Definitions: Application Security
Created on: Jan 25, 2009 6:46 PM by CrystalBedell - Last Modified: Jan 25, 2009 6:49 PM by CrystalBedell
Definition
Application security is a collective term that refers to the efforts throughout an application’s life cycle to identify and fix vulnerabilities in the code that could put systems and data at risk. Various procedures, hardware and software can be used to detect and fix flaws in the design, development, deployment, upgrading or maintenance of an application.
Traditionally, application security has been an afterthought, with businesses scanning their Web and other applications only after they “go live.” However, according to Gartner, that will change as businesses become increasingly aware of the significant class of vulnerabilities that applications can harbor.
Business Application
Network security efforts alone cannot protect applications from the many vulnerabilities that riddle code. Whether building custom applications in-house or purchasing vendor-built software, businesses should plan an application-security strategy that enforces security practices throughout the application’s life cycle.
Begin by identifying business assets and how the application will use them, keeping in mind that applications only control the assets or resources that are granted to them. Next, identify the vulnerabilities in the application and the threats that can exploit them. Based on the value of the asset and the risks posed by vulnerabilities and threats, determine an appropriate countermeasure. This may include accepting the risk without deploying a countermeasure or choosing to avoid the risk altogether by turning off the functionality or removing the piece of code causing the vulnerability.
Deployment Concerns
Many businesses fail to recognize the importance of application security, despite the fact that 8 out of 10 Web sites have security holes, according to Jeremiah Grossman, CTO of White Hat Security. They mistakenly depend on traditional vulnerability-assessment tools to identify weaknesses in their applications, but that just isn’t enough.
Businesses also commonly lack the financial and technical resources to carry out application security themselves. If this is the case, consider application vulnerability-scanning services offered by companies such as White Hat Security, SPI Dynamics and OmniTI.
Technical details
Application security can be achieved through a variety of countermeasures that should be used together. Procedures should be integrated in each step of the application-development process to avoid expensive fixes and delays in the application release. Software application-security scanners can be used to test application code for vulnerabilities.
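The paragraph above mentions software scanners that test application code for vulnerabilities. The toy static scanner below is an added example, not a tool from the page or from any vendor named here: it walks the Python syntax tree of a constructed source snippet and flags any DB-API style execute()/executemany() call whose statement is assembled at run time (concatenation, % formatting, .format() or an f-string), which is the pattern that lets untrusted input become part of a SQL statement. The sink names and the sample source are assumptions made for the example.

```python
"""Toy static scanner (added example): flag SQL statements built from dynamic strings."""
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line: int
    message: str


# Methods that hand a query string to a database driver. This is an assumption
# for the example; a real scanner would carry a much larger sink list.
SQL_SINKS = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression assembles a string at run time from parts."""
    if isinstance(node, ast.JoinedStr):                      # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x  or  "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):                 # "...".format(x)
        return True
    return False


def scan_source(source: str) -> List[Finding]:
    """Return one finding per SQL sink whose first argument is a dynamic string."""
    tree = ast.parse(source)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SQL_SINKS:
            if _is_dynamic_string(node.args[0]):
                findings.append(Finding(
                    node.lineno,
                    "SQL statement built from a dynamic string; use parameter binding"))
    return findings


# Constructed sample source: line 3 concatenates user input into SQL,
# line 4 binds it as a parameter and should not be flagged.
SAMPLE_SOURCE = '''
def lookup(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = " + user_id)
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
'''


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.message}")
```

Syntax-tree scanning of this kind only sees how a statement is assembled, not where its inputs came from, so it produces false positives for strings built from constants; a full scanner adds taint tracking from request parameters to the sink.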
Once the application is deployed, businesses may also consider deploying an application firewall. Where an intruder may get past a network firewall, a software application firewall can stop the execution of potentially malicious code that could exploit vulnerabilities in the application. Hardware countermeasures, such as a router, sit on the network. A router can prevent the IP addresses of computers using applications from being visible on the public Internet. Other countermeasures include antivirus, anti-spyware, encryption, network firewalls and authentication systems.
Applications can be vulnerable to a variety of threats and attacks. The Open Web Application Security Project publishes the top 10 Web application-security problems, which can be helpful to businesses when determining a strategy for application security.
Among the most common application-security threats are input validation attacks, such as buffer overflows, SQL injection and cross-site scripting. Input validation involves checking the data entered into forms (for example, the address field in a Web contact form) to ensure that it is appropriate for that field and does not include characters that could be used to exploit the application.
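As an added example of the input validation described above (example code, not from the original page), the block below handles the address field of a Web contact form three ways: an allowlist check on the characters and length the field may contain, parameter binding so the value can never alter the structure of the SQL statement that stores or looks it up (the SQL injection case), and HTML entity encoding when the value is displayed again (the cross-site scripting case). The allowlist policy, the in-memory SQLite table and the sample rows are constructed for the example; buffer overflows belong to native code and are not shown here.

```python
"""Added example: validate, store and display a Web-form address field safely."""
import html
import re
import sqlite3
from typing import List

# Allowlist for one postal address line: letters, digits, spaces and a few
# punctuation marks, at most 100 characters. Assumed policy for this example.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9 .,'#/-]{1,100}$")


def validate_address(value: str) -> bool:
    """Accept only values matching the field's allowlist (reject, never 'clean up')."""
    return ADDRESS_RE.fullmatch(value) is not None


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, address TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)",
                     [("Alice", "1 Main St"), ("Bob", "22 Oak Ave")])
    return conn


def find_by_address(conn: sqlite3.Connection, address: str) -> List[str]:
    """Look up contacts by address using parameter binding.

    The driver sends the value separately from the statement text, so quotes or
    keywords inside `address` are matched as data, never parsed as SQL.
    """
    if not validate_address(address):
        raise ValueError("address rejected by input validation")
    rows = conn.execute("SELECT name FROM contacts WHERE address = ?", (address,))
    return [row[0] for row in rows]


def render_address(address: str) -> str:
    """Output encoding for an HTML page: <, >, &, and quotes become entities,
    so user-supplied text is displayed rather than interpreted as markup."""
    return "<td>" + html.escape(address, quote=True) + "</td>"


if __name__ == "__main__":
    db = build_db()
    print(find_by_address(db, "1 Main St"))          # ['Alice']
    print(find_by_address(db, "O'Brien's Rd"))       # [] (quote handled safely)
    print(render_address("<b>1 Main St</b>"))        # entities, not markup
```

Validation and encoding are separate controls on purpose: the allowlist limits what enters the application, parameter binding protects the database layer regardless of what got through, and output encoding protects the browser. Each one covers cases the others miss, which is why the page recommends using countermeasures together.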
Other application-security threats include eavesdropping, elevation of privilege, session hijacking, data tampering, denial of service and information disclosure.