Application Security
Information Technology and the Internet are an integral part of our modern and digitalized societies. We increasingly rely on applications to manage our daily lives: online banking, healthcare, education, transportation, public services, and social interactions. People and technology are now almost inseparable, and application security, or insecurity, is critical to our well-being as individuals and to the prosperity of our economies. Attackers recognize the value of the data these applications process and store, so they spare no effort in finding ways to access it and profit from what they find.
In this blog, we will write about the importance of application security, but first, we will provide a simplified overview of what applications are and how they typically work.
Applications are programs that instruct our computers and smartphones to carry out a user's request according to a defined workflow. Applications have a standard architecture made of different components responsible for hosting, serving users' requests, and storing application data.
The typical components of modern applications are the following:
Client
In the context of the application, the client could be your browser visiting a shopping website if you are accessing it through the URL, or a mobile application built specifically for an e-commerce website that you install on your mobile device. These are considered ‘clients’ of the online shop.
Application Server
The application server contains the code that serves the pages to the clients. These include pages that show which items are available and their prices, and allow the adding of items to your shopping cart, checking out, and paying. All the logic and algorithms are implemented using server-side code.
Application Program Interface (API)
Modern applications use APIs to transmit data between the client and the server. In this context, you can think of an API as a 'servant' that takes inputs from you, the client, and sends them to the server. Your search keywords are one example: the API sends those keywords to the server so it can process your search and return the available items. APIs can be used within the same application to hide complexity and simplify communication between the client and the server. APIs are also used to access data from third-party services, for example tracking your package with the courier company that delivers your items to your door, which is a different application from the online shop.
Database Server
Data on the website, such as available items, prices, user information, and user credentials, is stored separately in a different place called a database. These databases are accessed by the application code using a language called SQL.
Operating System
Both the application server and the database need an underlying operating system. The most common operating systems are Linux and Microsoft Windows.
These are the main components typically involved in building and interacting with applications. Other components may also be used as part of the application, but the ones mentioned are the important ones. Every one of the components above can be affected by several types of security risk if the application is insecurely developed.
What Security Issues Can Affect Applications?
Application security issues come in several types and at various levels of impact. These issues affect one or more elements of the CIA triad (Confidentiality, Integrity, or Availability) for users of the applications, in addition to the organizations that host these vulnerable applications. The Open Web Application Security Project (OWASP) lists the top 10 most critical security risks that affect web applications, a list that was updated in 2021.
Let’s take one of OWASP’s Top 10 security risks: Injections.
Injections
Injection ranks as number 3 of OWASP's Top 10 security issues. Injections occur in applications built insecurely, without proper validation of the user input received from the client. Depending on where the injection occurs in the vulnerable code, an attacker can 'inject' additional code that is then executed as part of the server-side processing. Injections take different forms and affect different components of the application: some affect the database used by the application, some affect the operating system that hosts the application server, and some affect the organization's LDAP directory if it is used as one of the application components.
Here is a brief description of each one and where they occur:
SQL Injection
SQL Injections enable attackers to query the application's database and perform operations such as updating data, adding data, and deleting data from the web application's database. Depending on the privileges assigned to the database account and the complexity of the injection, a successful SQL injection can also lead to compromise of the operating system hosting the database.
OS Command Injection
OS Command Injection enables the attacker to talk directly to the operating system hosting the vulnerable application and execute OS commands. This can give the attacker full control of the operating system. Depending on the privileges given to the application, an attacker may also be able to steal files, wipe the drive used for storage, or shut down the operating system completely. Depending on the security of the network, this may also allow the attacker to pivot to other systems within the organization.
LDAP Injection
LDAP Injections allow the attacker to talk to the organization's LDAP directory if the directory is used as one of the application components. A common example is authenticating user accounts to the application against the organization's Active Directory through the LDAP protocol.
Not only do these types of injections affect the web application itself; the entire organization is also at risk, because they provide attackers with an entry point to the organization's internal network, allowing them to pivot to internal systems, all through the original vulnerable application. These are examples of the most common injection vulnerabilities. Injections are just one of the many security issues that can affect applications that are insecurely built.
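The injections described above all come from the same root cause: user input merged into a command that a parser (the SQL engine, the shell, the LDAP server) then interprets. The following example, added here and not code from the original post, shows the product search of the online shop written twice, once with the keyword concatenated into the SQL text and once with it bound as a parameter, and the same contrast for an OS command built with a shell string versus an argument list behind an allow-list check. The catalogue rows, the hostname pattern and the ping command are constructed for the example; it runs offline on an in-memory SQLite database using only the Python standard library.

```python
# Added example (not code from the original post): vulnerable and hardened
# versions of a SQL search and of an OS command, side by side.
import re
import sqlite3
import subprocess

# Constructed sample catalogue; one name contains an apostrophe on purpose.
SAMPLE_ITEMS = [("Kettle", 25.0), ("O'Neill jacket", 80.0), ("Lamp", 40.0)]


def build_db():
    """Create an in-memory catalogue holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT, price REAL)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ITEMS)
    return conn


def search_vulnerable(conn, keyword):
    """Vulnerable: the keyword becomes part of the SQL text, so any quote or
    SQL syntax inside it changes what the statement means."""
    sql = "SELECT name, price FROM items WHERE name LIKE '%" + keyword + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, keyword):
    """Hardened: the keyword is bound as a parameter; the database engine
    treats it as data and never parses it as SQL."""
    sql = "SELECT name, price FROM items WHERE name LIKE ?"
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()


def vulnerable_query_fails(keyword):
    """True if the concatenated query no longer parses for this keyword.
    An ordinary apostrophe in a product name is enough to show that the input
    has been merged into the statement instead of being kept as data."""
    try:
        search_vulnerable(build_db(), keyword)
        return False
    except sqlite3.Error:
        return True


def search_safe_for(keyword):
    """Run the parameterised search against a fresh sample database."""
    return search_safe(build_db(), keyword)


# --- OS command: validate, then pass arguments as a list, never a shell string
# Allow-list for hostnames (assumption for the example: letters, digits, dots
# and hyphens only). Anything else is rejected before any command is built.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def host_is_valid(host):
    return bool(HOSTNAME_RE.fullmatch(host))


def vulnerable_command_line(host):
    """Vulnerable: if this string is given to subprocess.run(..., shell=True)
    the shell parses it, so shell metacharacters in `host` become syntax."""
    return "ping -c 1 " + host


def safe_command_argv(host):
    """Hardened: enforce the allow-list first, then build an argv list. With a
    list and shell=False no shell is involved and `host` reaches ping as one
    argument, whatever characters it contains."""
    if not host_is_valid(host):
        raise ValueError("hostname rejected by allow-list: %r" % host)
    return ["ping", "-c", "1", host]


def run_safe(host):
    """Execute the validated command without a shell (not called by the checks
    below, since ping may be absent in a sandbox)."""
    return subprocess.run(safe_command_argv(host), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    print("parameterised search:", search_safe_for("O'Neill"))
    print("concatenated query breaks on a quote:", vulnerable_query_fails("O'Neill"))
    print("argv for a valid host:", safe_command_argv("shop.example.com"))
    try:
        safe_command_argv("shop.example.com;")
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the apostrophe test is that the concatenated query fails on legitimate data before any attacker is involved: the same mechanism that breaks on "O'Neill" is what an injection abuses. The parameterised query and the argv list both keep user input out of the parser entirely, which is the fix; the allow-list is an additional layer that rejects unexpected characters early and gives the application something to log. LDAP queries get the same treatment in practice: escape or bind the value rather than building the filter string by concatenation.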
How Can You Secure Your Applications?
Whether you are developing web applications, mobile applications, desktop applications, or APIs as part of the services you deliver to your clients, it is important to ensure that security is integrated into all phases of the application development process. There is no silver bullet that makes your applications fully secure; however, here are some of the most important things you can do to raise the security of your applications:
Secure Software Development
Developers need to have a security mindset while developing applications and always assume that there will be malicious users trying to cause harm to the application and its infrastructure. Developers should never trust any request coming from the users of the application.
OWASP has particularly good references for the most common security risks that affect applications in their different forms (web, mobile, and API) and for how to ensure the implemented code is secured against these threats.
Source Code Review
Reviewing the implemented code can uncover security risks that were not addressed during development. Different languages and platforms have their own security risks, so it is important to ensure that code in each language follows that language's security best practices.
Penetration Testing
Some security risks may not be easy to identify during a code review, especially security issues related to the logic of the application. Therefore, it is also important to perform penetration tests on the application to uncover any security risks that may not have been addressed during the development phase or during any code reviews. OWASP also provides penetration testers a thorough guide that covers all well-known security issues that affect web applications and how to test for them.
Web Application Firewall (WAF)
When all else fails, it is important to have an added layer of security in case security issues have slipped through during the development or the assessment of the application. A fine-tuned Web Application Firewall (WAF) can block malicious requests before they reach the application.
Conclusion
Designing and building your applications with a security mindset is crucial for protecting user data and your company assets. One security incident caused by a security flaw in one of your applications can not only impact your customers and your systems, but can also damage the reputation that you have worked hard to build over the years. Investing in cybersecurity is no longer a choice, but a necessity.
OIVAN can help you design, develop, and operate secure services that will keep your valuable information protected from cybercriminals. We can also assess your applications, your systems, and your networks for any security vulnerabilities that may put your organization at risk. Our cybersecurity experts bring with them years of experience in the security field coupled with top-notch industry certifications to accredit their knowledge in cybersecurity.
Get In Touch
Want to hear more about our cybersecurity services? Let’s talk! Send us a message for more information.