Web application security
Security in enterprise web applications: technical guide for executives
Published: February 20, 2026
Web application security is one of the most underestimated risk vectors in mid-sized Spanish companies. 43% of global cyberattacks target SMBs and mid-sized companies, and most exploit vulnerabilities in poorly designed or unmaintained web applications. This guide explains which risks are real, which controls are essential, and how to budget security as a business asset.
Most common attack vectors in enterprise web applications
- SQL and NoSQL injection: the oldest attack vector and still the most common. A web form without proper validation can give complete access to the company database. 30% of enterprise web applications have an active injection vulnerability.
- Broken authentication: weak passwords without MFA, sessions without expiry, predictable password reset tokens, and lack of brute-force protection. Broken authentication is the second leading cause of breaches in enterprise web applications.
- Sensitive data exposure: APIs returning more information than necessary, logs containing personal data or credentials, and error responses revealing the system's internal architecture. Very common in applications migrated from legacy systems without a security review.
- Broken access control, typically an insecure direct object reference (IDOR): an authenticated user can access another user's data by changing an ID in the URL or request body. Critical in B2B applications where each customer should only see their own data.
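The two vectors above that a developer can check in a few lines, injection and IDOR, look like this in code. The block below is an added example written for this guide, not code from any product or customer: it builds a small in-memory SQLite table of invoices (constructed sample data for two hypothetical customers, ids 100 and 200), shows the concatenated-SQL lookup that produces the injection finding, and beside it the hardened version that validates the id server-side, binds it as a query parameter, and enforces ownership so that a valid invoice id belonging to another customer returns nothing. The table, column names and the `demo()` helper are all assumptions made for the example.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data (hypothetical): invoices for two customers, 100 and 200."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, customer_id INTEGER, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 100, 250.0), (2, 100, 80.5), (3, 200, 1200.0)],
    )
    return conn


def invoice_lookup_vulnerable(conn, raw_id):
    """The pattern behind most injection findings: user input pasted into the SQL text.

    A value such as 1' OR '1'='1 changes the query itself instead of being treated
    as data, so the caller receives every invoice of every customer."""
    sql = f"SELECT id, customer_id, amount FROM invoices WHERE id = '{raw_id}'"
    return conn.execute(sql).fetchall()


def invoice_lookup_hardened(conn, raw_id, current_customer_id):
    """Server-side validation + parameterized query + ownership check.

    Returns a list of rows, or None when the input is rejected. The customer_id
    predicate is the access-control (IDOR) control: a real invoice id that belongs
    to another customer yields no rows instead of that customer's data."""
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        return None  # validation failure: ids are positive integers, nothing else
    rows = conn.execute(
        "SELECT id, customer_id, amount FROM invoices WHERE id = ? AND customer_id = ?",
        (int(raw_id), current_customer_id),  # bound parameters never alter the SQL text
    ).fetchall()
    return rows


def demo():
    """Runs both versions against the constructed data and returns what each gives back."""
    conn = build_demo_db()
    injection = "1' OR '1'='1"  # classic injection test string, constructed for the demo
    return {
        "vulnerable_honest_input": invoice_lookup_vulnerable(conn, "1"),
        "vulnerable_injection": invoice_lookup_vulnerable(conn, injection),
        "hardened_injection": invoice_lookup_hardened(conn, injection, 100),
        "hardened_own_invoice": invoice_lookup_hardened(conn, "1", 100),
        "hardened_other_customer": invoice_lookup_hardened(conn, "3", 100),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the vulnerable lookup returning all three invoices for the injection string, while the hardened lookup rejects that string outright and returns an empty list for invoice 3 when customer 100 asks for it. The ownership predicate belongs in the query (or in the data-access layer) rather than in a check the caller may forget.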
Essential security controls in any enterprise application
- Multi-factor authentication (MFA) and session management: mandatory MFA for all users with access to sensitive data, sessions with limited inactivity timeout, and authentication token rotation. Reduces account compromise risk from stolen credentials by 99%.
- Encryption at rest and in transit: HTTPS with TLS 1.3, encryption of sensitive database fields (bank data, credentials, health data), and secret management with a dedicated vault (AWS Secrets Manager, HashiCorp Vault) instead of plaintext environment variables.
- Input validation and output encoding: all user input must be validated server-side (not just client-side), and all output to HTML must be encoded to prevent XSS. Non-negotiable in applications handling third-party data.
- Security logging and monitoring: audit logs for all critical actions (login, permission changes, sensitive data access), automatic alerts for anomalous access patterns, and log retention compliant with GDPR (minimum 6 months, maximum per retention policy).
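The session-management requirements in the MFA control above (inactivity timeout, token rotation, unguessable tokens) are concrete enough to show in code. The block below is an added example for this guide, not code from any framework or vendor: a minimal session store that issues 256-bit random tokens, keeps only a hash of each token, expires sessions on both an idle timeout and an absolute lifetime, and rotates the token after login or an MFA step-up so that a token captured earlier stops working. The timeout values (15 minutes idle, 8 hours absolute) and the `FakeClock` used to exercise the expiry rules deterministically are assumptions made for the example, not figures from the guide.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (not from the guide): 15 min idle timeout, 8 h absolute lifetime.
IDLE_TIMEOUT_S = 15 * 60
ABSOLUTE_LIFETIME_S = 8 * 60 * 60


@dataclass
class Session:
    user_id: str
    created_at: float   # authentication time; the absolute lifetime is anchored here
    last_seen: float    # last accepted request; the idle timeout is anchored here
    mfa_verified: bool


def _key(token: str) -> str:
    # Store only a hash of the token: a leaked session table does not hand out live sessions.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}   # token hash -> Session
        self._clock = clock   # injectable so expiry can be tested without waiting

    def create(self, user_id: str, mfa_verified: bool) -> str:
        now = self._clock()
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable
        self._sessions[_key(token)] = Session(user_id, now, now, mfa_verified)
        return token

    def revoke(self, token: str) -> None:
        self._sessions.pop(_key(token), None)

    def resolve(self, token: str):
        """Return the live Session for a presented token, or None if unknown or expired."""
        session = self._sessions.get(_key(token))
        if session is None:
            return None
        now = self._clock()
        if (now - session.last_seen > IDLE_TIMEOUT_S
                or now - session.created_at > ABSOLUTE_LIFETIME_S):
            self.revoke(token)  # expired sessions are removed, never silently extended
            return None
        session.last_seen = now
        return session

    def rotate(self, token: str):
        """Swap the token after login, MFA step-up or a privilege change.

        The session data survives; the old token stops working immediately, so a
        token captured before the sensitive step cannot be replayed after it."""
        session = self.resolve(token)
        if session is None:
            return None
        self.revoke(token)
        new_token = secrets.token_urlsafe(32)
        self._sessions[_key(new_token)] = session
        return new_token


class FakeClock:
    """Manual clock for the demo; production code keeps the default time.time."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.create("alice", mfa_verified=True)
    clock.now += 20 * 60  # no request for 20 minutes
    print("after 20 idle minutes:", store.resolve(token))  # None: idle timeout reached
```

The absolute lifetime is anchored at authentication time and is not reset by `rotate`, so an active user is still forced to re-authenticate (and re-pass MFA) at the end of the working day; the idle timeout is what closes sessions left open on a shared machine.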
NIS2 and GDPR compliance in web applications
- NIS2 (Network and Information Security Directive): in force in Spain since October 2024. Applies to mid-sized companies in essential sectors (energy, transport, health, banking, digital infrastructure) and important sectors. Requires cybersecurity risk management measures, incident notification within 24h, and supply chain assessment.
- GDPR — appropriate technical measures: Article 32 of the GDPR requires appropriate technical measures to protect personal data. The AEPD can sanction up to €20M or 4% of global turnover for breaches resulting from insufficient security measures in web applications.
- Data Protection Impact Assessment (DPIA): mandatory when the application processes data at large scale, special category data, or systematically monitors individuals. The DPIA documents privacy risks and the technical measures to mitigate them.
- Incident management and notification: GDPR requires notifying breaches to the AEPD within 72 hours and to affected individuals if the risk is high. The application must have a documented process for detecting, containing, and notifying security incidents.
How to conduct a security audit of your web application
- Software Composition Analysis (SCA): identifies third-party libraries with known vulnerabilities (CVE) in application code. Tools: OWASP Dependency-Check, Snyk, GitHub Dependabot. Must be done at each release and in the CI/CD pipeline.
- Penetration testing (pentest): simulation of real attacks by an external specialist team. A standard web pentest for a mid-sized enterprise application costs €3,000-€10,000 and should be repeated annually or after major architectural changes.
- Security code review (SAST): static analysis of source code to detect insecure code patterns. Integrated into the CI/CD pipeline, it detects vulnerabilities before they reach production.
- Infrastructure configuration audit: review of web server, database, cloud provider, and third-party service configuration. HTTP security headers, CORS, CSP, HSTS — many teams ignore these until they're audited.
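The configuration-audit item above names the HTTP security headers that teams tend to forget. The block below is an added example written for this guide, not a tool from any of the vendors mentioned: a small checker that takes one response's headers and returns a list of findings for HSTS, CSP, MIME sniffing, clickjacking, Referrer-Policy, wildcard CORS and version disclosure in the Server header. The two header sets are constructed sample responses from hypothetical servers, and the one-year minimum HSTS max-age is an assumed threshold (the commonly recommended value), not a figure from the guide.

```python
import re

# Assumed threshold (not from the guide): one year is the commonly recommended HSTS max-age.
MIN_HSTS_MAX_AGE = 31_536_000

# Constructed sample responses (hypothetical servers, for the demo only)
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
}

HARDENED_HEADERS = {
    "Server": "web",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def _hsts_findings(value):
    if value is None:
        return ["HSTS missing: add Strict-Transport-Security so browsers refuse plain HTTP"]
    findings = []
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if match is None or int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE}: '{value}'")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains; subdomains stay reachable over HTTP")
    return findings


def audit_headers(headers):
    """Return a list of findings for one HTTP response; an empty list means all checks pass."""
    # Header names are case-insensitive, so normalise before looking anything up.
    h = {name.lower(): value for name, value in headers.items()}
    findings = _hsts_findings(h.get("strict-transport-security"))

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing: add Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP permits unsafe-inline/unsafe-eval, which weakens XSS protection")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing stays enabled)")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("Clickjacking: set X-Frame-Options or CSP frame-ancestors")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing; full URLs may leak to third parties")

    if h.get("access-control-allow-origin") == "*":
        findings.append("CORS allows any origin; restrict to known front-ends on authenticated APIs")

    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header discloses software version: '{server}'")
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {len(audit_headers(headers))} finding(s)")
        for finding in audit_headers(headers):
            print("  -", finding)
```

Pointed at real responses (for instance the headers returned by `requests.get(url).headers`, which behave as a case-insensitive mapping), the same function turns the audit item into a check that can run in the CI/CD pipeline next to SAST and SCA, so a regression in the web server or CDN configuration fails the build instead of waiting for the next annual pentest.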
Does your enterprise web application need a security audit, or do you want to build it with security by design from the start?