A Guide to Application Security Assessments

04/19/2018  |  By: Andrew Smith, Senior Information Security Analyst

In today’s technology-first world, businesses need to make sure their digital assets are adequately protected against attacks. In many cases, Internet-facing applications have become a primary target for attackers. Applications, when not properly hardened and tested, can provide access to sensitive data or even permit full compromise of the underlying operating system.

However, due to the increasing complexity of the application landscape, many businesses have trouble determining where to start when it comes to improving application security. Dynamic application security testing (DAST) is a "limited knowledge" testing method (the tester has no access to source code) used by LBMC Information Security to evaluate the security of a specific application in its running state. The tester searches for vulnerabilities that an attacker could exploit and then provides recommendations for mitigating the identified issues as well as their root cause.

To help determine if an application security assessment of this nature is appropriate for your needs, here’s an overview of important areas to consider when it comes to application security assessments. 

The Benefits of an Application Security Assessment

Here are a few important reasons to consider an application security assessment:

  1. Identify exploitable security risks within your website or app. Whether your app is developed in-house or by a third-party, it’s important to make sure it is not vulnerable to common application security issues.
  2. Improve your overall security posture. In addition to identifying potential risks, an application security assessment also provides actionable steps to resolve them. While fixing issues identified during testing is important, analysis of the "root cause" for identified issues can also result in improvement of insecure SDLC processes.
  3. Make sure your app is compliant with cybersecurity laws. In addition to making sure your app is adequately protected, it’s also important to consider the specific industry regulations that apply to your business. Whether you’re a retailer looking to develop an online shopping portal or a hospital looking to create an app for your patients, it’s important to make sure your app meets the latest regulatory requirements.

Important Questions to Consider Before Conducting an Application Security Assessment

While there are many different factors that go into determining the scope of what should be tested in an application security assessment, there are a few key questions to help determine the appropriate testing approach: 

  1. Who is most likely to pose a potential threat? It’s important to consider who is likely to attempt to abuse this application. Is it anonymous users on the Internet? Your customers? Internal users?
  2. What kind of data are you trying to protect? Determining the type of data you are looking to protect, the sensitivity of that data, and where that data lives will help prioritize security efforts.
  3. What does your application's attack surface look like? Defining the trust boundaries and attack surface you are exposing, to both untrusted and trusted users, is important. 
  4. Where have you struggled with application-related security issues in the past? Previous findings and any application security incidents that have taken place point toward likely areas of concern.

Taking the time to answer these questions is an important step for maximizing the effectiveness of an application security assessment. Answering these questions makes it easier to prioritize efforts in identifying and remediating potential issues.  

Examples of Application Security Vulnerabilities

Our team at LBMC Information Security has found that the most effective assessments take a testing approach that covers, but is not limited to, common application security vulnerabilities such as those outlined in the Open Web Application Security Project's (OWASP) "Top 10 Application Security Risks" (the 2017 edition is summarized here). Here is a brief overview of each of the 10 vulnerability categories:

  1. Injection Flaws. Injection flaws are very prevalent, particularly in legacy code. The most widely recognized injection flaw is SQL injection (SQLi), in which untrusted input is placed into a database query and interpreted as part of the query rather than as data.
  2. Broken Authentication. Authentication and session management functions are often implemented incorrectly, so flaws are frequently found in logout, password management, session timeouts, "remember me" features, secret questions, account updates, and similar functions.
  3. Sensitive Data Exposure. One of the most common flaws is simply not encrypting sensitive data. When cryptography is employed, weak key generation and management and weak algorithm choices are common, particularly weak password hashing techniques.
  4. XML External Entities (XXE). Older or poorly configured XML processors resolve external entity references within XML documents, which an attacker can abuse to disclose internal files and file shares, scan internal ports, execute code remotely, or cause denial of service.
  5. Broken Access Control. Restrictions on what authenticated users are allowed to do are not always properly enforced, so attackers can exploit these flaws to reach data or functionality they are not authorized for.
  6. Security Misconfiguration. This is the most commonly observed issue. It can occur at any level of the application stack, from the operating system and web server through frameworks and custom code, and it often gives an attacker an easy way in.
  7. Cross Site Scripting (XSS). XSS flaws occur when an application includes user-supplied data in a page sent to the browser without properly validating or escaping that content, allowing attacker-controlled script to run in the victim's browser.
  8. Insecure Deserialization. Insecure deserialization can lead to remote code execution, and even when it does not, it can be used to perform replay, injection, and privilege escalation attacks.
  9. Using Components with Known Vulnerabilities. Virtually every application has these issues, because most development teams do not track whether their components and libraries are up to date.
  10. Insufficient Logging & Monitoring. Combined with missing or ineffective integration with incident response, insufficient logging and monitoring lets attackers keep their foothold, pivot to further systems, and do more damage before anyone notices.
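As an added example that is not part of the original post, the following Python script shows the SQL injection flaw named in item 1 beside its parameterized fix, using a constructed in-memory SQLite user table. It also includes a small black-box probe of the kind a DAST assessment performs: the probe knows nothing about the code behind the login function and only observes whether a tautology in the password field gets it logged in. The table contents, the function names and the payload are assumptions for illustration; the login function stands in for an HTTP request to a real login endpoint.

```python
import sqlite3

# Constructed sample data (not from the original post): one user in an
# in-memory SQLite database standing in for the application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text, so
    quote characters in the input change the meaning of the query."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    """Hardened: a parameterized query. The driver binds the values as data,
    so the input can never be parsed as part of the SQL statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Classic tautology payload (assumed for the demo). Placed in the password
# field it turns the WHERE clause into:
#   username = 'alice' AND password = '' OR '1'='1'
# AND binds tighter than OR, so the OR '1'='1' makes the row match regardless
# of the password.
PAYLOAD = "' OR '1'='1"


def blackbox_probe(login):
    """DAST-style check: treat `login` as an opaque endpoint and report whether
    the tautology payload authenticates without the real password."""
    conn = make_db()
    return login(conn, "alice", PAYLOAD)


def demo():
    """Run both implementations with a legitimate password and with the
    payload; returns a dict the caller can inspect or assert on."""
    conn = make_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_attack": login_vulnerable(conn, "alice", PAYLOAD),
        "fixed_legit": login_fixed(conn, "alice", "correct horse"),
        "fixed_attack": login_fixed(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-18s logged in: %s" % (name, outcome))
    print("probe(vulnerable):", blackbox_probe(login_vulnerable))
    print("probe(fixed):     ", blackbox_probe(login_fixed))
```

The root-cause point from the "Benefits" section applies directly here: the fix is not a blocklist of quote characters but a change in how every query in the code base is built, which is why an assessment report should name the pattern (string-built SQL) and not only the one endpoint where the probe succeeded.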

Is Your Application Vulnerable?

At LBMC Information Security, we want to make sure you can answer this question. If you’re looking to conduct an application security assessment, learn more about how our team can help you identify potential security vulnerabilities and create an actionable plan for protecting the applications and systems that are essential to your business. 