The Headaches around Application Security (AppSec)

What is Application Security (AppSec)?

In the world of web applications, a great deal of code is written (or at times generated automatically), compiled, integrated and pushed into live/production systems. These applications are exposed to numerous attacks which, if exploited, can not only take a business down but, more importantly, harm its customers and their financial lives, and even shake the political world; the impact can spread across many sectors. Application security is the discipline of securing web applications against these threats and vulnerabilities.

The many challenging Why’s around Application security?


According to Akamai's State of the Internet report, SQL injection (51%), Local File Injection (30%) and XSS (25%) topped the most common application-security breaches in 2018. Despite dedicated application-security communities tasked with eradicating AppSec issues, the same age-old attacks still haunt web applications. Why?

Application developers are so tied up in delivering business features that, more often than not, they pay less attention to security. Why?

Once application coding is almost complete, the stakeholders suddenly get nervous about security and end up looking for quick and easy fixes, raising risk waivers and so on, so that their valuable business features can be delivered into the live/production environment at some accepted risk. Why?

There are dozens more Why's which cannot be covered in this short read; I have covered the most common ones.

Is there a silver bullet for the AppSec challenges? Easy: make AppSec Secure by Design 🙂


Oh, hang on! What does Secure by Design even mean?

It means baking AppSec into the foundations of the software-building process, i.e. by writing security requirements as stories that reflect the organisation's security standards and policies (for example: which encryption algorithms to use, which transport-layer security protocol is required, and so on). The security stories also need to capture preventative solutions to the most common vulnerabilities the organisation faces. For a financial-services organisation, that could mean building solutions around its most common attack, the credential-validation attack, in which attackers validate stolen user credentials and sell them on the dark web to fraudsters. By writing security stories, the security solution becomes reusable across teams: the stories are tagged wherever they apply in epics, stories, tasks and so on.

Threat Modelling... don't forget it, and do keep it ALIVE!

Threat modelling is one of the most significant milestones of AppSec: it highlights the security risks and vulnerabilities of an application. The most common approach is STRIDE, which gives quite comprehensive coverage for understanding the attack surface and mitigating it by proposing security controls. Bake the findings of threat modelling into stories and test cases so that the application is continuously monitored for its most significant threats.

Most organisations, however, stop threat modelling once the application is in production/live, which defeats its purpose. Threat modelling needs to happen throughout the software development lifecycle (SDLC) and should be kept alive with periodic reviews, backed by the feedback and findings of vulnerability scanners and other security automation tools (covered below in the CI/CD section).

Secure coding practice

Develop a culture of secure coding within your teams, i.e. by creating best practices that mitigate the common AppSec attacks (OWASP Top 10) through basic hygiene: encoding and escaping output data, and validating all user and API inputs, to avoid XSS and SQL injection attacks; handling application errors and exceptions gracefully so that no sensitive data leaks to attackers; never leaving sensitive data such as application secrets in code or code comments, a very common developer mistake, and using a secrets-management solution to store them instead; and using security libraries, e.g. the Helmet library for Node.js. Lastly, and most importantly for developers, ensure there is proper auditing and logging in the application code so that the DevOps team can monitor it and automate alerts for any malicious activity.

Hardening your Continuous Integration (CI) & Continuous Deployment (CD) pipelines

In an agile world, where software is released into the production/live environment numerous times a day (gone are the days of quarterly releases), hardening your CI/CD pipeline becomes of the utmost importance. According to NIST, fixing a vulnerability in the development phase saves 5-6 times the cost of fixing the same vulnerability once it is found in production. The CI/CD pipeline suddenly becomes very critical infrastructure. Automate security test cases as part of the pipeline by:

  • Covering all the identified Security user stories
  • SAST (Static testing) and DAST (Dynamic testing)
  • Penetration testing
  • Software Composition Analysis (finding vulnerable third-party software/libraries)

This ensures that you release quality software into the production environment. By hardening the CI/CD pipeline I also mean addressing the privileged access management (PAM) aspects. To protect against insider threats, apply the principle of least privilege to the pipeline's users, viz. developers, testers, DevOps and so on. Auditing and monitoring user actions helps establish non-repudiation in the event of a breach or anomalous behaviour.
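The pipeline gate that ties the threat-modelling section and the CI/CD section together, as an added example (not code from the original post or any particular CI product). It assumes that scanner output has already been normalised into a common finding shape and that security stories carry the STRIDE category they mitigate; the story ids, finding ids, role names and the ADVISORY-PLACEHOLDER id are constructed for the example. The gate fails the build when a security story has no automated test, when a SAST/DAST/SCA finding reaches the policy threshold, and it refuses pipeline actions a role is not entitled to, writing each decision as an audit record.

```javascript
// Added example, not from the original post: a security gate for a CI/CD pipeline.
// It checks (a) that every security story from the threat model has an automated
// test, (b) that no scanner finding at or above the policy threshold is present,
// and (c) that the identity running a stage is allowed to perform it.
// All data below is constructed for the example; names are assumptions.

const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Policy: which severity blocks the build for each class of scanner.
const GATE_POLICY = {
  failAt: { sast: 'high', dast: 'high', sca: 'high' },
  requireStoryCoverage: true,
};

// Least privilege for pipeline identities: each role may only perform the
// actions its job needs. Deploying to production is a separate role.
const ROLE_ACTIONS = {
  developer: new Set(['build', 'unit-test', 'sast', 'sca']),
  tester: new Set(['dast', 'pentest-review']),
  deployer: new Set(['deploy-staging', 'deploy-production']),
};

function isActionAllowed(role, action) {
  const allowed = ROLE_ACTIONS[role];
  return Boolean(allowed && allowed.has(action));
}

// Security stories derived from a STRIDE threat model. Each carries the STRIDE
// category it mitigates and the automated tests that prove the control exists.
const SECURITY_STORIES = [
  { id: 'SEC-101', stride: 'Tampering', title: 'All DB access uses parameterised queries', tests: ['sast:sql-injection', 'dast:sqli'] },
  { id: 'SEC-102', stride: 'Information disclosure', title: 'Error pages never expose stack traces', tests: ['dast:error-leak'] },
  { id: 'SEC-103', stride: 'Spoofing', title: 'Credential-stuffing defences on /login', tests: [] }, // control not yet tested
];

// Normalised scanner findings (constructed sample; the advisory id is a placeholder).
const FINDINGS = [
  { tool: 'sast', id: 'hardcoded-secret', severity: 'high', location: 'src/config.js:12' },
  { tool: 'dast', id: 'reflected-xss', severity: 'medium', location: 'GET /search?q=' },
  { tool: 'sca', id: 'ADVISORY-PLACEHOLDER-1', severity: 'critical', location: 'examplelib@2.2.0' },
];

// Returns { pass, reasons }: pass is true only when nothing blocks the release.
function evaluateGate(findings, stories, policy = GATE_POLICY) {
  const reasons = [];
  for (const f of findings) {
    const threshold = policy.failAt[f.tool];
    if (threshold && SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]) {
      reasons.push(`${f.tool}: ${f.id} (${f.severity}) at ${f.location}`);
    }
  }
  if (policy.requireStoryCoverage) {
    for (const s of stories) {
      if (!Array.isArray(s.tests) || s.tests.length === 0) {
        reasons.push(`security story ${s.id} (${s.stride}) has no automated test`);
      }
    }
  }
  return { pass: reasons.length === 0, reasons };
}

// Every decision is written as a structured audit record so that pipeline
// actions stay attributable (non-repudiation) when something goes wrong.
function auditRecord(actor, action, result) {
  return JSON.stringify({ ts: new Date().toISOString(), actor, action, ...result });
}

if (typeof require !== 'undefined' && require.main === module) {
  const verdict = evaluateGate(FINDINGS, SECURITY_STORIES);
  console.log(auditRecord('ci-bot', 'security-gate', verdict));
  console.log('developer may deploy to production:', isActionAllowed('developer', 'deploy-production'));
}
```

With the sample data the gate fails for three reasons: the high SAST finding, the critical SCA finding, and story SEC-103, which has no test; the medium DAST finding is reported but does not block, which is exactly the kind of threshold the policy object makes explicit and reviewable.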

Vulnerability patching

The DevOps team needs to ensure that the application has no known vulnerabilities, by using continuous scanning tools and patching any findings immediately. If your environment has no automated vulnerability-scanning tools, it is a good proactive practice to create (and keep updated) a software inventory with current versions and search the NVD database for any vulnerability disclosures, so that you can act accordingly.
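The inventory-versus-NVD practice above, as an added example that is not part of the original post. It builds the NVD CVE API 2.0 request for an inventory item from its CPE name, and matches the inventory offline against advisory records that use the version-range field names of NVD cpeMatch objects (versionStartIncluding, versionStartExcluding, versionEndIncluding, versionEndExcluding). The vendors, products, versions and CVE-PLACEHOLDER ids are constructed for the example and do not describe real vulnerabilities; the function names are assumptions.

```javascript
// Added example, not from the original post: an offline check of a software
// inventory against vulnerability disclosures. Advisory records use the
// version-range field names of NVD's CVE API 2.0 cpeMatch objects; products,
// versions and advisory ids are constructed placeholders, not real vulnerabilities.

// Compare dotted numeric versions: returns <0, 0 or >0. Missing components
// count as 0, so '2.3' equals '2.3.0' and '2.10' sorts after '2.9'.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Does `version` fall inside the advisory's affected range? An absent bound is open.
function isAffected(version, range) {
  if (range.versionStartIncluding && compareVersions(version, range.versionStartIncluding) < 0) return false;
  if (range.versionStartExcluding && compareVersions(version, range.versionStartExcluding) <= 0) return false;
  if (range.versionEndIncluding && compareVersions(version, range.versionEndIncluding) > 0) return false;
  if (range.versionEndExcluding && compareVersions(version, range.versionEndExcluding) >= 0) return false;
  return true;
}

// Build the NVD CVE API 2.0 request for one inventory item, keyed by its CPE 2.3
// name (vendor, product and version come straight from the inventory entry).
function nvdQueryUrl(item) {
  const cpe = `cpe:2.3:a:${item.vendor}:${item.product}:${item.version}:*:*:*:*:*:*:*`;
  return `https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=${encodeURIComponent(cpe)}`;
}

// Match the inventory against a local advisory list (what the NVD responses would
// be reduced to) and return the exposed items with the advisory ids that hit.
function findExposures(inventory, advisories) {
  const exposures = [];
  for (const item of inventory) {
    const hits = advisories.filter(
      (adv) => adv.vendor === item.vendor && adv.product === item.product && isAffected(item.version, adv)
    );
    if (hits.length > 0) exposures.push({ ...item, advisories: hits.map((h) => h.id) });
  }
  return exposures;
}

// Constructed inventory and advisories (placeholders, not real products or CVEs).
const INVENTORY = [
  { vendor: 'examplevendor', product: 'examplelib', version: '2.2.0' },
  { vendor: 'examplevendor', product: 'examplelib', version: '2.3.1' },
  { vendor: 'othervendor', product: 'otherlib', version: '4.5' },
  { vendor: 'othervendor', product: 'otherlib', version: '4.4.9' },
];
const ADVISORIES = [
  { id: 'CVE-PLACEHOLDER-0001', vendor: 'examplevendor', product: 'examplelib', versionStartIncluding: '2.0.0', versionEndExcluding: '2.3.1' },
  { id: 'CVE-PLACEHOLDER-0002', vendor: 'othervendor', product: 'otherlib', versionEndIncluding: '4.4.9' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(nvdQueryUrl(INVENTORY[0]));
  console.log(findExposures(INVENTORY, ADVISORIES));
}
```

The two boundary cases the sample data exercises are the ones that usually go wrong in hand-rolled checks: 2.3.1 is the first fixed release (end-excluding, so not affected) and 4.4.9 is the last affected release (end-including, so affected).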

Conclusion

AppSec is a continuous engineering process, and its challenges can only be resolved by building the AppSec practice from the ground up. Everyone from the organisation's business stakeholders to the IT teams (developers, testers, managers, DevOps etc.) needs to follow the practice to achieve AppSec nirvana.

Good Luck with your AppSec 🙂

Also check my container security blog, Container Security Overview, for more on AppSec issues.

