Software and Application security
Software security is the idea of engineering software so that it continues to function correctly under malicious attack. Software security best practices leverage good software engineering practice and involve thinking about security early in the software lifecycle, knowing and understanding common threats (including language-based flaws and pitfalls), designing for security and subjecting all software artifacts to thorough objective risk analyses and testing.
Application security usually refers to the protection of software after it is already built. Application security consists of a wide range of measures taken throughout the code’s life-cycle to prevent loopholes in the security policy of an application or the underlying system, through flaws in the design, development, deployment, upgrade, or maintenance of the application. It includes sandboxing code (as the Java virtual machine does), protecting against malicious code, obfuscating code, locking down executables, monitoring programs as they run (especially their input), enforcing the software use policy with technology and dealing with extensible systems.
We use the principle-based approach for application security, which includes the following:
- Know the threats.
- Secure the network, host and application.
- Incorporate security into your software development process.
Threats, attacks, vulnerabilities, and countermeasures
The following terms are relevant to application security:
- Asset – A resource of value such as the data in a database or on the file system, or a system resource
- Threat – Anything that can exploit a vulnerability and obtain, damage, or destroy an asset
- Vulnerability – A weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset
- Attack (or exploit) – An action taken to harm an asset
- Countermeasure – A safeguard that addresses a threat and mitigates risk
Application threats / attacks
The following are classes of common application security threats / attacks:
| Category | Threats / Attacks |
|---|---|
| Input validation | Buffer overflow; cross-site scripting; SQL injection; canonicalization |
| Software tampering | Attacker modifies an existing application's runtime behavior to perform unauthorized actions; exploited via binary patching, code substitution, or code extension |
| Authentication | Network eavesdropping; brute force attack; dictionary attacks; cookie replay; credential theft |
| Authorization | Elevation of privilege; disclosure of confidential data; data tampering; luring attacks |
| Configuration management | Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts |
| Sensitive information | Access to sensitive code or data in storage; network eavesdropping; code/data tampering |
| Session management | Session hijacking; session replay; man in the middle |
| Cryptography | Poor key generation or key management; weak or custom encryption |
| Parameter manipulation | Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation |
| Exception management | Information disclosure; denial of service |
| Auditing and logging | User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks |
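The canonicalization entry in the input validation row is the one most often got wrong in practice, so here is an added illustration (example code written for this page, not from the original): a naive prefix check on a file path next to a hardened check that decodes and canonicalizes the path before deciding. The base directory `BASE_DIR` and the function names are assumptions made for the example.

```python
import os
from urllib.parse import unquote

# Hypothetical document root (constructed for this example; need not exist on disk).
BASE_DIR = "/srv/app/files"


def naive_is_within(base: str, requested: str) -> bool:
    """Weak input-validation check: a string-prefix test on the raw path.

    The joined path still *begins* with `base`, so "../" segments and
    percent-encoded forms such as "%2e%2e/" are accepted even though a later
    layer (the OS or a decoder) will interpret them as traversal.
    """
    candidate = os.path.join(base, requested)
    return candidate.startswith(base)


def canonical_is_within(base: str, requested: str) -> bool:
    """Hardened check: decode first, then resolve to a canonical absolute path
    (collapsing "." / ".." and symlinks) and compare against the canonical base.

    The separator is appended to the base so that a sibling directory that
    merely shares the prefix (e.g. "/srv/app/files_private") is not accepted.
    """
    decoded = unquote(requested)
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    return candidate == base_real or candidate.startswith(base_real + os.sep)


# Constructed sample inputs: (requested path, should it be allowed?)
SAMPLE_REQUESTS = [
    ("report.pdf", True),
    ("sub/../report.pdf", True),
    ("../etc/passwd", False),
    ("%2e%2e/secret.txt", False),
    ("../files_private/keys", False),
]


def compare_checks() -> dict:
    """Return {request: (naive verdict, canonical verdict, expected)} for review."""
    return {
        req: (naive_is_within(BASE_DIR, req), canonical_is_within(BASE_DIR, req), ok)
        for req, ok in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for req, (naive, canon, expected) in compare_checks().items():
        print(f"{req:24} naive={naive!s:5} canonical={canon!s:5} expected={expected}")
```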
Security architecture/design analysis
Security architecture/design analysis verifies that the software design correctly implements security requirements.
There are four basic techniques that are used for security architecture/design analysis:
- Logic analysis – evaluates the equations, algorithms, and control logic of the software design.
- Data analysis – evaluates the description and intended usage of each data item used in the design of the software component (e.g., ensuring that interrupt-handling routines do not alter critical data used by other routines).
- Interface analysis – verifies the proper design of the software component’s interfaces with other components of the system, including hardware, software, and end-users.
- Constraint analysis – evaluates the design of a software component against restrictions imposed by requirements and real-world limitations (e.g., ensuring the design accounts for all known or anticipated restrictions on the software component, such as timing, sizing, and throughput constraints, input and output data limitations, and equation and algorithm limitations).
Software and Application Security Testing
Application security testing techniques identify vulnerabilities or security holes in applications so that they can be removed. Security testing should be implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. More often, however, testing is conducted as an afterthought at the end of the development cycle. Some of the tools and techniques used are:
- Vulnerability scanners – Ethical hacking testing tools
- White Box Testing – Automated source code review & analysis tools
- Black Box Testing – Penetration testing tools
- Manual code review – filter, interpret and report the outputs of the automated source code analysis tools