Madalyn Stiverson says
Key controls for application security include patching, minimizing permissions, and adding authentication. You should prioritize patching based on high CVSS score patches that attackers are actually taking advantage of. Only a small number of vulnerabilities are actually exploited, so if you spent all your time patching the CVSS score 10 patches, you may end up patching an unexploited 10 vulnerability while leaving a 9 vulnerable. You should also prioritize patches that are key to protecting your vital assets, systems, and data on your network.
Minimizing permissions is also important. A hacker’s goal once they get onto your network is to escalate privilege, so reducing application privilege to only what is absolutely necessary will help protect you from that exposure.
Also, authentication is key for creating a culture of accountability, logging, and to make it more difficult for threat actors to gain access to your network.
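The ranking the post argues for, as an added example that is not part of the discussion: known-exploited vulnerabilities come first, then asset criticality, and a bare CVSS score only breaks ties. The vulnerability records, identifiers and asset tiers are constructed sample data, not real CVEs.

```python
# Added example (not from the discussion): rank patches the way the post argues,
# putting vulnerabilities that are actually being exploited and that sit on
# vital assets ahead of a bare CVSS score. All records below are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str        # placeholder identifiers, not real CVE numbers
    asset: str
    cvss: float         # CVSS base score, 0.0-10.0
    exploited: bool     # known to be exploited in the wild?


# Asset criticality: vital systems get the highest tier (constructed for the example).
ASSET_TIER = {"payroll-db": 3, "public-web": 2, "dev-workstation": 1}


def priority_key(f: Finding) -> tuple:
    """Sort key: exploited-in-the-wild first, then asset tier, then CVSS.

    A higher tuple sorts earlier when used with reverse=True, so an
    exploited 9.1 on a vital asset outranks an unexploited 10.0 elsewhere.
    """
    return (f.exploited, ASSET_TIER.get(f.asset, 0), f.cvss)


def prioritize(findings: list[Finding]) -> list[str]:
    """Return vulnerability ids in the order they should be patched."""
    return [f.vuln_id for f in sorted(findings, key=priority_key, reverse=True)]


# Constructed findings: note the CVSS 10.0 on a low-tier, unexploited host.
SAMPLE = [
    Finding("VULN-A", "dev-workstation", 10.0, exploited=False),
    Finding("VULN-B", "payroll-db", 9.1, exploited=True),
    Finding("VULN-C", "public-web", 7.5, exploited=True),
    Finding("VULN-D", "payroll-db", 9.8, exploited=False),
]

if __name__ == "__main__":
    print(prioritize(SAMPLE))  # ['VULN-B', 'VULN-C', 'VULN-D', 'VULN-A']
```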
Dan Xu says
Hi Madalyn,
I agree with you that only a few vulnerabilities are actually exploited. Spending all of your time patching a patch with a CVSS score of 10 ignores vulnerabilities that are very vulnerable. Prioritization is even more important for protecting data on the network.
Dan Xu says
From reading this chapter I learned that programs often store information temporarily in RAM areas called buffers. A buffer overflow is when an attacker sends more bytes of a message than the programmer has allocated for the buffer; the attacker’s information will overflow to other areas of RAM.
On the other hand, I learned that the mechanics of vulnerabilities, exploits, patches, and workarounds are the same for both operating systems and applications. Companies may run applications from dozens of application software vendors. The largest share of all vulnerabilities and fixes are application-related. Every business needs to have a different mechanism for downloading and installing patches. Companies should minimize the number of applications running on the mainframe, as fewer applications means fewer opportunities to take over the computer.
Kelly Sharadin says
Email security remains one of the most challenging aspects for cyber security professionals due to our heavy reliance on emails for business operations. Attackers can abuse an organization’s lack of email application security to deploy malware by rendering malicious HTML code within the email body or attaching other malicious executables directly with a phishing email. Organizations must take preventive actions to harden their email application gateways by implementing email filtering rules, blocking common malware attachments such as VBS scripts, and scanning for safe links to thwart successful execution of malicious code from an email client.
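A gateway-style attachment filter of the kind the post describes, as an added example that is not part of the discussion: it is built on the standard library's email parser, and the block list and sample message are constructed for illustration (the base64 bodies are placeholders, not real file contents).

```python
# Added example (not from the discussion): refuse messages carrying attachments
# with script or executable extensions. Block list and message are constructed.
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions a gateway commonly refuses outright (constructed list).
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".exe", ".scr", ".hta", ".wsf"}


def blocked_attachments(raw_message: str) -> list[str]:
    """Return filenames of attachments whose final extension is on the block list.

    The check uses the *last* extension so that "invoice.pdf.vbs" is treated as
    a .vbs file, and lowercases it so that "Report.VBS" is not waved through.
    """
    msg: EmailMessage = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rpartition(".")[2].lower()
        if name and ("." + ext) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def gateway_decision(raw_message: str) -> str:
    """'quarantine' if any attachment is blocked, otherwise 'deliver'."""
    return "quarantine" if blocked_attachments(raw_message) else "deliver"


# Constructed message: a harmless PDF plus a double-extension script attachment.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: user@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached documents.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1
Content-Type: application/octet-stream; name="invoice.pdf.VBS"
Content-Disposition: attachment; filename="invoice.pdf.VBS"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE_MESSAGE), gateway_decision(SAMPLE_MESSAGE))
```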
zijian ou says
Hi Kelly,
I agree with your point; many attackers install Trojans via malicious email attachments or advertisements, allowing intruders to exploit vulnerabilities to gain access to sensitive information.
kofi bonsu says
The major takeaways from this chapter are the different types of attacks that can occur should an application appear to be insecure. These attacks include buffer overflow, login screen bypass, cross-site scripting (XSS), and SQL injection. However, a generic risk assessment metric is used to assess application security risk (ASR). This does not encompass the basic factors of application security such as compliance, countermeasure efficiency and application priority. Obviously, the results are not commensurate with actual risk posed by application security. Real application security risk is perceived and not measured. Hence, organizations are not able to implement the required security controls. The business is unaware of its applications’ susceptibility to attack. This is the main reason for continued attacks on applications despite deploying robust security measures. ASR measurement requires a specifically designed metric that involves all of the factors of application security. This chapter primarily aims to define the standard for security in applications by designing a metric to secure application systems to ensure confidentiality, integrity and availability of application systems at all times.
Dhaval Patel says
One of my takeaways from this chapter is that general programmers are not trained to program for security, but rather to make sure the application functions properly. Programmers could also overlook the general security practices in order for the application to work. Another thing is, you don’t want to trust user input, because the alternatives could lead to SQL or other types of injections. This is to say when creating/developing custom programs you want to make sure the developers are trained to apply security throughout the application, and utilizing the OWASP Top 10 can be beneficial to those developers.
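The "don't trust user input" point, as an added example that is not part of the discussion: the same lookup written with string formatting and with a bound parameter, run against a constructed in-memory sqlite3 table so the difference in behaviour can be checked directly.

```python
# Added example (not from the discussion): why input must never be spliced into
# SQL text. The table rows and the untrusted input below are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # Input is concatenated into the SQL text, so a quote inside `name`
    # changes the structure of the query instead of being a compared value.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # The driver sends the value separately from the statement; whatever
    # `name` contains is compared literally and cannot alter the query.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed input containing a quote, of the kind an application must not trust.
UNTRUSTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(len(find_user_vulnerable(db, UNTRUSTED)))  # 3: every row leaks
    print(find_user_safe(db, UNTRUSTED))             # []: no user has that name
```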
Patrick Jurgelewicz says
This chapter discussed how to harden applications running on a host. This security need is especially critical as both clients and servers can run multiple applications, each with possible vulnerabilities. One key takeaway I had from this chapter was how many different attack vectors can exist in web browser attacks alone. These attacks include client-side scripting, malicious links, file reading, automatic redirection, cookie tracing, and more. To enhance browser security, it is important to install new patches and updates, as well as configuring both strong security and privacy options within the browser.
kofi bonsu says
Hello Patrick,
I totally agree with you in regard to the analysis that applications can be viewed differently from operating systems as regards security. There are several categories of applications. Regarding operating systems, there are only a handful of vendors that provide them. However, there are several application software companies that offer services and make their own patch updates.
zijian ou says
Application security is the discipline of processes, tools, and practices designed to protect applications from threats throughout the application lifecycle. Cybercriminals are organized and highly specialized. Their goal is to discover and exploit vulnerabilities and integrate applications to steal data, intellectual property, and sensitive information. Most successful attacks target exploitable vulnerabilities at the application layer, indicating that enterprise IT departments need to be more vigilant about application security. The problem is compounded by the growing number and complexity of applications. Ten years ago, the software security challenge was to protect desktop applications and static Web sites, which were relatively harmless and easy to scope and defend. The software supply chain has become more complex given outsourced development, the number of legacy applications, and in-house development using third-party, open-source, and commercial off-the-shelf software components.
Michael Jordan says
Hi Zijian,
I think the point you bring up about how AppSec has gotten harder to manage due to the quickly increasing number of applications is an important point to take note of. Thinking about this from a regulation perspective, I am not sure what the best course of action would be because reducing the amount of publicly trusted/usable apps takes away business and personal freedom, but would also make it more difficult for businesses and people to download applications with malicious code. One thing that is for sure is that this point emphasizes the importance of system hardening, and reviewing and testing all applications before deploying them for use.
-Mike
Victoria Zak says
After reading this chapter, the biggest takeaway for me was email security. Emails contain a lot of confidential information and are one of the hardest things to keep fully secure. Organizations can set things such as content filters, but these will not secure an email 100%. On personal and work emails, users still have the ability to get spam mail and may have a phishing attack occur. An attack can have code within attachments or HTML code within the email body.
We can strengthen email security by phishing training, strong passwords, MFA, and being cautious with email attachments and links.
Lauren Deinhardt says
Hi Victoria,
Thanks for your post; I think this is a great point. Email security is the vertex between access management security and application security, in addition to network security (i.e. inbound and outbound email traffic).
Antonio Cozza says
One of the most important things in the chapter is in the very beginning because I find it happens too often in practice; developers many times write applications to run with root privileges, making an attacker’s life significantly easier. An attacker in this scenario does not even have to figure out an entry for privilege escalation, as the developer has already done it for the attacker. Applications should never be written to only run as root, unless critically necessary for core functionality of the application, which is even an unlikely scenario. This significantly impacts the overall security posture of an organization, and critical systems running such an application have unnecessary added risk.
Kelly Sharadin says
Hi Antonio,
Great example of how many applications require elevated user privileges to run and the associated security risks. From a system admin standpoint, we can create policies like Group Policy Objects to prevent users from running applications that require elevated privileges; however, sometimes we need to balance business requirements with security, as challenging as it is. Having an approved application repository within an organization can help mitigate some of these types of risks.
Kelly
Michael Jordan says
One point that I took away from this chapter is that most application programming is not done with appsec in mind; it is done with functionality, ease-of-use, and compatibility in mind. But, at the same time, even applications that are developed with a security-focused mindset will likely still have some kind of vulnerabilities at some point, so the most important part of the app creation and security process is testing, review, and patching of the application. If there is just one part of the application creation process that should always be security-focused, it is the code pertaining to authentication and authorization, because exploit of a vulnerability in this code can lead to unauthorized use of the application and elevation of privilege within the application, system, and even network.
Dhaval Patel says
Hi Michael,
You make some great points, and this was one of my takeaways as well. App development has a primary focus on a clean and easy-to-use UI, with different functionality and compatibility as you said, and at times security can become a secondary thought, which leaves the door open to many vulnerabilities.
Vraj Patel says
One of the takeaways from this week’s reading was the concept of application security. It takes more time and resources to secure the applications than to harden the host, as there would be multiple applications being used by multiple users within an organization. As many applications run with root privileges, if the attackers get access to those applications, then the attacker could easily gain access to the host. There are multiple types of attacks that could happen on the application such as buffer overflow, stacks, and cross site scripting.
Lauren Deinhardt says
One takeaway from this week’s reading was about VoIP (voice over protocol). VoIP is a secure protocol that allows users to vocally communicate through a secure line versus the public switched telephone network (PSTN). VoIP is either orchestrated through an IP telephone or a soft phone (PC using VoIP software). VoIP is not a closed system, and is easily accessible to attackers via the Internet and wireless LAN access points.
Olayinka Lucas says
Application security is the process of making apps more secure by finding, fixing, and enhancing the security of apps. Much of this happens during the development phase, but it includes tools and methods to protect apps once they are deployed. This is becoming more important as hackers increasingly target applications with their attacks.
Application security is developing, adding, and testing security features within applications to prevent security vulnerabilities against threats such as unauthorized access and modification.
Authentication, authorization, encryption, logging, and application security testing are all forms of application security features.
Application security is essential for data protection in the sense that data security and privacy are core aspects of every application security approach. Applications pull data from wherever it is stored to power applications; if applications are compromised, i.e. through threats like Cross-Site Scripting (XSS), data gets compromised.