Achieving Application Security Maturity
Application security, or appsec, is a fast-growing, advanced field of cybersecurity. It focuses on the unique business applications created by companies large and small. In today’s “software is eating the world” era, the code a company develops becomes one of its most critical business assets. Research and development departments across enterprises are introducing new applications and pushing updates to existing ones faster than ever, so securing them as early as possible in the development cycle becomes ever more important.
One of the main challenges in appsec today is the extreme proliferation and diversity of implementations. If you task two developers with building the same application in the same coding language, you’ll get two very different solutions, each with its own unique security problems. To succeed in writing secure software, a company must be able to map its software assets and test them properly, which requires its teams to be familiar with the hazards relevant to their technology.
In other areas of cybersecurity such as cloud, SaaS and common infrastructure security, much of the research done by vendors and the community is reusable and directly applicable to all users.
In appsec, however, a large portion of the vulnerabilities are specific to the custom code or to highly intricate custom configurations. In this way, almost every vulnerability detected in an application can be considered a zero-day vulnerability. To address this, the appsec community is constantly working on characterizing classes of vulnerabilities, such as those described in the OWASP Top Ten. One example is cross-site scripting. It is a purely technical class of vulnerabilities that stems from improper coding of web pages, and plays a major part in large cybercrime campaigns, such as the Magecart web skimming campaign.
Other vulnerability types do not stem from a technical problem but rather from a failure to recognize and enforce business logic. For example, a race condition attack abuses a time-of-check to time-of-use (TOCTOU) bug, a common software defect, to trick credit systems, from banks to digital wallets, into transferring more credit than the user has.
To meet the challenge, appsec vendors and communities are constantly working on better methodologies and tools to identify assets and vulnerabilities, and to detect and protect against application-level attacks.
A method that can help deal with large-scale development is automated application security testing (AST). The leading categories of AST tools are static application security testing (SAST), software composition analysis (SCA) and dynamic application security testing (DAST). SAST tools ingest custom code to identify vulnerabilities. SCA tools analyze the configuration and build recipes of applications to identify the use of vulnerable third-party modules. DAST tools identify vulnerabilities by sending simulated attack payloads to running applications. AST tools can help teams cover more applications, but they often yield false positives, which require triage by a professional appsec researcher.
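The TOCTOU race described above, as an added example that is not part of the original article: a constructed in-memory wallet whose balance check and debit are separate steps, beside a hardened version that performs both atomically. Concurrent withdrawals overdraw the first and are correctly limited by the second.

```python
import threading
import time


class RacyWallet:
    """Vulnerable: the balance check and the debit are separate steps, so
    requests that arrive together can all pass the check before any debits."""
    def __init__(self, balance):
        self.balance = balance

    def withdraw(self, amount):
        if self.balance >= amount:      # time of check
            time.sleep(0.05)            # stands in for a DB/network round trip
            self.balance -= amount      # time of use: the check is now stale
            return True
        return False


class SafeWallet:
    """Hardened: check and debit run atomically under one lock. In a real
    service the equivalent is a single DB transaction, e.g. a conditional
    UPDATE ... WHERE balance >= amount, or SELECT ... FOR UPDATE."""
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw(self, amount):
        with self._lock:
            if self.balance >= amount:
                time.sleep(0.05)
                self.balance -= amount
                return True
            return False


def concurrent_withdrawals(wallet, amount, n):
    """Release n withdrawal requests at the same instant and return
    (number of successful withdrawals, final balance)."""
    start = threading.Barrier(n)
    results = []

    def worker():
        start.wait()                    # all threads begin together
        results.append(wallet.withdraw(amount))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), wallet.balance
```

Calling `concurrent_withdrawals(RacyWallet(100), 100, 5)` reports several successes and a negative balance, while the same call on `SafeWallet(100)` returns `(1, 0)`.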
Another family of solutions focuses on detecting attacks and protecting against them by incorporating a component into the runtime environment. Solutions like web application and API protection (WAAP) and their predecessor, web application firewalls (WAF), examine live traffic to detect anomalies and attacker payloads and block them before they reach the protected applications. Bot mitigation solutions analyze active sessions to assess whether the client is human, to prevent scraping and spamming. These tools can offer good resilience against simple attacks, but they often require extensive attention from engineering teams for integration, configuration and maintenance.
Not unlike how automated systems cannot replace developers, AST tools and runtime detection/protection tools are limited in addressing vulnerabilities in business logic validation and in complex flows. Therefore, a major part of appsec is, and will be for the foreseeable future, the appsec team. Via a series of activities conducted throughout the development lifecycle, appsec teams help plan security mechanisms and test applications. The most common activities include application security penetration testing and threat modeling. These methods are regarded by many as critical for effective application security, but are also the most expensive element of appsec due to a shortage of professionals in this area, and budget limitations.
A mature appsec program will sustainably balance all these practices by having a clear view of what applications the organization is building and which applications are subject to which requirements. It will apply the most expensive resources where they matter and implement automated testing and protection that is suited to the specific technology and business it is protecting.
Reaching maturity in appsec is extremely challenging. It requires an intimate understanding of applications, their communication channels and their weaknesses, as well as familiarity with exploits and attack frameworks. This is especially true in the era of rapid software development: while infrastructure elements keep maturing, applications proliferate disruptively. As a security researcher, I continuously seek to learn and take inspiration from the broader appsec community. Social media is one of the most community-supporting and fun resources available; it is free to all and useful for hard-core appsec professionals, hobbyists and novice bounty hunters alike.
We have compiled a list of experts – hackers, analysts, bug bounty hunters and cybersleuths – who provide practical tips regarding techniques and tools, share knowledge on the most recent vulnerabilities, and do so in a way that sparks the unique kind of thinking required in the appsec field.