not exposed to litigation should the provenance of the code come into question.
Use the insight gained to inform your roadmap
This notion of safety is one of the four pillars of web application maintenance. When you have a measurable way of documenting the health of your application, you can use it to inform your development priorities. You can create a strategic plan to ensure you allocate the time and resources needed to stay safe and secure at a pace that works with your budget. In turn, your development team can use this information to improve the codebase naturally, particularly if you conduct regular audits over time. When budgets are limited, having a way to rate the application helps to determine where best to place the effort.
Get some clarity on your application
If you have a Ruby on Rails application and you would like more peace of mind, or you'd like to know where the dragons might be lurking, then get in touch to see if our Ruby on Rails Code Audit and Risk Report is right for you. Our comprehensive report will assess your application against our four maintenance pillars of safety, resilience, adaptability and documentation.