Application security

Last updated

Application security encompasses measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.

Application software computer software designed to perform a group of coordinated functions, tasks, or activities for the benefit of the user

Application software is software designed to perform a group of coordinated functions, tasks, or activities for the benefit of the user. Examples of an application include a word processor, a spreadsheet, an accounting application, a web browser, an email client, a media player, a file viewer, an aeronautical flight simulator, a console game or a photo editor. The collective noun application software refers to all applications collectively. This contrasts with system software, which is mainly involved with running the computer.


Different techniques are used to surface such security vulnerabilities at different stages of an applications lifecycle such as design, development, deployment, upgrade, maintenance.

In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

Software design is the process by which an agent creates a specification of a software artifact, intended to accomplish goals, using a set of primitive components and subject to constraints. Software design may refer to either "all the activity involved in conceptualizing, framing, implementing, commissioning, and ultimately modifying complex systems" or "the activity following requirements specification and before programming, as ... [in] a stylized software engineering process."

Software development is the process of conceiving, specifying, designing, programming, documenting, testing, and bug fixing involved in creating and maintaining applications, frameworks, or other software components. Software development is a process of writing and maintaining the source code, but in a broader sense, it includes all that is involved between the conception of the desired software through to the final manifestation of the software, sometimes in a planned and structured process. Therefore, software development may include research, new development, prototyping, modification, reuse, re-engineering, maintenance, or any other activities that result in software products.

An always evolving but largely consistent set of common security flaws are seen across different applications, see common flaws.



Different techniques will find different subsets of the security vulnerabilities lurking in an application and are most effective at different times in the software lifecycle. They each represent different tradeoffs of time, effort, cost and vulnerabilities found.

Threat modeling is a process by which potential threats, such as structural vulnerabilities can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view. The purpose of threat modeling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like “Where are the high-value assets?”, “Where am I most vulnerable to attack?”, “What are the most relevant threats?”, and “Is there an attack vector that might go unnoticed?”.

A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by a large numbers of organizations, including Mozilla, Facebook, Yahoo!, Google, Reddit, Square, and Microsoft. Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs. The Pentagon’s use of bug bounty programs is part of a posture shift that has seen several US Government Agencies reverse course from threatening white hat hackers with legal recourse to inviting them to participate as part of a comprehensive vulnerability disclosure framework or policy.

Utilizing these techniques appropriately throughout the software development life cycle (SDLC) to maximize security is the role of an application security team.

Application threats / attacks

According to the patterns & practices Improving Web Application Security book, the following are classes of common application security threats / attacks:

CategoryThreats / Attacks
Input Validation Buffer overflow; cross-site scripting; SQL injection; canonicalization
Software Tampering Attacker modifies an existing application's runtime behavior to perform unauthorized actions; exploited via binary patching, code substitution, or code extension
Authentication Network eavesdropping; Brute force attack; dictionary attacks; cookie replay; credential theft
Authorization Elevation of privilege; disclosure of confidential data; data tampering; luring attacks
Configuration management Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts
Sensitive information Access sensitive code or data in storage; network eavesdropping; code/data tampering
Session management Session hijacking; session replay; man in the middle
Cryptography Poor key generation or key management; weak or custom encryption
Parameter manipulationQuery string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
Exception managementInformation disclosure; denial of service
Auditing and loggingUser denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks

The OWASP community publishes a list of the top 10 vulnerabilities for web applications and outlines best security practices for organizations and while aiming to create open standards for the industry. [1] [ promotional source? ] As of 2017, the organization lists the top application security threats as: [2]

CategoryThreats / Attacks
InjectionSQL injection; NoSQL; OS Command; Object-relational mapping; LDAP injection
Broken authentication Credential stuffing; brute force attacks; weak passwords
Sensitive data exposureWeak cryptography; un-enforced encryption
XML external entities XML external entity attack
Broken access controlCORS misconfiguration; force browsing; elevation of privilege
Security misconfigurationUnpatched flaws; failure to set security values in settings; out of date or vulnerable software
Cross-site scripting (XSS)Reflected XSS; Stored XSS; DOM XSS
Insecure deserializationObject and data structure is modified; data tampering
Using components with known vulnerabilitiesOut of date software; failure to scan for vulnerabilities; failure to fix underlying platform frameworks; failure to updated or upgraded library compatibility
Insufficient logging & monitoringFailure to log auditable events; failure to generate clear log messages: inappropriate alerts; failure to detect or alert for active attacks in or near real-time

Mobile application security

The proportion of mobile devices providing open platform functionality is expected to continue to increase in future. The openness of these platforms offers significant opportunities to all parts of the mobile eco-system by delivering the ability for flexible program and service delivery= options that may be installed, removed or refreshed multiple times in line with the user's needs and requirements. However, with openness comes responsibility and unrestricted access to mobile resources and APIs by applications of unknown or untrusted origin could result in damage to the user, the device, the network or all of these, if not managed by suitable security architectures and network precautions. Application security is provided in some form on most open OS mobile devices (Symbian OS, [3] Microsoft, [ citation needed ] BREW, etc.). In 2017, Google expanded their Vulnerability Reward Program to cover vulnerabilities found in applications developed by third parties and made available through the Google Play Store. [4] Industry groups have also created recommendations including the GSM Association and Open Mobile Terminal Platform (OMTP). [5]

There are several strategies to enhance mobile application security including:

Security testing for applications

Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle. With the growth of Continuous delivery and DevOps as popular software development and deployment models, [6] [ promotional source? ] continuous security models are becoming more popular. [7] [ promotional source? ] [8] [ promotional source? ]

Vulnerability scanners, and more specifically web application scanners, otherwise known as penetration testing tools (i.e. ethical hacking tools) have been historically used by security organizations within corporations and security consultants to automate the security testing of http request/responses; however, this is not a substitute for the need for actual source code review. Physical code reviews of an application's source code can be accomplished manually or in an automated fashion. Given the common size of individual programs (often 500,000 lines of code or more), the human brain cannot execute a comprehensive data flow analysis needed in order to completely check all circuitous paths of an application program to find vulnerability points. The human brain is suited more for filtering, interrupting and reporting the outputs of automated source code analysis tools available commercially versus trying to trace every possible path through a compiled code base to find the root cause level vulnerabilities.

There are many kinds of automated tools for identifying vulnerabilities in applications. Some require a great deal of security expertise to use and others are designed for fully automated use. The results are dependent on the types of information (source, binary, HTTP traffic, configuration, libraries, connections) provided to the tool, the quality of the analysis, and the scope of vulnerabilities covered. Common technologies used for identifying application vulnerabilities include:

Static Application Security Testing (SAST) is a technology that is frequently used as a Source Code Analysis tool. The method analyzes source code for security vulnerabilities prior to the launch of an application and is used to strengthen code. This method produces fewer false positives but for most implementations requires access to an application's source code [9] and requires expert configuration and lots of processing power. [10] [ promotional source? ]

Dynamic Application Security Testing (DAST) is a technology, which is able to find visible vulnerabilities by feeding a URL into an automated scanner. This method is highly scalable, easily integrated and quick. DAST's drawbacks lie in the need for expert configuration and the high possibility of false positives and negatives. [9]

Interactive Application Security Testing (IAST) is a solution that assesses applications from within using software instrumentation. This technique allows IAST to combine the strengths of both SAST and DAST methods as well as providing access to code, HTTP traffic, library information, backend connections and configuration information. [11] Some IAST products require the application to be attacked, while others can be used during normal quality assurance testing. [12] [ promotional source? ] [13] [ promotional source? ]

Security protection for applications

The advances in professional Malware targeted at the Internet customers of online organizations have seen a change in Web application design requirements since 2007. It is generally assumed that a sizable percentage of Internet users will be compromised through malware and that any data coming from their infected host may be tainted. Therefore, application security has begun to manifest more advanced anti-fraud and heuristic detection systems in the back-office, rather than within the client-side or Web server code. [14] [ promotional source? ] As of 2016, runtime application self-protection (RASP) technologies have been developed. [9] [15] RASP is a technology deployed within or alongside the application runtime environment that instruments an application and enables detection and prevention of attacks. [16] [17]

Coordinated vulnerability disclosure

The CERT Coordination Center describes Coordinated Vulnerability Disclosure (CVD) as a “process for reducing adversary advantage while an information security vulnerability is being mitigated.” [18] CVD is an iterative, multi-phase process that involves multiple stakeholders (users, vendors, security researchers) who may have different priorities and who must work together to resolve the vulnerability. Because CVD processes involve multiple stakeholders, managing communication about the vulnerability and its resolution is critical to success.

From an operational perspective, many tools and processes can aid in CVD. These include email and web forms, bug tracking systems and Coordinated vulnerability platforms. [19]

Security standards and regulations

See also

Related Research Articles

In software testing, test automation is the use of software separate from the software being tested to control the execution of tests and the comparison of actual outcomes with predicted outcomes. Test automation can automate some repetitive but necessary tasks in a formalized testing process already in place, or perform additional testing that would be difficult to do manually. Test automation is critical for continuous delivery and continuous testing.

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, e.g., in a file format or protocol and distinguishes valid from invalid input. An effective fuzzer generates semi-valid inputs that are "valid enough" in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program and are "invalid enough" to expose corner cases that have not been properly dealt with.

The Open Web Application Security Project (OWASP) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.

Mobile app development is the act or process by which a mobile app is developed for mobile devices, such as personal digital assistants, enterprise digital assistants or mobile phones. These applications can be pre-installed on phones during manufacturing platforms, or delivered as web applications using server-side or client-side processing to provide an "application-like" experience within a Web browser. Application software developers also must consider a long array of screen sizes, hardware specifications, and configurations because of intense competition in mobile software and changes within each of the platforms. Mobile app development has been steadily growing, in revenues and jobs created. A 2013 analyst report estimates there are 529,000 direct app economy jobs within the EU 28 members, 60% of which are mobile app developers.

A Dynamic Application Security Testing (DAST) tool is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. Unlike Static Application Security Testing tools, DAST tools do not have access to the source code and therefore detect vulnerabilities by actually performing attacks.

ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filtering capabilities along with other security features across a number of different platforms including Apache HTTP Server, Microsoft IIS and NGINX. It is a free software released under the Apache license 2.0.

Parasoft is an independent software vendor specializing in automated software testing and application security with headquarters in Monrovia, California. It was founded in 1987 by four graduates of the California Institute of Technology who planned to commercialize the parallel computing software tools they had been working on for the Caltech Cosmic Cube, which was the first working hypercube computer built.

Web application security is a branch of information security that deals specifically with security of websites, web applications and web services. At a high level, web application security draws on the principles of application security but applies them specifically to internet and web systems.

Opa (programming language) programming language

Opa is an open-source programming language for developing scalable web applications.

IBM Security AppScan, previously known as IBM Rational AppScan, is a family of web security testing and monitoring tools from the Rational Software division of IBM. AppScan is intended to test Web applications for security vulnerabilities during the development process, when it is least expensive to fix such problems. The product learns the behavior of each application, whether an off-the-shelf application or internally developed, and develops a program intended to test all of its functions for both common and application-specific vulnerabilities.

Burp Suite graphical tool for testing Web application security

Burp or Burp Suite is a graphical tool for testing Web application security. The tool is written in Java and developed by PortSwigger Web Security.

A web application firewall filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.

OWASP ZAP is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.

RIPS is a static code analysis software for the automated detection of security vulnerabilities in PHP and Java applications. The initial tool was written by Johannes Dahse and released during the Month of PHP Security in May 2010 as open-source software. The open-source version is released under the Lesser GNU General Public License and was maintained until 2013.

Code Dx refers to both a software company and its flagship product, a vulnerability management system that combines and correlates the results generated by a wide variety of static and dynamic testing tools.

sqlmap is an open source software that is used to detect and exploit database vulnerabilities and provides options for injecting malicious codes into them.

Runtime application self-protection (RASP) is a security technology that uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software. The technology differs from perimeter-based protections such as firewalls, that can only detect and block attacks by using network information without contextual awareness. RASP technology is said to improve the security of software by monitoring its inputs, and blocking those that could allow attacks, while protecting the runtime environment from unwanted changes and tampering. RASP-protected applications rely less on external devices like firewalls to provide runtime security protection. When a threat is detected RASP can prevent exploitation and possibly take other actions, including terminating a user's session, shutting the application down, alerting security personnel and sending a warning to the user. RASP aims to close the gap left by application security testing and network perimeter controls, neither of which have enough insight into real-time data and event flows to either prevent vulnerabilities slipping through the review process or block new threats that were unforeseen during development.


  1. "What is OWASP, and Why it Matters for AppSec". Contrast Security. 23 February 2017. Retrieved 10 April 2018.
  2. "OWASP Top 10 - 2017" (PDF). OWASP. 2017. Retrieved 10 April 2018.
  3. "Platform Security Concepts", Simon Higginson.
  4. "Google launched a new bug bounty program to root out vulnerabilities in third-party apps on Google Play". The Verge. 22 October 2017. Retrieved 15 June 2018.
  5. "Application Security Framework". Archived from the original on March 29, 2009., Open Mobile Terminal Platform
  6. "DevOps Survey Results: Why Enterprises Are Embracing Continuous Delivery=01 December 2017". cloud bees. Retrieved 26 June 2018.
  7. "Continuous Security in a DevOps World=5 July 2016". RMLL Conference 2016. Retrieved 4 July 2018.
  8. "Tapping Hackers for Continuous Security=31 March 2017". HackerOne. Retrieved 4 July 2018.
  9. 1 2 3 "Interactive Application Security Testing : Things to Know". TATA Cyber Security Community. June 9, 2016.
  10. Williams, Jeff (22 September 2015). "Why It's Insane to Trust Static Analysis". DARKReading. Retrieved 10 April 2018.
  11. Williams, Jeff (2 July 2015). "I Understand SAST and DAST But What is an IAST and Why Does it Matter?". Contrast Security. Retrieved 10 April 2018.
  12. Abezgauz, Irene (February 17, 2014). "Introduction to Interactive Application Security Testing". Quotium.
  13. Rohr, Matthias (November 26, 2015). "IAST: A New Approach For Agile Security Testing". Secodis.
  14. "Continuing Business with Malware Infected Customers". Gunter Ollmann. October 2008.
  15. "What is IAST? Interactive Application Security Testing". Veracode.
  16. "IT Glossary: Runtime Application Self-Protection". Gartner.
  17. Feiman, Joseph (June 2012). "Security Think Tank: RASP - A Must-Have Security Technology". Computer Weekly.
  18. "The CERT Guide to Coordinated Vulnerability Disclosure". Software Engineering Institute, Carnegie Mellon University. August 2017. Retrieved 20 June 2018.
  19. "The CERT Guide to Coordinated Vulnerability Disclosure". Software Engineering Institute, Carnegie Mellon University. August 2017. Retrieved 20 June 2018.