Application security

Last updated

Application security (short AppSec) includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance. [1]

Contents

Web application security is a branch of information security that deals specifically with the security of websites, web applications, and web services. At a high level, web application security draws on the principles of application security but applies them specifically to the internet and web systems. [2] [3] The application security also concentrates on mobile apps and their security which includes iOS and Android Applications

Web Application Security Tools are specialized tools for working with HTTP traffic, e.g., Web application firewalls.

Approaches

Different approaches will find different subsets of the security vulnerabilities lurking in an application and are most effective at different times in the software lifecycle. They each represent different tradeoffs of time, effort, cost and vulnerabilities found.

Security threats

The Open Web Application Security Project (OWASP) provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2017 results from recent research based on comprehensive data compiled from over 40 partner organizations. This data revealed approximately 2.3 million vulnerabilities across over 50,000 applications. [4] According to the OWASP Top 10 - 2021, the ten most critical web application security risks include: [5]

  1. Broken access control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentification Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures*
  10. Server-Side Request Forgery (SSRF)*

Tooling for security testing

Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire Software Development Life Cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner.

There are many kinds of automated tools for identifying vulnerabilities in applications. Common tool categories used for identifying application vulnerabilities include:

Resin is a new tool for improving application security and reducing vulnerabilities. It allows developers to specify rules about how data should flow through an application to prevent security issues. This is done using policy objects to define the rules, data tracking to monitor the data flow, and filter objects to check the rules at specific points in the data flow. [12]

Security standards and regulations

See also

Related Research Articles

In computer science, static program analysis is the analysis of computer programs performed without executing them, in contrast with dynamic program analysis, which is performed on programs during their execution.

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

Web development is the work involved in developing a website for the Internet or an intranet. Web development can range from developing a simple single static page of plain text to complex web applications, electronic businesses, and social network services. A more comprehensive list of tasks to which Web development commonly refers, may include Web engineering, Web design, Web content development, client liaison, client-side/server-side scripting, Web server and network security configuration, and e-commerce development.

Code injection is the exploitation of a computer bug that is caused by processing invalid data. The injection is used by an attacker to introduce code into a vulnerable computer program and change the course of execution. The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate.

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.

A penetration test, colloquially known as a pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

The Open Worldwide Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security. The OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.

Software assurance (SwA) is a critical process in software development that ensures the reliability, safety, and security of software products. It involves a variety of activities, including requirements analysis, design reviews, code inspections, testing, and formal verification. One crucial component of software assurance is secure coding practices, which follow industry-accepted standards and best practices, such as those outlined by the Software Engineering Institute (SEI) in their CERT Secure Coding Standards (SCS).

<span class="mw-page-title-main">Metasploit</span> Computer security testing tool

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7.

Security testing is a process intended to detect flaws in the security mechanisms of an information system and as such help enable it to protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing the security testing process is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

A dynamic application security testing (DAST) is a non functional testing process where one can assess an application using certain techniques and the end result of such testing process covers security weaknesses and vulnerabilities present in an application. This testing process can be carried out either in manual way or by using automated tools. Manual assessment of an application involves a more human intervention to identify the security flaws which might slip from an automated tool. Usually business logic errors, race condition checks, and certain zero day vulnerabilities can only be identified using manual assessments.

HCL AppScan is a family of desktop and web security testing and monitoring tools, formerly a part of the Rational Software division of IBM. In July 2019, the product was acquired by HCLTech and is currently marketed under HCLSoftware, a product development division of HCLTech.

A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration. They can introduce a performance degradation without proper configuration and tuning from Cyber Security specialist. However, most of the major financial institutions utilize WAFs to help in the mitigation of web application 'zero-day' vulnerabilities, as well as hard to patch bugs or weaknesses through custom attack signature strings.

Approov (formerly CriticalBlue) is a Scottish software company based in Edinburgh that is primarily active in two areas of technology: anti-botnet and automated threat prevention for mobile businesses, and software optimization tools and services for Android and Linux platforms.

ZAP, formerly known as OWASP ZAP, is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.

Code Dx, Inc. was an American software technology company active from 2015 to 2021. The company's flagship product, Code Dx, is a vulnerability management system that combines and correlates the results generated by a wide variety of static and dynamic testing tools. In 2021, the company was acquired by Synopsys.

Static application security testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities. Although the process of statically analyzing the source code has existed as long as computers have existed, the technique spread to security in the late 90s and the first public discussion of SQL injection in 1998 when Web applications integrated new technologies like JavaScript and Flash.

Checkmarx is an enterprise application security company headquartered in Atlanta, Georgia in the United States. Founded in 2006, the company provides application security testing (AST) solutions that embed security into every phase of the software development lifecycle (SDLC), an approach to software testing known as "shift everywhere."

Interactive application security testing is a security testing method that detects software vulnerabilities by interaction with the program coupled with observation and sensors. The tool was launched by several application security companies. It is distinct from static application security testing, which does not interact with the program, and dynamic application security testing, which considers the program as a black box. It may be considered a mix of both.

References

  1. Happe, Andreas (3 June 2021). "What is AppSec anyways?". snikt.net.
  2. "Web Application Security Overview". 2015-10-23.
  3. Shuaibu, Bala Musa; Norwawi, Norita Md; Selamat, Mohd Hasan; Al-Alwani, Abdulkareem (2013-01-17). "Systematic review of web application security development model". Artificial Intelligence Review. 43 (2): 259–276. doi:10.1007/s10462-012-9375-6. ISSN   0269-2821. S2CID   15221613.
  4. Korolov, Maria (Apr 27, 2017). "Latest OWASP Top 10 looks at APIs, web apps: The new OWASP Top 10 list is out, and while most of it remains the same, there are new additions focusing on web applications and APIs". CSO. ProQuest   1892694046.
  5. "OWASP Top 10 - 2021: The Ten Most Critical Web Application Security Risks". Open Web Application Security Project. 2021. Retrieved January 11, 2022.
  6. "Web Application Vulnerability Scanners". NIST.
  7. "Fuzzing". OWASP.
  8. Williams, Jeff (2 July 2015). "I Understand SAST and DAST But What is an IAST and Why Does it Matter?". Contrast Security. Retrieved 10 April 2018.
  9. Velasco, Roberto (7 May 2020). "What is IAST? All About Interactive Application Security Testing". Hdiv Security. Retrieved 7 May 2020.
  10. Abezgauz, Irene (February 17, 2014). "Introduction to Interactive Application Security Testing". Quotium. Archived from the original on April 3, 2018. Retrieved January 25, 2018.
  11. Rohr, Matthias (November 26, 2015). "IAST: A New Approach For Agile Security Testing". Secodis.
  12. Yip, Alexander; Wang, Xi; Zeldovich, Nickolai; Kaashoek, M. Frans (2009-10-11). "Improving application security with data flow assertions". Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles. SOSP '09. New York, NY, USA: Association for Computing Machinery. pp. 291–304. doi:10.1145/1629575.1629604. hdl: 1721.1/67015 . ISBN   978-1-60558-752-3. S2CID   7189495.
  13. "OWASP Application Security Verification Standard".


This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.