Application security is a catch-all term that encompasses any security measures deployed at the application level of an organisation's technology stack. Application security can have hardware, software and procedural components to prevent sensitive data or secret code from being stolen by cyber attackers.
Application security features, sometimes known as countermeasures, come in all shapes and sizes. An example of a hardware countermeasure could be a router that sits between the application server and the internet and prevents the server's IP address from becoming exposed online. Software countermeasures can include application firewalls that specify which installed programs are permitted to access files within the application.
Application security technologies are evolving rapidly to keep up with ongoing changes in how organisations deploy applications. In the past, software developers needed to secure their products completely before shipping to the customer, so security had to be incorporated into every step of the design process. Today, many applications are deployed in web-based or cloud environments and frequently accessed via the internet. This presents an entirely different set of vulnerabilities for application engineers and IT security analysts to deal with through application security.
How Application Security Works
Application security incorporates network security, content security and endpoint security to ensure that an application and its contents are safe from cyber-attacks. Today's applications must be continuously monitored to ensure their security status is adequately managed. This is especially true for applications that are accessed via the internet. Web-based content management systems, database tools and SaaS applications are attractive targets for cyber attackers for three reasons:
- They often contain sensitive data, including medical records or credit card information, which attackers steal by infiltrating the application and manipulating its code.
- The complexity of web-based applications today increases the probability that cyber attackers can find a vulnerability within the code.
- Attacks can be scripted, automated and delivered against many targets at once, especially with botnets.
To secure their web applications against cyberattacks, application security experts engage in a four-stage, iterative cycle of application security management.
Assess
Security analysts assess the current security posture of the application by discovering the servers hosting the application and related databases, testing the configuration to determine whether any vulnerabilities exist, evaluating the risks associated with the openness and examining how the data and applications are used. This assessment determines what types of security controls should be implemented to mitigate known vulnerabilities.
Set Policies and Controls
Once analysts have fully assessed the security of an application, the next step is to implement remedial policies to compensate for known vulnerabilities. New approaches and controls can include various countermeasures, including hardware or software implementations and authentication procedures.
Monitor and Enforce
Once new policies and controls have been deployed to help manage application security, security analysts must continually enforce the policies while monitoring usage of the application and database to ensure that the new controls are not negatively impacting users. If an organisation is working towards compliance with a published data standard, it needs to have a comprehensive audit process that can be used to verify data activity and integrity independently.
Measure
Security analysts measure the performance of their implemented security controls against defined KPIs to determine whether the implemented policies are adequately protecting the application. The measurement of application security also includes an analysis of security events to assess how the implemented countermeasures function in an actual or simulated cyber attack.
Why Application Security Is Important
According to Veracode’s State of Software Security Vol. 10 report, 83% of the 85,000 applications it tested had at least one security flaw. Many had far more: the research found a total of 10 million flaws, and 20% of all apps had at least one high-severity flaw. Not all of those flaws present a significant security risk, but the sheer number is troubling.
The earlier in the software development process you can find and fix security issues, the safer your enterprise will be. Because everyone makes mistakes, the challenge is to find those mistakes in a timely fashion. For example, a common coding error is accepting unverified input; if an attacker finds it, that mistake can turn into a SQL injection attack and then a data leak.
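The unverified-input error described above, as an added example that is not from the article: a query builder that splices caller input into SQL, beside the parameterised form that fixes it, run against a constructed in-memory table.

```python
# Added example (not from the article): the "unverified input" coding error
# shown as a vulnerable query builder beside its parameterised fix.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Defect: the caller's input is spliced straight into the SQL text, so input
    # containing quotes changes the query's meaning instead of being treated as data.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    # Fix: a bound parameter is always data; the driver never parses it as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # the textbook tautology input, for illustration
    print(find_user_vulnerable(db, crafted))  # every row comes back
    print(find_user_fixed(db, crafted))       # nothing: no user has that literal name
```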
Application security tools that integrate into your application development environment can make this process and workflow simpler and more effective. These tools are also helpful for compliance audits since they can save time and expense by catching problems before the auditors see them.
The rapid growth in the application security segment has been helped by the changing nature of how enterprise apps are being constructed in the last several years. Gone are the days where an IT shop would take months to refine requirements, build and test prototypes, and deliver a finished product to an end-user department. The idea almost seems quaint nowadays.
Instead, we have new working methods, called continuous deployment and integration, that refine an app daily, in some cases hourly. This means that security tools have to work in this ever-changing world and find issues with code quickly.
Gartner, in its report on the app security hype cycle (updated September 2018), said that IT managers “need to go beyond identifying common application development security errors and protecting against common attack techniques.” Gartner identifies more than a dozen different product categories and describes where each sits on its “hype cycle.”
Many of these categories are still emerging and employ relatively new products. This shows how quickly the market is evolving as threats become more complex, more challenging to find, and more potent in their potential damage to your networks, data, and corporate reputation.
Most Common Software Weaknesses
One way to keep aware of the software vulnerabilities that attackers are likely to exploit is MITRE's annual CWE Most Dangerous Software Weaknesses list. MITRE tracks CWEs (Common Weakness Enumeration), assigning each a number much as it does with its database of Common Vulnerabilities and Exposures (CVEs). Each weakness is rated depending on how frequently it is the root cause of a vulnerability and the severity of its exploitation.
Below are the top 10 CWEs in MITRE's 2020 CWE top 25 with scores:
- Cross-site scripting (46.82)
- Out-of-bounds write (46.17)
- Improper input validation (33.47)
- Out-of-bounds read (26.5)
- Improper restriction of operations within the bounds of a memory buffer (23.73)
- SQL injection (20.69)
- Exposure of sensitive information to an unauthorised actor (19.16)
- Use after free (18.87)
- Cross-site request forgery (CSRF) (17.29)
- OS command injection (16.44)
Application Security Tools
While there are numerous application security software product categories, the meat of the matter has to do with two: security testing tools and application shielding products. The former is a more mature market with dozens of well-known vendors. Some of them are lions of the software industry, such as IBM, CA and MicroFocus. These tools are mature enough that Gartner has ranked them in a Magic Quadrant and classified their importance and success. Review sites such as IT Central Station have been able to survey and rank these vendors, too.
Gartner categorises the security testing tools into several broad buckets, and they are somewhat helpful for how you decide what you need to protect your app portfolio:
- Static testing, which analyses code at fixed points during its development. This is useful for developers to check their code as they write it to ensure that security issues are not being introduced during development.
- Dynamic testing, which analyses running code. This is more useful as it can simulate attacks on production systems and reveal more complex attack patterns that use a combination of techniques.
- Interactive testing, which combines elements of both static and dynamic testing.
- Mobile testing, which is designed specifically for mobile environments and examines how an attacker could leverage the mobile OS and the apps running on it.
Another way to look at the testing tools is how they are delivered, either via an on-premises tool or via a SaaS-based subscription service where you submit your code for online analysis. Some even do both.
One caveat is the programming languages supported by each testing vendor. Some limit their tools to just one or two languages. Others are more involved in the Microsoft .Net universe. The same goes for integrated development environments (IDEs): some tools operate as plug-ins or extensions to these IDEs, so testing your code is as simple as clicking on a button.
Another issue is whether a tool works in isolation or can incorporate other testing results into its analysis. IBM’s is one of the few that can import findings from manual code reviews, penetration testing, vulnerability assessments and competitors’ tests. This can be helpful, particularly if you have multiple tools that you need to keep track of.
Let’s not forget about app shielding tools. The main objective of these tools is to harden the application so that attacks are more challenging to carry out. This is less charted territory. Here you’ll find a vast collection of smaller, point products that in many cases have limited history and customer bases. The goal of these products is to do more than just test for vulnerabilities: they actively prevent your apps from corruption or compromise. They encompass a few different broad categories:
- Runtime application self-protection (RASP): These tools could be considered a combination of testing and shielding. They provide a measure of protection against possible reverse-engineering attacks. RASP tools continuously monitor the behaviour of the app, which is particularly useful in mobile environments, where apps can be rewritten, run on a rooted phone or have their privileges abused to make them do nefarious things. RASP tools can send alerts, terminate errant processes, or terminate the app itself if it is found to be compromised.
RASP will likely become the default on many mobile development environments and built-in as part of other mobile app protection tools. Expect to see more alliances among software vendors that have solid RASP solutions.
- Code obfuscation: Hackers often use obfuscation methods to hide their malware, and new tools allow developers to help protect their code from being attacked.
- Encryption and anti-tampering tools: These are other methods that can be used to keep the bad guys from gaining insights into your code.
- Threat detection tools: These tools examine the environment or network where your apps are running and make an assessment about potential threats and misused trust relationships. Some tools can provide device “fingerprints” to determine whether a mobile phone has been rooted or otherwise compromised.
A network firewall is not technically an application-layer countermeasure, but it plays a vital role in stopping cyberattacks. A network firewall controls access to a local area network, protecting it from unauthorised access and controlling inbound and outbound communication with the internet.
Web Application Firewall
Application firewalls are positioned closer to the application than network firewalls. They are instrumental as countermeasures against several common types of security threats, including SQL injection attacks, cross-site scripting (XSS) attacks and Distributed Denial of Service (DDoS) attacks.
Encryption is a data security countermeasure that encrypts sensitive data at the application level to ensure that only authorised parties can read it. When encryption is implemented at the application layer, security analysts can ensure that sensitive data is protected before it moves to storage in a database or cloud environment.
Access controls are a procedural tool used by security experts to minimise the risk of unauthorised access to the sensitive data contained within an application. The basic premise of access control is to ensure that a user's identity and authorisation status are verified before they are permitted to access sensitive data. Organisations may also use physical tools to limit application access, such as restricting and monitoring the server room where the application database is hosted.
SSL inspection is a security tool that investigates encrypted web traffic between the application and the internet to determine whether those communications may contain viruses or malware.
Application Security Challenges
Part of the problem is that IT has to satisfy several different masters to secure their apps. They first have to keep up with the evolving security and application development tools market, but that is just the entry point.
IT also has to anticipate the business needs as more enterprises dive deeper into digital products and their application portfolio needs evolve to more complex infrastructure. They also have to understand how SaaS services are constructed and secured. This has been an issue, as a recent survey of 500 IT managers found that the average level of software design knowledge is lacking. The report states, “CIOs may find themselves in the hot seat with senior leadership as they are held accountable for reducing complexity, staying on budget and how quickly they are modernising to keep up with business demands.”
Finally, the responsibility for application security could be spread across several different teams within your IT operations: The network folks could be responsible for running the web app firewalls and other network-centric tools, the desktop folks could be responsible for running endpoint-oriented tests, and various development groups could have other concerns. This makes it hard to suggest one tool that will fit everyone’s needs, which is why the market has become so fragmented.
Application Security Trends
In January 2019, Imperva published its State of Web Application Vulnerabilities 2018. The overall findings were positive. While the number of web application vulnerabilities continues to grow, that growth is slowing.
That's due primarily to a decline in IoT vulnerabilities: only 38 new ones were reported in 2018 versus 112 in 2017. API vulnerabilities, on the other hand, increased by 24% in 2018, but at less than half the 56% growth rate of 2017.
Another area seeing more vulnerabilities emerge, according to the Imperva report, is in content management systems, WordPress in particular. That platform saw a 30% increase in the number of reported vulnerabilities.
The report noted that the Drupal content management system, despite being far less prevalent than WordPress, is becoming a target for attackers because of two vulnerabilities: Drupalgeddon2 (CVE-2018-7600) and Drupalgeddon3 (CVE-2018-7602). Both allow attackers to connect to back-end databases, scan and infect networks and clients with malware, or mine cryptocurrencies. Imperva claims to have blocked more than half a million attacks that used these vulnerabilities in 2018.
The Veracode report shows that the most common types of flaws are:
- Information leakage (64%)
- Cryptographic issues (62%)
- CRLF injection (61%)
- Code quality (56%)
- Insufficient input validation (48%)
- Cross-site scripting (47%)
- Directory traversal (46%)
- Credentials management (45%)
(Percentages represent the prevalence in the applications tested.) The rate of occurrence for all the above flaws has increased since Veracode began tracking them ten years ago.
One positive trend that the Veracode study found was that application scanning makes a big difference in fix rate and time to fix application flaws. Overall fix rates, especially for high-severity defects, are improving. The general fix rate is 56%, up from 52% in 2018, and the highest severity flaws are fixed at a rate of 75.7%. A DevSecOps approach with frequent scanning and testing of software will drive down the time to correct defects. The median time to repair applications scanned 12 times or fewer per year was 68 days, while an average scan rate of daily or more lowered it to 19 days.
Application Security Testing Methods
Software developers use different types of application security testing tools to evaluate the security posture of their software at various points in the development life cycle.
Static testing is used by software engineers to analyse code in development and ensure that security vulnerabilities are not being introduced. Dynamic testing tools analyse running code, simulating attacks on the production environment and collecting data on the results for security analysts to review. There are also interactive testing tools for app developers that combine elements of both dynamic and static testing.
The Continuous Process Of Application Security
While DAST (dynamic application security testing) and RASP are only two parts of a complete application security plan, they represent two critical sides of a continuous process.
DAST is a proactive solution used to scan an application in the running environment. It’s used during the build and test phases and can carry on into delivery and production. DAST simulates attacker behaviour to look for the app’s behavioural weaknesses.