WP What is Application Security | Types, Tools & Best Practices | Imperva

Application Security: The Complete Guide

112.6k views
Web and Application Security

What is Application Security?

Application security aims to protect software application code and data against cyber threats. You can and should apply application security during all phases of development, including design, development, and deployment.

Here are several ways to promote application security throughout the software development lifecycle (SDLC):

  • Introduce security standards and tools during design and application development phases. For example, include vulnerability scanning during early development.
  • Implement security procedures and systems to protect applications in production environments. For example, perform continuous security testing.
  • Implement strong authentication for applications that contain sensitive data or are mission critical.
  • Use security systems such as firewalls, web application firewalls (WAF), and intrusion prevention systems (IPS).

What Types of Applications Does a Modern Organization Need to Secure?

Web Application Security

A web application is software that runs on a web server and is accessible via the Internet. The client runs in a web browser. By nature, applications must accept connections from clients over insecure networks. This exposes them to a range of vulnerabilities. Many web applications are business critical and contain sensitive customer data, making them a valuable target for attackers and a high priority for any cyber security program.

The evolution of the Internet has addressed some web application vulnerabilities – such as the introduction of HTTPS, which creates an encrypted communication channel that protects against man in the middle (MitM) attacks. However, many vulnerabilities remain. The most severe and common vulnerabilities are documented by the Open Web Application Security Project (OWASP), in the form of the OWASP Top 10.

Due to the growing problem of web application security, many security vendors have introduced solutions especially designed to secure web applications. Examples include the web application firewall (WAF), a security tool designed to detect and block application-layer attacks.

Learn more in our detailed guide to website security

API Security

Application Programming Interfaces (API) are growing in importance. They are the basis of modern microservices applications, and an entire API economy has emerged, which allows organizations to share data and access software functionality created by others. This means API security is critical for modern organizations.

APIs that suffer from security vulnerabilities are the cause of major data breaches. They can expose sensitive data and result in disruption of critical business operations. Common security weaknesses of APIs are weak authentication, unwanted exposure of data, and failure to perform rate limiting, which enables API abuse.

Like web application security, the need for API security has led to the development of specialized tools that can identify vulnerabilities in APIs and secure APIs in production.

Learn more in the detailed guide to API Security

Cloud Native Application Security

Cloud native applications are applications built in a microservices architecture using technologies like virtual machines, containers, and serverless platforms. Cloud native security is a complex challenge, because cloud native applications have a large number of moving parts and components tend to be ephemeral—frequently torn down and replaced by others. This makes it difficult to gain visibility over a cloud native environment and ensure all components are secure.

In cloud native applications, infrastructure and environments are typically set up automatically based on declarative configuration—this is called infrastructure as code (IaC). Developers are responsible for building declarative configurations and application code, and both should be subject to security considerations. Shifting left is much more important in cloud native environments, because almost everything is determined at the development stage.

Cloud native applications can benefit from traditional testing tools, but these tools are not enough. Dedicated cloud native security tools are needed, able to instrument containers, container clusters, and serverless functions, report on security issues, and provide a fast feedback loop for developers.

Another important aspect of cloud native security is automated scanning of all artifacts, at all stages of the development lifecycle. Most importantly, organizations must scan container images at all stages of the development process.

Learn more in the detailed guides to:

Operating System (OS) Security

Operating system security focuses on securing the underlying systems that support applications, including servers, desktops, and mobile devices. Because the OS is foundational to all applications, vulnerabilities at this level can lead to severe security incidents.

OS security measures include implementing access controls to prevent unauthorized access, regular patching to address known vulnerabilities, and system hardening, which involves disabling unused services and ports to minimize the attack surface. Organizations also commonly use anti-malware tools to protect against viruses and other malicious code.

In addition, logging and monitoring are essential for tracking suspicious activities on the OS. Security teams can use centralized logging tools to identify and respond to threats in real time.

Operating systems must be regularly updated and carefully configured to ensure the security of the applications and data they support.

Learn more in the detailed guide to OS security

Application Security Risks

Web Application Security Risks: OWASP Top 10

Software applications can be affected by numerous threats. The Open Web Application Security Project (OWASP) Top 10 list includes critical application threats that are most likely to affect applications in production.

Broken Access Control

Broken access control allows threats and users to gain unauthorized access and privileges. Here are the most common issues:

  • It enables attackers to gain unauthorized access to user accounts and act as administrators or regular users.
  • It provides users with unauthorized privileged functions.

You can remediate this issue by implementing strong access mechanisms that ensure each role is clearly defined with isolated privileges.

Cryptographic Failures

Cryptographic failures (previously referred to as “sensitive data exposure”) occur when data is not properly protected in transit and at rest. It can expose passwords, health records, credit card numbers, and personal data.

This application security risk can lead to non-compliance with data privacy regulations, such as the EU General Data Protection Regulation (GDPR), and financial standards like PCI Data Security Standards (PCI DSS).

Injection (Including XSS, LFI, and SQL Injection)

Injection vulnerabilities enable threat actors to send malicious data to a web application interpreter. It can cause this data to be compiled and executed on the server. SQL injection is a common form of injection.

Learn more in the detailed guides to:

Insecure Design

Insecure design covers many application weaknesses that occur due to ineffective or missing security controls. Applications that do not have basic security controls capable of against critical threats. While you can fix implementation flaws in applications with secure design, it is not possible to fix insecure design with proper configuration or remediation.

Security Misconfiguration (Including XXE)

Security misconfigurations occur due to a lack of security hardening across the application stack. Here are common security misconfigurations:

  • Improperly configuring cloud service permissions
  • Leaving unrequired features enabled or installed
  • Using default passwords or admin accounts
  • XML External Entities (XXE) vulnerabilities

Learn more in the detailed guide to XML External Entities (XXE)

Vulnerable and Outdated Components

Vulnerable and outdated components (previously referred to as “using components with known vulnerabilities”) include any vulnerability resulting from outdated or unsupported software. It can occur when you build or use an application without prior knowledge of its internal components and versions.

Identification and Authentication Failures

Identification and authentication failures (previously referred to as “broken authentication”) include any security problem related to user identities. You can protect against identity attacks and exploits by establishing secure session management and setting up authentication and verification for all identities.

Software and Data Integrity Failures

Software and data integrity failures occur when infrastructure and code are vulnerable to integrity violations. It can occur during software updates, sensitive data modification, and any CI/CD pipeline changes that are not validated. Insecure CI/CD pipelines can result in unauthorized access and lead to supply chain attacks.

Security Logging and Monitoring Failures

Security logging and monitoring failures (previously referred to as “insufficient logging and monitoring”) occur when application weaknesses cannot properly detect and respond to security risks. Logging and monitoring are critical to the detection of breaches. When these mechanisms do not work, it hinders the application’s visibility and compromises alerting and forensics.

Server Side Request Forgery

Server-side request forgery (SSRF) vulnerabilities occur when a web application does not validate a URL inputted by a user before pulling data from a remote resource. It can affect firewall-protected servers and any network access control list (ACL) that does not validate URLs.

Learn more in the detailed guide to SSRF

Learn about additional cyber threats in our guide to cyber attacks

API Security Risks: OWASP Top 10

APIs enable communication between different pieces of software. Applications with APIs allow external clients to request services from the application. APIs are exposed to various threats and vulnerabilities. The OWASP compiled a list prioritizing the top 10 API security risks.

Broken Object Level Authorization

APIs often expose endpoints handling object identifiers. It creates a wider attack surface Level Access Control issue. Instead, you should check object level authorization in every function that can access a data source through user inputs.

Broken User Authentication

Incorrectly implemented authentication mechanisms can grant unauthorized access to malicious actors. It enables attackers to exploit an implementation flaw or compromise authentication tokens. Once it occurs, attackers can assume a legitimate user identity permanently or temporarily. As a result, the system’s ability to identify a client or user is compromised, which threatens the overall API security of the application.

Excessive Data Exposure

Generic implementations often lead to exposure of all object properties without consideration of the individual sensitivity of each object. It occurs when developers rely on clients to perform data filtering before displaying the information to the user.

Lack of Resources & Rate Limiting

APIs usually do not impose restrictions on the number or size of resources a client or user is allowed to request. However, this issue can impact the performance of the API server and result in Denial of Service (DoS). Additionally, it can create authentication flaws that enable brute force attacks.

Broken Function Level Authorization

Authorization flaws enable attackers to gain unauthorized access to the resources of legitimate users or obtain administrative privileges. It can occur as a result of overly complex access control policies based on different hierarchies, roles, groups, and unclear separation between regular and administrative functions.

Mass Assignment

Mass assignment is usually a result of improperly binding data provided by clients, like JSON, to data models. It occurs when binding happens without using properties filtering based on an allowlist. It enables attackers to guess object properties, read the documentation, explore other API endpoints, or provide additional object properties to request payloads.

Security Misconfiguration

Security misconfiguration usually occurs due to:

  • Insecure default configurations
  • Open cloud storage
  • Ad-hoc or incomplete configurations
  • Misconfigured HTTP headers
  • Permissive cross-origin resource sharing (CORS)
  • Unnecessary HTTP methods
  • Verbose error messages that contain sensitive information

Injection

Injection flaws like command injection, SQL, and NoSQL injection occur when a query or command sends untrusted data to an interpreter. It is typically malicious data that attempts to trick the interpreter into providing unauthorized access to data or executing unintended commands.

Improper Assets Management

APIs usually expose more endpoints than traditional web applications. This nature of APIs means proper and updated documentation becomes critical to security. Additionally, proper hosts and deployed API versions inventory can help mitigate issues related to exposed debug endpoints and deprecated API versions.

Insufficient Logging & Monitoring

Insufficient logging and monitoring enable threat actors to escalate their attacks, especially when there is ineffective or no integration with incident response. It allows malicious actors to maintain persistence and pivot to other systems where they extract, destroy, or tamper with data.

Learn more in the detailed guide to OWASP

What is Application Security Testing?

Application Security Testing (AST) is the process of making applications more resilient to security threats by identifying and remediating security vulnerabilities.

Originally, AST was a manual process. In modern, high-velocity development processes, AST must be automated. The increased modularity of enterprise software, numerous open source components, and a large number of known vulnerabilities and threat vectors all make automation essential. Most organizations use a combination of application security tools to conduct AST.

Key considerations before testing applications

Here are key considerations before you can properly test applications for security vulnerabilities:

  • Create a complete inventory of your applications.
  • Understand the business use, impact and sensitivity of your applications.
  • Determine which applications to test—start from public-facing systems like web and mobile applications.

How to test

You must determine the following parameters before you can successfully test applications for security vulnerabilities:

  • Authenticated vs. non-authenticated testing—you can test applications from an outsider’s perspective (a black box approach). However, there is a lot of value in performing authenticated testing, to discover security issues that affect authenticated users. This can help uncover vulnerabilities like SQL injection and session manipulation.
  • Which tools to use—testing should ideally involve tools that can identify vulnerabilities in source code, tools that can test applications for security weaknesses at runtime, and network vulnerability scanners.
  • Testing production vs. staging—testing in production is important because it can identify security issues that are currently threatening the organization and its customers. However, production testing can have a performance impact. Testing in staging is easier to achieve and allows faster remediation of vulnerabilities.
  • Whether to disable security systems while testing—for most security tests, it is a good idea to disable firewalls, web application firewalls (WAF), and intrusion prevention systems (IPS), or at least whitelist the IPs of testing tools, otherwise tools can interfere with scanning. However, in a full penetration test, tools should be left on and the goal is to scan applications while avoiding detection.
  • When to test—it is typically advisable to perform security testing during off periods to avoid an impact on performance and reliability of production applications.
  • What to report—many security tools provide highly detailed reports relating to their specific testing domain, and these reports are not consumable by non-security experts. Security teams should extract the most relevant insights from automated reports and present them in a meaningful way to stakeholders.
  • Validation testing—a critical part of security testing is to validate that remediations were done successfully. It is not enough for a developer to say the remediation is fixed. You must rerun the test and ensure that the vulnerability no longer exists, or otherwise give feedback to developers.

Learn more in the detailed guide to:

Application Security Testing vs. API Security Testing

Application Security Testing (AST) and API Security Testing are both critical components of a comprehensive security strategy, but they focus on different aspects of the software ecosystem.

Application Security Testing is broader and encompasses the security of entire applications, including web, mobile, and desktop applications. It targets vulnerabilities that could be exploited by attackers to gain unauthorized access, manipulate data, or disrupt services. AST covers various areas, such as code vulnerabilities, misconfigurations, and runtime behaviors.

API Security Testing is more specialized and focuses on securing APIs. APIs can be particularly vulnerable because they expose endpoints that can be targeted by attackers. API security testing typically checks for issues like improper authentication, lack of encryption, excessive data exposure, and rate limiting. It ensures that the APIs only allow legitimate interactions and protect against common API-specific threats, such as injection attacks and broken access controls.

Learn more in the detailed guide to API security testing

Types of Application Security Testing

There are three main types of application security tests:

Black Box Security Testing

In a black box test, the testing system does not have access to the internals of the tested system. This is the perspective of an outside attacker. A testing tool or human tester must perform reconnaissance to identify systems being tested and discover vulnerabilities. Black box testing is highly valuable but is insufficient, because it cannot test underlying security weaknesses of applications.

Learn more in the detailed guide to black box testing

White Box Security Testing

In a white box test, the testing system has full access to the internals of the tested application. A classic example is static code analysis, in which a testing tool has direct access to the source code of the application. White box testing can identify business logic vulnerabilities, code quality issues, security misconfigurations, and insecure coding practices. White-box testing can also include dynamic testing, which leverages fuzzing techniques to exercise different paths in the application and discover unexpected vulnerabilities. The drawback of the white-box approach is that not all these vulnerabilities will really be exploitable in production environments.

Learn more in the detailed guide to white box testing

Gray Box Security Testing

In a gray-box test, the testing system has access to limited information about the internals of the tested application. For example, the tester might be provided login credentials so they can test the application from the perspective of a signed-in user. Gray box testing can help understand what level of access privileged users have, and the level of damage they could do if an account was compromised. Gray box tests can simulate insider threats or attackers who have already breached the network perimeter. Gray box testing is considered highly efficient, striking a balance between the black box and white box approaches.

Learn more in the detailed guide to gray box testing

Application Security Tools and Solutions

Web Application Firewall (WAF)

A WAF monitors and filters HTTP traffic that passess between a web application and the Internet. WAF technology does not cover all threats but can work alongside a suite of security tools to create a holistic defense against various attack vectors.

In the open systems interconnection (OSI) model, WAF serves as a protocol layer seven defense that helps protect web applications against attacks like cross-site-scripting (XSS), cross-site forgery, SQL injection, and file inclusion.

Unlike a proxy server that protects the identity of client machines through an intermediary, a WAF works like a reverse proxy that protects the server from exposure. The WAF serves as a shield that stands in front of a web application and protects it from the Internet—clients pass through the WAF before they can reach the server.

Learn more about Imperva Web Application Firewall

Runtime Application Self-Protection (RASP)

RASP technology can analyze user behavior and application traffic at runtime. It aims to help detect and prevent cyber threats by achieving visibility into application source code and analyzing vulnerabilities and weaknesses.

RASP tools can identify security weaknesses that have already been exploited, terminate these sessions, and issue alerts to provide active protection.

Learn more about Imperva Runtime Application Self-Protection

Vulnerability Management

Vulnerability management is a critical aspect of application security. It involves identifying, classifying, prioritizing, and mitigating software vulnerabilities. Vulnerability management tools scan your applications for known vulnerabilities, such as those listed in the Common Vulnerabilities and Exposures (CVE) database.

Once identified, these vulnerabilities are classified based on their severity. The next step is to prioritize the vulnerabilities that need to be addressed first. This priority list helps organizations focus their efforts on the most critical security issues. Finally, the vulnerabilities are mitigated, often through patch management procedures.

Learn more about vulnerability management

Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) is a comprehensive list of components in a piece of software. It provides transparency into an application’s composition, making it easier to track and manage any vulnerabilities. An SBOM can include details about the open-source and proprietary components, libraries, and modules used in the software.

With an SBOM, organizations can quickly identify any components with known vulnerabilities. It helps streamline the process of vulnerability management and ensures a swift response when a security flaw is discovered. SBOM is becoming increasingly important, especially with the rise of open-source software and the associated security risks.

Software Composition Analysis (SCA)

SCA tools create an inventory of third-party open source and commercial components used within software products. It helps learn which components and versions are actively used and identify severe security vulnerabilities affecting these components.

Organizations use SCA tools to find third-party components that may contain security vulnerabilities.

Learn more about Software Composition Analysis (SCA)

Static Application Security Testing (SAST)

SAST tools assist white box testers in inspecting the inner workings of applications. It involves inspecting static source code and reporting on identified security weaknesses.

SAST can help find issues, such as syntax errors, input validation issues, invalid or insecure references, or math errors in non-compiled code. You can use binary and byte-code analyzers to apply SAST to compiled code.

Dynamic Application Security Testing (DAST)

DAST tools assist black box testers in executing code and inspecting it at runtime. It helps detect issues that possibly represent security vulnerabilities. Organizations use DAST to conduct large-scale scans that simulate multiple malicious or unexpected test cases. These tests provide reports on the application’s response.

DAST can help identify issues such as query strings, the use of scripts, requests and responses, memory leakage, authentication, cookie and session handling, execution of third-party components, DOM injection, and data injection.

Interactive Application Security Testing (IAST)

IAST tools employ SAST and DAST techniques and tools to detect a wider range of security issues. These tools run dynamically to inspect software during runtime. It occurs from within the application server to inspect the compiled source code.

IAST tools can help make remediation easier by providing information about the root cause of vulnerabilities and identifying specific lines of affected code. These tools can analyze data flow, source code, configuration, and third-party libraries. You can also use IAST tools for API testing.

Mobile Application Security Testing (MAST)

MAST tools employ various techniques to test the security of mobile applications. It involves using static and dynamic analysis and investigating forensic data collected by mobile applications.

Organizations use MAST tools to check security vulnerabilities and mobile-specific issues, such as jailbreaking, data leakage from mobile devices, and malicious WiFi networks.

CNAPP

A cloud native application protection platform (CNAPP) provides a centralized control panel for the tools required to protect cloud native applications. It unifies cloud workload protection platform (CWPP) and cloud security posture management (CSPM) with other capabilities.

CNAPP technology often incorporates identity entitlement management, API discovery and protection, and automation and orchestration security for container orchestration platforms like Kubernetes.

Application Security Best Practices

Here are several best practices that can help you practice application security more effectively.

Perform a Threat Assessment

Having a list of sensitive assets to protect can help you understand the threat your organization is facing and how to mitigate them. Consider what methods a hacker can use to compromise an application, whether existing security measures are in, and if you need additional tools or defensive measures.

It is also important to be realistic about your security expectations. Even with the highest level of protection, nothing is impossible to hack. You also need to be honest about what you think your team can sustain over the long term. If you push too hard, safety standards and practices can be ignored. Remember that safety is a long-term endeavor and you need the cooperation of other employees and your customers.

Shift Security Left

Companies are transitioning from annual product releases to monthly, weekly, or daily releases. To accommodate this change, security testing must be part of the development cycle, not added as an afterthought. This way, security testing doesn’t get in the way when you release your product.

A good first step before making these changes is to help security staff understand development processes and build relationships between security and development teams. Security staff need to learn the tools and processes used by developers, so that they can integrate security organically. When security is seamlessly integrated into the development process, developers are more likely to embrace it and build trust.

You also need to find a way to automate security testing for CI/CD pipelines. Integrating automated security tools into the CI/CD pipeline allows developers to quickly fix issues a short time after the relevant changes were introduced.

Learn more in the detailed guide to shift left testing

Prioritize Your Remediation Ops

Vulnerabilities are growing, and developers find it difficult to address remediation for all issues. Given the scale of the task at hand, prioritization is critical for teams that want to keep applications safe.

Effective prioritization requires performing a threat assessment based on the severity of the vulnerability—using CVSS ratings and other criteria, such as the operational importance of the affected application. When it comes to open source vulnerabilities, you need to know whether proprietary code is actually using the vulnerable feature of open source components. If the function of the vulnerable component is never invoked by your product, then its CVSS rating is significant, but there is no impact and no risk.

Measure Application Security Results

It is important to measure and report the success of your application security program. Identify the metrics that are most important to your key decision makers and present them in an easy-to-understand and actionable way to get buy-in for your program.

Giving executives too many metrics at an early stage can be overwhelming and frankly unnecessary. The main goal is to indicate how the application security program is compliant with internal policies and show the impact in terms of reduction of vulnerabilities and risks and increased application resilience.

Manage Privileges

It is important to limit privileges, especially for mission critical and sensitive systems. Application security best practices limit access to applications and data to those who need them, when they need them—this is known as the least privilege principle. Least privilege is critical for two reasons:

  • Hackers might compromise less privileged accounts, and it is important to ensure that they cannot gain access to sensitive systems.
  • Insider threats are just as dangerous as external attackers. If insiders go bad, it is important to ensure that they never have more privileges than they should—limiting the damage they can do.

Application Security with Imperva

Imperva provides comprehensive protection for applications, APIs, and microservices:

Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your applications.

Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.

API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.

Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.

DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.

Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, prevent data breaches, and client-side attacks.

See Additional Guides on Key Application Security Topics

Website Security

Authored by Imperva

Cyber Attacks

Authored by Imperva

API Security Testing

Authored by Pynt

API Security 

Authored by Pynt

CSRF

Authored by Bright Security

LFI

Authored by Bright Security 

SSRF

Authored by Bright Security

XXE

Authored by Bright Security 

Vulnerability Management

Authored by Bright Security

OWASP

Authored by Bright Security

Additional Application Security Resources