Application security
Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.
Applications only control the use of resources granted to them, and not which resources are granted to them. They, in turn, determine the use of these resources by users of the application through application security.
The Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC) publish updates on the latest threats that impair web-based applications. This helps developers, security testers and architects focus on better design and mitigation strategies. The OWASP Top 10 has become an industry norm for assessing web applications.
Methodology
According to the patterns & practices Improving Web Application Security book, a principle-based approach for application security includes:
- Knowing your threats.
- Securing the network, host and application.
- Incorporating security into your software development process.
Note that this approach is technology / platform independent. It is focused on principles, patterns, and practices.
Threats, Attacks, Vulnerabilities, and Countermeasures
According to the patterns & practices Improving Web Application Security book, the following terms are relevant to application security:
- Asset. A resource of value such as the data in a database or on the file system, or a system resource.
- Threat. A negative effect.
- Vulnerability. A weakness that makes a threat possible.
- Attack (or exploit). An action taken to harm an asset.
- Countermeasure. A safeguard that addresses a threat and mitigates risk.
Application Threats / Attacks
According to the patterns & practices Improving Web Application Security book, the following are classes of common application security threats / attacks:

| Category | Threats / Attacks |
|---|---|
| Input validation | Buffer overflow; cross-site scripting; SQL injection; canonicalization |
| Authentication | Network eavesdropping; brute force attack; dictionary attacks; cookie replay; credential theft |
| Authorization | Elevation of privilege; disclosure of confidential data; data tampering; luring attacks |
| Configuration management | Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts |
| Sensitive information | Access sensitive data in storage; network eavesdropping; data tampering |
| Session management | Session hijacking; session replay; man in the middle |
| Cryptography | Poor key generation or key management; weak or custom encryption |
| Parameter manipulation | Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation |
| Exception management | Information disclosure; denial of service |
| Auditing and logging | User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks |
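The following added example (written for this page, not taken from the book or from any project it names) ties the terms defined above to the Input validation row of the table. The asset is a users table, the threat is disclosure of its contents, the vulnerability is a query assembled by string formatting, the attack is a tautology supplied in the name field, and the countermeasure is a bound parameter. It also shows a canonicalization check for user-supplied file paths and output encoding against cross-site scripting. The table contents, the base directory name and the probe inputs are all constructed for the demonstration.

```python
"""Input-validation controls for three threats in the table above: SQL
injection (parameterised queries), canonicalisation (path traversal) and
cross-site scripting (output encoding). Added example; the sample data,
directory name and probe inputs are constructed."""
import html
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the untrusted value is pasted into the SQL text, so the
    # database parses attacker-controlled input as part of the statement.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the value travels as a bound parameter and is never parsed
    # as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def resolve_under(base_dir: str, requested: str) -> str:
    """Canonicalise a user-supplied relative path and confirm it stays
    under base_dir. Raises ValueError for any path that escapes base_dir
    after normalisation ('..' segments, absolute paths, symlinks)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath avoids the '/data' vs '/data2' prefix pitfall that a plain
    # startswith() check would have.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base_dir!r}: {requested!r}")
    return candidate


def render_greeting(display_name: str) -> str:
    # Output encoding: HTML metacharacters in untrusted data are escaped so
    # the browser treats them as text, not markup.
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # constructed probe input
    print(find_user_vulnerable(db, tautology))  # both rows: the filter was defeated
    print(find_user_safe(db, tautology))        # []: no user has that literal name
    print(resolve_under("/srv/app/uploads", "reports/q1.pdf"))
    try:
        resolve_under("/srv/app/uploads", "../../etc/passwd")
    except ValueError as exc:
        print("rejected:", exc)
    print(render_greeting("<script>alert(1)</script>"))
```

The three controls are deliberately independent: a bound parameter protects the query regardless of what the value contains, the path check compares canonical forms rather than the raw string, and escaping happens at output time in the HTML context rather than at input time, so the same stored value can later be emitted safely into other contexts with the encoder appropriate to each.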
Mobile application security
The proportion of mobile devices providing open platform functionality is expected to continue to increase. The openness of these platforms offers significant opportunities to all parts of the mobile eco-system by delivering flexible program and service delivery options that may be installed, removed or refreshed multiple times in line with the user's needs and requirements. However, with openness comes responsibility: unrestricted access to mobile resources and APIs by applications of unknown or untrusted origin could result in damage to the user, the device, the network or all of these if not managed by suitable security architectures and network precautions. Application security is provided in some form on most open OS mobile devices (Symbian OS, Microsoft, BREW, etc.). Industry groups have also created recommendations, including the GSM Association and the Open Mobile Terminal Platform (OMTP).
Security testing for applications
Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle.
Vulnerability scanners, and more specifically web application scanners, otherwise known as penetration testing tools (i.e. ethical hacking tools), have historically been used by security organizations within corporations and by security consultants to automate the security testing of HTTP requests and responses; however, this is not a substitute for actual source code review. Reviews of an application's source code can be performed manually or in an automated fashion. Given the common size of individual programs (often 500,000 lines of code or more), a human reviewer cannot carry out the comprehensive data-flow analysis needed to check every circuitous path through an application and find its vulnerability points. Humans are better suited to filtering, interpreting and reporting the output of commercially available automated source code analysis tools than to tracing every possible path through a compiled code base to find root-cause vulnerabilities.
The two types of automated tools associated with application vulnerability detection (application vulnerability scanners) are penetration testing tools (often categorized as black box testing tools) and static code analysis tools (often categorized as white box testing tools). Tools in the black box testing arena include IBM Rational AppScan, the HP Application Security Center suite of applications (through the acquisition of SPI Dynamics), and Nikto (open source). Tools in the static code analysis arena include Veracode, Pre-Emptive Solutions, and Parasoft.
Banking and large e-commerce corporations have been the early adopter customer profile for these types of tools. It is commonly held within these firms that both black box and white box testing tools are needed in the pursuit of application security. Typically, black box testing tools (penetration testing tools) are ethical hacking tools used to attack the application surface to expose vulnerabilities that lie within the source code. Penetration testing tools are executed against the already deployed application. White box testing tools (source code analysis tools) are used by either the application security groups or the application development groups. Typically introduced into a company through the application security organization, the white box tools complement the black box tools in that they give specific visibility into the root vulnerabilities within the source code before that code is deployed. Vulnerabilities identified with white box and black box testing are typically classified according to the OWASP taxonomy for software coding errors. White box testing vendors have recently introduced dynamic versions of their source code analysis methods, which operate on deployed applications. Given that the white box tools now have dynamic versions similar to the black box tools, findings from both can be correlated in the same software error detection paradigm, giving the client company fuller application protection.
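As an added illustration of what a white box (static code analysis) tool does, and of why the testing discussion above insists on data-flow analysis, the following toy checker parses Python source without running it and reports cursor.execute()-style calls that are fed a string assembled at run time. It is example code written for this page, not any vendor's product. The reviewed source is constructed; its last function carries the same defect as the others but builds the query one statement earlier, which a purely syntactic check cannot see.

```python
"""Toy white-box check in the spirit of static code analysis tools. It
parses Python source without executing it and flags DB-API execute-style
calls whose SQL text is assembled at run time by string formatting.
Added example, not any vendor's product; the analysed source is constructed."""
import ast

# Constructed source under review: lookup4 is the only safe variant, and
# lookup6 has the same flaw as lookup3 but assembles the query one
# statement earlier, outside the reach of this syntactic check.
SAMPLE_SOURCE = '''
def lookup(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")

def lookup2(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % name)

def lookup3(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")

def lookup4(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))

def lookup5(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '{}'".format(name))

def lookup6(conn, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(query)
'''

# Method names treated as SQL sinks (DB-API 2.0 cursor methods).
SINK_NAMES = {"execute", "executemany", "executescript"}


def is_dynamic_string(node):
    """True when the expression builds a string at run time from parts."""
    if isinstance(node, ast.JoinedStr):                       # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...{}".format(x)
    return False


def find_dynamic_sql(source):
    """Return (function name, line) for every sink call whose first
    argument is a dynamically built string.

    Purely syntactic: a query assembled in an earlier statement and passed
    by name is not followed, which is exactly the data-flow gap that
    production tools have to close."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for node in ast.walk(fn):
            if (isinstance(node, ast.Call) and node.args
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr in SINK_NAMES
                    and is_dynamic_string(node.args[0])):
                findings.append((fn.name, node.lineno))
    return findings


if __name__ == "__main__":
    for name, line in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: {name}() passes a dynamically built query to execute()")
```

Run as a script, the checker reports lookup, lookup2, lookup3 and lookup5 and stays silent on lookup4 (bound parameter) and lookup6 (the false negative). Tracking the `query` variable from its assignment to the sink is the data-flow step that separates a pattern match like this from a real static analysis tool.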
Advances in professional malware targeted at the Internet customers of online organizations have changed Web application design requirements since 2007. It is generally assumed that a sizable percentage of Internet users will be compromised through malware and that any data coming from their infected hosts may be tainted. Therefore application security has begun to incorporate more advanced anti-fraud and heuristic detection systems in the back office, rather than within the client-side or Web server code.
Security standards and regulations
- Sarbanes-Oxley Act (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)
- IEEE P1074
- ISO/IEC 7064:2003 Information technology -- Security techniques -- Check character systems
- ISO/IEC 9796-2:2002 Information technology -- Security techniques -- Digital signature schemes giving message recovery -- Part 2: Integer factorization based mechanisms
- ISO/IEC 9796-3:2006 Information technology -- Security techniques -- Digital signature schemes giving message recovery -- Part 3: Discrete logarithm based mechanisms
- ISO/IEC 9797-1:1999 Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 1: Mechanisms using a block cipher
- ISO/IEC 9797-2:2002 Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 2: Mechanisms using a dedicated hash-function
- ISO/IEC 9798-1:1997 Information technology -- Security techniques -- Entity authentication -- Part 1: General
- ISO/IEC 9798-2:1999 Information technology -- Security techniques -- Entity authentication -- Part 2: Mechanisms using symmetric encipherment algorithms
- ISO/IEC 9798-3:1998 Information technology -- Security techniques -- Entity authentication -- Part 3: Mechanisms using digital signature techniques
- ISO/IEC 9798-4:1999 Information technology -- Security techniques -- Entity authentication -- Part 4: Mechanisms using a cryptographic check function
- ISO/IEC 9798-5:2004 Information technology -- Security techniques -- Entity authentication -- Part 5: Mechanisms using zero-knowledge techniques
- ISO/IEC 9798-6:2005 Information technology -- Security techniques -- Entity authentication -- Part 6: Mechanisms using manual data transfer
- ISO/IEC 14888-1:1998 Information technology -- Security techniques -- Digital signatures with appendix -- Part 1: General
- ISO/IEC 14888-2:1999 Information technology -- Security techniques -- Digital signatures with appendix -- Part 2: Identity-based mechanisms
- ISO/IEC 14888-3:2006 Information technology -- Security techniques -- Digital signatures with appendix -- Part 3: Discrete logarithm based mechanisms
- ISO/IEC 17799:2005 Information technology -- Security techniques -- Code of practice for information security management
- ISO/IEC 24762:2008 Information technology -- Security techniques -- Guidelines for information and communications technology disaster recovery services
- ISO/IEC 27006:2007 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
- Gramm-Leach-Bliley Act
- PCI Data Security Standard (PCI DSS)
See also
- Countermeasure
- Data security
- Database security
- Information security
- Trustworthy Computing Security Development Lifecycle
- Web application
- Web application framework
- XACML
- HERAS-AF
External links
- Open Web Application Security Project
- The Web Application Security Consortium
- The Microsoft Security Development Lifecycle (SDL)
- patterns & practices Security Guidance for Applications
- QuietMove Web Application Security Testing Plug-in Collection for FireFox
- Advantages of an integrated security solution for HTML and XML
- Security Solutions
- patterns & practices Application Security Methodology
- Understanding the Windows Mobile Security Model, Windows Mobile Security
- Network Security Testing