Software and Application Security

Software and Application security

Applicaitons Security

Software and Application Security

Software security is the idea of engineering software so that it continues to function correctly under malicious attack. Software security best practices leverage good software engineering practice and involve thinking about security early in the software lifecycle, knowing and understanding common threats (including language-based flaws and pitfalls), designing for security and subjecting all software artifacts to thorough objective risk analyses and testing.

Application security usually refers to the protection of software after it is already built. Application security consists of a wide range of measures taken throughout the code’s life-cycle to prevent loopholes in the security policy of an application or the underlying system, through flaws in the design, development, deployment, upgrade, or maintenance of the application. It includes sandboxing code (as the Java virtual machine does), protecting against malicious code, obfuscating code, locking down executables, monitoring programs as they run (especially their input), enforcing the software use policy with technology and dealing with extensible systems.


We use the principle-based approach for application security, which includes the following:

  • Know the threats.
  • Secure the network, host and application
  • Incorporate security into your software development process

Threats, attacks, vulnerabilities, and countermeasures

The following terms are relevant to application security:

  • Asset – A resource of value such as the data in a database or on the file system, or a system resource
  • Threat – Anything that can exploit a vulnerability and obtain, damage, or destroy an asset
  • Vulnerability – A weakness or gap in security program that can be exploited by threats to gain unauthorized access to an asset
  • Attack (or exploit) – An action taken to harm an asset
  • Countermeasure – A safeguard that addresses a threat and mitigates risk

Application threats / attacks

The following are classes of common application security threats / attacks:

Category Threats / Attacks
Input Validation Buffer overflow; cross-site scripting; SQL injection; canonicalization
Software Tampering Attacker modifies an existing application’s runtime behavior to perform unauthorized actions; exploited via binary patching, code substitution, or code extension
Authentication Network eavesdropping ; Brute force attack; dictionary attacks; cookie replay; credential theft
Authorization Elevation of privilege; disclosure of confidential data; data tampering; luring attacks
Configuration management Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts
Sensitive information Access sensitive code or data in storage; network eavesdropping; code/data tampering
Session management Session hijacking; session replay; man in the middle
Cryptography Poor key generation or key management; weak or custom encryption
Parameter manipulation Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
Exception management Information disclosure; denial of service
Auditing and logging User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks

Security architecture/design analysis

Security architecture /design analysis verifies that the software design correctly implements security requirements.

There are four basic techniques that are used for security architecture/design analysis:

  • Logic analysis – evaluates the equations, algorithms, and control logic of the software design.
  • Data analysis – evaluates the description and intended usage of each data item used in design of the software component. (e.g. Ensure interrupt handling routines do not alter critical data used by other routines).
  • Interface analysis – verifies the proper design of the software component’s interfaces with other components of the system, including hardware, software, and end-users.
  • Constraint analysis – evaluates the design of a software component against restrictions imposed by requirements and real-world limitations. (e.g. Ensure design is responsive to all known or anticipated restrictions on the software component, such as timing, sizing, and throughput constraints, input and output data limitations, equation and algorithm limitations, etc.)

Software and Application Security Testing

Source Code Security

Software and Application Security Testing


Application security testing techniques remove vulnerabilities or security holes in applications. Security testing should be implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. However, more often testing is conducted as an afterthought at the end of the development cycle. Some of the tools and techniques used are:

  • Vulnerability scanners – Ethical hacking testing tools
  • White Box Testing – Automated source code review & analysis tools
  • Black Box Testing – Penetration testing tools
  • Physical code review – filter, interrupt and report the outputs of the automated source code analysis tools