Application security

Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) arising from flaws in the design, development, deployment, upgrade, or maintenance of the application.

Applications control only the use of the resources granted to them, not "which" resources are granted to them. They in turn govern, through application security, how users of the application may use those resources.

Methodology

According to the patterns & practices "Improving Web Application Security" book ([http://msdn2.microsoft.com/en-us/library/ms994920.aspx Improving Web Application Security: Threats and Countermeasures], published by Microsoft Corporation), a principle-based approach to application security includes:
* Know your threats
* Secure the network, host and application
* Bake security into your application life cycle

Note that this approach is technology- and platform-independent: it focuses on principles, patterns, and practices.

For more information on a principle-based approach to application security, see [http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.ApplicationSecurityMethodology patterns & practices Application Security Methodology].

Threats, Attacks, Vulnerabilities, and Countermeasures

According to the patterns & practices "Improving Web Application Security" book, the following terms are relevant to application security:

* Asset. A resource of value such as the data in a database or on the file system, or a system resource.
* Threat. A negative effect.
* Vulnerability. A weakness that makes a threat possible.
* Attack (or exploit). An action taken to harm an asset.
* Countermeasure. A safeguard that addresses a threat and mitigates risk.

Application Threats / Attacks

According to the patterns & practices "Improving Web Application Security" book, the following are classes of common application security threats / attacks:

Mobile Application Security

The proportion of mobile devices providing open platform functionality is expected to continue to increase as time moves on. The openness of these platforms offers significant opportunities to all parts of the mobile eco-system by delivering the ability for flexible programs and service delivery options that may be installed, removed or refreshed multiple times in line with the user’s needs and requirements. However, with openness comes responsibility: unrestricted access to mobile resources and APIs by applications of unknown or untrusted origin could result in damage to the user, the device, the network or all of these, if not managed by suitable security architectures and network precautions. Mobile application security is provided in some form on most open OS mobile devices (Symbian OS ([http://developer.symbian.com/main/learning/press/books/sops/plat_sec_chap.pdf "Platform Security Concepts"], Simon Higginson), Microsoft, BREW, etc.). Industry groups have also created recommendations, including the GSM Association and the Open Mobile Terminal Platform (OMTP) ([http://www.omtp.org/Publications.aspx Recommendations papers], Open Mobile Terminal Platform).

Security testing for applications

Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle.

Vulnerability scanners, and more specifically web application scanners, otherwise known as penetration testing tools (i.e. ethical hacking tools), have historically been used by security organizations within corporations and by security consultants to automate the security testing of HTTP requests and responses; however, this is not a substitute for actual source code review. Reviews of an application's source code can be carried out manually or in an automated fashion. Given the common size of individual programs (often 500K lines of code or more), a human reviewer cannot carry out the comprehensive data flow analysis needed to check every circuitous path through an application program and find its vulnerability points. The human reviewer is better suited to filtering, interpreting and reporting the output of the commercially available automated source code analysis tools than to tracing every possible path through a compiled code base to find root-cause vulnerabilities.

The two types of automated tools associated with application vulnerability detection (application vulnerability scanners) are Penetration Testing Tools (otherwise known as Black Box Testing Tools) and Source Code Analysis Tools (otherwise known as White Box Testing Tools). Tools in the Black Box Testing arena include [http://www.boonbox.net/devfense.htm Devfense], Watchfire, HP ([https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201_4000_100__ Application security: Find web application security vulnerabilities during every phase of the software development lifecycle], HP) through its acquisition of SPI Dynamics ([http://news.cnet.com/8301-10784_3-9731312-7.html HP acquires SPI Dynamics], CNET News.com), Cenzic, Nikto (open source), [http://www.grendel-scan.com/ Grendel-Scan] (open source), [http://www.nstalker.com N-Stalker] and [http://www.syhunt.com/sandcat Sandcat] (freeware). Tools in the White Box Testing arena include [http://www.armorize.com Armorize Technologies], Fortify Software and Ounce Labs.

Banking and large e-commerce corporations have been the early adopters of these types of tools. It is commonly held within these firms that both Black Box testing and White Box testing tools are needed in the pursuit of application security. Typically cited, Black Box testing tools (meaning Penetration Testing tools) are ethical hacking tools used to attack the application surface to expose vulnerabilities lurking within the source code hierarchy. Penetration testing tools are executed against the already deployed application. White Box testing tools (meaning Source Code Analysis tools) are used by either the application security groups or the application development groups. Typically introduced into a company through the application security organization, the White Box tools complement the Black Box testing tools in that they give visibility into the specific root vulnerabilities within the source code before that code is deployed. Vulnerabilities identified with White Box testing and Black Box testing are typically classified according to the OWASP taxonomy of software coding errors. White Box testing vendors have recently introduced dynamic versions of their source code analysis methods, which operate on deployed applications. Given that the White Box testing tools now have dynamic versions similar to the Black Box testing tools, the findings of both can be correlated within the same software error detection paradigm, ensuring full application protection for the client company.
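The automated data flow analysis described above, as an added illustration that is not part of the original article: a toy white-box taint tracker that follows untrusted input along every branch of a function to a sensitive call, which is the kind of exhaustive path tracing the text says a human reviewer cannot do by hand. The source, sink and sanitizer function names, and the sample program, are constructed assumptions for the demonstration.

```python
# Added example (not from the article): a toy white-box data-flow (taint) check
# over Python source using the stdlib ast module. All names here are assumptions.
import ast
SOURCES = {"get_param"}   # assumed: returns untrusted user input
SINKS = {"run_query"}     # assumed: sensitive sink (e.g. query execution)
SANITIZERS = {"quote"}    # assumed: neutralises whatever data it wraps

def _call_name(node):   # plain name of a called function, None for non-calls
    f = node.func if isinstance(node, ast.Call) else None
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)

def _is_tainted(expr, tainted):
    # Tainted if a source or a tainted name appears anywhere outside a sanitizer call.
    name = _call_name(expr)
    if name in SOURCES or name in SANITIZERS:
        return name in SOURCES
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(_is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def _scan(stmts, tainted, findings):
    # Walk statements in order; return the set of names tainted afterwards.
    for stmt in stmts:
        value = getattr(stmt, "value", None)
        if _call_name(value) in SINKS and any(_is_tainted(a, tainted) for a in value.args):
            findings.append((stmt.lineno, _call_name(value)))
        if isinstance(stmt, ast.Assign):
            dirty = _is_tainted(value, tainted)
            for t in stmt.targets:
                if isinstance(t, ast.Name):   # assigning clean data clears taint
                    (tainted.add if dirty else tainted.discard)(t.id)
        elif isinstance(stmt, ast.If):
            # Explore both branches; taint from EITHER path survives the join (conservative).
            tainted = set().union(*(_scan(b, set(tainted), findings)
                                    for b in (stmt.body, stmt.orelse)))
    return tainted

def find_tainted_sinks(source_code):
    # Return [(line, sink_name)] for every sink call reachable with tainted data.
    findings = []
    for node in ast.walk(ast.parse(source_code)):
        if isinstance(node, ast.FunctionDef):
            _scan(node.body, set(), findings)
    return findings

SAMPLE = '''def handler(admin):   # constructed sample: one path sanitizes, one does not
    user = get_param("user")
    if admin:
        q = "SELECT 1 FROM t WHERE u='" + quote(user) + "'"
    else:
        q = "SELECT 1 FROM t WHERE u='" + user + "'"
    run_query(q)            # line 7: tainted on the else path -> reported
    run_query(quote(user))  # line 8: always sanitized -> not reported
'''
print(find_tainted_sinks(SAMPLE))   # [(7, 'run_query')]
```

A real analyser adds inter-procedural tracking, loops and many more source/sink pairs, but the over-approximation at the branch join is the same trade-off commercial tools make.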

Security standards and regulations

* Sarbanes-Oxley Act (SOX)

* Health Insurance Portability and Accountability Act (HIPAA)

* IEEE P1074

* ISO/IEC 7064:2003 "Information technology -- Security techniques -- Check character systems"

* ISO/IEC 9796-2:2002 "Information technology -- Security techniques -- Digital signature schemes giving message recovery -- Part 2: Integer factorization based mechanisms"
* ISO/IEC 9796-3:2006 "Information technology -- Security techniques -- Digital signature schemes giving message recovery -- Part 3: Discrete logarithm based mechanisms"

* ISO/IEC 9797-1:1999 "Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 1: Mechanisms using a block cipher"
* ISO/IEC 9797-2:2002 "Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 2: Mechanisms using a dedicated hash-function"

* ISO/IEC 9798-1:1997 "Information technology -- Security techniques -- Entity authentication -- Part 1: General"
* ISO/IEC 9798-2:1999 "Information technology -- Security techniques -- Entity authentication -- Part 2: Mechanisms using symmetric encipherment algorithms"
* ISO/IEC 9798-3:1998 "Information technology -- Security techniques -- Entity authentication -- Part 3: Mechanisms using digital signature techniques"
* ISO/IEC 9798-4:1999 "Information technology -- Security techniques -- Entity authentication -- Part 4: Mechanisms using a cryptographic check function"
* ISO/IEC 9798-5:2004 "Information technology -- Security techniques -- Entity authentication -- Part 5: Mechanisms using zero-knowledge techniques"
* ISO/IEC 9798-6:2005 "Information technology -- Security techniques -- Entity authentication -- Part 6: Mechanisms using manual data transfer"

* ISO/IEC 14888-1:1998 "Information technology -- Security techniques -- Digital signatures with appendix -- Part 1: General"
* ISO/IEC 14888-2:1999 "Information technology -- Security techniques -- Digital signatures with appendix -- Part 2: Identity-based mechanisms"
* ISO/IEC 14888-3:2006 "Information technology -- Security techniques -- Digital signatures with appendix -- Part 3: Discrete logarithm based mechanisms"

* ISO/IEC 17799:2005 "Information technology -- Security techniques -- Code of practice for information security management"

* ISO/IEC 24762:2008 "Information technology -- Security techniques -- Guidelines for information and communications technology disaster recovery services"

* ISO/IEC 27006:2007 "Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems"

* Gramm-Leach-Bliley Act

* PCI Data Security Standard (PCI DSS)

See also

* Data security
* Database security
* Information security
* Web application
* Web application framework
* Countermeasure

External links

* [http://www.owasp.org Open Web Application Security Project]
* [http://www.webappsec.org The Web Application Security Consortium]


Wikimedia Foundation. 2010.