Application Security

Published: January 3, 2013
Application security
Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application. Applications only control the use of resources granted to them, not which resources are granted to them. They, in turn, determine how users of the application may use those resources, and this is what application security governs. The Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC) publish updates on the latest threats that affect web-based applications. This helps developers, security testers and architects focus on better design and mitigation strategies. The OWASP Top 10 has become an industry norm for assessing web applications.
-------------------------------------------------

Methodology
According to the patterns & practices Improving Web Application Security book, a principle-based approach to application security includes:[1]
* Knowing your threats.
* Securing the network, host and application.
* Incorporating security into your software development process.
Note that this approach is technology and platform independent. It is focused on principles, patterns, and practices.
-------------------------------------------------

Threats, Attacks, Vulnerabilities, and Countermeasures
According to the patterns & practices Improving Web Application Security book, the following terms are relevant to application security:[1]
* Asset. A resource of value such as the data in a database or on the file system, or a system resource.
* Threat. A negative effect.
* Vulnerability. A weakness that makes a threat possible.
* Attack (or exploit). An action taken to harm an asset.
* Countermeasure. A safeguard that addresses a threat and mitigates risk.
-------------------------------------------------

Application Threats / Attacks
According to the patterns & practices Improving Web Application Security book, the following are classes of common application security threats / attacks:[1]

| Category | Threats / Attacks |
|---|---|
| Input Validation | Buffer overflow; cross-site scripting; SQL injection; canonicalization |
| Authentication | Network eavesdropping; brute force attack; dictionary attacks; cookie replay; credential theft |
| Authorization | Elevation of privilege; disclosure of confidential data; data tampering; luring attacks |
| Configuration management | Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts |
| Sensitive information | Access to sensitive data in storage; network eavesdropping; data tampering |
| Session management | Session hijacking; session replay; man in the middle |
| Cryptography | Poor key generation or key management; weak or custom encryption |
| Parameter manipulation | Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation |
| Exception management | Information disclosure; denial of service |
| Auditing and logging | User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks |

-------------------------------------------------

Security testing for applications
Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle. Vulnerability scanners, and more specifically...
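The Input Validation row of the table above lists SQL injection and canonicalization as threats, and the section on security testing argues for catching such flaws during development rather than at the end. The following added example (not code from the book or from the original article) shows both ideas together: a vulnerable query built by string concatenation next to its parameterized countermeasure, and a path-canonicalization check, each written as plain functions so that a unit test can exercise them in the normal build. The in-memory SQLite table, the user names, and the `/srv/app/files` root directory are all constructed for the example.

```python
import os
import sqlite3


def build_db():
    # Constructed sample data: an in-memory table standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable form: untrusted input is pasted into the statement text, so a
    # quote character in the input changes the structure of the SQL itself.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Countermeasure: a parameterized query. The driver binds the value
    # separately from the statement, so the input is always data, never SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def unsafe_query_breaks_on(name):
    # Returns True when the concatenating version fails on a perfectly
    # legitimate name; this is the same defect an injection would exploit.
    try:
        find_user_unsafe(build_db(), name)
        return False
    except sqlite3.Error:
        return True


FILES_ROOT = "/srv/app/files"  # assumed directory the application is allowed to serve


def resolve_under_root(root, user_path):
    # Countermeasure for canonicalization attacks: resolve the full path first,
    # then compare the canonical result (not the raw string) with the root.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError(f"path escapes {root_real}: {user_path!r}")
    return target


def path_is_allowed(root, user_path):
    # Boolean wrapper so a test can assert on the decision directly.
    try:
        resolve_under_root(root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("unsafe query breaks on O'Brien:", unsafe_query_breaks_on("O'Brien"))
    print("safe query:", find_user_safe(build_db(), "O'Brien"))
    for p in ("reports/q1.txt", "../../etc/passwd", "/etc/passwd"):
        print(p, "->", "allowed" if path_is_allowed(FILES_ROOT, p) else "rejected")
```

The name `O'Brien` is enough to show the defect without any attack payload: the concatenating version raises a SQL syntax error because the apostrophe ends the string literal early, while the parameterized version returns the row. The path check deliberately resolves `..` segments and absolute paths before comparing, because a check on the raw string is exactly what a canonicalization attack bypasses.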