Application security includes measures taken to improve the security of an application, often by detecting, fixing and preventing security vulnerabilities. Different methods are used to find vulnerabilities at different stages of the application life cycle, such as design, development, deployment, upgrade and maintenance. In practice, programs accumulate defects and vulnerabilities of various kinds over time, which can cause significant harm to the software and the data it handles.
Terms
- Asset. A valuable resource, for example data in a database, money in an account, a file in a file system, or any other system resource.
- Vulnerability. A weakness in a program that a threat can use to gain unauthorized access to an asset.
- Attack. An action taken to harm an asset.
- Threat. Anything that could exploit a vulnerability to access, damage or destroy an asset.
Methods
Different methods find different classes of security vulnerabilities in an application, and each is most effective at particular stages of the software life cycle.
- White-box testing, or code review. A security engineer with deep knowledge of the application manually reads the source code and looks for security flaws. Because the reviewer understands how the application works, vulnerabilities unique to this software can be found.
- Black-box security testing. Vulnerabilities are found only by exercising the running application; the source code is not required.
- Design review. Threat modeling carried out before any code is written.
- Automated scanning. Many automated tools check for security flaws, often with a higher false-positive rate than manual review.
- Bug bounty. A program offered by many websites and software developers through which people can receive recognition and reward for finding vulnerabilities.
The proper use of these methods to ensure maximum security throughout the entire software development life cycle is the responsibility of the security team.
Threats to applications (attacks)
Based on the patterns and experience described in the book Improving Web Application Security, the following classes of common application security threats and attacks are distinguished:
| Category | Threats / Attacks |
|---|---|
| Input validation | Buffer overflow; cross-site scripting; SQL injection; canonicalization |
| Software tampering | An attacker modifies the behavior of an application to perform unauthorized actions by binary patching, code substitution or code extension |
| Authentication | Network eavesdropping; brute-force attack; dictionary attack; cookie replay; credential theft |
| Authorization | Privilege escalation; disclosure of confidential data; data tampering |
| Configuration management | Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear-text configuration data; over-privileged processes and service accounts |
| Sensitive information | Access to sensitive code or data in storage; network eavesdropping; code or data tampering |
| Session management | Session hijacking; session replay; man-in-the-middle attack |
| Cryptography | Poor key generation or poor key management; weak or custom encryption |
| Parameter manipulation | Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation |
| Exception management | Information disclosure; denial of service (DoS) |
| Auditing and logging | A user denies performing an operation; an attacker exploits an application without leaving a trace; an attacker covers their tracks |
The OWASP community publishes a list of the top 10 web application vulnerabilities and describes security best practices for organizations, in an effort to create open standards for the industry. [1] The main application security threats as of 2017 are: [2]
| Category | Threats / Attacks |
|---|---|
| Injection | SQL, NoSQL, OS command, Object Relational Mapping (ORM) and LDAP injection |
| Broken authentication | Credential attacks (database leaks / breaches); brute-force attack; weak passwords |
| Sensitive data exposure | Weak cryptography; lack of encryption |
| XML External Entities (XXE) | Attacks via external XML entities |
| Broken access control | Incorrect CORS configuration; forced browsing; privilege escalation |
| Security misconfiguration | Unpatched flaws; security settings left unset or at insecure defaults; outdated or vulnerable software |
| Cross-site scripting (XSS) | Reflected; stored (persistent); DOM-based |
| Insecure deserialization | Tampering with objects and data structures; data tampering |
| Using components with known vulnerabilities | Outdated software; unpatched vulnerabilities; inability to fix underlying frameworks |
| Insufficient logging and monitoring | Failure to log auditable events; inability to generate clear log messages; inadequate alerting; inability to detect or alert on active attacks in real time |
Mobile application security
The proportion of mobile devices that offer open-platform functionality is expected to keep growing. The openness of these platforms creates significant opportunities for every part of the mobile ecosystem, because programs and services can be provided flexibly, as options that can be installed, removed or updated many times according to the user's needs. However, openness also brings unrestricted access to mobile resources and APIs by applications of unknown or untrusted origin, which can harm the user, the device, the network, or all of them together if appropriate security architectures and network precautions are not in place. Application security is provided in one form or another on most mobile devices with an open OS (Symbian OS, [3] Microsoft, BREW, etc.). In 2017, Google expanded its vulnerability reward program to cover vulnerabilities discovered in third-party applications distributed through the Google Play Store. [4] Industry groups have also developed recommendations, including the GSM Association and the Open Mobile Terminal Platform (OMTP). [5]
There are several strategies to improve the security of mobile applications:
- Application whitelisting
- Transport layer security
- Strong authentication and authorization
- Encryption of data when written to memory
- Application sandboxing
- Granting application access on a per-API level
- Binding processes to a user ID
- Predefined interactions between the mobile application and the OS
- Requiring user confirmation before granting privileged / elevated access to an application
- Proper session handling
Application Security Testing
Security testing methods identify vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is carried out throughout the software development life cycle so that vulnerabilities can be addressed promptly and thoroughly. Unfortunately, testing is often done only at the end of the development cycle. With the growing popularity of DevOps and continuous delivery as software development and deployment models, [6] continuous security models are becoming increasingly popular. [7]
Vulnerability scanners and, more specifically, web application scanners, also known as penetration testing tools (ethical hacker tools), have historically been used by organizations and security consultants to automate security testing of HTTP requests and responses; however, this does not replace the need to actually review the source code. Review of the application source code can be performed manually or automatically. Given the size of individual programs (often 500,000 lines of code or more), a person cannot manually perform the comprehensive data-flow analysis needed to find all possible vulnerabilities. For this, automated source code analysis tools are used, followed by filtering and analysis of their results.
There are many kinds of automated tools for identifying vulnerabilities in applications. Some require extensive experience in conducting security reviews, while others are designed for fully automated use. The results depend on the types of information (source files, binaries, HTTP traffic, configurations, libraries, connections) provided to the analyzer, the quality of the analysis, and the vulnerabilities covered. Common technologies used to identify application vulnerabilities include:
Static Application Security Testing (SAST) is a technology often used as a source code analysis tool. The method analyzes the source code for vulnerabilities before the application is run. It produces fewer false positives, but most implementations require access to the application's source code, [8] expert configuration, and substantial computing power.
Dynamic Application Security Testing (DAST) is a technology that detects externally visible vulnerabilities when a URL is submitted to an automated scanner. This method is easy to scale, easy to integrate and fast. The disadvantages of DAST are the need for expert configuration and a high probability of false positives. [8]
Interactive Application Security Testing (IAST) is a solution that evaluates an application from the inside by instrumenting it. This lets IAST combine the advantages of SAST and DAST, and also gives it access to code, HTTP traffic, library information, internal connections, and configuration information. [9] Some IAST products require the application to be actively attacked, while others can be used during routine quality-assurance testing. [10] [11]
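A minimal illustration of the source code analysis described above, written for this page as an added example (it is not a tool from the page or from any vendor): it walks the Python AST of a constructed sample module and reports each database cursor call whose query text is assembled from run-time values, while ignoring queries built only from literals, which is the kind of result filtering a real SAST run depends on. The sample module, `SINK_NAMES` and `_is_dynamic_sql` are assumptions of the example.

```python
import ast

# Constructed sample module to analyse (not code from the page): one safe
# parameterised query, two queries built from the untrusted `name`, one literal-only.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))

def find_user_concat(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_fstring(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")

def active_users(cur):
    cur.execute("SELECT * FROM users " + "WHERE active = 1")
'''

SINK_NAMES = {"execute", "executemany"}  # DB-API cursor methods treated as sinks

def _is_dynamic_sql(node):
    """True when the query expression depends on run-time values."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp):  # "a" + b: dynamic if either side is
        return _is_dynamic_sql(node.left) or _is_dynamic_sql(node.right)
    if isinstance(node, ast.JoinedStr):  # f-string with interpolated values
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    return True  # names, .format() calls, etc.: conservatively flag

class _SinkVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings, self._func = [], "<module>"

    def visit_FunctionDef(self, node):  # track the enclosing function name
        outer, self._func = self._func, node.name
        self.generic_visit(node)
        self._func = outer

    def visit_Call(self, node):  # report sinks whose first argument is dynamic
        if (isinstance(node.func, ast.Attribute) and node.func.attr in SINK_NAMES
                and node.args and _is_dynamic_sql(node.args[0])):
            self.findings.append((node.lineno, self._func))
        self.generic_visit(node)

def find_dynamic_sql(source):
    """Return (line, enclosing function) for each sink fed a dynamic query."""
    visitor = _SinkVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings
# find_dynamic_sql(SAMPLE_SOURCE) -> [(6, "find_user_concat"), (9, "find_user_fstring")]
```

A query passed through a variable (`cur.execute(q)`) is still flagged, so a reviewer must triage those reports; that triage step is the manual part the text refers to.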
Application protection at runtime
The growth of malware aimed at attacking the customers of companies that do business online has driven a change in the requirements for web applications since 2007. It is assumed that a significant number of Internet users are compromised by malware, and therefore any data sent from infected machines may be malicious. For this reason, more advanced protection and attack-blocking systems are being deployed on the backend rather than on the client side or the web server. [12] As of 2016, runtime application self-protection (RASP) technologies were in widespread use. [8] [13] RASP is built into, or linked with, the application's runtime environment, which allows it to detect and prevent attacks. [14] [15]
Coordinated vulnerability disclosure
The CERT Coordination Center describes Coordinated Vulnerability Disclosure (CVD) as "the process of reducing the adversary's advantage while an information security vulnerability is being mitigated". [16] CVD is an iterative, multi-stage process involving several stakeholders (users, software vendors, security researchers) who must work together to fix vulnerabilities. Because multiple stakeholders are involved in CVD processes, communication management and vulnerability management are critical to success.
From an operational point of view, many tools and processes can help with CVD. These include bug tracking systems and Bug Bounty programs.
Security standards and requirements
- CERT coding standards
- CWE [17]
- Security Technical Implementation Guide (STIG)
- ISO/IEC 27034-1:2011 Information technology - Security techniques - Application security - Part 1: Overview and concepts
- ISO/IEC TR 24772:2013 Information technology - Programming languages - Guidance to avoiding vulnerabilities in programming languages through language selection and use
- NIST Special Publication 800-53
- OWASP
- PCI DSS Payment Card Industry Data Security Standard
See also
- Database security
- Information security
- Secure development life cycle
- Web application
- Web application framework
- CERT
References
- What is OWASP, and Why it Matters for AppSec. Contrast Security (February 23, 2017). Retrieved April 10, 2018.
- OWASP Top 10 - 2017. OWASP (2017). Retrieved April 10, 2018.
- "Platform Security Concepts", Simon Higginson.
- Google launched a new bug bounty program to root out vulnerabilities in third-party apps on Google Play. The Verge (October 22, 2017). Retrieved June 15, 2018.
- Application Security Framework. Open Mobile Terminal Platform. Archived March 29, 2009.
- DevOps Survey Results: Why Enterprises Are Embracing Continuous Delivery. CloudBees (December 1, 2017). Retrieved June 26, 2018.
- Tapping Hackers for Continuous Security. HackerOne (March 31, 2017). Retrieved July 4, 2018.
- Interactive Application Security Testing: Things to Know. TATA Cyber Security Community (June 9, 2016).
- Williams, Jeff. I Understand SAST and DAST But What is an IAST and Why Does it Matter? Contrast Security (July 2, 2015). Retrieved April 10, 2018.
- Abezgauz, Irene. Introduction to Interactive Application Security Testing. Quotium (February 17, 2014).
- Rohr, Matthias. IAST: A New Approach For Agile Security Testing. Secodis (November 26, 2015).
- Ollmann, Gunter. Continuing Business with Malware Infected Customers (October 2008).
- What is IAST? Interactive Application Security Testing. Veracode.
- IT Glossary: Runtime Application Self-Protection. Gartner.
- Feiman, Joseph. Security Think Tank: RASP - A Must-Have Security Technology. Computer Weekly (June 2012).
- The CERT Guide to Coordinated Vulnerability Disclosure. Software Engineering Institute, Carnegie Mellon University (August 2017). Retrieved June 20, 2018.
- Common Weakness Enumeration (CWE). Retrieved December 19, 2018.