‘The attack surface has widened even with our dynamic application security in place. I even suspect false positive errors,’ says the CISO. ‘It’s all zero-day attack vectors and increased application exposure. In fact, after POODLE CWE was made public, even average hackers have learned to exploit it,’ replies his colleague. What’s wrong with this typical conversation between application security personnel? Nothing exactly, but it is difficult for management and everyone else to understand what these people are actually trying to say.
Web application security has emerged as one of the most crucial and yet most misunderstood security domains because of the technicalities attached to it by default. However, one cannot shy away from the fact that web applications are, and will continue to be, a major part of any security strategy. Given that 30,000 websites are hacked every day, 75% of them compromised at the application layer, it’s about time businesses got acquainted with some of the buzzwords in the industry.
Vulnerability: An application vulnerability is a known or unknown weakness that hackers can use. Imagine a hole in the application that needs to be repaired; until it is, it gives people a way to get inside and access sensitive data. Insecure coding, unknown risks, updates, and business logic are considered the top sources of application vulnerabilities.
Exploitation: When a hacker uses an inherent application vulnerability to his advantage, it’s called an exploitation incident. While finding a vulnerability simply means that the coders need to patch it, an exploitation is much more serious: it indicates that someone has accessed sensitive business data within the database at least once.
Attack Surface: Simply put, it is every risk that can compromise a web application. The attack surface takes into account all the possible vulnerabilities, unauthorized use, and other exploitation risks in general. So when someone talks about reducing the attack surface, it usually means application security testing, attack prevention, and virtual patching.
User Authentication: Although authentication is not necessarily an application-only buzzword, it is an integral part of web application security. It is basically a way of verifying a user’s identity through trusted mechanisms. Using authentication measures, the application ensures that the user is who they claim to be. Types of authentication: basic or single-factor, multifactor, and cryptographic.
OWASP Top 10: The Open Web Application Security Project (OWASP) is an online community. It is actively involved in open-source web application security, with members coming from educational organizations, corporations, and individuals. The OWASP community releases, by consensus, a list of the most critical web application security flaws, and this list is widely trusted as a guide for testing applications and keeping them secure.
Business Logic Flaws: The OWASP Top 10 is not the only web application risk, is it? There are many other weaknesses, and business logic flaws top that list. Hackers often misuse an application’s inherent structure and its rules to their advantage. These flaws are specific to business models and cannot be predicted under any circumstances. A business logic flaw is an application vulnerability that arises from a circumstantial security weakness. As a one-of-a-kind problem, it has no universal solution and cannot be detected by automated web application scanning either.
CVE: With so many vulnerabilities being discovered, how can one keep a reference for each? The MITRE Corporation came up with a logical solution to this problem years ago. It catalogs vulnerabilities under common identifiers known as Common Vulnerabilities and Exposures (CVE), a baseline index that makes reference and data exchange easier.
Web Application Scanning: Also known as penetration testing, dynamic application security testing (DAST), and black-box testing, it refers to testing applications for vulnerabilities that hackers could exploit. An automated web application scanner usually identifies OWASP Top 10 risks and reports them to administrators. Advanced web application scanning also includes real-time tests by security experts who pose as hackers and find out whether there are any underlying business logic flaws or other severe vulnerabilities.
Web Application Firewall: Often confused with a network-layer firewall, a web application firewall (WAF) blocks application-layer attacks, something no other product or service can do. Designed to patch web applications virtually, a WAF also allows monitoring of traffic so you can learn about the kinds of behavior and techniques hackers use against the application. Web application scanning can further complement a web application firewall to form a complete ‘detect + protect + monitor’ cycle.
Zero False Positives: A false positive is a flaw in detection logic. Think of a security guard whose job is to keep suspicious individuals out of your property, but who instead denies access to your family members because of some misplaced understanding of what you told him. Wouldn’t that frustrate you to the point of firing that security guard? That’s exactly what you should do with a WAF that keeps raising false alarms, because it blocks genuine traffic to your websites.
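To make the false-positive point concrete, here is an added example (not from the article or from Indusface) that runs a naive WAF-style rule and a tuned one over a constructed set of request parameter values and counts how much genuine traffic each rule would block. The sample values, rule names and the two regular expressions are assumptions for illustration; a real WAF uses far larger rule sets.

```python
import re

# Constructed sample requests (not from the article): a label saying whether the
# request is genuine traffic or an attack, plus the value of one search parameter
# exactly as a WAF would see it.
SAMPLE_REQUESTS = [
    ("legit", "O'Brien"),
    ("legit", "rock 'n' roll"),
    ("legit", "what's the order status"),
    ("legit", "union square shoes"),
    ("legit", "select your size"),
    ("attack", "x' OR '1'='1"),
    ("attack", "1; DROP TABLE users --"),
    ("attack", "' UNION SELECT password FROM users --"),
]

# Naive rule (hypothetical): any apostrophe or bare SQL keyword is "suspicious".
# This is the kind of rule that produces the false alarms the article warns about,
# because ordinary names and search phrases contain apostrophes and English words.
NAIVE_RULE = re.compile(r"'|\b(select|union|drop|or)\b", re.IGNORECASE)

# Tuned rule (hypothetical): only flag a value when quoting or statement
# termination is combined with actual SQL structure.
TUNED_RULE = re.compile(
    r"(?:'\s*(?:or|and)\s*'?[^']*'?\s*=|"   # quote followed by a boolean tautology
    r"\bunion\s+(?:all\s+)?select\b|"       # UNION ... SELECT
    r";\s*drop\s+table\b|"                  # stacked DROP TABLE statement
    r"--\s*$)",                             # trailing SQL comment sequence
    re.IGNORECASE,
)


def evaluate(rule, requests):
    """Return (true_positives, false_positives, false_negatives) for one rule."""
    tp = fp = fn = 0
    for label, value in requests:
        flagged = rule.search(value) is not None
        if flagged and label == "attack":
            tp += 1
        elif flagged and label == "legit":
            fp += 1   # genuine traffic blocked: the "fired security guard" case
        elif not flagged and label == "attack":
            fn += 1   # attack let through: the rule is too loose
    return tp, fp, fn


def blocked_legit_traffic(rule, requests):
    """List the genuine requests a rule would wrongly block."""
    return [value for label, value in requests
            if label == "legit" and rule.search(value) is not None]
```

Running `evaluate` on both rules shows the naive rule catching all three attacks but also blocking all five genuine requests, while the tuned rule catches the same attacks with no false positives on this sample.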
By Venkatesh Sundar, CTO, Indusface.