Application security

Last updated November 25, 2024

Application security (short AppSec) includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance.^[1]

Web application security is a branch of information security that deals specifically with the security of websites, web applications, and web services. At a high level, web application security draws on the principles of application security but applies them specifically to the internet and web systems.^[2]^[3] The application security also concentrates on mobile apps and their security which includes iOS and Android Applications

Web Application Security Tools are specialized tools for working with HTTP traffic, e.g., Web application firewalls.

Approaches

Different approaches will find different subsets of the security vulnerabilities lurking in an application and are most effective at different times in the software lifecycle. They each represent different tradeoffs of time, effort, cost and vulnerabilities found.

Design review. Before code is written the application's architecture and design can be reviewed for security problems. A common technique in this phase is the creation of a threat model.
Whitebox security review, or code review. This is a security engineer deeply understanding the application through manually reviewing the source code and noticing security flaws. Through comprehension of the application, vulnerabilities unique to the application can be found.
Blackbox security audit. This is only through the use of an application testing it for security vulnerabilities, no source code is required.
Automated Tooling. Many security tools can be automated through inclusion into the development or testing environment. Examples of those are automated DAST/SAST tools that are integrated into code editor or CI/CD platforms.
Coordinated vulnerability platforms. These are hacker-powered application security solutions offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs.

Security threats

The Open Worldwide Application Security Project (OWASP) provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2017 results from recent research based on comprehensive data compiled from over 40 partner organizations. This data revealed approximately 2.3 million vulnerabilities across over 50,000 applications.^[4] According to the OWASP Top 10 - 2021, the ten most critical web application security risks include:^[5]

Broken access control
Cryptographic failures
Injection
Insecure design
Security misconfiguration
Vulnerable and outdated components
Identification and authentification failures
Software and data integrity failures
Security logging and monitoring failures*
Server-side request forgery (SSRF)*

Security controls

The OWASP Top 10 Proactive Controls 2024 is a list of security techniques every software architect and developer should know and heed.

The current list contains:

Implement access control
Use cryptography the proper way
Validate all input & handle exceptions
Address security from the start
Secure by default configurations
Keep your components secure
Implement digital identity
Use browser security features
Implement security logging and monitoring
Stop server-side request forgery

Tooling for security testing

Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner.

There are many kinds of automated tools for identifying vulnerabilities in applications. Common tool categories used for identifying application vulnerabilities include:

Static application security testing (SAST) analyzes source code for security vulnerabilities during an application's development. Compared to DAST, SAST can be utilized even before the application is in an executable state. As SAST has access to the full source code it is a white-box approach. This can yield more detailed results but can result in many false positives that need to be manually verified.
Dynamic application security testing (DAST, often called vulnerability scanners) automatically detects vulnerabilities by crawling and analyzing websites. This method is highly scalable, easily integrated and quick. DAST tools are well suited for dealing with low-level attacks such as injection flaws but are not well suited to detect high-level flaws, e.g., logic or business logic flaws.^[6] Fuzzing tools are commonly used for input testing.^[7]
Interactive application security testing (IAST) assesses applications from within using software instrumentation. This combines the strengths of both SAST and DAST methods as well as providing access to code, HTTP traffic, library information, backend connections and configuration information.^[8]^[9] Some IAST products require the application to be attacked, while others can be used during normal quality assurance testing.^[10]^{[ promotional source? ]}^[11]^{[ promotional source? ]}
Runtime application self-protection augments existing applications to provide intrusion detection and prevention from within an application runtime.
Dependency scanners (also called software composition analysis) try to detect the usage of software components with known vulnerabilities. These tools can either work on-demand, e.g., during the source code build process, or periodically.

Security standards and regulations

CERT Secure Coding standard
ISO/IEC 27034-1:2011 Information technology — Security techniques — Application security -- Part 1: Overview and concepts
ISO/IEC TR 24772:2013 Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use
NIST Special Publication 800-53
OWASP ASVS: Web Application Security Verification Standard^[12]

Related Research Articles

In computer science, static program analysis is the analysis of computer programs performed without executing them, in contrast with dynamic program analysis, which is performed on programs during their execution in the integrated environment.

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

A penetration test, colloquially known as a pentest, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

In programming and software development, fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, e.g., in a file format or protocol and distinguishes valid from invalid input. An effective fuzzer generates semi-valid inputs that are "valid enough" in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program and are "invalid enough" to expose corner cases that have not been properly dealt with.

The Open Worldwide Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security. The OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.

Software assurance (SwA) is a critical process in software development that ensures the reliability, safety, and security of software products. It involves a variety of activities, including requirements analysis, design reviews, code inspections, testing, and formal verification. One crucial component of software assurance is secure coding practices, which follow industry-accepted standards and best practices, such as those outlined by the Software Engineering Institute (SEI) in their CERT Secure Coding Standards (SCS).

<span class="mw-page-title-main">Metasploit</span> Computer security testing tool

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company, Rapid7.

Security testing is a process intended to detect flaws in the security mechanisms of an information system and as such help enable it to protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing the security testing process is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

Software security assurance is a process that helps design and implement software that protects the data and resources contained in and controlled by that software. Software is itself a resource and thus must be afforded appropriate security.

Dynamic application security testing (DAST) represents a non-functional testing process to identify security weaknesses and vulnerabilities in an application. This testing process can be carried out either manually or by using automated tools. Manual assessment of an application involves human intervention to identify the security flaws which might slip from an automated tool. Usually business logic errors, race condition checks, and certain zero-day vulnerabilities can only be identified using manual assessments.

DevOps is a methodology in the software development and IT industry. Used as a set of practices and tools, DevOps integrates and automates the work of software development (Dev) and IT operations (Ops) as a means for improving and shortening the systems development life cycle. DevOps is complementary to agile software development; several DevOps aspects came from the agile way of working.

w3af Open-source web application security scanner

w3af is an open-source web application security scanner. The project provides a vulnerability scanner and exploitation tool for Web applications. It provides information about security vulnerabilities for use in penetration testing engagements. The scanner offers a graphical user interface and a command-line interface.

Opa is a programming language for developing scalable web applications. It is free and open-source software released under a GNU Affero General Public License (AGPLv3), and an MIT License.

A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration. Most of the major financial institutions utilize WAFs to help in the mitigation of web application 'zero-day' vulnerabilities, as well as hard to patch bugs or weaknesses through custom attack signature strings.

<span class="mw-page-title-main">ZAP (software)</span> Open-source web application security scanner

ZAP is a dynamic application security testing tool published under the Apache License. When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including HTTPS encrypted traffic. It can also run in a daemon mode which is then controlled via a REST-based API.

Code Dx, Inc. was an American software technology company active from 2015 to 2021. The company's flagship product, Code Dx, is a vulnerability management system that combines and correlates the results generated by a wide variety of static and dynamic testing tools. In 2021, the company was acquired by Synopsys.

Runtime application self-protection (RASP) is a security technology that uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software. The technology differs from perimeter-based protections such as firewalls, that can only detect and block attacks by using network information without contextual awareness. RASP technology is said to improve the security of software by monitoring its inputs, and blocking those that could allow attacks, while protecting the runtime environment from unwanted changes and tampering. RASP-protected applications rely less on external devices like firewalls to provide runtime security protection. When a threat is detected RASP can prevent exploitation and possibly take other actions, including terminating a user's session, shutting the application down, alerting security personnel and sending a warning to the user. RASP aims to close the gap left by application security testing and network perimeter controls, neither of which have enough insight into real-time data and event flows to either prevent vulnerabilities slipping through the review process or block new threats that were unforeseen during development.

Static application security testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities. Although the process of statically analyzing the source code has existed as long as computers have existed, the technique spread to security in the late 90s and the first public discussion of SQL injection in 1998 when Web applications integrated new technologies like JavaScript and Flash.

Interactive application security testing is a security testing method that detects software vulnerabilities by interaction with the program coupled with observation and sensors. The tool was launched by several application security companies. It is distinct from static application security testing, which does not interact with the program, and dynamic application security testing, which considers the program as a black box. It may be considered a mix of both.

Burp Suite is a proprietary software tool for security assessment and penetration testing of web applications. It was initially developed in 2003-2006 by Dafydd Stuttard to automate his own security testing needs, after realizing the capabilities of automatable web tools like Selenium. Stuttard created the company PortSwigger to flagship Burp Suite's development. A community, professional, and enterprise version of this product are available.

References

↑ Happe, Andreas (3 June 2021). "What is AppSec anyways?". snikt.net.
↑ "Web Application Security Overview". 2015-10-23.
↑ Shuaibu, Bala Musa; Norwawi, Norita Md; Selamat, Mohd Hasan; Al-Alwani, Abdulkareem (2013-01-17). "Systematic review of web application security development model". Artificial Intelligence Review. 43 (2): 259–276. doi:10.1007/s10462-012-9375-6. ISSN 0269-2821. S2CID 15221613.
↑ Korolov, Maria (Apr 27, 2017). "Latest OWASP Top 10 looks at APIs, web apps: The new OWASP Top 10 list is out, and while most of it remains the same, there are new additions focusing on web applications and APIs". CSO. ProQuest 1892694046.
↑ "OWASP Top 10 - 2021: The Ten Most Critical Web Application Security Risks". Open Web Application Security Project. 2021. Retrieved January 11, 2022.
↑ "Web Application Vulnerability Scanners". NIST.
↑ "Fuzzing". OWASP.
↑ Williams, Jeff (2 July 2015). "I Understand SAST and DAST But What is an IAST and Why Does it Matter?". Contrast Security. Retrieved 10 April 2018.
↑ Velasco, Roberto (7 May 2020). "What is IAST? All About Interactive Application Security Testing". Hdiv Security. Retrieved 7 May 2020.
↑ Abezgauz, Irene (February 17, 2014). "Introduction to Interactive Application Security Testing". Quotium. Archived from the original on April 3, 2018. Retrieved January 25, 2018.
↑ Rohr, Matthias (November 26, 2015). "IAST: A New Approach For Agile Security Testing". Secodis.
↑ "OWASP Application Security Verification Standard".

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Happe, Andreas (3 June 2021). "What is AppSec anyways?". snikt.net.

[2] "Web Application Security Overview". 2015-10-23.

[3] Shuaibu, Bala Musa; Norwawi, Norita Md; Selamat, Mohd Hasan; Al-Alwani, Abdulkareem (2013-01-17). "Systematic review of web application security development model". Artificial Intelligence Review. 43 (2): 259–276. doi:10.1007/s10462-012-9375-6. ISSN 0269-2821. S2CID 15221613.

[4] Korolov, Maria (Apr 27, 2017). "Latest OWASP Top 10 looks at APIs, web apps: The new OWASP Top 10 list is out, and while most of it remains the same, there are new additions focusing on web applications and APIs". CSO. ProQuest 1892694046.

[5] "OWASP Top 10 - 2021: The Ten Most Critical Web Application Security Risks". Open Web Application Security Project. 2021. Retrieved January 11, 2022.

[6] "Web Application Vulnerability Scanners". NIST.

[7] "Fuzzing". OWASP.

[8] Williams, Jeff (2 July 2015). "I Understand SAST and DAST But What is an IAST and Why Does it Matter?". Contrast Security. Retrieved 10 April 2018.

[9] Velasco, Roberto (7 May 2020). "What is IAST? All About Interactive Application Security Testing". Hdiv Security. Retrieved 7 May 2020.

[10] Abezgauz, Irene (February 17, 2014). "Introduction to Interactive Application Security Testing". Quotium. Archived from the original on April 3, 2018. Retrieved January 25, 2018.

[11] Rohr, Matthias (November 26, 2015). "IAST: A New Approach For Agile Security Testing". Secodis.

[12] "OWASP Application Security Verification Standard".

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

v t e Information security
Related security categories	Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electromagnetic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management	vectorial version
Threats	Adware Advanced persistent threat Arbitrary code execution Backdoors Bombs Fork Logic Time Zip Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking Botnets Data breach Drive-by download Browser Helper Objects Viruses Data scraping Denial-of-service attack Eavesdropping Email fraud Email spoofing Exploits Fraudulent dialers Hacktivism Infostealer Insecure direct object reference Keystroke loggers Malware Payload Phishing Voice Polymorphic engine Privilege escalation Ransomware Rootkits Scareware Shellcode Spamming Social engineering Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses	Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Obfuscation (software) Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Information security management Information risk management Security information and event management (SIEM) Runtime application self-protection Site isolation