Complete Guide to Application Security: Threats and Defenses

What Is Application Security?
Application security involves implementing security measures to protect applications, their data, and the underlying code. It covers security during all development phases, including application design, development, testing, and deployment.
Application security applies processes and technologies that can help identify or reduce security vulnerabilities. Here are common application security measures:
- Organizational processes for application security—for example, mandatory scanning for all application components and security code reviews.
- Application security tools for developers—technology that can help developers and testers identify vulnerabilities in applications and remediate them.
- Runtime application security—tools like web application firewalls (WAF) that can detect and block attacks on applications during runtime.
Common Vulnerabilities and Threats Affecting Application Security
SQL Injection Attacks
SQL injection (SQLi) is a critical application security vulnerability that arises when untrusted input is concatenated into database queries. SQL injection vulnerabilities expose sensitive data to attack and can allow remote access to, and control of, any affected system. The issue is further aggravated when web application hosting and development are outsourced without adequate continuous security testing.
Organizations can mitigate SQL injection threats by conducting penetration testing (pentesting) and by using vulnerability scanners and source code analyzers to detect application security threats. Because no single scanner uncovers every issue, organizations should use multiple scanners.
Security Misconfiguration
Misconfigurations occur due to several practices, such as:
- Insecure default configurations
- Incomplete or ad-hoc configurations
- Misconfigured HTTP headers
- Verbose error messages containing sensitive information
- Open cloud storage (for example, publicly readable storage buckets)
Organizations must configure operating systems, frameworks, applications, and libraries correctly and patch them promptly to protect them from threat actors.
CSRF Attacks
A cross-site request forgery (CSRF) attack enables an intruder to impersonate a legitimate user and attack an application or website. It occurs when a threat actor tricks an authenticated user's browser into executing unauthorized actions. The authenticated user is typically unaware of the attack. The actor can trick them into sending HTTP requests that return sensitive data to the actor.
Possible consequences include fraudulent financial transactions, email address changes, or modified firewall settings. If the forgery victim has administrator privileges, the CSRF attack can expose the entire application to critical risk.
CSRF attacks are often described as reverse XSS attacks. However, CSRF is more difficult to prevent than XSS. CSRF attacks are less common, and it is difficult to confirm whether an HTTP request was made intentionally by the user.
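The standard defence against the forged requests described above is a per-session anti-CSRF token that a cross-site page cannot obtain or compute. The following is an added example, not code from the original guide; the secret, the origin and the request dictionaries are constructed placeholders.

```python
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)                 # constructed: per-deployment secret key
EXPECTED_ORIGIN = "https://app.example.com"    # constructed: the site's own origin
TOKEN_TTL_SECONDS = 3600


def _mac(session_id, timestamp):
    msg = f"{session_id}:{timestamp}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, now=None):
    # Token = timestamp.HMAC(secret, session_id:timestamp). Binding the token
    # to the session means a token captured from another session is useless,
    # and a cross-site page cannot compute the MAC without the server secret.
    ts = str(int(now if now is not None else time.time()))
    return f"{ts}.{_mac(session_id, ts)}"


def verify_csrf_token(token, session_id, now=None):
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except (AttributeError, ValueError):
        return False
    current = now if now is not None else time.time()
    if current - issued > TOKEN_TTL_SECONDS or issued > current + 60:
        return False                           # expired, or dated in the future
    return hmac.compare_digest(mac, _mac(session_id, ts))   # constant-time compare


def handle_state_changing_request(request, session_id, now=None):
    """Return (status, message) for a request dict of the form {method, headers, form}."""
    if request.get("method") != "POST":
        return 405, "state changes must use POST"
    headers = request.get("headers", {})
    # Defence in depth: browsers attach an Origin header to cross-site POSTs,
    # so a mismatching Origin is rejected before the token is even examined.
    origin = headers.get("Origin")
    if origin is not None and origin != EXPECTED_ORIGIN:
        return 403, "cross-origin request rejected"
    # The token must arrive in the form body or a custom header, never in a
    # cookie: cookies are exactly what the browser attaches automatically.
    token = request.get("form", {}).get("csrf_token") or headers.get("X-CSRF-Token")
    if not token or not verify_csrf_token(token, session_id, now):
        return 403, "csrf token missing or invalid"
    return 200, "ok"
```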
Cross-site scripting attacks (XSS)
Threat actors exploit cross-site scripting (XSS) vulnerabilities to forge or steal cookies so they can impersonate legitimate users. Successful exploitation lets actors use privileged accounts to perform various malicious activities, such as altering content or executing remote code.
There are three XSS attack types: reflected, Document Object Model (DOM)-based, and stored XSS. You can prevent XSS attacks by validating user input, avoiding unsafe DOM sinks, escaping special characters, and encoding output for the context in which it is rendered.
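Output encoding only works when it matches the context the data lands in. The example below, added here and not part of the original guide, renders a constructed profile page with user data in an HTML element, a URL attribute and a script string, first without encoding and then with context-appropriate encoding.

```python
import html
import json
from urllib.parse import urlsplit


def encode_for_html(value):
    # HTML body and quoted-attribute context: escape & < > " and '.
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    # Script context: JSON-encode, then escape < and > so a "</script>" inside
    # the data cannot terminate the script block (HTML escaping is wrong here).
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def safe_href(value):
    # URL attribute context: escaping alone is not enough, because a
    # "javascript:" URL runs without any HTML metacharacters. Allow http(s) only.
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return encode_for_html(value)


def render_profile_unsafe(name, site):
    # Defect: user data reaches three different sinks with no encoding at all.
    return (f"<h1>{name}</h1>\n"
            f'<a href="{site}">homepage</a>\n'
            f'<script>var user = "{name}";</script>')


def render_profile_safe(name, site):
    # Each sink gets the encoder for its own context.
    return (f"<h1>{encode_for_html(name)}</h1>\n"
            f'<a href="{safe_href(site)}">homepage</a>\n'
            f"<script>var user = {encode_for_js_string(name)};</script>")
```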
Broken Authentication and Authorization
Poorly implemented authentication and session management allow threat actors to exploit these mechanisms to compromise keys, passwords, and session tokens. Threat actors can hijack user or even admin accounts, using them to compromise the entire system.
Insecure Design
Insecure design refers to application security weaknesses that result from missing or ineffective security controls. Applications lacking basic security controls cannot defend against critical threats. Implementation flaws in an application built on a secure design can be fixed by remediation; an insecure design, however, cannot be fixed by remediation or proper configuration.
Server Side Request Forgery (SSRF)
Server-side request forgery (SSRF) vulnerabilities occur in web applications that do not validate user-supplied URLs before fetching data from remote resources. Because the request originates from the server itself, it can reach hosts protected by network access control lists (ACLs) and firewalls that the user could never reach directly.
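The missing validation step is the point of the passage above. The following URL validator is an added example, not code from the original guide: it allowlists destination hosts, schemes and ports, and rejects literal addresses in loopback, private and link-local space. The allowlisted host names are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}   # constructed allowlist
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}                          # None = scheme default


def is_internal_address(host):
    """True if host is a literal IP inside loopback/private/link-local/reserved space."""
    ip = ipaddress.ip_address(host)          # raises ValueError for host names
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url):
    """Return (ok, reason). Only ok=True URLs may be fetched by the server."""
    try:
        parts = urlsplit(url)
        port = parts.port                    # ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparsable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if parts.username or parts.password:
        return False, "credentials in URL"   # 'trusted.host@other.host' confusion
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        if is_internal_address(host):
            return False, f"internal address: {host}"
        return False, f"literal IP addresses are not allowed: {host}"
    except ValueError:
        pass                                 # not an IP literal: check the allowlist
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # An allowlisted name can still resolve to an internal IP (DNS rebinding);
    # the HTTP client should re-check the resolved address at connect time.
    return True, "ok"
```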
Application Security Attack Examples
Here are some notable examples of large-scale attacks against software applications.
The Log4j Vulnerability
Discovered in late 2021, the Log4j vulnerability, known as Log4Shell, affects the open-source Apache Log4j library, a widely used logging framework. Because Log4j is embedded in many products worldwide, attackers were able to exploit the vulnerability before many organizations could patch it.
Attackers can exploit the Log4j vulnerability by submitting malicious requests to vulnerable applications. These requests cause the target systems to execute arbitrary, malicious code, giving the attackers control. Successful Log4j exploits allow attackers to perform various malicious actions, including stealing data and launching ransomware attacks.
ProxyLogon Vulnerabilities
ProxyLogon is a set of vulnerabilities affecting Microsoft Exchange servers. Their Common Vulnerabilities and Exposures listings include CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858. Attackers can exploit a combination of these vulnerabilities (i.e., vulnerability chaining) and execute malicious code on vulnerable Exchange email servers to gain access to files, mailboxes, and credentials, allowing them to persist on the target servers.
Zoho ManageEngine ADSelfService Plus
Versions of Zoho ManageEngine ADSelfService Plus up to and including 6113 contain a vulnerability that allows threat actors to bypass REST API authentication and execute code remotely. An error in URL normalization before validation allows actors to bypass authentication using a crafted REST API URL. After bypassing the target system's authentication filter, attackers can use the affected endpoint to launch further attacks and execute arbitrary commands.
This vulnerability exists in the default configuration of the Zoho product, making it easy to exploit. Zoho software is popular, making this vulnerability an attractive attack vector. Attackers often look for organizations that run vulnerable versions of this software. Despite a patch being available since September 2021, many enterprises continue to use an unpatched version.
vSphere Client
VMware vSphere offers virtualized server capabilities for enterprise infrastructure, including the ESXi hypervisor and vCenter infrastructure management tools. The software usually resides in an internal network.
In early 2021, VMware disclosed CVE-2021-21972, which affected the vSphere Client. This critical vulnerability, with a CVSS severity rating of 9.8, allows attackers to execute code remotely through a vCenter Server plugin. An attacker who can reach vCenter Server on port 443 can exploit the flaw to execute commands with unrestricted privileges on the host operating system.
Atlassian Confluence Vulnerability
CVE-2021-26084 affects Atlassian Confluence Server and Data Center. It enables unauthenticated users to execute malicious code on vulnerable systems. A proof of concept was published online a week after the initial disclosure, and the vulnerability has since been widely exploited; mass exploitation attempts were observed in September 2021.
What Are Application Security Controls?
Application security controls are specific steps that developers or other personnel take when implementing security standards. Security implementations consist of standards, policies, and controls. Each component serves a different role while working together to create cohesive security. Here is how this hierarchy works:
- Policies define the boundaries for the organization’s application security and protection.
- Standards specify rules that help enforce the boundaries defined in policies.
- Controls include specific steps to implement security standards.
Several departments and stakeholders are responsible for application controls, but developers usually play a key role.
The importance of security controls
Applications enable employees to access system resources and sensitive data. Threat actors often target applications, trying to exploit access vulnerabilities to penetrate core systems. Since employees rely on applications to perform their job, organizations must maintain security while minimizing disruptions.
Application controls provide an added layer of security to help triage if a breach occurs. Security controls are a foundational component of any enterprise security program. Organizations use security controls to prevent actors from exploiting application vulnerabilities and minimize the risk and potential cost of data breaches. Additionally, controls offer better visibility into traffic, applications, and all data passing within the network.
How application security controls work
When assessing vulnerabilities, organizations classify applications by threat level and business purpose. This classification helps tailor controls by application, ensuring organizations can implement standards while minimizing disruption to workflows.
Organizations use allowlists and denylists to permit or block application execution automatically. Automation increases efficiency and plays a key role in maintaining productivity in larger organizations that use centrally managed hosts.
Application controls can also help identify resource-intensive applications and organize associated traffic to increase overall network stability. Additionally, you can leverage application controls for threat monitoring. For example, your controls can identify anomalous behavior by comparing traffic to network models.
What Are Application Security Frameworks?
An application security framework comprises government-mandated and industry-wide cybersecurity processes and procedures designed to help organizations secure critical applications. These frameworks offer a holistic, detailed approach to protecting sensitive data and provide visibility into the validation of security controls, which supports risk management.
Application security frameworks aim to improve the security of critical information systems and any associated environment. Organizations use application security framework programs to determine how to enhance application security and comply with security standards and regulations, using the best practices detailed in the security framework.
Here are popular application security frameworks:
- NIST SP 800-53 – the National Institute of Standards and Technology (NIST) provides a comprehensive library of IT standards, including information security standards. The NIST SP 800 was first published in 1990 to address all aspects of information security, and it increasingly focuses on cloud security.
- The Open Web Application Security Project (OWASP) – the OWASP Application Security Verification Standard helps security professionals, testers, developers, and architects define and implement secure applications. It offers a framework that includes application security requirements and controls for modern applications.
- CIS Controls – the Center for Internet Security (CIS) Critical Security Controls provides a list of technical, operational, and security controls that apply to all environments. It focuses solely on reducing risks and increasing resiliency for technical infrastructure.
Types of Application Security Software and Tools
Here are commonly used application security tools:
SAST
Static application security testing (SAST) is a white-box testing tool that scans your application's source code. Web application security tools often use SAST to identify various security risks in the code.
SAST can be extremely helpful but can also overwhelm teams with many false positives. Teams need to carefully analyze and filter SAST results to ensure they fix the most critical and immediate issues.
DAST
Dynamic application security testing (DAST) tools remotely test deployed and running code to find attack entry points. DAST tools operate by sending many requests containing malformed or malicious input to the running application to find ways to breach it.
Teams can analyze the results to find actual defects. To ensure efficiency, teams can integrate DAST into the build process to work alongside SAST tools.
IAST
Interactive application security testing (IAST) tools analyze code to find security vulnerabilities while the application is running. Unlike DAST and SAST, IAST tools work inside your application to test only what is exercised by the functional test.
IAST tools are driven by automated tests, human testers, or other activities that exercise the application's functionality. The goal is to identify vulnerabilities in real time so that security issues do not hold back CI/CD pipelines.
SCA
Software composition analysis (SCA) software helps manage open-source components. Development teams use SCA to efficiently track and analyze all open source components pulled into a project.
SCA tools identify components, supporting libraries, and the relevant direct and indirect dependencies. Additionally, some SCA tools can detect deprecated dependencies, software licenses, vulnerabilities, and potential exploits. The SCA scanning process creates a bill of materials (BOM) that offers a complete inventory of the project’s software assets.
Penetration Testing
Penetration testing (pentesting) is a testing method that simulates a cyberattack. It involves using dynamic scanning tools and manual exploitation to breach a target. Ethical hackers conduct pentesting after they are given legal permission to attempt to exploit a target.
During a pentest, ethical hackers try to gain access to a target, compromise users, cause service disruption, or steal data. Compared to SAST and DAST, pentesting is a more advanced technique and can unearth more security weaknesses in the application.
Threat Detection and Response
Threat detection and response (TDR) solutions correlate threat indicators to identify threats or analyze the environment and user behavior to identify potentially malicious activities.
TDR solutions use signatures to detect known threats and behavior-based detection to detect unknown emerging threats. Some TDR solutions can detect highly evasive malware, zero-day attacks, and advanced persistent threats (APTs) that often evade traditional defenses.
Organizations typically use antiviruses, firewalls, and anti-malware technology as a first line of defense. Threat detection and response solutions based on the zero trust security model offer a last line of defense to identify and block breaches and remediate and mitigate resulting damage.
Application Security Best Practices
Perform a Threat Assessment
Once you have a list of what needs protecting, you can begin to figure out what your threats are and how to mitigate them. Consider what the paths attackers could use to breach your application and whether you have existing security measures to detect or prevent each type of attack.
It is important to identify what security measures are missing. However, you should also be realistic about how secure you can be. Security measures should provide a good return on investment – you should implement those measures that will provide the best protection considering your budget and other constraints.
Be honest about the tools and processes your team can maintain in the long run. Implementing overly complex security procedures or too many tools can lead to your security practices being ignored in the long term.
Shift Security Left
Modern DevOps organizations are releasing software on a weekly, daily, or even hourly basis. To keep up with this change, security testing needs to be woven into the development cycle. Stopping the development process at the end for security testing is not feasible in a modern DevOps process. It is also ineffective because security issues discovered at the end of the process are more complex and expensive to fix.
“Shifting security left” means starting security testing from the beginning of the development process. A good first step is to create collaboration between security and development teams, help security understand how development works, and ensure developers understand security concerns. Security teams will need to learn about development tools and processes and suggest tools and procedures that will allow security testing to be naturally integrated.
By adapting security measures to the development process and taking developer productivity into account, developers are more likely to be receptive to security measures and become active partners in the security process.
A key part of this process is automation. Look for ways to automate security testing in each part of the CI/CD pipeline. By integrating automated security tools into the pipeline, you can perform testing in the “mainline” without handing off code to another team, making it easier for developers to fix issues immediately and reducing the reliance on security experts.
Prioritize Remediations
Vulnerabilities have been on the rise for years, and any organization that tests for vulnerabilities will discover large numbers of them, making complete remediation difficult. Given the scale of the task at hand, prioritization is essential to keep applications secure without overwhelming development and operations resources.
Prioritization relies on your initial threat assessment, as well as the objective severity of a vulnerability, typically measured by CVSS rating. Other aspects are how critical the impacted application is to business operations, whether sensitive data is involved, and whether it is subject to compliance requirements.
When it comes to open source vulnerabilities, you need to know whether your proprietary code actually calls the vulnerable functionality. If your product never calls the vulnerable component's functionality, the finding is not a high risk, even if its CVSS rating is critical. Software composition analysis (SCA) tools can perform this reachability analysis automatically.
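A small reachability check of the kind the passage describes, added here as an example and not taken from the guide or from any SCA product: it parses the product's source, resolves imports and aliases, and reports which flagged library functions are actually called, then ranks findings so that unreachable ones sort below reachable ones. The package names, CVSS scores and product source are constructed, and the 3.9 cap for unreachable findings is an assumed policy.

```python
import ast

# Constructed SCA report: (module, function) pairs flagged as vulnerable.
SCA_FINDINGS = [
    {"module": "yaml_lib", "function": "unsafe_load", "cvss": 9.8},
    {"module": "archive_lib", "function": "extract_all", "cvss": 7.5},
]

# Constructed product source: uses the safe yaml_lib API but calls extract_all
# through an import alias.
PRODUCT_SOURCE = """
import yaml_lib
from archive_lib import extract_all as unpack

def load_config(text):
    return yaml_lib.safe_load(text)

def import_bundle(path):
    return unpack(path)
"""


def find_vulnerable_calls(source, findings):
    """Return [(module, function, lineno)] for every call into a flagged symbol."""
    flagged = {(f["module"], f["function"]) for f in findings}
    tree = ast.parse(source)
    names = {}                 # local name -> (module, function-or-None)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                names[a.asname or a.name] = (a.name, None)
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                names[a.asname or a.name] = (node.module, a.name)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            bound = names.get(func.value.id)          # module.function(...)
            symbol = (bound[0], func.attr) if bound and bound[1] is None else None
        elif isinstance(func, ast.Name):
            bound = names.get(func.id)                # imported function(...)
            symbol = bound if bound and bound[1] is not None else None
        else:
            symbol = None        # dynamic dispatch (getattr, callbacks) is not resolved
        if symbol in flagged:
            hits.append((symbol[0], symbol[1], node.lineno))
    return hits


def prioritize(findings, source):
    """Rank findings: reachable ones keep their CVSS score; unreachable ones are
    capped at 3.9 (assumed policy) so they sort below anything reachable."""
    reachable = {(m, f) for m, f, _ in find_vulnerable_calls(source, findings)}
    ranked = []
    for f in findings:
        hit = (f["module"], f["function"]) in reachable
        ranked.append({**f, "reachable": hit,
                       "priority": f["cvss"] if hit else min(f["cvss"], 3.9)})
    return sorted(ranked, key=lambda r: (-r["priority"], r["module"]))
```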
Measure the Results of Your Application Security Program
Bringing too many metrics to your executives can confuse them instead of creating visibility. Start by presenting one metric: how your application security program ensures compliance with your internal security policies. From here, you can start sharing other valuable metrics such as the number of remediations, mean time to recovery, and reduction in security incidents over time.
Manage Privileges
It is critical to ensure that applications and their users only have access to the software components and data they really need for their daily roles. This can significantly reduce the attack surface, prevent lateral movement and privilege escalation, and combat insider threats.
Ensure you manage privileges carefully and adhere to the principle of least privilege. If you are managing a complex application with hundreds or thousands of users, consider using automated mechanisms to detect privilege issues, automatically revoke unneeded privileges, and check for concerns such as separation of duties (SoD) conflicts.
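The separation-of-duties check mentioned above, worked through as an added example that is not part of the original guide or of any product: users are flattened to their effective entitlements, each SoD rule is evaluated against that set, and the report names which roles grant each side of a conflict and whether a single role is itself badly designed. The rules, roles and users are constructed.

```python
# Constructed SoD rules: (entitlement A, entitlement B, risk if one person holds both).
SOD_RULES = [
    ("create_vendor", "approve_payment", "create a supplier and approve payments to it"),
    ("post_journal", "approve_journal", "post and self-approve journal entries"),
    ("manage_users", "approve_payment", "grant oneself payment approval rights"),
]

# Constructed role model: role -> entitlements it grants.
ROLES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "view_reports"},
    "gl_accountant": {"post_journal", "view_reports"},
    "gl_super": {"post_journal", "approve_journal"},   # conflict built into one role
    "it_admin": {"manage_users"},
}

# Constructed assignments: user -> roles. 'view_only' is deliberately undefined.
USERS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"gl_super"},
    "dave": {"it_admin", "view_only"},
}


def effective_entitlements(user_roles, roles):
    """Flatten a user's roles into the entitlement set they actually hold."""
    ents = set()
    for role in user_roles:
        ents |= roles.get(role, set())
    return ents


def find_sod_conflicts(users, roles, rules):
    """Return one record per (user, rule) violation, naming the roles that cause it."""
    conflicts = []
    for user, user_roles in sorted(users.items()):
        ents = effective_entitlements(user_roles, roles)
        for a, b, risk in rules:
            if a in ents and b in ents:
                via_a = sorted(r for r in user_roles if a in roles.get(r, set()))
                via_b = sorted(r for r in user_roles if b in roles.get(r, set()))
                conflicts.append({
                    "user": user, "risk": risk,
                    "grants_a": via_a, "grants_b": via_b,
                    # True when one role grants both sides: fix the role, not the user.
                    "single_role": bool(set(via_a) & set(via_b)),
                })
    return conflicts


def unknown_roles(users, roles):
    """Roles assigned to users but missing from the role model (stale or mistyped)."""
    return sorted({r for rs in users.values() for r in rs if r not in roles})
```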
Application Security with Pathlock
Pathlock is the leader in Application Security and Controls Automation for business-critical applications. Customers rely on Pathlock to streamline critical processes like fine-grained provisioning, separation of duties, and detailed user access reviews. Pathlock offers coverage for the leading business applications, with support for key applications like SAP, Oracle, Workday, Dynamics365, Salesforce, and more.
With Pathlock, you can:
- Configure policy-based access controls and enable automated policy enforcement.
- Automate user access management processes (e.g., role design, provisioning, de-provisioning, access recertification, emergency access management, and privileged access management).
- Perform vulnerability assessment with over 4,000 pre-configured risk and threat scans to proactively avoid threats.
- Perform compliant provisioning at a transaction code or function level into both cloud and on-premises applications.
- Define Separation of Duties (SOD) rules, both within an application and across them, and enforce them to prevent access risks and stay compliant.
- Enrich User Access Reviews (UARs) with fine-grained entitlement details and usage about transactions performed with specific access combinations.
Interested to learn more about Pathlock’s application security capabilities? Request a demo today to see the solution in action!