Application security (short AppSec) includes all tasks that introduce a secure

software development life cycle In software engineering, a software development process or software development life cycle (SDLC) is a process of planning and managing software development. It typically involves dividing software development work into smaller, parallel, or s ...

to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance. Web application security is a branch of

information security Information security is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data ...

that deals specifically with the security of

websites A website (also written as a web site) is any web page whose content is identified by a common domain name and is published on at least one web server. Websites are typically dedicated to a particular topic or purpose, such as news, education ...

web applications A web application (or web app) is application software that is created with web technologies and runs via a web browser. Web applications emerged during the late 1990s and allowed for the server to dynamically build a response to the request, ...

, and

web services A web service (WS) is either: * a service offered by an electronic device to another electronic device, communicating with each other via the Internet, or * a server running on a computer device, listening for requests at a particular port over a n ...

. At a high level, web application security draws on the principles of application security but applies them specifically to the

internet The Internet (or internet) is the Global network, global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a internetworking, network of networks ...

and

web Web most often refers to: * Spider web, a silken structure created by the animal * World Wide Web or the Web, an Internet-based hypertext system Web, WEB, or the Web may also refer to: Computing * WEB, a literate programming system created by ...

systems. The application security also concentrates on

mobile apps A mobile application or app is a computer program or software application designed to run on a mobile device such as a phone, tablet, or watch. Mobile applications often stand in contrast to desktop applications which are designed to run on d ...

and their security which includes iOS and Android Applications Web Application Security Tools are specialized tools for working with HTTP traffic, e.g.,

Web application firewall A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulne ...

Approaches

Different approaches will find different subsets of the security

vulnerabilities Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." The understanding of social and environmental vulnerability, as a methodological approach, involves ...

lurking in an application and are most effective at different times in the software lifecycle. They each represent different tradeoffs of time, effort, cost and vulnerabilities found. * Design review. Before code is written the application's architecture and design can be reviewed for security problems. A common technique in this phase is the creation of a

threat model Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized. The purpose of threat modeling is to provide d ...

. * Whitebox security review, or

code review Code review (sometimes referred to as peer review) is a software quality assurance activity in which one or more people examine the source code of a computer program, either after implementation or during the development process. The persons perf ...

. This is a security engineer deeply understanding the application through manually reviewing the source code and noticing security flaws. Through comprehension of the application, vulnerabilities unique to the application can be found. * Blackbox security audit. This is only through the use of an application testing it for security vulnerabilities, no source code is required. * Automated Tooling. Many security tools can be automated through inclusion into the development or testing environment. Examples of those are automated DAST/SAST tools that are integrated into code editor or CI/CD platforms. * Coordinated vulnerability platforms. These are hacker-powered application security solutions offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs.

Security threats

The Open Worldwide Application Security Project (

OWASP The Open Worldwide Application Security Project (formerly Open Web Application Security Project) (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of Io ...

) provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2017 results from recent research based on comprehensive data compiled from over 40 partner organizations. This data revealed approximately 2.3 million vulnerabilities across over 50,000 applications. According to the OWASP Top 10 - 2021, the ten most critical web application security risks include: # Broken

access control In physical security and information security, access control (AC) is the action of deciding whether a subject should be granted or denied access to an object (for example, a place or a resource). The act of ''accessing'' may mean consuming ...

# Cryptographic failures #

Injection Injection or injected may refer to: Science and technology * Injective function, a mathematical function mapping distinct arguments to distinct values * Injection (medicine), insertion of liquid into the body with a syringe * Injection, in broadca ...

# Insecure design # Security misconfiguration # Vulnerable and outdated components # Identification and authentification failures # Software and data integrity failures # Security logging and monitoring failures* # Server-side request forgery (SSRF)*

Security controls

Th
OWASP Top 10 Proactive Controls 2024
is a list of security techniques every software architect and developer should know and heed. The current list contains: # Implement access control # Use cryptography the proper way # Validate all input & handle exceptions # Address security from the start # Secure by default configurations # Keep your components secure # Implement digital identity # Use browser security features # Implement security logging and monitoring # Stop server-side request forgery

Tooling for security testing

Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire

(SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. There are many kinds of automated tools for identifying vulnerabilities in applications. Common tool categories used for identifying application vulnerabilities include: *

Static application security testing Static may refer to: Places *Static Nunatak, in Antarctica *Static, Kentucky and Tennessee, U.S. *Static Peak, a mountain in Wyoming, U.S. **Static Peak Divide, a mountain pass near the peak Science and technology Physics *Static electricity, a n ...

(SAST) analyzes source code for security vulnerabilities during an application's development. Compared to DAST, SAST can be utilized even before the application is in an executable state. As SAST has access to the full source code it is a white-box approach. This can yield more detailed results but can result in many false positives that need to be manually verified. * Dynamic application security testing (DAST, often called

vulnerability scanner A vulnerability scanner is a computer program designed to assess computers, networks or applications for known weaknesses. These scanners are used to discover the weaknesses of a given system. They are used in the identification and detection ...

s) automatically detects vulnerabilities by crawling and analyzing websites. This method is highly scalable, easily integrated and quick. DAST tools are well suited for dealing with low-level attacks such as injection flaws but are not well suited to detect high-level flaws, e.g., logic or business logic flaws.

Fuzzing In programming and software development, fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptio ...

tools are commonly used for input testing. * Interactive application security testing (IAST) assesses applications from within using software instrumentation. This combines the strengths of both SAST and DAST methods as well as providing access to code, HTTP traffic, library information, backend connections and configuration information. Some IAST products require the application to be attacked, while others can be used during normal quality assurance testing. * Runtime application self-protection augments existing applications to provide intrusion detection and prevention from within an application runtime. * Dependency scanners (also called

software composition analysis Software composition analysis (SCA) is a practice in the fields of Information technology and software engineering for analyzing custom-built software applications to detect embedded open-source software and detect if they are up-to-date, contain ...

) try to detect the usage of software components with known vulnerabilities. These tools can either work on-demand, e.g., during the source code build process, or periodically.

Security standards and regulations

* CERT Secure Coding standard * ISO/IEC 27034-1:2011 ''Information technology — Security techniques — Application security -- Part 1: Overview and concepts'' * ISO/IEC TR 24772:2013 ''Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use'' * NIST Special Publication 800-53 * OWASP ASVS: Web Application Security Verification Standard

References