
Application Security Guide for Beginners


This beginner’s guide to application security focuses on the main concepts and keywords used in the Application Security domain. From a secure software development lifecycle (SDLC) to the top threats facing applications and their impacts, this guide covers it all!

This guide is divided into the following categories:
- Code Development Methodologies
- Code
- Application Security Solutions
- Common threats and their impacts

Published in: Technology

Application Security Guide for Beginners

  1. Application Security Guide for Beginners.
  2. INTRODUCTION. This beginner’s guide to application security focuses on the main concepts and keywords used in the Application Security domain. This guide is divided into the following categories: Code Development Methodologies; Code; Application Security Solutions; Common threats and their impacts.
  3. WHAT IS SDLC? Most organizations develop applications according to a clear process by which each application is designed, developed, tested, and deployed. This sequence is called the software development lifecycle, or SDLC. SDLC shapes the way applications are built and defines the processes and milestones an application needs to pass before going to the next stage of development. WHAT IS A SECURE SDLC? Secure SDLC is a process where security touch points are added to each stage of the SDLC. Secure SDLC applies security best practices to ensure that applications are secure upon release while fitting into any developer’s continuous integration workflow. [Figure: SDLC Process, stages 1 to 5: Requirements, Design, Development, Testing, Deployment. Secure SDLC Process, stages 1 to 5: Risk Assessment; Threat Modeling & Design Review; Static Analysis; Security Testing & Code Review; Security Assessment & Secure Configuration.]
  4. STATIC APPLICATION SECURITY TESTING WITH SECURE SDLC. Static Application Security Testing (SAST) is one of the driving forces behind the secure SDLC. SAST empowers developers to deliver secure applications by seamlessly integrating with their development processes and environments. In a secure SDLC, SAST solutions detect vulnerabilities which may expose the application to security risks and breaches. [Figure: SAST Integration Points.]
  5. <CODE DEVELOPMENT METHODOLOGIES/>
  6. Software Development Life Cycle (SDLC): Process for planning, creating, testing and deploying an application. AGILE Model: Alternative to traditional project management where the emphasis is placed on empowering people to collaborate and make team decisions in addition to continuous planning, testing and integration.
  7. Waterfall Model: Sequential design process, used in software development processes, in which progress is seen as flowing steadily downwards (like a waterfall) through the phases of requirement, design, development and testing. Rapid Application Development (RAD): Development method that uses minimal planning in favor of rapid prototyping. A prototype is equivalent to a component of the product.
  8. <CODE/>
  9. Codebase (or code base): Collection of source code that is used to build a particular software system, application or software component. Frameworks: Frameworks are fairly large pre-made pieces of code. The developers write their code on top of the framework. Notable examples: Struts, Telerik, GWT.
  10. Build Systems (or Build Server, Build Automation): A tool designed to automate the process of program compilation. Build systems come in various forms and are used for a variety of software build tasks. Notable examples: Jenkins, AnthillPro. Source Code Repository: File archive or web hosting facility where large amounts of software source code are kept either publicly or privately. Archived files may also be versioned. Notable examples: TFS, GIT, Perforce, SVN.
  11. Bug Tracking Systems (Issue Tracking Systems): Software application that keeps track of reported bugs, issues or tasks in a project. Notable examples: TFS, Jira, HP-QC. Micro Services: Modern interpretation of service-oriented architectures used to build distributed software systems. Processes that communicate with each other over the network in order to fulfill a task. Example: Microservices can be found in Facebook or LinkedIn; some parts of the GUI have downtime for updates and some don’t.
  12. DLL (Dynamic Link Library): The artifact created after compiling and building source code for C++ and other Microsoft coding languages. JAR (Java Archive): The artifact created after compiling and building source code for the Java coding language.
  13. Test Driven Development (TDD): Development is built around predefined code test cases. This means that only after the test cases have been created can the developers start writing the code.
  14. <APPLICATION SECURITY SOLUTIONS/>
  15. Static Application Security Testing (SAST): Security testing which analyzes an application’s source code or binary code to determine if security vulnerabilities exist. SAST solutions analyze the application ‘from the inside-out’; in many cases SAST solutions do need compiled code. Penetration Testing (AKA Pen Testing): Security experts trying to find and exploit vulnerabilities that an attacker could use. The testing is done with or without dedicated hacking tools.
  16. Dynamic Application Security Testing (DAST): Detects conditions of a security vulnerability in an application in its running state. Dynamic Application Security Testing generates automated attacks which may be used by real attackers. Runtime Application Self-Protection (RASP): Security technology that is built or linked into an application or application runtime environment and is capable of detecting and preventing real-time attacks.
  17. Common Weakness Enumeration (CWE): List of software weaknesses. The list is created by community cooperation. Software weaknesses are errors that can lead to software vulnerabilities. Common Vulnerabilities and Exposures (CVE): A publicly available and free-to-use list or dictionary of standardized identifiers for common computer vulnerabilities and exposures.
  18. Open Web Application Security Project (OWASP): Community which creates freely available methodologies, tools, standards and technologies in the field of application security. Interactive Application Security Testing (IAST): Combines elements of SAST and DAST simultaneously. It is typically implemented as an agent within the test runtime application or environment that observes attacks and identifies vulnerabilities. IAST determines whether a vulnerability is exploitable with increased accuracy, and can identify where specifically the vulnerability is located in the code.
  19. False Positive: When a security scanner indicates that a vulnerability exists (for example, SQL Injection), while in reality it doesn’t exist. False Negative: When a vulnerability exists and the security scanner doesn’t detect it. Therefore the user is not notified about the vulnerability.
  20. Web Application Firewall (WAF): Protects web applications by monitoring and controlling their input and output and the access to and from the application. Running as an appliance, server plug-in or cloud-based service, a WAF inspects, monitors, filters or blocks malicious traffic to and from a web application. Binary Analysis: Binary Analysis is a form of Static Application Security Testing based on analysis of a compiled code base rather than the raw source code. A binary is a machine-readable file which can be executed and run.
  21. Bug Bounty Program: Agreement offered by many websites and software development companies by which individuals can receive recognition and compensation for reporting bugs, exploits and vulnerabilities. Security Gate: Security practice where, after the code is written, it is sent to a security expert to undergo inspection, after which the developer needs to alter the code accordingly.
  22. <COMMON THREATS AND THEIR IMPACTS /> OWASP TOP 6
  23. SQL Injection. THREAT: Code injection technique used to attack data-driven applications, in which malicious SQL fragments are inserted into an entry field for execution. IMPACT: May reveal sensitive information, plant information or damage data. May be used to reveal customers’ credit card numbers or any other personal data stored in the DB. Attacker could change system administrator credentials for the database server. Can affect the public image of the company, resulting in profit loss.
  24. Cross Site Scripting (XSS). THREAT: Vulnerability typically found in web applications enabling attackers to inject client-side scripts into web pages viewed by other users. IMPACT: May gain access to a user’s identity and act on their behalf. Ability to spread web worms or Trojans. Possible business impact of public exposure about the vulnerability. Attacker may gain access to all the end-user information kept on the client side (cookies, session ID and client identity).
  25. Clickjacking (UI redress attack). THREAT: Attacker uses multiple transparent layers to trick a user into clicking on a button or link that is not the originally intended target area. Therefore, the attacker is rerouting (hijacking) the user to another page, likely owned by another application. Keystrokes can also be hijacked using the same method. IMPACT: Can be used to utilize the computer’s microphone and camera. May activate print screen to capture sensitive information.
  26. Cross Site Request Forgery (CSRF). THREAT: Attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. Inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf. IMPACT: If the victim is an administrative account, can be used to force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. Can compromise the entire web application.
  27. Path Traversal (Directory Traversal, dot-dot-slash). THREAT: Exploit which allows attackers to access restricted directories and execute commands outside of the web server’s intended directory. IMPACT: Can be used to access restricted areas and files, causing a critical information leak.
  28. Session Fixation. THREAT: Vulnerability that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the web application manages the session ID, specifically in the vulnerable web application. IMPACT: Can be used to hijack the user-validated session by utilizing knowledge of the session ID.
  29. Thanks for reading! Learn more at: www.checkmarx.com
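An added illustration of the SQL Injection slide above (example code written here, not part of the Checkmarx deck): the same user lookup written once by splicing the entry-field value into the SQL text and once with a bound parameter, run against a constructed in-memory SQLite table so the difference the slide describes is visible in the returned rows.

```python
"""Added example: entry-field value spliced into SQL vs. bound as a parameter.
The table, rows and the `users` schema are constructed for this demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The entry-field value becomes part of the SQL text, so a crafted value
    changes the WHERE clause instead of being compared as a string.
    This is the pattern a SAST scanner reports as SQL Injection."""
    sql = "SELECT name, card_last4 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Same query with a placeholder: the driver passes the value as data,
    so whatever the field contains is only ever compared against `name`."""
    sql = "SELECT name, card_last4 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Textbook fragment that widens the WHERE clause to match every row.
    tampered = "x' OR '1'='1"
    print(lookup_vulnerable(db, "alice"))      # the single intended row
    print(lookup_vulnerable(db, tampered))     # every row: the slide's data-leak IMPACT
    print(lookup_parameterized(db, tampered))  # [] because no user has that literal name
```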
