Article Id: WHEBN0002571015
Title: Application security  
Author: World Heritage Encyclopedia
Language: English
Subject: Computer security, Information security, Hacker (computer security), Computer accessibility, Operating system security
Collection: Computer Security
Publisher: World Heritage Encyclopedia

Application security

Application security encompasses measures taken throughout the code's life cycle to prevent vulnerabilities, that is, gaps in the security policy of an application or the underlying system, introduced through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Applications only control the kind of resources granted to them, and not which resources are granted to them. They, in turn, determine the use of these resources by users of the application through application security.

Contents

  • Methodology
  • Threats, attacks, vulnerabilities, and countermeasures
  • Application threats / attacks
  • Mobile application security
  • Security testing for applications
  • Security certifications
  • Security standards and regulations
  • References
  • External links

Methodology

According to the patterns & practices Improving Web Application Security book, a principle-based approach for application security includes:[1]

Note that this approach is technology- and platform-independent: it is focused on principles, patterns, and practices.

Threats, attacks, vulnerabilities, and countermeasures

According to the patterns & practices Improving Web Application Security book, the following terms are relevant to application security:[1]

  • Asset. A resource of value such as the data in a database or on the file system, or a system resource.
  • Threat. Anything that can exploit a vulnerability and obtain, damage, or destroy an asset.
  • Vulnerability. A weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.
  • Attack (or exploit). An action taken to harm an asset.
  • Countermeasure. A safeguard that addresses a threat and mitigates risk.

Application threats / attacks

According to the patterns & practices Improving Web Application Security book, the following are classes of common application security threats and attacks, grouped by category:[1]

  • Input validation: buffer overflow; cross-site scripting; SQL injection; canonicalization
  • Software tampering: attacker modifies an existing application's runtime behavior to perform unauthorized actions; exploited via binary patching, code substitution, or code extension
  • Authentication: network eavesdropping; brute force attack; dictionary attacks; cookie replay; credential theft
  • Authorization: elevation of privilege; disclosure of confidential data; data tampering; luring attacks
  • Configuration management: unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear-text configuration data; lack of individual accountability; over-privileged process and service accounts
  • Sensitive information: access to sensitive code or data in storage; network eavesdropping; code/data tampering
  • Session management: session hijacking; session replay; man in the middle
  • Cryptography: poor key generation or key management; weak or custom encryption
  • Parameter manipulation: query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
  • Exception management: information disclosure; denial of service
  • Auditing and logging: user denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks
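As an added illustration of the canonicalization entry in the input-validation category (example code written for this page, not from the article or the cited book), the following Python shows a naive path join beside a check that canonicalizes a request path and accepts it only if it stays inside the base directory. The function names and the /srv/app/static base directory are assumptions.

```python
import os
from urllib.parse import unquote

# Hypothetical names chosen for this example; the base directory is made up.
BASE_DIR = "/srv/app/static"


def naive_resolve(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: join the request path onto the base directory
    without checking where the result ends up, so "../" walks out of it."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_under_base(base_dir: str, user_path: str):
    """Canonicalize user_path relative to base_dir and return the absolute
    path only if it stays inside base_dir; otherwise return None."""
    # Canonicalize the base itself so symlinks in it do not confuse the check.
    base = os.path.realpath(base_dir)

    # Decode percent-encoding until it stops changing, so double-encoded
    # sequences such as "%252e%252e" ("%2e%2e", then "..") are seen as they are.
    decoded = user_path
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once

    # NUL bytes and backslashes are classic canonicalization tricks; refuse them.
    if "\x00" in decoded or "\\" in decoded:
        return None

    # Treat the request as relative to the base, then collapse ".", ".." and
    # symlinks by canonicalizing the joined path.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))

    # Compare against "base + separator": a plain prefix test would accept a
    # sibling directory such as "/srv/app/static-old".
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, three attempts to escape.
    for req in ("css/site.css", "../../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "css/site.css%00.png"):
        print(f"{req!r:32} naive={naive_resolve(BASE_DIR, req)!r:36} "
              f"checked={resolve_under_base(BASE_DIR, req)!r}")
```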

Mobile application security

The proportion of mobile devices providing open platform functionality is expected to continue to increase in the future. The openness of these platforms offers significant opportunities to all parts of the mobile ecosystem by delivering flexible program and service delivery options that may be installed, removed or refreshed multiple times in line with the user's needs and requirements. However, with openness comes responsibility: unrestricted access to mobile resources and APIs by applications of unknown or untrusted origin could result in damage to the user, the device, the network or all of these if not managed by suitable security architectures and network precautions. Application security is provided in some form on most open-OS mobile devices (Symbian OS,[2] Microsoft, BREW, etc.). Industry groups, including the GSM Association and the Open Mobile Terminal Platform (OMTP), have also created recommendations.[3]

There are several strategies to enhance mobile application security, including:

  • Application white listing
  • Ensuring transport layer security
  • Strong authentication and authorization
  • Encryption of data when written to memory
  • Sandboxing of applications
  • Granting application access on a per-API level
  • Processes tied to a user ID
  • Predefined interactions between the mobile application and the OS
  • Requiring user input for privileged/elevated access
  • Proper session handling

Security testing for applications

Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle.

Two main classes of tool are used: penetration testing tools (often categorized as black box testing tools) and static code analysis tools (often categorized as white box testing tools).

According to Gartner Research,[4] "...next-generation modern Web and mobile applications requires a combination of SAST and DAST techniques, and new interactive application security testing (IAST) approaches have emerged that combine static and dynamic techniques to improve testing...". Because IAST combines SAST and DAST techniques, the results are highly actionable, can be linked to the specific line of code, and can be recorded for replay later for developers.

Banking and large OWASP taxonomy for software coding errors. White box testing vendors have recently introduced dynamic versions of their source code analysis methods, which operate on deployed applications. Given that the white box testing tools now have dynamic versions similar to the black box testing tools, results from both can be correlated within the same software error detection paradigm, giving the client company fuller application protection.

The advances in professional malware and that any data coming from their infected host may be tainted. Therefore, application security has begun to manifest more advanced anti-fraud and heuristic detection systems in the back-office, rather than within the client-side or Web server code.[5]

Security certifications

There are a number of certifications available for security professionals to demonstrate their knowledge in the subject matter (e.g. Certified Information Systems Security Professional, Certified Information Security Manager, etc.); however, the usefulness of security certifications, and of certifications in general, typically receives mixed reviews from experienced professionals.

Security standards and regulations

  • IEEE P1074
  • ISO/IEC 7064:2003 Information technology -- Security techniques -- Check character systems
  • ISO/IEC 9796-2:2002 Information technology -- Security techniques -- Digital signature schemes giving message recovery -- Part 2: Integer factorization based mechanisms
  • ISO/IEC 9796-3:2006 Information technology -- Security techniques -- Digital signature schemes giving message recovery -- Part 3: Discrete logarithm based mechanisms
  • ISO/IEC 9797-1:1999 Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 1: Mechanisms using a block cipher
  • ISO/IEC 9797-2:2002 Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 2: Mechanisms using a dedicated hash-function
  • ISO/IEC 9798-1:1997 Information technology -- Security techniques -- Entity authentication -- Part 1: General
  • ISO/IEC 9798-2:1999 Information technology -- Security techniques -- Entity authentication -- Part 2: Mechanisms using symmetric encipherment algorithms
  • ISO/IEC 9798-3:1998 Information technology -- Security techniques -- Entity authentication -- Part 3: Mechanisms using digital signature techniques
  • ISO/IEC 9798-4:1999 Information technology -- Security techniques -- Entity authentication -- Part 4: Mechanisms using a cryptographic check function
  • ISO/IEC 9798-5:2004 Information technology -- Security techniques -- Entity authentication -- Part 5: Mechanisms using zero-knowledge techniques
  • ISO/IEC 9798-6:2005 Information technology -- Security techniques -- Entity authentication -- Part 6: Mechanisms using manual data transfer
  • ISO/IEC 14888-1:1998 Information technology -- Security techniques -- Digital signatures with appendix -- Part 1: General
  • ISO/IEC 14888-2:1999 Information technology -- Security techniques -- Digital signatures with appendix -- Part 2: Identity-based mechanisms
  • ISO/IEC 14888-3:2006 Information technology -- Security techniques -- Digital signatures with appendix -- Part 3: Discrete logarithm based mechanisms
  • ISO/IEC 27002:2005 Information technology -- Security techniques -- Code of practice for information security management
  • ISO/IEC 24762:2008 Information technology -- Security techniques -- Guidelines for information and communications technology disaster recovery services - now withdrawn.
  • ISO/IEC 27006:2007 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
  • ISO/IEC 27031:2011 Information technology -- Security techniques -- Guidelines for ICT readiness for Business Continuity
  • ISO/IEC 27034-1:2011 Information technology -- Security techniques -- Application security -- Part 1: Overview and concepts
  • ISO/IEC TR 24772:2013 Information technology -- Programming languages -- Guidance to avoiding vulnerabilities in programming languages through language selection and use
  • PCI Data Security Standard (PCI DSS)

References

  1. Improving Web Application Security: Threats and Countermeasures, published by Microsoft Corporation.
  2. "Platform Security Concepts", Simon Higginson.
  3. Application Security Framework, Open Mobile Terminal Platform.
  4. Gartner Research, http://www.gartner.com/technology/reprints.do?id=1-1GT3BKT&ct=130702&st=sb&mkt_tok=3RkMMJWWfF9wsRokvazAZKXonjHpfsX76%252B4qX6WylMI%252F0ER3fOvrPUfGjI4CTsRmI%252BSLDwEYGJlv6SgFTbnFMbprzbgPUhA%253D
  5. "Continuing Business with Malware Infected Customers". Gunter Ollmann. October 2008.

External links

  • The Web Application Security Consortium
  • The Microsoft Security Development Lifecycle (SDL)
  • patterns & practices Security Guidance for Applications
  • Advantages of an integrated security solution for HTML and XML
  • patterns & practices Application Security Methodology
  • Understanding the Windows Mobile Security Model, Windows Mobile Security
  • Network Security Testing
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply.