What does the security of modern applications consist of?

On the Internet you can find different interpretations of the concept of AppSec (Application Security). In this article we will try to figure out what AppSec should include, what skills specialists working in this field need, and what tools they should use.

Overall, the AppSec methodology helps protect application code and data from attacks and theft. It addresses security at every stage of designing, developing and deploying an application, and involves software, hardware and procedures that identify and reduce vulnerabilities and lower the likelihood of a successful attack.

AppSec typically means embedding security controls into the software process: for example, automatic static analysis of new code, testing new builds for vulnerabilities or misconfigurations, and using a web application firewall to define explicitly which requests are allowed and which are not.

Let's take a closer look at the components of the AppSec methodology.

Secure Software Development Lifecycle

It is worth starting the story of AppSec with the Secure Software Development Lifecycle (SSDLC): the process of forming application requirements, secure programming, testing, certification, operation and updating.

SSDLC involves building and analysing a threat model for the application being created, taking the risks into account; designing the application in accordance with that model; developing it with the help of code analysis and testing tools; and finally deploying it in a secure configuration.

We will talk about all this further.

Threat model

Obviously, to protect an application effectively you need a good understanding of how attackers might try to compromise it, and threat modeling helps with this. It lets us improve the security of systems, business processes and applications by identifying the assets an attacker would target and the vulnerabilities that expose them, and then choosing suitable countermeasures to prevent or mitigate the impact of each threat. It is a fundamental component of a comprehensive application security program.

When threat modeling the application you are creating, you must first identify all the assets that take part in its operation. It is not enough to know how many machines run Windows, Linux or macOS and which server operating systems are in use. It is important to understand what roles particular nodes perform and which business processes they participate in, because the criticality of those processes matters. One server running Ubuntu 22.04 can take part in a critical business process whose downtime leads to large financial losses, while another server running the same OS supports the not-so-critical process of recording employee working hours.

Therefore, when making an inventory, it is important not just to count the operating systems of the nodes and the container images on which application components run: each node must be placed within the business processes it serves, together with their criticality. After identification, a security profile is created for each node, that is, an understanding of the potential threats to it. The first step here is to identify the vulnerabilities present in the OS and in the applications installed on the host.

The vulnerabilities found must be prioritized, taking into account their severity and the criticality of the process the host serves, and fixed wherever possible.

As for tools for inventory and vulnerability discovery, there are many commercial solutions on the market from Russian vendors. In the simplest case, though, you can discover hosts on the network with nmap and look for vulnerabilities with, for example, the Trivy scanner.

The figure below shows a fragment of the results of scanning the nginx image. Trivy finds not only vulnerabilities but also misconfigurations, secrets and licences left in a project, and it works with filesystems, virtual machine images, Git repositories and cloud resources as well as container images.

The general form of a Trivy invocation is:

trivy [global flags] command [flags] target
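A scan is only useful once its findings are prioritized, so here is an added example (not part of the original article and not part of the Trivy project) that triages Trivy's JSON output. It assumes a report produced with `trivy image --format json --output report.json nginx:latest`; the report embedded below is constructed by hand with trimmed fields, and its CVE identifiers (CVE-0000-000x) are fictitious placeholders, not real vulnerabilities. Findings are ordered most-severe first, with fixable findings ahead of unfixed ones at the same severity, and a simple CI gate decides whether the build should fail.

```python
"""Triage a Trivy JSON report: rank findings by severity and fixability.

Added example, not from the original article or the Trivy project.
Assumes a report produced with
    trivy image --format json --output report.json nginx:latest
The sample below is constructed by hand; the CVE-0000-000x identifiers
are fictitious placeholders, not real vulnerabilities.
"""
import json
from collections import Counter

# Severity order used for prioritisation (highest first).
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

# Constructed sample in Trivy's JSON report layout (fields trimmed to the
# ones used here). CVE-0000-000x are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "nginx:latest",
    "Results": [
        {
            "Target": "nginx:latest (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
                 "InstalledVersion": "2.36-9", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl",
                 "InstalledVersion": "7.88.1-10", "FixedVersion": "7.88.1-11",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "/etc/ssl/private/server.key",
            "Class": "secret",
            "Secrets": [{"RuleID": "private-key", "Severity": "HIGH",
                         "Title": "Asymmetric Private Key"}],
        },
    ],
})


def load_findings(report_json):
    """Flatten a Trivy report into a list of vulnerability dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
                "target": result.get("Target", ""),
            })
    return findings


def prioritise(findings):
    """Most severe first; within a severity, fixable findings before unfixed ones.

    A finding with a FixedVersion is actionable today (bump the package);
    one without a fix needs a compensating control instead.
    """
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 99),
                                           f["fixed"] == ""))


def severity_counts(findings):
    """Number of findings per severity level."""
    return dict(Counter(f["severity"] for f in findings))


def secrets_found(report_json):
    """Rule IDs of secret-scanner hits, which Trivy reports separately."""
    report = json.loads(report_json)
    return [s["RuleID"] for r in report.get("Results", [])
            for s in (r.get("Secrets") or [])]


def fails_gate(findings, block_at="HIGH", ignore_unfixed=False):
    """CI gate: True if any finding at or above block_at should stop the build.

    ignore_unfixed mirrors Trivy's --ignore-unfixed: skip findings that the
    distribution has not patched yet, since a rebuild cannot remove them.
    """
    limit = SEVERITY_RANK[block_at]
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 99) > limit:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue
        return True
    return False


if __name__ == "__main__":
    found = prioritise(load_findings(SAMPLE_REPORT))
    print("Severity summary:", severity_counts(found))
    for f in found:
        action = f"upgrade to {f['fixed']}" if f["fixed"] else "no fix yet: mitigate"
        print(f"{f['severity']:8} {f['id']:14} {f['pkg']:8} {f['installed']:11} {action}")
    print("Secrets in image:", secrets_found(SAMPLE_REPORT))
    print("Gate:", "FAIL" if fails_gate(found) else "PASS")
```

The gate is deliberately strict by default (an unfixed CRITICAL still fails the build), and the `ignore_unfixed` switch is there for teams that would rather track such findings as risk exceptions than block every release.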

Testing

Application security testing (AST) helps identify and mitigate software vulnerabilities: teams can catch vulnerabilities before deployment and quickly identify those that reach production. Let's look at the main types of testing.

Static Application Security Testing (SAST) finds defects by analysing the application's source code without running it and points to the root cause in the code. Feeding the results back into the developer's workflow (IDE, code review, CI) lets teams detect security issues early, cut troubleshooting time and collaborate on fixes.

Different analysers are used for different languages: for C/C++ it could be the Clang Static Analyzer or clang-tidy, for Python Bandit, and so on. The general idea is the same: the analyser takes source files as input and produces a report of the findings.
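To make the "source in, report out" idea concrete, here is an added example, not from the article and not Bandit's own code, of a minimal static analyser built on Python's standard `ast` module. It flags three patterns a Bandit-style check would also report: calls to `eval()`/`exec()`, `subprocess` calls with `shell=True`, and string constants assigned to credential-looking names. The input source is a constructed sample, and the rule IDs X001 to X003 are made up for this example.

```python
"""Minimal SAST pass over Python source using the standard ast module.

Added example, not from the original article or from Bandit. It mirrors
the shape of a Bandit-style check (source file in, list of findings out).
Rule IDs X001..X003 are made up for this example.
"""
import ast

# Constructed sample input: the kind of code a reviewer would flag.
SAMPLE_SOURCE = '''
import subprocess

DB_PASSWORD = "hunter2"          # hard-coded credential

def run(cmd):
    return subprocess.run(cmd, shell=True)   # shell injection if cmd is user data

def calc(expr):
    return eval(expr)            # arbitrary code execution

def safe(cmd_argv):
    return subprocess.run(cmd_argv)          # list argv, no shell: not flagged
'''

DANGEROUS_CALLS = {"eval": "X001", "exec": "X001"}
CREDENTIAL_NAMES = ("password", "passwd", "secret", "token", "api_key")


class Finding:
    def __init__(self, rule, line, message):
        self.rule, self.line, self.message = rule, line, message

    def __repr__(self):
        return f"{self.rule}:{self.line}: {self.message}"


class Checker(ast.NodeVisitor):
    """Walks the syntax tree and records findings per rule."""

    def __init__(self):
        self.findings = []

    @staticmethod
    def _call_name(node):
        # "eval(...)" -> "eval"; "subprocess.run(...)" -> "subprocess.run"
        func = node.func
        if isinstance(func, ast.Name):
            return func.id
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            return f"{func.value.id}.{func.attr}"
        return ""

    def visit_Call(self, node):
        name = self._call_name(node)
        if name in DANGEROUS_CALLS:
            self.findings.append(Finding(DANGEROUS_CALLS[name], node.lineno,
                                         f"use of {name}()"))
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding("X002", node.lineno,
                                                 f"{name} with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # NAME = "literal" where NAME looks like a credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        key in target.id.lower() for key in CREDENTIAL_NAMES):
                    self.findings.append(Finding("X003", node.lineno,
                                                 f"hard-coded credential in {target.id}"))
        self.generic_visit(node)


def analyse(source, filename="<input>"):
    """Parse source text and return findings sorted by line number."""
    tree = ast.parse(source, filename=filename)
    checker = Checker()
    checker.visit(tree)
    return sorted(checker.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_SOURCE):
        print(finding)
```

Working on the syntax tree rather than on text is what lets the checker distinguish `subprocess.run(cmd, shell=True)` from the safe list-argv form on the last line of the sample, which a grep for "subprocess" would report indiscriminately.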

Dynamic Application Security Testing (DAST) attacks a running application from the outside, as an attacker would, to find exploitable vulnerabilities. Because these tools exercise the deployed application (usually a test or staging environment, sometimes production), they detect errors that only appear at runtime or depend on the environment.

Interactive Application Security Testing (IAST) combines elements of SAST and DAST: an agent runs inside the application and analyses it in real time while it is exercised by tests or users, at any stage of the SDLC. Because IAST tools have access to the application code, its runtime data flow and its components, they produce more accurate results than purely external testing.

Runtime Application Self-Protection (RASP) tools run inside the application itself, continuously checking its behaviour and automatically responding to suspected attacks. Typical responses are alerting security staff and terminating the suspicious session or request.

A Cloud-Native Application Protection Platform (CNAPP) centralizes management of all the tools used to protect cloud applications. It brings together technologies such as cloud security posture management (CSPM), cloud workload protection (CWPP), management of cloud identities and their entitlements, security for container orchestration platforms such as Kubernetes, and API discovery and protection.

Application Security Best Practices

Next, we'll look at a few basic recommendations for ensuring application security.

First of all, this is "shifting security to the left". Today's fast-paced software development requires frequent releases, sometimes several times a day, so security testing must be part of the development process if development and security teams are to keep up. Testing should start early in the SDLC (to the left, if you look at the lifecycle diagram) rather than blocking the release at the end of the pipeline.

Understanding the current development process and the relationship between developers and security testers is important for implementing an effective shift-left strategy. The next step is to integrate security processes into the existing development pipeline so that developers can adapt to the new approach with little friction.

The CI/CD pipeline should include automated security tests at several stages. Integrating security automation into the pipeline lets the team test its own code without waiting on other teams, so developers can find and fix problems quickly.

Effective privilege management is also necessary. Not every user in an organization requires the same access privileges, and restricting access to data and applications according to security requirements is one of the main methods of ensuring security. There are two main reasons for limiting privileges.

If attackers gain access to a system using stolen credentials (say, those of a marketing employee), controls must be in place to stop them reaching other data. Least-privilege access controls limit lateral movement and shrink the attack surface.

Insider threats become more dangerous when the attacker already has access to internal network resources. Such threats can be malicious or unintentional, for example an employee connecting an unapproved device or downloading malicious files.

Privilege management should follow the principle of least privilege, so that employees and external users cannot access data they do not need, which reduces the overall exposure.

You can review the rights granted on a Linux host without special tools. It is enough to look at /etc/sudoers (and the drop-in files under /etc/sudoers.d) and /etc/group to see which users are members of privileged groups such as sudo, wheel or docker.

You can also search the filesystem for files with the SUID or SGID bit set (the "/" in -perm matches any of the listed bits, and errors from unreadable directories are discarded):

find "$DIRECTORY" -type f -perm /u=s,g=s 2>/dev/null

And for regular files with full 777 permissions, which anyone on the host can modify:

find / -type f -perm 0777 2>/dev/null
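The same audit can be scripted so it runs unattended and its output can be compared between runs. The following is an added example, not part of the original article, that reimplements the two checks above in Python: it parses an /etc/group-style file for members of privileged groups and walks a directory tree looking for set-UID/set-GID and world-writable regular files. The group file excerpt is constructed sample input, the list of privileged group names is the usual set on Debian- and RHEL-like systems (adjust it for your distribution), and `demo()` builds a throwaway directory with one file of each kind so the walker can be exercised without touching the real filesystem.

```python
"""Audit privileged group membership and risky file modes.

Added example, not from the original article. It reimplements in Python
the checks the article performs with /etc/group and find(1): members of
privileged groups, and files that are set-UID/set-GID or world-writable.
PRIVILEGED_GROUPS lists common names on Debian/RHEL systems; adjust as needed.
"""
import os
import stat
import tempfile

PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm", "docker", "disk", "shadow"}

# Constructed /etc/group excerpt used as sample input.
SAMPLE_GROUP_FILE = """root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice,bob
docker:x:999:ci-runner
users:x:100:alice,bob,carol
"""


def privileged_members(group_text):
    """Map each privileged group to the users explicitly listed in it.

    Only explicit (supplementary) members appear in /etc/group; a user's
    primary group is recorded in /etc/passwd and is not covered here.
    """
    result = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        if name in PRIVILEGED_GROUPS and members:
            result[name] = members.split(",")
    return result


def audit_tree(root):
    """Walk root; return (setuid_or_setgid_files, world_writable_files).

    Equivalent to:  find root -type f -perm /u=s,g=s
               and:  find root -type f -perm -o=w
    """
    special, world_writable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip, as find(1) does
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices: not what -type f reports
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                special.append(path)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(path)
    return sorted(special), sorted(world_writable)


def demo():
    """Create a throwaway tree with one file of each bad mode and audit it.

    Returns the basenames found, so the result does not depend on the
    random temporary directory name.
    """
    with tempfile.TemporaryDirectory() as tmp:
        paths = {n: os.path.join(tmp, n) for n in ("suid_bin", "open_file", "normal")}
        for p in paths.values():
            with open(p, "w") as fh:
                fh.write("x\n")
        os.chmod(paths["suid_bin"], 0o4755)   # set-UID, like /usr/bin/passwd
        os.chmod(paths["open_file"], 0o777)   # the "777" case from the article
        os.chmod(paths["normal"], 0o644)
        special, writable = audit_tree(tmp)
        return ([os.path.basename(p) for p in special],
                [os.path.basename(p) for p in writable])


if __name__ == "__main__":
    print("Privileged group members:", privileged_members(SAMPLE_GROUP_FILE))
    special, writable = demo()
    print("SUID/SGID files:", special)
    print("World-writable files:", writable)
    # On a real host: audit_tree("/usr") or audit_tree("/"), and read /etc/group.
```

Run against a real host, feed `open("/etc/group").read()` to `privileged_members` and point `audit_tree` at "/" (it is slow there; start with /usr and /opt), then diff the output against the previous run so that a newly set-UID binary or a world-writable file stands out.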

These checks should also be run once the application is deployed in production, and repeated regularly, since application security is a process, not a result.

Conclusion

We've covered the basics of the AppSec process and introduced some of the tools that can be used for its tasks.

Let me take this opportunity to remind you about open lessons on application security:

  • October 7 — Dive into security rules and strategies: basic terms and practices in the field of security, examples of vulnerabilities and their classification, current trends and innovations in cybersecurity.

  • October 14 — Network traffic analysis: basic methods, types and tools for analyzing network traffic; how Burp Suite works.
