Application security aims to protect software application code and data against cyber threats. You can and should apply application security during all phases of development, including design, development, and deployment.
Here are several ways to promote application security throughout the software development lifecycle (SDLC):
A web application is software that runs on a web server and is accessible via the Internet. The client runs in a web browser. By nature, applications must accept connections from clients over insecure networks. This exposes them to a range of vulnerabilities. Many web applications are business critical and contain sensitive customer data, making them a valuable target for attackers and a high priority for any cyber security program.
The evolution of the Internet has addressed some web application vulnerabilities – such as the introduction of HTTPS, which creates an encrypted communication channel that protects against man in the middle (MitM) attacks. However, many vulnerabilities remain. The most severe and common vulnerabilities are documented by the Open Web Application Security Project (OWASP), in the form of the OWASP Top 10.
Due to the growing problem of web application security, many security vendors have introduced solutions especially designed to secure web applications. Examples include the web application firewall (WAF), a security tool designed to detect and block application-layer attacks.
Learn more in our detailed guide to website security
Application Programming Interfaces (API) are growing in importance. They are the basis of modern microservices applications, and an entire API economy has emerged, which allows organizations to share data and access software functionality created by others. This means API security is critical for modern organizations.
APIs that suffer from security vulnerabilities are the cause of major data breaches. They can expose sensitive data and result in disruption of critical business operations. Common security weaknesses of APIs are weak authentication, unwanted exposure of data, and failure to perform rate limiting, which enables API abuse.
Like web application security, the need for API security has led to the development of specialized tools that can identify vulnerabilities in APIs and secure APIs in production.
Learn more in the detailed guide to API Security
Cloud native applications are applications built in a microservices architecture using technologies like virtual machines, containers, and serverless platforms. Cloud native security is a complex challenge, because cloud native applications have a large number of moving parts and components tend to be ephemeral—frequently torn down and replaced by others. This makes it difficult to gain visibility over a cloud native environment and ensure all components are secure.
In cloud native applications, infrastructure and environments are typically set up automatically based on declarative configuration—this is called infrastructure as code (IaC). Developers are responsible for building declarative configurations and application code, and both should be subject to security considerations. Shifting left is much more important in cloud native environments, because almost everything is determined at the development stage.
Cloud native applications can benefit from traditional testing tools, but these tools are not enough. Dedicated cloud native security tools are needed, able to instrument containers, container clusters, and serverless functions, report on security issues, and provide a fast feedback loop for developers.
Another important aspect of cloud native security is automated scanning of all artifacts, at all stages of the development lifecycle. Most importantly, organizations must scan container images at all stages of the development process.
Learn more in the detailed guides to:
Software applications can be affected by numerous threats. The Open Web Application Security Project (OWASP) Top 10 list includes critical application threats that are most likely to affect applications in production.
Broken access control allows threats and users to gain unauthorized access and privileges. Here are the most common issues:
You can remediate this issue by implementing strong access mechanisms that ensure each role is clearly defined with isolated privileges.
Cryptographic failures (previously referred to as “sensitive data exposure”) occur when data is not properly protected in transit and at rest. It can expose passwords, health records, credit card numbers, and personal data.
This application security risk can lead to non-compliance with data privacy regulations, such as the EU General Data Protection Regulation (GDPR), and financial standards like PCI Data Security Standards (PCI DSS).
Injection vulnerabilities enable threat actors to send malicious data to a web application interpreter. It can cause this data to be compiled and executed on the server. SQL injection is a common form of injection.
Learn more in the detailed guides to:
Insecure design covers many application weaknesses that occur due to ineffective or missing security controls. Applications that do not have basic security controls capable of against critical threats. While you can fix implementation flaws in applications with secure design, it is not possible to fix insecure design with proper configuration or remediation.
Security misconfigurations occur due to a lack of security hardening across the application stack. Here are common security misconfigurations:
Learn more in the detailed guide to XML External Entities (XXE)
Vulnerable and outdated components (previously referred to as “using components with known vulnerabilities”) include any vulnerability resulting from outdated or unsupported software. It can occur when you build or use an application without prior knowledge of its internal components and versions.
Identification and authentication failures (previously referred to as “broken authentication”) include any security problem related to user identities. You can protect against identity attacks and exploits by establishing secure session management and setting up authentication and verification for all identities.
Software and data integrity failures occur when infrastructure and code are vulnerable to integrity violations. It can occur during software updates, sensitive data modification, and any CI/CD pipeline changes that are not validated. Insecure CI/CD pipelines can result in unauthorized access and lead to supply chain attacks.
Security logging and monitoring failures (previously referred to as “insufficient logging and monitoring”) occur when application weaknesses cannot properly detect and respond to security risks. Logging and monitoring are critical to the detection of breaches. When these mechanisms do not work, it hinders the application’s visibility and compromises alerting and forensics.
Server-side request forgery (SSRF) vulnerabilities occur when a web application does not validate a URL inputted by a user before pulling data from a remote resource. It can affect firewall-protected servers and any network access control list (ACL) that does not validate URLs.
Learn more in the detailed guide to SSRF
Learn about additional cyber threats in our guide to cyber attacks
APIs enable communication between different pieces of software. Applications with APIs allow external clients to request services from the application. APIs are exposed to various threats and vulnerabilities. The OWASP compiled a list prioritizing the top 10 API security risks.
APIs often expose endpoints handling object identifiers. It creates a wider attack surface Level Access Control issue. Instead, you should check object level authorization in every function that can access a data source through user inputs.
Incorrectly implemented authentication mechanisms can grant unauthorized access to malicious actors. It enables attackers to exploit an implementation flaw or compromise authentication tokens. Once it occurs, attackers can assume a legitimate user identity permanently or temporarily. As a result, the system’s ability to identify a client or user is compromised, which threatens the overall API security of the application.
Generic implementations often lead to exposure of all object properties without consideration of the individual sensitivity of each object. It occurs when developers rely on clients to perform data filtering before displaying the information to the user.
APIs usually do not impose restrictions on the number or size of resources a client or user is allowed to request. However, this issue can impact the performance of the API server and result in Denial of Service (DoS). Additionally, it can create authentication flaws that enable brute force attacks.
Authorization flaws enable attackers to gain unauthorized access to the resources of legitimate users or obtain administrative privileges. It can occur as a result of overly complex access control policies based on different hierarchies, roles, groups, and unclear separation between regular and administrative functions.
Mass assignment is usually a result of improperly binding data provided by clients, like JSON, to data models. It occurs when binding happens without using properties filtering based on an allowlist. It enables attackers to guess object properties, read the documentation, explore other API endpoints, or provide additional object properties to request payloads.
Security misconfiguration usually occurs due to:
Injection flaws like command injection, SQL, and NoSQL injection occur when a query or command sends untrusted data to an interpreter. It is typically malicious data that attempts to trick the interpreter into providing unauthorized access to data or executing unintended commands.
APIs usually expose more endpoints than traditional web applications. This nature of APIs means proper and updated documentation becomes critical to security. Additionally, proper hosts and deployed API versions inventory can help mitigate issues related to exposed debug endpoints and deprecated API versions.
Insufficient logging and monitoring enable threat actors to escalate their attacks, especially when there is ineffective or no integration with incident response. It allows malicious actors to maintain persistence and pivot to other systems where they extract, destroy, or tamper with data.
Learn more in the detailed guide to OWASP
Application Security Testing (AST) is the process of making applications more resilient to security threats by identifying and remediating security vulnerabilities.
Originally, AST was a manual process. In modern, high-velocity development processes, AST must be automated. The increased modularity of enterprise software, numerous open source components, and a large number of known vulnerabilities and threat vectors all make automation essential. Most organizations use a combination of application security tools to conduct AST.
Key considerations before testing applications
Here are key considerations before you can properly test applications for security vulnerabilities:
You must determine the following parameters before you can successfully test applications for security vulnerabilities:
Learn more in the detailed guide to:
Application Security Testing (AST) and API Security Testing are both critical components of a comprehensive security strategy, but they focus on different aspects of the software ecosystem.
Application Security Testing is broader and encompasses the security of entire applications, including web, mobile, and desktop applications. It targets vulnerabilities that could be exploited by attackers to gain unauthorized access, manipulate data, or disrupt services. AST covers various areas, such as code vulnerabilities, misconfigurations, and runtime behaviors.
API Security Testing is more specialized and focuses on securing APIs. APIs can be particularly vulnerable because they expose endpoints that can be targeted by attackers. API security testing typically checks for issues like improper authentication, lack of encryption, excessive data exposure, and rate limiting. It ensures that the APIs only allow legitimate interactions and protect against common API-specific threats, such as injection attacks and broken access controls.
Learn more in the detailed guide to API security testing
There are three main types of application security tests:
In a black box test, the testing system does not have access to the internals of the tested system. This is the perspective of an outside attacker. A testing tool or human tester must perform reconnaissance to identify systems being tested and discover vulnerabilities. Black box testing is highly valuable but is insufficient, because it cannot test underlying security weaknesses of applications.
Learn more in the detailed guide to black box testing
In a white box test, the testing system has full access to the internals of the tested application. A classic example is static code analysis, in which a testing tool has direct access to the source code of the application. White box testing can identify business logic vulnerabilities, code quality issues, security misconfigurations, and insecure coding practices. White-box testing can also include dynamic testing, which leverages fuzzing techniques to exercise different paths in the application and discover unexpected vulnerabilities. The drawback of the white-box approach is that not all these vulnerabilities will really be exploitable in production environments.
Learn more in the detailed guide to white box testing
In a gray-box test, the testing system has access to limited information about the internals of the tested application. For example, the tester might be provided login credentials so they can test the application from the perspective of a signed-in user. Gray box testing can help understand what level of access privileged users have, and the level of damage they could do if an account was compromised. Gray box tests can simulate insider threats or attackers who have already breached the network perimeter. Gray box testing is considered highly efficient, striking a balance between the black box and white box approaches.
Learn more in the detailed guide to gray box testing
A WAF monitors and filters HTTP traffic that passess between a web application and the Internet. WAF technology does not cover all threats but can work alongside a suite of security tools to create a holistic defense against various attack vectors.
In the open systems interconnection (OSI) model, WAF serves as a protocol layer seven defense that helps protect web applications against attacks like cross-site-scripting (XSS), cross-site forgery, SQL injection, and file inclusion.
Unlike a proxy server that protects the identity of client machines through an intermediary, a WAF works like a reverse proxy that protects the server from exposure. The WAF serves as a shield that stands in front of a web application and protects it from the Internet—clients pass through the WAF before they can reach the server.
RASP technology can analyze user behavior and application traffic at runtime. It aims to help detect and prevent cyber threats by achieving visibility into application source code and analyzing vulnerabilities and weaknesses.
RASP tools can identify security weaknesses that have already been exploited, terminate these sessions, and issue alerts to provide active protection.
Vulnerability management is a critical aspect of application security. It involves identifying, classifying, prioritizing, and mitigating software vulnerabilities. Vulnerability management tools scan your applications for known vulnerabilities, such as those listed in the Common Vulnerabilities and Exposures (CVE) database.
Once identified, these vulnerabilities are classified based on their severity. The next step is to prioritize the vulnerabilities that need to be addressed first. This priority list helps organizations focus their efforts on the most critical security issues. Finally, the vulnerabilities are mitigated, often through patch management procedures.
A Software Bill of Materials (SBOM) is a comprehensive list of components in a piece of software. It provides transparency into an application’s composition, making it easier to track and manage any vulnerabilities. An SBOM can include details about the open-source and proprietary components, libraries, and modules used in the software.
With an SBOM, organizations can quickly identify any components with known vulnerabilities. It helps streamline the process of vulnerability management and ensures a swift response when a security flaw is discovered. SBOM is becoming increasingly important, especially with the rise of open-source software and the associated security risks.
SCA tools create an inventory of third-party open source and commercial components used within software products. It helps learn which components and versions are actively used and identify severe security vulnerabilities affecting these components.
Organizations use SCA tools to find third-party components that may contain security vulnerabilities.
SAST tools assist white box testers in inspecting the inner workings of applications. It involves inspecting static source code and reporting on identified security weaknesses.
SAST can help find issues, such as syntax errors, input validation issues, invalid or insecure references, or math errors in non-compiled code. You can use binary and byte-code analyzers to apply SAST to compiled code.
DAST tools assist black box testers in executing code and inspecting it at runtime. It helps detect issues that possibly represent security vulnerabilities. Organizations use DAST to conduct large-scale scans that simulate multiple malicious or unexpected test cases. These tests provide reports on the application’s response.
DAST can help identify issues such as query strings, the use of scripts, requests and responses, memory leakage, authentication, cookie and session handling, execution of third-party components, DOM injection, and data injection.
IAST tools employ SAST and DAST techniques and tools to detect a wider range of security issues. These tools run dynamically to inspect software during runtime. It occurs from within the application server to inspect the compiled source code.
IAST tools can help make remediation easier by providing information about the root cause of vulnerabilities and identifying specific lines of affected code. These tools can analyze data flow, source code, configuration, and third-party libraries. You can also use IAST tools for API testing.
MAST tools employ various techniques to test the security of mobile applications. It involves using static and dynamic analysis and investigating forensic data collected by mobile applications.
Organizations use MAST tools to check security vulnerabilities and mobile-specific issues, such as jailbreaking, data leakage from mobile devices, and malicious WiFi networks.
A cloud native application protection platform (CNAPP) provides a centralized control panel for the tools required to protect cloud native applications. It unifies cloud workload protection platform (CWPP) and cloud security posture management (CSPM) with other capabilities.
CNAPP technology often incorporates identity entitlement management, API discovery and protection, and automation and orchestration security for container orchestration platforms like Kubernetes.
Here are several best practices that can help you practice application security more effectively.
Having a list of sensitive assets to protect can help you understand the threat your organization is facing and how to mitigate them. Consider what methods a hacker can use to compromise an application, whether existing security measures are in, and if you need additional tools or defensive measures.
It is also important to be realistic about your security expectations. Even with the highest level of protection, nothing is impossible to hack. You also need to be honest about what you think your team can sustain over the long term. If you push too hard, safety standards and practices can be ignored. Remember that safety is a long-term endeavor and you need the cooperation of other employees and your customers.
Companies are transitioning from annual product releases to monthly, weekly, or daily releases. To accommodate this change, security testing must be part of the development cycle, not added as an afterthought. This way, security testing doesn’t get in the way when you release your product.
A good first step before making these changes is to help security staff understand development processes and build relationships between security and development teams. Security staff need to learn the tools and processes used by developers, so that they can integrate security organically. When security is seamlessly integrated into the development process, developers are more likely to embrace it and build trust.
You also need to find a way to automate security testing for CI/CD pipelines. Integrating automated security tools into the CI/CD pipeline allows developers to quickly fix issues a short time after the relevant changes were introduced.
Learn more in the detailed guide to shift left testing
Vulnerabilities are growing, and developers find it difficult to address remediation for all issues. Given the scale of the task at hand, prioritization is critical for teams that want to keep applications safe.
Effective prioritization requires performing a threat assessment based on the severity of the vulnerability—using CVSS ratings and other criteria, such as the operational importance of the affected application. When it comes to open source vulnerabilities, you need to know whether proprietary code is actually using the vulnerable feature of open source components. If the function of the vulnerable component is never invoked by your product, then its CVSS rating is significant, but there is no impact and no risk.
It is important to measure and report the success of your application security program. Identify the metrics that are most important to your key decision makers and present them in an easy-to-understand and actionable way to get buy-in for your program.
Giving executives too many metrics at an early stage can be overwhelming and frankly unnecessary. The main goal is to indicate how the application security program is compliant with internal policies and show the impact in terms of reduction of vulnerabilities and risks and increased application resilience.
It is important to limit privileges, especially for mission critical and sensitive systems. Application security best practices limit access to applications and data to those who need them, when they need them—this is known as the least privilege principle. Least privilege is critical for two reasons:
Imperva provides comprehensive protection for applications, APIs, and microservices:
Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your applications.
Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.
API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.
Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.
DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.
Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.
Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, prevent data breaches, and client-side attacks.
Authored by Imperva