With the recent wave of cyber attacks on enterprises such as the European Central Bank, Sony Pictures Entertainment, Home Depot, eBay, and JPMorgan Chase, the need for comprehensive application security assessments continues to grow. There are seven components that are indispensable when performing a comprehensive application security assessment.
Let’s take a look at these assessment components.
1. Injection Flaws
Injection flaws arise wherever user-supplied data is handed to an interpreter: a SQL query, an OS command, an LDAP or XPath query, a template engine, or the browser itself. Input crafted so that it is parsed as part of the query or command, rather than treated as data, lets attackers wreak havoc on your assets. A successful injection attack can enable attackers to read and modify (insert/update/delete) sensitive data in a database, execute administrative operations on the database, redirect users to malicious websites (when the injected content lands in a page or a redirect target), and in some cases issue commands to the underlying operating system.
Testing for this class of vulnerability should be a critical part of any application security assessment. Authentication forms, search bars, and every other point at which the user enters data into the application should be checked thoroughly to ensure that attackers cannot exploit them. These inputs include the hidden fields of POST requests, URL query parameters, HTTP headers and cookies, and JSON or XML request bodies: anything the client controls is a gateway to interactions with backend systems and databases. The reliable fix is to keep code and data separate, through parameterised queries or prepared statements, and, where an API offers no such separation, strict allow-list validation of the input.
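As an added example (not code from the original article), here is the vulnerable and the fixed form of a login query side by side, using Python's built-in sqlite3 module and a constructed in-memory user table. The function names, the table and the two payloads are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo. Passwords are stored in clear only to
    keep the injection visible; a real system stores a salted password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so a quote in the input
    terminates the literal and the rest of the input is executed as SQL."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()  # (username, role) or None


def login_safe(conn, username, password):
    """Parameterised statement: values are bound by the driver and never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Two classic payloads an assessor would try in the login form.
    tautology = "' OR '1'='1"   # password field: WHERE ... AND password = '' OR '1'='1'
    comment_out = "alice'--"    # username field: closes the literal, comments out the password check
    print(login_vulnerable(conn, "nobody", tautology))   # ('alice', 'admin')
    print(login_vulnerable(conn, comment_out, "wrong"))  # ('alice', 'admin')
    print(login_safe(conn, "nobody", tautology))         # None
    print(login_safe(conn, comment_out, "wrong"))        # None
    print(login_safe(conn, "bob", "hunter2"))            # ('bob', 'user')
```

The tautology works because AND binds tighter than OR, so the WHERE clause becomes true for every row and the first user (here the admin) is returned; the second payload simply removes the password check. With placeholders the same strings are compared as literal usernames and passwords and match nothing.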
2. Broken Authentication & Session Management
Websites and applications use session identifiers to track and differentiate users once they are logged in. These identifiers are usually stored in cookies, sometimes in hidden form fields, and occasionally in the URL itself, where they leak through browser history, proxy logs and the Referer header. If these identifiers are predictable, exposed or never expire, attackers can steal or fix them and reuse them to hijack accounts. With such access, attackers can perform sensitive operations in the guise of legitimate users, and in some cases gaining complete control over the entire application or backend system is not unheard of.
An application security assessment should check that passwords are stored only as salted, slow hashes (bcrypt, scrypt, Argon2 or PBKDF2 with a high work factor), never in clear text or under reversible encryption. It should confirm that session identifiers are long random values from a cryptographically secure generator, are regenerated on login and on any privilege change (to defeat session fixation), expire after idle and absolute timeouts, and are carried in cookies marked Secure and HttpOnly. It should also ensure that account management functions such as account creation, password reset and password change are implemented securely, with rate limiting on authentication attempts, and that passwords, session IDs and other sensitive information are only ever sent over secured channels such as Transport Layer Security (TLS).
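The session-handling checks above, as an added example in Python that is not part of the original article: a minimal server-side session store that issues random IDs, rotates the ID at login, expires idle sessions, and emits a cookie with the protective attributes. The class name, the 15-minute idle timeout and the cookie name are assumptions made for the demo.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # idle timeout in seconds; an assumed policy value, not a universal one


class SessionStore:
    """Server-side session table. The cookie carries only an unguessable random
    ID; user identity and state stay on the server and are never in the cookie."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # sid -> {"user": ..., "last_seen": ...}
        self._clock = clock   # injectable so expiry can be exercised deterministically

    def _new_id(self):
        # 256 bits from the OS CSPRNG; never a counter, timestamp or hash of the username.
        return secrets.token_urlsafe(32)

    def start(self):
        """Anonymous session for a visitor who has not logged in yet."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def authenticate(self, sid, user):
        """On successful login, retire the pre-login ID and issue a fresh one.
        An attacker who planted the old ID (session fixation) ends up with nothing."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def lookup(self, sid):
        """Return a copy of the session record, or None if unknown or idle past SESSION_TTL."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > SESSION_TTL:
            del self._sessions[sid]   # expired: drop it so the ID cannot be replayed later
            return None
        record["last_seen"] = now
        return dict(record)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: Secure (TLS only), HttpOnly (no script access),
    SameSite=Lax (not sent on cross-site POSTs), bounded lifetime."""
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=%d" % (sid, SESSION_TTL)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.start()
    sid = store.authenticate(anon, "alice")
    print(session_cookie(sid))
    print(store.lookup(anon))          # None: the pre-login ID is dead
    print(store.lookup(sid)["user"])   # alice
```

When assessing a real application, the same properties are what to look for: entropy of the ID, whether the ID changes across the login boundary, whether an old ID still works after logout or timeout, and whether the cookie flags are actually present in the response.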
3. Sensitive Data Exposure
When conducting an application security assessment, testers should check for development mistakes such as failure to encrypt at all, weak or homegrown encryption, unsalted or fast hashing (MD5, SHA-1) of passwords, and instances where encryption keys are stored alongside the encrypted data, for example in the same database, configuration file or source repository. If data is not handled securely in transit or at rest, an attacker who obtains it can use it directly. Check also what the application does not need to keep: data that is never stored cannot be exposed. Additionally, fake or anonymised data should be used in development and test environments whenever possible, so that a compromise of those (typically less protected) systems does not expose production records.
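The credential-storage check from the authentication section and the weak-hashing check here call for the same demonstration, so one added example (Python, not code from the original article) covers both: an unsalted fast hash, which an assessment should flag, beside a salted, slow, self-describing hash with constant-time verification. The record format and the 600,000-iteration PBKDF2 cost are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; an assumed policy value, raise it as hardware improves


def weak_hash(password):
    """What an assessment should flag: unsalted, fast hash. Identical passwords
    produce identical digests, and precomputed tables crack them instantly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow, one-way hash. The record encodes algorithm, cost, salt and
    digest, so the cost can be raised later without breaking existing records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time
    so the comparison leaks nothing about how many bytes matched."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False   # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two users who happened to choose the same password (constructed example).
    print(weak_hash("Winter2024!") == weak_hash("Winter2024!"))            # True: linkable and crackable
    a, b = hash_password("Winter2024!"), hash_password("Winter2024!")
    print(a == b)                                                          # False: per-user salt
    print(verify_password("Winter2024!", a), verify_password("wrong", a))  # True False
```

In an assessment, two identical digests for two accounts in a dumped table is the quickest tell that no salt is in use; a digest short enough to be MD5 or SHA-1, or a record with no stored cost parameter, is the next.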
4. Insufficient Logging & Monitoring
Applications with insufficient logging and monitoring are often breached for long periods before the attack is detected; industry breach studies have repeatedly put the average time to identify a breach at around 200 days. That is more than enough time for attackers to steal sensitive data, cause untold damage and worm their way into higher-value applications. Testing for this weakness should be a core part of application security assessments: confirm that logins, failed logins, access-control failures and input validation failures are logged with enough context (who, what, from where, when) to support an investigation, that the application's own users cannot alter the logs, that logs are forwarded to a central system, and that someone is actually alerted on suspicious patterns such as a burst of failed logins.
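As an added example (not from the original article) of the kind of detection that logging should make possible, the following Python parses a constructed set of authentication log lines and raises an alert when one source address accumulates failed logins inside a sliding window, and a second alert if a success follows that burst, which is the signal that a guessed or stuffed credential actually worked. The log format, the field names, the threshold of five failures and the 60-second window are all assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log sample (not real data): one source cycling through accounts and
# then succeeding, a normal user with a single typo, a non-auth line, a lone late failure.
LOG_LINES = """\
2024-03-01T10:00:01Z app auth outcome=fail user=alice src=203.0.113.7
2024-03-01T10:00:03Z app auth outcome=fail user=alice src=203.0.113.7
2024-03-01T10:00:05Z app auth outcome=fail user=bob src=203.0.113.7
2024-03-01T10:00:07Z app auth outcome=fail user=alice src=203.0.113.7
2024-03-01T10:00:09Z app auth outcome=fail user=carol src=203.0.113.7
2024-03-01T10:00:11Z app auth outcome=fail user=alice src=203.0.113.7
2024-03-01T10:00:15Z app auth outcome=success user=alice src=203.0.113.7
2024-03-01T10:00:20Z app auth outcome=fail user=dave src=198.51.100.3
2024-03-01T10:00:25Z app auth outcome=success user=dave src=198.51.100.3
2024-03-01T10:00:30Z app started worker=3
2024-03-01T10:02:30Z app auth outcome=fail user=alice src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app auth outcome=(?P<outcome>fail|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Yield structured auth events; lines that are not auth events are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "outcome": m["outcome"],
                "user": m["user"],
                "src": m["src"],
            }


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule per source address. Fires once when failures inside the
    window reach `threshold`, and again if a success follows such a burst."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for ev in events:
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()          # forget failures that fell out of the window
        if ev["outcome"] == "fail":
            recent.append(ev["ts"])
            if len(recent) == threshold:   # exactly once per burst, not on every later failure
                alerts.append(("brute_force", ev["src"], ev["ts"].isoformat()))
        elif len(recent) >= threshold:
            alerts.append(("success_after_burst", ev["src"], ev["user"], ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(LOG_LINES)):
        print(alert)
```

The point for an assessment is the inverse: if the application does not record the outcome, the account and the source address of every authentication attempt, a rule like this cannot be written at all, and the 200-day detection gap is the result.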
5. OWASP Top 10 Check
At a minimum, all applications should be tested against the OWASP Top 10 (2017). With the move to Agile and DevOps, the need for automated security assessment tools that run inside the build pipeline has grown sharply. These tools are steadily maturing, but many development teams have yet to deploy comprehensive testing suites, and many of the vulnerabilities covered by the OWASP Top 10 remain common today.
6. Application Categories
In today’s globalized marketplace, most enterprises use dozens – if not hundreds – of applications. Since these applications usually have different risk levels and vulnerabilities, it’s always a good idea to classify them into defined categories before undertaking an application security assessment.
Applications are classified into five groups based on the stringency of compliance regulations and the possible ramifications of a successful breach. These categories (from highest to lowest levels of importance and risk) are as follows:
- Internal function support
- General function support
Based on risk, the first three categories have the highest levels of priority in an organization. A successful attack or downtime (even for a few seconds) of any application in these categories could result in productivity losses, customer dissatisfaction, serious financial loss, or litigation.
Since these applications also have access to an organization’s most sensitive data, a successful breach could result in high-risk data exposure, complete loss of brand value and customer trust, and severe legal repercussions, among others. Reviewing the risks and vulnerabilities present in these applications should be a top priority for application security assessment initiatives.
7. Manual Testing Phase
Due to tight development and release cycles, it is tempting to rely solely on automated and development-integrated testing tools to vet the security of an application. While these tools are a great starting point and can serve as a strong foundation, there should always be a phase of testing by seasoned, professional security assessors. Manual testing finds what scanners structurally cannot: business logic abuse, authorization flaws that require understanding who is supposed to see what, and chains of individually low-severity findings that together yield a serious compromise. This gives an additional layer of testing that is more flexible and deeper than automated testing alone.