Application security

From Wikipedia, the free encyclopedia

Jump to navigationJump to search

Part of a series onInformation security

Related security categories

• Automotive security
• Cybercrime 
  • Cybersex trafficking
  • Computer fraud
• Cybergeddon
• Cyberterrorism
• Cyberwarfare
• Electronic warfare
• Information warfare
• Internet security
• Mobile security
• Network security
• Copy protection
• Digital rights management

Threats

• Adware
• Advanced persistent threat
• Arbitrary code execution
• Backdoors
• Hardware backdoors
• Code injection
• Crimeware
• Cross-site scripting
• Cryptojacking malware
• Botnets
• Data breach
• Drive-by download
• browser helper objects
• Computer crime
• Viruses
• Data scraping
• Denial of service
• Eavesdropping
• Email fraud
• Email spoofing
• Exploits
• Keyloggers
• Logic bombs
• Time bombs
• Fork bombs
• Zip bombs
• Fraudulent dialers
• Malware
• Payload
• Phishing
• Polymorphic engine
• Privilege escalation
• Ransomware
• Rootkits
• Bootkits
• Scareware
• Shellcode
• Spamming
• Social engineering (security)
• Screen scraping
• Spyware
• Software bugs
• Trojan horses
• Hardware Trojans
• Remote access trojans
• Vulnerability
• Web shells
• Wiper
• Worms
• SQL injection
• Rogue security software
• Zombie

Defenses

• Application security 
  • Secure coding
  • Secure by default
  • Secure by design 
    • Misuse case
• Computer access control 
  • Authentication 
    • Multi-factor authentication
  • Authorization
• Computer security software 
  • Antivirus software
  • Security-focused operating system
• Data-centric security
• Code obfuscation
• Encryption
• Firewall
• Intrusion detection system 
  • Host-based intrusion detection system (HIDS)
  • Anomaly detection
• Security information and event management
• Mobile secure gateway
• Runtime application self-protection

• v
• t
• e

Application security (short AppSec) includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance.[1]

Contents

• 1Approaches
• 2Web application security
  • 2.1Security threats
• 3Tooling for Security Testing
• 4Security standards and regulations
• 5See also
• 6References

Approaches[edit]

Different approaches will find different subsets of the security vulnerabilities lurking in an application and are most effective at different times in the software lifecycle. They each represent different tradeoffs of time, effort, cost and vulnerabilities found.

• Design review. Before code is written the application's architecture and design can be reviewed for security problems. A common technique in this phase is the creation of a threat model.
• Whitebox security review, or code review. This is a security engineer deeply understanding the application through manually reviewing the source code and noticing security flaws. Through comprehension of the application vulnerabilities unique to the application can be found.
• Blackbox security audit. This is only through use of an application testing it for security vulnerabilities, no source code required.
• Automated Tooling. Many security tools can automated through inclusion into the development or testing environment. Examples of those are automated DAST/SAST tools that are integrated into code editor or CI/CD platforms.
• Coordinated vulnerability platforms. These are hacker-powered application security solutions offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs.

Web application security[edit]

Web application security is a branch of information security that deals specifically with security of websites, web applications and web services. At a high level, web application security draws on the principles of application security but applies them specifically to internet and web systems.[2][3]

Web Application Security Tools are specialized tools for working with HTTP traffic, e.g., Web application firewalls.

Security threats[edit]

The Open Web Application Security Project (OWASP) provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2017 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations. From this data, approximately 2.3 million vulnerabilities were discovered across over 50,000 applications.[4] According to the OWASP Top 10 - 2017, the ten most critical web application security risks include:[5]

1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring

Tooling for Security Testing[edit]

Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire Software Development Life Cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner.

There are many kinds of automated tools for identifying vulnerabilities in applications. Common tool categories used for identifying application vulnerabilities include:

• Static Application Security Testing (SAST) analyzes source code for security vulnerabilities during an application's development. Compared to DAST, SAST can be utilized even before the application is in an executable state. As SAST has access to the full source-code it is a white-box approach. This can yield more detailed results but can result in many false-positives that need to be manually verified.
• Dynamic Application Security Testing (DAST, often called Vulnerability scanners) automatically detects vulnerabilities by crawling and analyzing web sites. This method is highly scalable, easily integrated and quick. DAST tools are well suited for dealing with low-level attacks such as injection flaws but are not well suited to detect high-level flaws, e.g., logic or business-logic flaws.[6] Fuzzing,[7] tools are commonly used for input testing.
• Interactive Application Security Testing (IAST) assesses applications from within using software instrumentation. This combines the strengths of both SAST and DAST methods as well as providing access to code, HTTP traffic, library information, backend connections and configuration information.[8] [9] Some IAST products require the application to be attacked, while others can be used during normal quality assurance testing.[10][promotional source?][11][promotional source?]
• Runtime application self-protection augment existing applications to provide intrusion detection and prevention from within an application runtime.
• Dependency scanners (also called Software Composition Analysis) try to detect usage of software components with known vulnerabilities. These tools can either work on-demand, e.g., during the source code build process, or periodically.