By: Darcy Kempa
June 3, 2021
Web Application Security
By: Darcy Kempa
June 3, 2021
Web application security has always been an important part of any cybersecurity program. Hardening web applications, protecting web servers, and using two-factor authentication (2FA) have helped protect businesses and consumers from data loss. However, the recent pandemic has increased the use of the internet for shopping, banking, and even social gatherings. It has changed the how and why of internet usage and may never return to pre-pandemic patterns. This means that web application security has taken on an essential role in cybersecurity defense.
The term “web application” is normally associated with a web-based program. The application software is stored on a web server and is accessed through the internet. From a web application security standpoint, it would be easy to stop there and restrict access to the application. Unfortunately, access management is only one of the many considerations relative to web application security.
Open Web Application Security, or OWASP provides a list of application security risks known as the OWASP Top Ten and should be referenced when contemplating web application security. This is because the application may not just be a user interface but a combination of interface, databases, and even other applications. The application may even provide a gateway to other software or the network itself. An example of this is banking software that provides savings account information and credit card information but can redirect or transfer the user to an external vendor for automobile insurance.
The OWASP Top Ten Application Security Risks list includes:
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components With Known Vulnerabilities
- Insufficient Logging and Monitoring.
The OWASP website provides additional information as well as examples of preventative techniques. There is also training available on OWASP as well as an introduction to the OWASP Top Ten.
Application Security Testing
In a perfect application development cycle, cybersecurity is part of the build and not an afterthought. The design phase would identify risks and employ mitigations. On the other hand, the development phase would not re-use old, vulnerable code or link to libraries with known vulnerabilities. The testing phase would also include penetration testing and not just a verification of functionality.
Unfortunately, not all applications are built perfectly and without complications. This requires that application security testing be performed to identify vulnerabilities and, hopefully, fix them before a hacker exposes them. There are three types of application testing available to help web application security efforts.
Dynamic application security testing (DAST). This type of testing involves using a tool to interact with an application through the front end. The tool scans an application by pretending to be a malicious user and uses similar efforts like a SQL injection attack. The tool does not have access to the source code. This requires the user to backtrack through the code to identify and correct the vulnerability.
Static application security testing (SAST). This type of testing uses a tool that has access to the application source code. The tool reviews the code and identifies any issues that it finds to be potentially malicious. The developers then go through the findings and repair any discrepancies in the software or architecture.
Interactive application security testing (IAST). This type of testing is a combination of DAST and SAST analysis. IAST uses a tool that analyzes request data as well as the source code execution. This analysis is performed within the application and provides real-time information. The results are more accurate than DAST or SAST testing alone.
It is important that businesses know about these tests and uses one or more as part of a Web Application Security Program.
Web application security is extremely important in protecting businesses and consumers alike. It reduces risks to data loss or manipulation and helps build trust with customers. This should be an ongoing effort since a software update or change may create a new and unknown vulnerability. The OWASP Top Ten provides a good benchmark for use in this effort. Organizations can use the Top Ten to educate developers, administrators, and managers on how they can help strengthen a Web Application Security Program.
Cybrary provides online training courses in information technology and cybersecurity. These courses cover a myriad of subjects, from project management to penetration testing to auditing.