Application security explained

Application security (AppSec for short) includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle, from requirements analysis, design, implementation and verification through to maintenance.[1]

Web application security is a branch of information security that deals specifically with the security of websites, web applications, and web services. At a high level, web application security draws on the principles of application security but applies them specifically to the internet and web systems.[2][3] Application security also covers mobile apps, including iOS and Android applications.

Web application security tools are specialized tools for working with HTTP traffic, for example web application firewalls (WAFs).

Approaches

Different approaches will find different subsets of the security vulnerabilities lurking in an application and are most effective at different times in the software lifecycle. They each represent different tradeoffs of time, effort, cost and vulnerabilities found.

Security threats

The Open Web Application Security Project (OWASP) provides free and open resources. It is led by a non-profit called The OWASP Foundation. The 2017 edition of the OWASP Top 10 was based on data compiled from over 40 partner organizations, covering approximately 2.3 million vulnerabilities across more than 50,000 applications.[4] According to the OWASP Top 10 - 2021, the ten most critical web application security risks are:[5]

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures*
  10. Server-Side Request Forgery (SSRF)*

The two categories marked with an asterisk were added on the basis of the 2021 community survey rather than the collected vulnerability data.

Tooling for security testing

Security testing techniques search an application for vulnerabilities, the weaknesses that leave it open to exploitation. Ideally, security testing is implemented throughout the entire Software Development Life Cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner.

There are many kinds of automated tools for identifying vulnerabilities in applications. Common tool categories used for identifying application vulnerabilities include:

  1. Static application security testing (SAST), which analyses source code or binaries without running the application.
  2. Dynamic application security testing (DAST), which exercises the running application from the outside; web application vulnerability scanners[6] and fuzzing[7] belong to this category.
  3. Interactive application security testing (IAST), which instruments the running application and observes it while it is being tested, combining aspects of the two.[8][9][10][11]

Resin, a research system presented at SOSP 2009, takes a different approach to reducing vulnerabilities: it lets developers state rules about how data may flow through an application, so that a violation of the rule is caught even when the code path that would leak the data was never anticipated. This is done with policy objects that define the rules, data tracking that follows the data as it moves through the program, and filter objects that check the rules at specific points in the data flow, such as where data leaves the application.[12]
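The following Python is an added illustration of the three parts of that design (policy object, data tracking, filter object); it is not Resin's code and makes no claim about Resin's internals. The policy, the password value, the e-mail outbox and the two exit points are constructed for the example.

```python
class PolicyViolation(Exception):
    """Raised by a filter when data reaches a place its policy forbids."""


class Policy:
    """Policy object: states where a piece of data may flow.

    export_check() is called by filter objects with a description of the exit
    point (the context) and raises PolicyViolation to block the flow.
    """

    def export_check(self, context):
        raise NotImplementedError


class PasswordPolicy(Policy):
    """A user's password may leave the application only toward that user."""

    def __init__(self, owner):
        self.owner = owner

    def export_check(self, context):
        if context.get("recipient") != self.owner:
            raise PolicyViolation(
                f"password of {self.owner!r} would reach {context.get('recipient')!r} "
                f"via {context.get('channel')}"
            )


class Tainted(str):
    """Data tracking: a string that carries the policies of the data it came from.

    Only the operations overridden here propagate the policies; anything else
    (slicing, f-strings, str.join, ...) returns a plain str and silently drops
    them, which is why a real system does this tracking inside the language runtime.
    """

    def __new__(cls, value, policies=()):
        obj = super().__new__(cls, value)
        obj.policies = frozenset(policies)
        return obj

    def _derive(self, value, *others):
        merged = set(self.policies)
        for other in others:
            merged |= getattr(other, "policies", frozenset())
        return Tainted(value, merged)

    def __add__(self, other):
        return self._derive(str.__add__(self, other), other)

    def __radd__(self, other):
        return self._derive(str.__add__(other, self), other)

    def upper(self):
        return self._derive(str.upper(self))

    def replace(self, old, new, count=-1):
        return self._derive(str.replace(self, old, new, count), new)


def _enforce(data, context):
    """Run every policy attached to `data` against the exit-point context."""
    for policy in getattr(data, "policies", ()):
        policy.export_check(context)


OUTBOX = []  # constructed stand-in for an SMTP client


def send_email(recipient, body):
    """Filter object at the e-mail boundary."""
    _enforce(body, {"channel": "email", "recipient": recipient})
    OUTBOX.append((recipient, str(body)))
    return True


def render_page(viewer, html):
    """Filter object at the HTTP response boundary."""
    _enforce(html, {"channel": "http", "recipient": viewer})
    return str(html)


def violates(filter_fn, *args):
    """True if the filter refuses the flow."""
    try:
        filter_fn(*args)
    except PolicyViolation:
        return True
    return False


# Constructed data: alice's password, labelled at the point it enters the system.
ALICE_PW = Tainted("hunter2-s3cret", [PasswordPolicy("alice")])

if __name__ == "__main__":
    mail = "Your password is " + ALICE_PW                       # label survives concatenation
    print(send_email("alice", mail))                            # True: the owner may receive it
    print(violates(send_email, "bob", mail))                    # True: blocked at the filter
    print(violates(render_page, "bob", "<p>" + mail + "</p>"))  # True: blocked at the filter
    print(hasattr(f"pw: {ALICE_PW}", "policies"))               # False: f-string dropped the label
```

The point of the filter is that the code between the label and the exit point does not have to know about the rule at all; the final line also shows the weakness of doing the tracking with a library type rather than in the runtime, since an f-string rebuilds the value as a plain str and the label is lost.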

Security standards and regulations

The OWASP Application Security Verification Standard (ASVS) is a list of application security requirements that can be used both to define the controls an application must implement and to verify them during testing.[13]
Notes and References

  1. Andreas Happe, "What is AppSec anyways?", snikt.net, 3 June 2021.
  2. "Web Application Security Overview", 23 October 2015.
  3. Bala Musa Shuaibu, Norita Md Norwawi, Mohd Hasan Selamat and Abdulkareem Al-Alwani, "Systematic review of web application security development model", Artificial Intelligence Review 43(2), pp. 259–276, 17 January 2013. doi:10.1007/s10462-012-9375-6. ISSN 0269-2821. S2CID 15221613.
  4. Maria Korolov, "Latest OWASP Top 10 looks at APIs, web apps: The new OWASP Top 10 list is out, and while most of it remains the same, there are new additions focusing on web applications and APIs", CSO, 27 April 2017.
  5. "OWASP Top 10 - 2021: The Ten Most Critical Web Application Security Risks", Open Web Application Security Project, 2021. Retrieved 11 January 2022.
  6. "Web Application Vulnerability Scanners", NIST.
  7. "Fuzzing", OWASP.
  8. Jeff Williams, "I Understand SAST and DAST But What is an IAST and Why Does it Matter?", Contrast Security, 2 July 2015. Retrieved 10 April 2018.
  9. Roberto Velasco, "What is IAST? All About Interactive Application Security Testing", Hdiv Security, 7 May 2020. Retrieved 7 May 2020.
  10. Irene Abezgauz, "Introduction to Interactive Application Security Testing", Quotium, 17 February 2014. Retrieved 25 January 2018. Archived from the original on 3 April 2018: https://web.archive.org/web/20180403193750/http://www.quotium.com/resources/interactive-application-security-testing/
  11. Matthias Rohr, "IAST: A New Approach For Agile Security Testing", Secodis, 26 November 2015.
  12. Alexander Yip, Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek, "Improving application security with data flow assertions", Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles (SOSP '09), New York, NY, USA: Association for Computing Machinery, 11 October 2009, pp. 291–304. doi:10.1145/1629575.1629604. ISBN 978-1-60558-752-3. hdl:1721.1/67015. S2CID 7189495. https://doi.org/10.1145/1629575.1629604
  13. "OWASP Application Security Verification Standard".