The document provides an overview of application security concepts and terms for beginners. It defines key terms like the software development lifecycle (SDLC) and secure SDLC, which incorporates security best practices into each stage of development. It also describes common application security testing methods like static application security testing (SAST) and dynamic application security testing (DAST). Finally, it outlines some common application security threats like SQL injection, cross-site scripting, and cross-site request forgery and their potential impacts.
INTRODUCTION
This beginner's guide to application security focuses on the main concepts and keywords used in the Application Security domain.
This guide is divided into the following categories:
- Code Development Methodologies
- Application Security Solutions
- Common threats and their impacts
WHAT IS SDLC?
Most organizations develop applications according to a clear process by which each application is designed, developed, tested, and deployed. This sequence is called the software development lifecycle, or SDLC. SDLC shapes the way applications are built and defines the processes and milestones an application needs to pass before going to the next stage of development.
WHAT IS A SECURE SDLC?
Secure SDLC is a process where security touch points are added to each stage of the SDLC. Secure SDLC applies security best practices to ensure that applications are secure upon release while fitting into any developer's continuous integration workflow.
SDLC Process
1. Requirements
2. Design
3. Development
4. Testing
5. Deployment

Secure SDLC Process
1. Risk Assessment
2. Threat Modeling & Design Review
3. Static Analysis
4. Security Testing & Code Review
5. Security Assessment & Secure Configuration
STATIC APPLICATION SECURITY TESTING WITH SECURE SDLC
Static Application Security Testing (SAST) is one of the driving forces behind the secure SDLC. SAST empowers developers to deliver secure applications by integrating seamlessly with their development processes and environments.
In a secure SDLC, SAST solutions detect vulnerabilities which may expose the application to security risks and breaches.
Figure: SAST Integration Points
Software Development Life Cycle (SDLC)
Process for planning, creating, testing and deploying an application.

AGILE Model
Alternative to traditional project management where the emphasis is placed on empowering people to collaborate and make team decisions, in addition to continuous planning, testing and integration.
Waterfall Model
Sequential design process, used in software development, in which progress is seen as flowing steadily downwards (like a waterfall) through the phases of requirements, design, development and testing.

Rapid Application Development (RAD)
Development method that uses minimal planning in favor of rapid prototyping. A prototype is equivalent to a component of the product.
Codebase (or code base)
Collection of source code that is used to build a particular software system, application or software component.

Frameworks
Frameworks are fairly large pre-made pieces of code. Developers write their code on top of the framework.
Notable examples:
- Struts
- Telerik
- GWT
Build Systems (or Build Server, Build Automation)
A tool designed to automate the process of program compilation. Build systems come in various forms and are used for a variety of software build tasks.
Notable examples:
- Jenkins
- AnthillPro

Source Code Repository
File archive or web hosting facility where large amounts of software source code are kept either publicly or privately. Archived files may also be versioned.
Notable examples:
- TFS
- GIT
- Perforce
- SVN
Bug Tracking Systems (Issue Tracking Systems)
Software application that keeps track of reported bugs, issues or tasks in a project.
Notable examples:
- TFS
- Jira
- HP-QC

Micro Services
Modern interpretation of service-oriented architectures used to build distributed software systems: processes that communicate with each other over the network in order to fulfill a task.
Example: Microservices can be found in Facebook or LinkedIn; some parts of the GUI have downtime for updates and some don't.
DLL (Dynamic Link Library)
The artifact created after compiling and building source code for C++ and other Microsoft coding languages.

JAR (Java Archive)
The artifact created after compiling and building source code for the Java coding language.
Test Driven Development (TDD)
Development is built around predefined code test cases. This means that only after the test cases have been created can the developers start writing the code.
Static Application Security Testing (SAST)
Security testing which analyzes an application's source code or binary code to determine if security vulnerabilities exist. SAST solutions analyze the application 'from the inside out'; in many cases SAST solutions do need compiled code.
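To make the "inside out" idea concrete, here is a toy static check written for this guide (not a real SAST product and not the guide's own code). It walks the syntax tree of a constructed Python snippet and flags `execute()` calls whose SQL text is assembled at runtime; the sample source, the function names and the deliberately missed case are all constructed here.

```python
"""Toy SAST rule: flag DB execute() calls whose query is built by string
concatenation or formatting (the pattern behind CWE-89, SQL injection)."""
import ast
from typing import List

# Constructed application code to scan. Line 3 and line 6 build the query
# from input; line 9 binds it as a parameter and should not be flagged.
SAMPLE_SOURCE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_fmt(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression produces its string at runtime:
    f-string, '+' concatenation, '%' formatting, or .format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False

def find_sql_concat(source: str) -> List[int]:
    """Return line numbers of execute() calls with a dynamically built query.
    Note the false negative: a query assembled into a variable and then
    passed by name is not recognised by this simple rule."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append(node.lineno)
    return sorted(findings)

if __name__ == "__main__":
    for line in find_sql_concat(SAMPLE_SOURCE):
        print(f"line {line}: SQL query built from a dynamic string (possible CWE-89)")
```

Real SAST engines track data flow across assignments and functions precisely so that the variable case above does not slip through.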
Penetration Testing (AKA Pen Testing)
Security experts trying to find and exploit vulnerabilities that an attacker could use. The testing is done with or without dedicated hacking tools.
Dynamic Application Security Testing (DAST)
Detects conditions indicative of a security vulnerability in an application in its running state. Dynamic Application Security Testing generates automated attacks of the kind real attackers may use.

Runtime Application Self-Protection (RASP)
Security technology that is built or linked into an application or application runtime environment and is capable of detecting and preventing real-time attacks.
Common Weakness Enumeration (CWE)
List of software weaknesses, created by community cooperation. Software weaknesses are errors that can lead to software vulnerabilities.

Common Vulnerabilities and Exposures (CVE)
A publicly available and free-to-use list or dictionary of standardized identifiers for common computer vulnerabilities and exposures.
Open Web Application Security Project (OWASP)
Community which creates freely available methodologies, tools, standards and technologies in the field of application security.

Interactive Application Security Testing (IAST)
Combines elements of SAST and DAST simultaneously. It is typically implemented as an agent within the test runtime application or environment that observes attacks and identifies vulnerabilities. IAST determines whether a vulnerability is exploitable with increased accuracy, and can identify where specifically the vulnerability is located in the code.
False Positive
When a security scanner indicates that a vulnerability exists (for example, SQL Injection), while in reality it doesn't exist.

False Negative
When a vulnerability exists and the security scanner doesn't detect it. Therefore the user is not notified about the vulnerability.
Web Application Firewall (WAF)
Protects web applications by monitoring and controlling their input and output and the access to and from the application. Running as an appliance, server plug-in or cloud-based service, a WAF inspects, monitors, filters or blocks malicious traffic to and from a web application.

Binary Analysis
Binary Analysis is a form of Static Application Security Testing based on analysis of a compiled code base rather than the raw source code. A binary is a machine-readable file which can be executed and run.
Bug Bounty Program
Agreement offered by many websites and software development companies by which individuals can receive recognition and compensation for reporting bugs, exploits and vulnerabilities.

Security Gate
Security practice where, after the code is written, it is sent to a security expert to undergo inspection, after which the developer needs to alter the code accordingly.
THREAT: SQL Injection
Code injection technique used to attack data-driven applications, in which malicious SQL fragments are inserted into an entry field for execution.
IMPACT:
- May reveal sensitive information, plant information or damage data
- May be used to reveal customers' credit card numbers or any other personal data stored on the DB
- Attacker could change system administrator credentials for the database server
- Can affect the public image of the company, resulting in profit loss
THREAT: Cross Site Scripting (XSS)
Vulnerability typically found in web applications enabling attackers to inject client-side scripts into web pages viewed by other users.
IMPACT:
- May gain access to a user's identity and act on their behalf
- Ability to spread web worms or Trojans
- Possible business impact of public exposure about the vulnerability
- Attacker may gain access to all the end-user information kept on the client (cookies, session ID and client identity)
THREAT: Clickjacking (UI redress attack)
Attacker uses multiple transparent layers to trick a user into clicking on a button or link that is not the originally intended target. The attacker is thereby rerouting (hijacking) the user to another page, likely owned by another application. Keystrokes can also be hijacked using the same method.
IMPACT:
- Can be used to activate the computer's microphone and camera
- May activate print screen to capture sensitive information
THREAT: Cross Site Request Forgery (CSRF)
Attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. It inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf.
IMPACT:
- If the victim is an administrative account, can be used to force the user to perform state-changing requests like transferring funds, changing their email address, and so forth
- Can compromise the entire web application
THREAT: Path Traversal (Directory Traversal, dot-dot-slash)
Exploit which allows attackers to access restricted directories and execute commands outside of the web server's intended directory.
IMPACT:
- Can be used to access restricted areas and files, causing a critical information leak
THREAT: Session Fixation
Vulnerability that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the vulnerable web application manages the session ID.
IMPACT:
- Can be used to hijack the user-validated session by utilizing knowledge of the session ID