August 13, 2015



'The attack surface has widened even with our dynamic application security in place. I even suspect false positive errands,' says the CISO. 'It's all zero-day attack vectors and increased application exposure. In fact, after POODLE CWE was made public, even average hackers have learned to exploit it,' replies his colleague. What's wrong with this usual conversation between application security personnel? Nothing exactly, but it gets difficult for the management and everyone else to understand what exactly these people are trying to say.

Web application security has emerged as one of the most crucial and yet misunderstood security domains due to the technicalities attached to it by default. However, one cannot shy away from the fact that web applications are and will continue to be a major part of the security strategy. Given that 30,000 websites are hacked every day, 75% of them compromised at the application layer, it's about time that businesses get acquainted with some of the buzzwords in the industry.

Vulnerability: An application vulnerability is a known or unknown weakness that hackers can use. Imagine a hole in the application that needs to be repaired and that gives outsiders a chance to get inside and access sensitive data. Insecure coding, unknown risks, updates, and business logic are considered the top sources of application vulnerabilities.

Exploitation: When a hacker uses an inherent application vulnerability to his advantage, it's called an exploitation incident. While finding a vulnerability simply means that the coders need to patch it, an exploitation is much more serious and indicates that someone has accessed sensitive business data within the database at least once.

Attack Surface: The sum of every point at which a web application can be compromised. The attack surface takes into account all the possible vulnerabilities, unauthorized use, and other exploitation risks in general. So if someone talks about reducing the attack surface, it usually means application security testing, attack prevention, and virtual patching.

User Authentication: Although authentication is not necessarily an application-only buzzword, it is an integral part of web application security. It is basically a way of verifying a user's identity through trusted mechanisms. Using authentication measures, the application ensures that the user is who they claim to be. Types of authentication: Basic or single factor, Multifactor, Cryptographic.
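To make the three types concrete, here is an added example (not code from the original article or from Indusface) showing how a web application could combine them: a single-factor password check, a cryptographic second factor (an RFC 6238 time-based one-time password computed with HMAC-SHA1), and a multifactor login that requires both. The user record, password, and TOTP secret are constructed for the demo; a real application would keep them in a database and rate-limit failed attempts.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware budget
TOTP_STEP = 30           # seconds per one-time-password window


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2-HMAC-SHA256 hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "totp_secret": totp_secret}


def verify_password(user: dict, password: str) -> bool:
    """Single-factor check: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["hash"])


def totp_code(secret: bytes, timestamp: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """Cryptographic factor: RFC 6238 TOTP built on the RFC 4226 HMAC-SHA1 truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(user: dict, code: str, timestamp: int) -> bool:
    """Accept the current window and one window either side to tolerate clock drift."""
    for drift in (-1, 0, 1):
        expected = totp_code(user["totp_secret"], timestamp + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(user: dict, password: str, code: str, timestamp: Optional[int] = None) -> bool:
    """Multifactor login: both factors are always evaluated and both must pass."""
    if timestamp is None:
        timestamp = int(time.time())
    password_ok = verify_password(user, password)
    totp_ok = verify_totp(user, code, timestamp)
    # A single boolean is returned so a caller cannot learn which factor failed.
    return password_ok and totp_ok


if __name__ == "__main__":
    # Constructed demo: the secret is the RFC 6238 test-vector key, so at timestamp 59
    # the six-digit code is 287082.
    demo_user = make_user("correct horse battery staple", b"12345678901234567890")
    print("password only:", verify_password(demo_user, "correct horse battery staple"))
    print("full login:", authenticate(demo_user, "correct horse battery staple", "287082", timestamp=59))
```

Evaluating both factors before deciding, and comparing with `hmac.compare_digest`, keeps timing differences from revealing whether the password or the one-time code was the part that failed.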

OWASP Top 10: The Open Web Application Security Project (OWASP) is an online community actively involved in open source web application security, with members from educational organizations, corporations, and individual contributors. The OWASP community releases a list of the most critical web application security flaws through consensus, and this list is widely trusted as a guide to test applications and keep them secure.


By Venkatesh Sundar, CTO, Indusface.
