Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use. It is also the means of ensuring the confidentiality, integrity, and availability of information. If we examine cybersecurity systematically, it is made up of more than one component, and all of these elements are of great importance in today's world. Application Security (or AppSec) is one of the most important components of cybersecurity, providing data security within the application and preventing unauthorized users from accessing it.
Application Security focuses on protecting applications and protocols by identifying application functionality and usage methods, data flow in the application, business logic, access controls and authorization flaws. An important aspect of Application Security is to follow the Secure Application Development Guidelines set in the development phase of the application. For example, developers need to use secure application development methods to ensure that custom business applications are not vulnerable to common application attacks, such as SQL Injection (SQLi), Cross-Site Scripting (XSS), etc.
AppSec is one of the most important parts of the System Development Life Cycle (SDLC) process. Regardless of the SDLC or DevOps methodology you are using, security plays a role in every phase of the process. For example, when a project is in the design phase, you have to do threat modeling. In the development phase, you can use IDE plugins to review the code in real time and give developers feedback on best practices and their code quality.
In the QA/Testing phase, security testing should be part of the test scenarios, and Dynamic and Static Application Security Testing (DAST and SAST) should be performed as early in the process as possible. During User Acceptance Testing (UAT), further automated scanning of the web application, API and cloud infrastructure is a must. Before releasing an application to production, a Penetration Test (PenTest) should be performed to test your application's security from the perspective of an attacker.
However, we often see that AppSec activities are postponed until the very end of the project, after the application is released. If the security weaknesses in your application are discovered at the very end, after the product is already released, fixing these issues can be very costly. It is always more expensive to "bolt on" security after the fact than to incorporate AppSec into your process from the earliest phases. In the worst-case scenario, a lack of AppSec in your DevOps process can result in an incident where your customer data is exposed.
To prevent this situation, AppSec activities need to be formalized, and project teams should be given the education and resources they need to make sure security is baked into your application and into every phase of the DevOps process.
The following diagram shows the Secure web application development phases:
Secure Web Application Development Phases
Applications typically consist of links between data and the user. They allow complex operations to be simplified by using workflows to empower the user to accomplish a task more efficiently. Nowadays, applications are encountered in many different categories, such as:
- Social networks
- Banking, trading and investing
- Collaboration (email, project management, document management, etc.)
- Video conferencing, online events, and more
An application must be designed and developed according to the sensitivity of the data it processes. If the data is classified as public, it can be accessed without user authentication. According to the importance and sensitivity of the data processed by the application, suitable authentication, authorization, and protection of data at rest and in transit should be implemented. To ensure the security of the software and the related sensitive data, an assessment must be performed at each stage of the SDLC. This assessment provides the opportunity to develop the software more securely by identifying potential threats early.
In the diagram below you can see the security challenges for a typical application:
Security Challenges for a Typical Application
Day by day, application security is reaching the level of importance it deserves. Let's examine the history of application security by looking at notable events over time:
In the 70s and 80s, code security and application security were not perceived as a risk. At the time, most computer risks were about insider threats such as physical security, theft, and access to confidential documents. Before computer use, encryption and decryption of messages were the most important problems.
In 1971, a researcher named Bob Thomas wrote a computer program called The Creeper that jumped between network nodes and left the message "I AM THE CREATOR: GET ME IF YOU CAN" on each of the machines. After Creeper spread to ARPANET, Ray Tomlinson wrote the program that erased The Creeper message and named it “The Reaper”.
In the early 2000s, ways to protect against web attacks started to be found and implemented. The Open Web Application Security Project (OWASP) was established in 2001 and has played a significant role in advancing awareness, tools, and standards in application security.
OWASP is a non-profit community organization with a purpose to make the Web and all data belonging to users more secure. It is independent of the technologies used in the application and does not specifically provide any support for any technology. It covers PHP equally as well as ASP.NET or Python. The OWASP community continues to grow with the contribution of the security community.
The OWASP Top 10 is one of the most well-known OWASP projects and is a standard framework for evaluating the security risks of applications. The OWASP Top 10 covers the 10 most critical application security risks, with accompanying standards and tools on how to test, remediate and educate the community, such as the OWASP Web Security Testing Guide (WSTG), the Mobile Security Testing Guide (MSTG), the Cheat Sheet series, and many more. Together with tools such as OWASP ZAP (Zed Attack Proxy), security practitioners can use OWASP guidance to test for and identify security weaknesses, both server-based vulnerabilities and application-based vulnerabilities. Some of the weaknesses known as application vulnerabilities are Cross-Site Scripting (XSS), SQL Injection (SQLi) and Insecure Direct Object References (IDOR).
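Two earlier points meet in the IDOR entry above: the rule that access to a record must be decided by the data's classification and the caller's identity, not merely by knowing the record's identifier, and the note that public data may be served without authentication while sensitive data needs authentication and authorization. The following added example (not code from the original post or from OWASP) shows a lookup that returns any document whose id is supplied next to one that enforces an object-level authorization check. The document store, the `public` / `internal` / `confidential` classifications, the users and the `get_document*` function names are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed classification levels, ordered from least to most sensitive.
PUBLIC, INTERNAL, CONFIDENTIAL = "public", "internal", "confidential"


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    classification: str
    body: str


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool = True


# Constructed sample records: two owners, three sensitivity levels.
DOCUMENTS = {
    1: Document(1, "alice", PUBLIC, "Press release"),
    2: Document(2, "alice", INTERNAL, "Staff handbook"),
    3: Document(3, "alice", CONFIDENTIAL, "Alice's bank statement"),
    4: Document(4, "bob", CONFIDENTIAL, "Bob's medical record"),
}

ANONYMOUS = User("anonymous", authenticated=False)


class AccessDenied(Exception):
    """Raised for both 'not found' and 'not allowed' so the response does not
    reveal whether a guessed identifier refers to a real record."""


def get_document_vulnerable(doc_id: int, user: User) -> Document:
    """IDOR: the identifier alone is treated as proof of entitlement.
    Any caller who supplies another user's id gets that user's record."""
    return DOCUMENTS[doc_id]


def is_allowed(doc: Document, user: User) -> bool:
    """Object-level authorization keyed on data classification:
    public  -> anyone, even unauthenticated
    internal -> any authenticated user
    confidential -> the record's owner only"""
    if doc.classification == PUBLIC:
        return True
    if not user.authenticated:
        return False
    if doc.classification == INTERNAL:
        return True
    return doc.owner == user.name


def can_read(doc_id: int, user: User) -> bool:
    """True only if the record exists and the caller is entitled to it."""
    doc = DOCUMENTS.get(doc_id)
    return doc is not None and is_allowed(doc, user)


def get_document(doc_id: int, user: User) -> Document:
    """Hardened lookup: the check happens on the server, for every request,
    regardless of what the client claims or how it obtained the id."""
    if not can_read(doc_id, user):
        raise AccessDenied(f"document {doc_id} is not available to {user.name}")
    return DOCUMENTS[doc_id]


if __name__ == "__main__":
    bob = User("bob")
    print(get_document(1, ANONYMOUS).body)          # public: served to anyone
    print(get_document(4, bob).body)                # confidential, own record
    print(get_document_vulnerable(3, bob).body)     # IDOR: Alice's statement leaks
    try:
        get_document(3, bob)                        # hardened: denied
    except AccessDenied as exc:
        print("denied:", exc)
```

The design choice worth noting is that the decision lives in one function (`is_allowed`) that every read path calls, so a new endpoint cannot forget the check; that is the property a SAST rule or a DAST scan of the API would be looking for in the testing phases described earlier.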
In the next few weeks, we will go into more detail about what OWASP is, OWASP Top 10 Web Application Security Risks, and other OWASP projects.