‘The attack surface has widened even with our dynamic application security in place. I even suspect false-positive errands,’ says the CISO.
‘It’s all zero-day attack vectors and increased application exposure. In fact, after POODLE CWE was made public, even average hackers have learned to exploit it,’ replies his colleague.
What’s wrong with this usual conversation between application security personnel? Nothing exactly, but it gets difficult for the management and everyone else to understand what exactly these people are trying to say.
Web application security has emerged as one of the most crucial and yet misunderstood security domains due to the technicalities attached to it by default.
However, one cannot shy away from the fact that web applications are and continue to be a major part of the security strategy. Given that 30, 000 websites are hacked every day, out of which 75% are compromised at the application layer, it’s about time that business gets acquainted with some of the buzz words in the industry.
Application vulnerability is a known or unknown weakness that hackers can use. Imagine a hole in the application that needs to be repaired and gives a chance to people that can get inside and access sensitive data. Insecure coding, unknown risks, updates, and business logic are considered as the top sources of application vulnerabilities.
Also consider reading: What is a Zero-Day Vulnerability?
When a hacker uses inherent application vulnerability to his advantage, it’s called an exploitation incidence. While finding vulnerability simply means that the coders need to patch it, exploitations are much more serious and indicate that people have accessed sensitive business data within the database at least once.
It’s simply every risk that can compromise a web application. Attack surface takes into account all the possible vulnerabilities, unauthorized use, and other exploitation risks in general. So if someone talks about reducing the attack surface, it usually means application security testing, attack prevention, and virtual patching.
Do you wish to read more on what vulnerabilities add to your application’s attack surface?
Although authentication is not necessarily an application-only buzzword, it is an integral part of the web application security. It’s basically a way of verifying an entry from the user through trusted mechanisms. Using authentication measures, the application ensures that the user is who it claims to be.
Types of authentication:
You might want to get a bit more technical with Broken Authentication and Session Management.
The Open Web Application Security Project (OWASP) is an online community. It is actively involved in open source web application security with members coming from varied educational organizations, corporations, and as individuals. The OWASP community releases lists of most critical web application security flaws through consensus and this list is widely trusted as a guide to test applications and keep them secure.
Their last list was released as Top 10-2013 and you can read about it here.
OWASP Top 10 is not the only web application risk, is it? There are many other weaknesses and business logic flaws top that list. Often hackers misuse inherent application structure and its rules to their advantages. These flaws are specific to business models and cannot be predicted under any circumstances.
A business logic flaw is an application vulnerability, which arises by circumstantial security weakness. As a one-of-a-kind problem, it does not have a universal solution and cannot be detected by automated web application scanning either.
Explore how hackers actually exploit Business Logic Flaw.
There are so many vulnerabilities being discovered, how can one keep a reference for each? The MITRE Corporation came with a logical solution for this problem years ago. They compile vulnerabilities with common identifiers known as the Common Vulnerabilities and Exposures (CVE) as a baseline index point for easier reference and data exchange.
The recent ‘FREAK’ vulnerability was indexed as CVE-2015-0204 and you can read about it in detail.
Also known as penetration testing, dynamic application security testing (DAST), and black-box testing, it refers to testing applications for vulnerabilities that can be exploited by hackers. An automatic web application scanner usually identifies OWASP Top 10 risks and reports it to administrators.
Advanced web application scanning also includes real-time tests by security experts who pose as hackers and find out if there are any underlying business logic flaws or other severe vulnerabilities.
Also read: 3 Must-Have Web Application Testing Features
Often confused with network layer firewall, web application firewall block application-layer attacks, something that no other product or service can do. Designed to patch web applications virtually, WAF even allows monitoring data and learn about the kind of behavior and technology hackers use on the application.
Web application scanning can further complement the web application firewall to structure a whole ‘detect + protect + monitor’ cycle.
Zero False Positive is a flaw in logic. Think of a security guard whose job is to keep suspicious individuals out of your property, but who instead denies access to your family members due to some misplaced understanding of what you told him. Wouldn’t that frustrate you to a level of firing that security guard? That’s exactly what you should do with a WAF loading false alarms because it blocks genuine traffic on your websites.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Before this, as the CTO @ Indusface, Venky created the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.