Application security is critical. In this blog, we look at application security, discuss the STRIDE method, and go over the the top vulnerabilities as listed by OWASP. At the end of the article, we discuss how to ensure your infrastructure protected from future vulnerabilities.
But first, what is application security?
Application security is the process of making applications secure. This typically involves following security best practices, as well as addingsecurity features to software.
Maintaining application security is critical. Any breach can compromise your customers’ sensitive information, damage your organization’s reputation, jeopardize regulatory compliance, and result in massive fines.
To help ensure your applications meet the level of security your organization requires, you need to understand the:
Get an Overview of Application Security Best PracticesWant to learn the basics of good application security? This webinar features in-depth discussion on the basics of application security.
Want to learn the basics of good application security? This webinar features in-depth discussion on the basics of application security.
Threat modeling is the process for identifying and prioritizing potential threats to your application, from an attacker’s perspective. To complete this step, you will need to ask questions such as:
STRIDE threat modeling is a popular approach that stands for:
After categorizing all potential threats, it is important to assess all risks, based on:
This exercise will determine which threats are the most urgent to address.
One of the most common mnemonic frameworks for risk assessment is DREAD, which stands for:
When you use the DREAD framework, you rank each characteristic on a scale of 1-10 or 1-5, depending on your preference. Keep in mind that the scale is subjective and will differ from one organization to another. The five rankings are added up for a final score to determine severity.
In addition to using the STRIDE and DREAD frameworks to understand and assess your risks, it is also helpful to use guidelines from the Open Web Application Security Project Foundation (OWASP).
The Open Web Application Security Project Foundation, or OWASP, is a non-profit organization aimed at spreading awareness of software security across the globe.
In 2017, OWASP shared the OWASP Top 10 list of the most common and critical security risks seen in web applications today. It is a good idea to review the list to ensure you are aware of potential threats and recommendations for prevent them.
Each threat is ranked for applications’ threat agents, exploitability, prevalence, detectability, technical impact, and business impact.
Injection flaws occur when hostile, untrusted data is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands or accessing data without proper authorization.
Often found in SQL, LDAP, and XPathqueries, injection is highly prevalent, exploitable, and detectable. You can detect these flaws by examining code, so be sure to regularly scan your code.
Broken authentication occurs when functions related to authentication and session management are implemented incorrectly, allowing attackers to compromise passwords or keys. Attackers can also exploit authentication and session-management errors to assume a user’s identity, temporarily or permanently.
The exploitability and technical impacts of broken authentication are high, with moderate prevalence and detectability. An easy way to help prevent broken authentication is by using multi-factor authentication and avoiding the use of vulnerable passwords.
Many web applications and APIs fail to properly protect sensitive data, including financial, healthcare, and other personal information. When proper security measures are not in place, attackers can access, steal, and modify data to conduct fraud, identity theft, or other crimes.
Encrypting data both at rest and in transit, and salting passwords, can help combat this risk.
External entities (XXE) refer to the attackers actively seeking access to sensitive data. They look for vulnerabilities to exploit, including older or poorly-configured XML files that can be hacked to access internal ports and file shares — and enable remote code execution and denial-of-service attacks. Although the impact of any breach is significant, IT teams can detect the activities of external attackers using tools such as SAST and DAST, which inspect dependencies and configurations.
Broken access control means a failure to enforce restrictions on authenticated users, including what actions they are allowed to take and which systems and data they are allowed to access. Attackers take advantage of these flaws to access users’ accounts, view sensitive files, change access rights, and modify data. The impact of broken access control can range from moderate to severe, especially if an attacker gains administrative privileges and proceeds to access, create, update, and delete business records. Manual testing can help to detect broken access control.
Security misconfiguration includes insecure default configurations, incomplete or ad-hoc configurations, unprotected cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Such errors can occur at any level of your application stack, including operating systems, frameworks, libraries, and applications. And these types of errors can compromise your entire system. Security misconfiguration is extremely prevalent, detectable, and exploitable. Search engines and automated scanners can pick up these misconfigurations.
Also referred to as XSS, cross-site scripting flaws occur when an application includes untrusted data in a new web page without proper validation or escaping. When this happens, attackers can execute scripts in the victim’s browser, hijack a user session, deface a website, or redirect users to malicious sites. Many applications and web servers do a good job mitigating XSS, so these types of errors are less prevalent and highly detectable.
Insecure deserialization often leads to remote code execution, and can be used to perform replay attacks, injection attacks, and privilege escalation attacks. While it’s harder to exploit and isn’t as common as other types of security issues, insecure deserialization is also harder to detect — and the technical impact can be serious. Some tools have been developed to discover deserialization flaws, but human assistance is often needed for validation.
One of the biggest security issues today comes from people running components with known, unpatched vulnerabilities. Components — such as video players — have the same privileges as their applications. So running them when they have an open vulnerability opens your applications and APIs to attacks.
This is the most prevalent security issue because it is often difficult for IT teams to keep track of the internal frameworks and required updates for all systems across an organization. Prevention requires knowing what components are used across your organization and when they have updates, so you can install patches as soon as they are available.
The average time it takes for a company to discover a data breach is over 200 days. That’s because many organizations lack effective monitoring and logging solutions that flag potential risks. In addition, many IT teams lack effective processes for investigating potential issues, which prolongs the time to detection. The longer a breach is left undiscovered, the more time hackers have to pivot to other systems — and tamper and destroy data.
This issue is highly prevalent, and the technical impact varies considerably. However, you can reduce time to detection by improving your monitoring and penetration testing to ensure your logs contain the right amount of detail to detect a breach.
To reduce the risk of security threats, you can also take the following steps:
The Enterprise Architects at OpenLogic can help your team to discover existing security flaws in your infrastructure, and help safeguard your organization from vulnerabilities like those mentioned above. Talk with an exper today to see how OpenLogic can help.
TALK TO AN EXPERT
Looking for additional information? Be sure to watch the Application Security Basics webinar facilitated by John Saboe, an open source software Enterprise Architect at OpenLogic by Perforce. In it, he reviews security risks and explains how to use the OWASP Top 10 threat model to improve your organization’s IT security.