
- 23 April, 2023
- 2 Min read
Application Security
Measures taken to protect software applications from threats and vulnerabilities.
Application Security is the practice of protecting software applications from security threats throughout their entire lifecycle, from development to deployment and beyond.
Application Security means finding and fixing weaknesses in websites, apps, or software so hackers can’t break in or misuse them.
Background
Technique
Application security (AppSec for short) includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle: requirements analysis, design, implementation, verification and maintenance.
Web Application Security Tools are specialized tools for working with HTTP traffic, e.g., web application firewalls.
Web application security is a branch of information security that deals specifically with the security of websites, web applications, and web services. At a high level, web application security draws on the principles of application security but applies them specifically to the internet and web systems. Application security also covers mobile apps and their security, including iOS and Android applications.
Goals
AppSec
- Prevent unauthorized access to app data or functions.
- Fix coding mistakes (vulnerabilities) like SQL Injection, XSS, SSRF, Vulnerable and Outdated Components, etc.
- Ensure users only perform actions they are authorized to do.
- Secure Apps against known attacks (like from the OWASP Top 10 list).
Activities
| Stage | What happens | Example |
|---|---|---|
| Development | Secure coding, code reviews | Avoid hardcoded passwords |
| Testing | Manual or automated scanning | Use tools like Burp Suite |
| Deployment | Secure configuration, patching | Disable debug mode in production |
| Maintenance | Monitor and update apps | Apply security patches regularly |
Standards
The OWASP Top Ten is a list of the 10 most critical web application security risks published by the Open Web Application Security Project (OWASP). It is widely used by developers, security professionals, and organizations to improve web application security.
OWASP Top 10
- Broken Access Control — Users can access data or actions they shouldn’t (e.g., viewing others’ accounts, deleting unauthorized files).
- Cryptographic Failures — Weak or missing encryption exposes data like passwords, credit cards, etc.
- Injection — Untrusted input leads to attacks like SQL Injection, Command Injection.
- Insecure Design — Flawed design decisions that make the app insecure, even if the code is bug-free.
- Security Misconfiguration — Default passwords, verbose error messages, open ports, or misconfigured servers.
- Vulnerable and Outdated Components — Using old libraries or plugins with known security holes.
- Identification and Authentication Failures — Broken login systems, weak passwords, no account lockout, or exposed session tokens.
- Software and Data Integrity Failures — Failure to validate code, software updates, or third-party content.
- Security Logging and Monitoring Failures — No proper logging or alerting — attacks go undetected.
- Server-Side Request Forgery (SSRF) — Server is tricked into making requests to internal systems (often used to bypass Firewalls).
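Two of the items above, Broken Access Control and Injection, are also the coding mistakes named under Goals. The following added example (written for this page, not from OWASP or any project) shows each one as a vulnerable function beside its fixed form, using Python's standard `sqlite3` module against a small in-memory database. All table names, user names and account ids are constructed sample data.

```python
import sqlite3


def make_db():
    """Build a constructed sample database: two users, each owning one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner_id INTEGER, balance INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)", [(10, 1, 500), (20, 2, 750)]
    )
    return conn


# --- Injection ---------------------------------------------------------------

def find_user_vulnerable(conn, name):
    # Untrusted input is pasted into the SQL text, so quote characters in `name`
    # change the structure of the query instead of being compared as data.
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterised query: the driver binds `name` as a value, so whatever it
    # contains is only ever compared against the column, never parsed as SQL.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Broken Access Control ---------------------------------------------------

class Forbidden(Exception):
    """Raised when the requesting user may not read the requested object."""


def get_account_vulnerable(conn, requesting_user_id, account_id):
    # Looks the account up by id alone; any logged-in user can read any account
    # simply by supplying another account id (the "viewing others' accounts" case).
    return conn.execute(
        "SELECT id, owner_id, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()


def get_account_safe(conn, requesting_user_id, account_id):
    # Object-level authorisation is part of the query: the row is returned only
    # when the requesting user owns it. Missing and foreign accounts get the same
    # answer, so the check does not reveal which account ids exist.
    row = conn.execute(
        "SELECT id, owner_id, balance FROM accounts WHERE id = ? AND owner_id = ?",
        (account_id, requesting_user_id),
    ).fetchone()
    if row is None:
        raise Forbidden("account not accessible")
    return row


def account_accessible(conn, requesting_user_id, account_id):
    """True if the hardened lookup grants access, False if it refuses."""
    try:
        get_account_safe(conn, requesting_user_id, account_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing SQL metacharacters
    print("vulnerable lookup rows:", len(find_user_vulnerable(db, probe)))
    print("safe lookup rows:", len(find_user_safe(db, probe)))
    print("alice reads bob's account (vulnerable):", get_account_vulnerable(db, 1, 20))
    print("alice reads bob's account (safe):", account_accessible(db, 1, 20))
```

The two fixes share one design choice: the security decision is made by the database driver or the query itself rather than by string handling in application code, which is what makes it hard to get wrong on every call site.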
Why?
- It’s a global standard for web security.
- Helps developers and companies identify and fix common flaws.
- Often required in security audits, compliance, and a secure SDLC (Software Development Life Cycle).