Madalyn Stiverson says
What’s the very first step to application hardening?
Kelly Sharadin says
Hi Madalyn,
The first step to application hardening is to identify/define the attack surface of the application. This is accomplished by logically mapping how data flows through the application and what types of data the application ingests, then applying the proper controls to prevent exploitation.
Kelly
Victoria Zak says
With Web Application, what is the biggest challenge?
Antonio Cozza says
The biggest challenge with web applications in general is securing them. There are a plethora of security pitfalls in implementing applications, and developers are not always informed of best security practices, focusing instead on completing the functionality of the application.
kofi bonsu says
Hello Victoria,
Thanks for sharing your thought on a question to discuss with your classmates. I believe that web security is always the biggest challenge in developing an application. No matter what, security should always be included throughout the development lifecycle. Web app developers should take proper measures while coding and make sure that they include appropriate encryption to safeguard their products against the threats mentioned above.
Dhaval Patel says
Is it more difficult to secure applications or operating systems?
Victoria Zak says
Dhaval,
It is easier to secure operating systems than applications.
With operating systems, an individual has to keep up with the system and software security updates (automatic pushes of software updates are available), enable a firewall, password-protect and lock the device, encrypt the data, and use a VPN.
However, to secure an application, an application security audit, proper logging, real-time security monitoring and protection, encrypting and hardening everything, keeping servers and software up to date, and keeping an eye on the OWASP Top Ten are all ways to protect it.
Antonio Cozza says
I think that in theory it is easier to secure an OS if it is Linux/Unix. Windows is inherently more difficult because the GUI adds many more attack vectors and kernel vulnerabilities, and the Windows kernel is maintained only by a small sample of Microsoft employees. Applications are created by all kinds of developers with a wide variety of skill ranges, and there are a high number of possible attack vectors; inevitably one or several seem to always make it past developers. The lazier developers are with development, the more vulnerable an application will be, with clear indications to attackers of certain attack methods to check for once they pick up that a developer is using a subpar practice.
Dan Xu says
What measures are in place to protect patches of critical assets, systems and data on the network?
Kelly Sharadin says
What is one measure an organization can take to improve email application gateway security?
Victoria Zak says
Kelly,
One way an organization can improve an email gateway is ensuring the user is an actual employee before creating an account. The organization must keep track of employees (who is leaving or will be immediately terminated) and terminate their access in a reasonable amount of time in order to disregard any threat. Another way to improve email application gateway security is to enable account hijack detection. If an attacker guesses the account's password, account hijack detection limits what a compromised account can do by setting a maximum number of messages within a timeframe. Once the limit is reached, the account is disabled and the administrator is notified.
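The outbound-message limit described in the reply above, as an added example (not code from the discussion or from any particular email gateway product): a sliding-window counter per sending account. Once an account exceeds a maximum number of sends inside the window it is disabled and an administrator alert is queued. The thresholds (5 messages per rolling 60 seconds) and the sample send log are constructed for illustration.

```python
"""Account hijack detection by outbound-message rate limiting.

Added example, not code from the discussion above: a sliding-window
counter per sending account. Once an account exceeds MAX_MESSAGES sends
inside WINDOW_SECONDS it is disabled and an administrator alert is queued.
Thresholds and the sample send log are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_MESSAGES = 5        # assumption: at most 5 outbound messages ...
WINDOW_SECONDS = 60     # ... per rolling 60-second window


@dataclass
class HijackDetector:
    max_messages: int = MAX_MESSAGES
    window_seconds: int = WINDOW_SECONDS
    # per-account timestamps (epoch seconds) of sends still inside the window
    _sent: dict = field(default_factory=lambda: defaultdict(deque))
    disabled: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def record_send(self, account: str, ts: float) -> str:
        """Record one outbound message; return the gateway's decision."""
        if account in self.disabled:
            return "blocked"                      # already disabled, drop it
        window = self._sent[account]
        while window and ts - window[0] >= self.window_seconds:
            window.popleft()                      # expire sends outside the window
        window.append(ts)
        if len(window) > self.max_messages:
            self.disabled.add(account)
            self.alerts.append(
                f"{account}: {len(window)} messages in {self.window_seconds}s, "
                "account disabled, administrator notified"
            )
            return "disabled"
        return "allowed"


# Constructed sample send log: (timestamp, sending account). "bob" behaves
# like a compromised account blasting mail; "alice" sends at a normal pace.
SAMPLE_SENDS = [
    (0, "alice"),
    (10, "bob"), (12, "bob"), (14, "bob"), (16, "bob"), (18, "bob"),
    (20, "bob"), (22, "bob"),
    (45, "alice"),
    (100, "alice"),
]


def replay(sends, detector=None):
    """Feed a send log through the detector; return (detector, decisions)."""
    if detector is None:
        detector = HijackDetector()
    decisions = [detector.record_send(acct, ts) for ts, acct in sends]
    return detector, decisions


if __name__ == "__main__":
    det, decisions = replay(SAMPLE_SENDS)
    for (ts, acct), decision in zip(SAMPLE_SENDS, decisions):
        print(f"t={ts:>3}s {acct:<6} {decision}")
    for alert in det.alerts:
        print("ALERT:", alert)
```

Replaying the sample log, bob's sixth message inside the window trips the limit and every later send from that account is dropped, while alice's three messages spread over 100 seconds all pass. In a real gateway the window would be keyed on the authenticated sender, not the From header, since the latter is attacker-controlled.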
Madalyn Stiverson says
Hi Kelly,
One of the most important things is to train the people. You should implement at least annual training on security awareness and phishing awareness. You can also use simulated phishing attacks to test employees' awareness. When you send out the simulated phishing attacks, you should record what percentage of employees fail, pass, and do not respond. This will help you track improvement over time and the effectiveness of your phishing awareness training.
kofi bonsu says
The question I intend to discuss with my classmates is: explain what the OWASP Application Security Verification Standard (ASVS) project includes.
Kyuande Johnson says
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
Patrick Jurgelewicz says
Although the OWASP Top 10 is a de facto standard in the AppSec industry, it is intended mostly to bring awareness to threats and be a starting point for an AppSec program. What steps or documents in addition to the OWASP Top 10 could assist in building a robust AppSec program?
Antonio Cozza says
Historically, appsec has been mostly an afterthought because functionality and a complete application were driven by the business goals and security was not implemented initially. OWASP is good for finding web app vulnerabilities, but security has to be implemented by design, so a good question to ask is: Are we implementing security in our application design process?
Antonio Cozza says
Aside from being more or less common, does anyone think that one of the OWASP top 10 common web app vulnerabilities holds more weight than another and why?
Vraj Patel says
Hello Antonio,
I would say that Broken Authentication would hold more weight than the others. Broken Authentication is using a weak or well-known password on websites. Therefore, it would allow attackers easy access to the websites.
zijian ou says
What is the most effective way to protect web applications?
Vraj Patel says
Hello Zijian,
There are many ways to protect a web application. However, one of the most important ways, I think, would be validating the inputs that the website accepts, such as a username and password or a comment section. This would also ensure that the risk of SQL injection or cross-site scripting is mitigated.
Kyuande Johnson says
Maintain Security During Web App Development
Before you run out and hire a team of security consultants, realize that you can maintain security in your web applications during the actual development of those tools.
Michael Jordan says
Should AppSec be a perpetual thought in the minds of application programmers when creating new applications, or is it better to just code the whole application for functionality and then test and change code after reviewing/auditing for security in the end?
Personally, I think that it is probably better to incorporate main security points into the design/plan of the application (authentication, authorization, etc.), create it, and then go back and modify for specific security faults afterwards. I say this because applications are typically created with functionality in mind, which is what users want and how the money is made on the development side, and there will still be vulnerabilities that are discovered after deployment anyways. I don’t think (in most cases) it would be worth it to stress over AppSec the entire time an application is being created.
Michael Jordan says
I also think this is why extensive testing is important. I wanted to clarify that I did not mean applications should be deployed prematurely.
Vraj Patel says
Are soft phones more secure than IP telephones? If so, how are they more secure?
Kyuande Johnson says
How to mitigate SQL Injection risks?
Madalyn Stiverson says
Hi Kyuande,
One of the best ways to protect against SQL injections is security-driven programming. Train employees on the risks and how you can avoid SQL injection, and then enforce accountability through audits. One of the methods you should train your employees in is input validation and sanitization. This sanitization process should modify or remove queries made by the user that include double quotation marks or other code that could modify the SQL database.
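An added example for the two replies above on input validation and SQL injection (not code from the discussion): a login check built by string concatenation beside its hardened replacement. The in-memory SQLite database, the two user rows, the allowlist pattern and the injection payload are all constructed assumptions. The hardened version shows both layers mentioned in the thread: an allowlist validation of the username's shape, and, as the control that actually removes the injection, a parameterized query in which the driver sends the values separately from the SQL text.

```python
"""SQL injection: string-built query beside its hardened replacement.

Added example, not code from the discussion above. An in-memory SQLite
database with two constructed users stands in for a real login backend
(passwords are stored in plaintext only to keep the demo short; a real
system stores salted hashes).
"""
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery staple", "user"),
         ("admin", "s3cr3t-admin-pw", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: untrusted input is pasted into the SQL text."""
    query = ("SELECT role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The fix: placeholders. The driver sends values separately from the
    SQL text, so a quote in the input can never change the query's shape."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Allowlist for usernames (assumption): a positive rule for what is permitted
# rather than a list of characters to strip out.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def login_hardened(conn, username, password):
    """Defense in depth: validate the shape of the input, then parameterize."""
    if not USERNAME_RE.fullmatch(username):
        return None
    return login_parameterized(conn, username, password)


# Constructed payload: closes the quoted username and appends a condition
# that is true for the admin row, so the password check becomes irrelevant
# (AND binds tighter than OR in SQL).
PAYLOAD = "admin' OR '1'='1"


def demo():
    conn = make_db()
    good = ("alice", "correct horse battery staple")
    return {
        "legit_vulnerable": login_vulnerable(conn, *good),
        "legit_hardened": login_hardened(conn, *good),
        "injected_vulnerable": login_vulnerable(conn, PAYLOAD, "wrong"),
        "injected_parameterized": login_parameterized(conn, PAYLOAD, "wrong"),
        "injected_hardened": login_hardened(conn, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name:<24} -> {role}")
```

With the payload as the username, the concatenated query returns the admin role without knowing the admin password, whereas the parameterized query simply looks for a user literally named "admin' OR '1'='1" and finds none. The allowlist rejects the payload before the database is ever queried, which is useful as a second layer but is not a substitute for parameterization.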
Bernard Antwi says
Hi Kyuande,
One way would be the use of a firewall. Consider a web application firewall (WAF), either software or appliance based, to help filter out malicious data. Good ones will have a comprehensive set of default rules and make it easy to add new ones whenever necessary. A WAF can be particularly useful to provide some security protection against a particular new vulnerability before a patch is available.
Lauren Deinhardt says
What methodologies can you use to measure changes to an attack surface, and how?
Madalyn Stiverson says
Hi Lauren,
At least annually, you should assess any changes in your attack surface and make sure that your key data/systems are protected. To calculate the attack surface, you will need to take inventory of all the entry and exit points into the system, all valuable data on the system or used in the system, and the code that protects these items. Once you add all of this together, you get the attack surface.
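An added example (not code from the discussion) that puts the inventory above, and the attack-surface mapping mentioned as the first hardening step earlier in the thread, into a form that can be re-run each review cycle to measure change: entry points, valuable data and the controls in front of them are listed, each item gets a weight, the weights are summed into a per-snapshot score, and two snapshots are compared. The weights, endpoint names and data assets are constructed assumptions, not values from any standard.

```python
"""Attack-surface inventory and year-over-year change measurement.

Added example, not code from the discussion above. It models the
inventory described in the reply: entry/exit points, valuable data, and
the controls protecting them. Each item gets an illustrative weight, the
weights are summed into a per-snapshot score, and two snapshots are
compared to report what changed. Weights, endpoint names and assets are
constructed assumptions, not values from any standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EntryPoint:
    name: str
    exposure: str                      # "internet", "partner" or "internal"
    authenticated: bool                # does it require authentication?
    controls: frozenset = frozenset()  # protective code in front of it


@dataclass(frozen=True)
class DataAsset:
    name: str
    sensitivity: str                   # "public", "internal", "confidential", "regulated"
    encrypted_at_rest: bool


# Illustrative weights (assumptions): more exposure and more sensitive data
# mean more surface; each control in front of an entry point removes one
# point, capped so a pile of controls cannot make an exposed endpoint "free".
EXPOSURE_WEIGHT = {"internet": 3, "partner": 2, "internal": 1}
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
MAX_CONTROL_CREDIT = 2


def score_entry_point(ep: EntryPoint) -> int:
    score = 2 * EXPOSURE_WEIGHT[ep.exposure]
    if not ep.authenticated:
        score += 2                                  # anyone can reach it
    score -= min(len(ep.controls), MAX_CONTROL_CREDIT)
    return max(score, 1)                            # an entry point is never zero surface


def score_asset(asset: DataAsset) -> int:
    score = SENSITIVITY_WEIGHT[asset.sensitivity]
    if score and not asset.encrypted_at_rest:
        score += 1                                  # sensitive and readable on disk
    return score


def score_snapshot(entry_points, assets) -> int:
    return (sum(score_entry_point(e) for e in entry_points)
            + sum(score_asset(a) for a in assets))


def diff_items(old, new):
    """Name-keyed diff of two inventories: added, removed and changed items."""
    old_by, new_by = {i.name: i for i in old}, {i.name: i for i in new}
    return {
        "added": sorted(set(new_by) - set(old_by)),
        "removed": sorted(set(old_by) - set(new_by)),
        "changed": sorted(n for n in set(old_by) & set(new_by) if old_by[n] != new_by[n]),
    }


# Constructed snapshots: last year's review versus this year's.
LAST_YEAR_EPS = [
    EntryPoint("/login", "internet", False, frozenset({"rate_limit"})),
    EntryPoint("/admin", "internal", True),
    EntryPoint("/api/export", "partner", True, frozenset({"input_validation"})),
]
LAST_YEAR_ASSETS = [
    DataAsset("customer_pii", "regulated", encrypted_at_rest=False),
    DataAsset("product_catalog", "public", encrypted_at_rest=True),
]
THIS_YEAR_EPS = [
    EntryPoint("/login", "internet", False, frozenset({"rate_limit"})),
    EntryPoint("/admin", "internet", True),           # admin panel now internet-facing
    EntryPoint("/api/v2/export", "internet", True, frozenset({"input_validation", "waf"})),
]
THIS_YEAR_ASSETS = [
    DataAsset("customer_pii", "regulated", encrypted_at_rest=True),   # encryption added
    DataAsset("product_catalog", "public", encrypted_at_rest=True),
]


def run_sample():
    last = score_snapshot(LAST_YEAR_EPS, LAST_YEAR_ASSETS)
    this = score_snapshot(THIS_YEAR_EPS, THIS_YEAR_ASSETS)
    return {
        "last_year": last,
        "this_year": this,
        "delta": this - last,
        "entry_points": diff_items(LAST_YEAR_EPS, THIS_YEAR_EPS),
        "assets": diff_items(LAST_YEAR_ASSETS, THIS_YEAR_ASSETS),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed data the score rises from 16 to 20 even though the most sensitive asset gained encryption, because the admin panel became internet-facing and a new internet-exposed export endpoint replaced a partner-only one. The diff names exactly those items, which is the point of keeping the inventory name-keyed: the number tells you the surface grew, the diff tells you where to look.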
Olayinka Lucas says
What is a disadvantage of application hardening?
Bernard Antwi says
What is the latest OWASP in 2022?