Application Security Introduction
Everyone talks about application security, or AppSec, these days. AppSec can be a very daunting feat to take on which requires coordination between technical experts and teams throughout an organization in order to do efficiently (including some potential hiccups, of course).
Application security is the process of protecting applications from weaknesses throughout the application lifecycle. It is its own beast which requires continuous work and effort to assess your applications' threats (threat modeling), vulnerabilities (penetration testing and source code scanning) and overall application security risk posture.
This post will aim to cover the basics of the vast AppSec landscape and how they fit together. This is a massive undertaking on its own, so we will just cover some of the basic, common AppSec services that may be a priority for your organization to implement or focus on. Let’s get started.
AppSec at a Glance
First off, it is important to understand the type of applications supported and their corresponding teams within the organization. Some questions you should ask yourself include:
- Who oversees developing applications, and do they develop with security in mind?
- Who supports and patches the applications?
- Is there already ongoing security testing happening?
These are all critical questions which can help you get started with application security and prioritizing your security objectives. Don’t try to take on too much all at once as this will cause critical pillars of the program to be lacking. Start simple and build your way up.
Below is a list of various common AppSec services which is in no way a complete list. These are just the basics to help us get started by introducing some of the main pieces of an AppSec program.
1. Penetration Testing
One of the main goals of application security is to catch vulnerabilities in web or mobile applications before they are internally or publicly available and widespread. This is where penetration testing comes in, helping to discover vulnerabilities within these built applications.
Application penetration testing can help identify critical flaws in exposed applications which, in the wrong hands, can affect the confidentiality, integrity and availability of applications and their data. Penetration testing is the proactive approach to discover these flaws and provide recommendations in order to remediate them.
When penetration testing is built into an AppSec program, it becomes a key component of the secure Software Development Life Cycle (SDLC) by continuously testing and identifying security flaws in applications during development and on an ongoing basis. This helps catch glaring bugs or flaws in applications before they are published to production, which can also save money on additional patching and coding down the road.
OWASP provides the most popular frameworks for both web application and mobile penetration testing, which can be used to assess and remediate application vulnerabilities.
2. Source Code Scanning - SAST vs DAST
Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) are both very different forms of application security scanning. There is also Interactive Application Security Testing (IAST) which is a hybrid approach, but we'll just cover the first two for now.
SAST uses source code scanning tools and solutions to analyze application code in order to identify vulnerabilities. This is known as white box testing since the application source code is available to the tester. SAST solutions can easily be integrated into development environments to support all stages of a secure SDLC. This will greatly help assess the code while it’s being written to discover security issues before they are published.
SAST tools can precisely find coding issues and their exact location within the developer’s code, which makes it possible to provide concrete remediation guidance for any discovered issue. This greatly speeds up remediation later on by identifying and fixing the root causes of vulnerabilities during development.
DAST uses application scanning solutions in order to scan existing applications by analyzing HTTP requests and responses when interacting with the app in an automated process. This is known as black box testing as the tester does not have access to application source code and will also simulate parts of a penetration test by interacting with the app. DAST tools will crawl existing applications using HTTP requests and supplied data to discover application flaws that may be present.
DAST is limited when it comes to the SDLC since it can only assess running, compiled applications within QA or production environments. It also can’t detect design flaws, or non-reflective vulnerabilities whose effect does not show up in the HTTP response when the test input is sent, such as stored (non-reflected) Cross-Site Scripting.
A strong AppSec program utilizes a hybrid approach of both SAST and DAST to attempt discovery of flaws during the development process and scan existing applications for hidden vulnerabilities.
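To make the SAST side of the distinction concrete, here is an added example (not code from the original post) of a minimal SAST-style rule scanner: it reads application source text, applies a few pattern rules line by line, and reports the file, line number and offending snippet, which is the "exact location" property described above. The rule names, regexes and the sample application code are all constructed for illustration and are far simpler than a real SAST engine.

```python
import re
from dataclasses import dataclass

# Hypothetical rules: each pairs a finding name with a regex applied to one source line.
RULES = {
    "sql-string-concat": re.compile(r'execute\(\s*["\'].*["\']\s*\+'),
    "hardcoded-secret": re.compile(r'(?i)(password|api_key)\s*=\s*["\'][^"\']+["\']'),
    "dangerous-eval": re.compile(r'\beval\('),
}

@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    snippet: str

def scan_source(path: str, source: str) -> list[Finding]:
    """Apply every rule to every line; return findings with their exact location."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        stripped = text.strip()
        if stripped.startswith("#"):
            continue  # comments are skipped so they do not produce false positives
        for name, pattern in RULES.items():
            if pattern.search(text):
                findings.append(Finding(name, path, lineno, stripped))
    return findings

# Constructed sample application code containing three deliberate weaknesses.
SAMPLE_SOURCE = '''\
import sqlite3
API_KEY = "sk-constructed-example-value"   # hardcoded secret

def lookup(conn, user):
    cur = conn.cursor()
    # string concatenation into SQL
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    return cur.fetchall()

def calc(expr):
    return eval(expr)   # untrusted input reaches eval
'''

def report(path: str, source: str) -> list[str]:
    """Render findings as file:line: [rule] snippet, the way a SAST tool points developers at code."""
    return [f"{f.path}:{f.line}: [{f.rule}] {f.snippet}" for f in scan_source(path, source)]

if __name__ == "__main__":
    for entry in report("app.py", SAMPLE_SOURCE):
        print(entry)
```

A DAST tool, by contrast, would only ever see the HTTP responses produced by `lookup` and `calc`, never these line numbers.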
3. Threat Modeling
Threat modeling is the process of identifying threats, risks and their corresponding remediations for any asset that holds value. For example, a company may want to perform threat modeling on its online banking application since it is a high-value application containing critical customer data. If an attack and leak were to occur, the company could have its public reputation greatly impacted and be required to spend weeks or months investigating and patching the vulnerability, depending on its severity. Therefore, companies perform threat modeling – to figure out who their potential attackers are, what the threats or worries are, and what actions can be taken to resolve them.
Threat modeling can help build a more integrated and strengthened AppSec program to design and build applications more securely, identifying threats early on, managing and prioritizing business or application risks, and identifying different types of AppSec services and priorities that are required in order to build a stronger program. These all contribute to strengthening defense in depth across an organization's application security program.
Secure Development Integration with SDLC
Security should be integrated as early as possible within the SDLC process. This aims to minimize security gaps throughout the lifecycle so that problems are discovered as early in development as possible. This helps mitigate long-term risk exposure or potential data leaks and prevents additional coding for later patching and remediation.
It is much simpler and cheaper to patch issues throughout the development lifecycle instead of going back on a production application much later and attempting to fix issues for newer releases. As a result of secure SDLC, your applications will be tested thoroughly on each stage throughout the SDLC process which will minimize vulnerabilities and cost of additional maintenance or coding when they inevitably arise. This can include a combination of any or all of the above AppSec services mentioned as well as many other services that may be beneficial and suitable for your organization in order to securely develop, manage and monitor your applications.
Each organization is different and has its own needs and priorities in terms of security. Nothing is a “one size fits all” solution when it comes to AppSec. By using the services mentioned above, putting priority on the ones suitable for your organization, and utilizing additional tools or solutions, your company will have a much more well-rounded AppSec program supporting defense in depth which can mitigate risks wherever possible.