It is essential that all applications used by your organization have their security assessed regularly. It is not enough to build security into your application or to check its security once when going live. Applications are constantly changing and evolving, and with that change come security risks that must be monitored for, caught, and resolved sooner rather than later. Don't treat this necessary tool as optional. Allocate a part of your security budget to regular application security assessment, especially given the amount of damage and expense that an undetected security breach could cause.
Benefits of an Application Security Assessment
1. Data Security
Your business almost certainly has security systems in place to secure the data it saves and transmits through its various applications. But do you know just how secure that data is? As applications are added and updated, the safety of the data within them can be compromised. You will only know about this, and be able to take the necessary steps to deal with it, if you are regularly performing application security assessments.
2. Due Diligence
It can be difficult to measure the value of the security you are providing to your company and its applications. How do you measure the money saved when a security breach is prevented? And if your company does encounter a security breach, how can you show that you were doing your due diligence and keeping things as secure as possible? Being able to produce a security risk assessment will show just how secure you have been keeping your applications and assure your company that the security it is paying for is money well spent.
3. Market Reputation
No one is completely safe from cyberattackers, data breaches, and other gaps in security. But the companies that manage to stave off these threats gain a reputation for having best-in-industry practices and end up with more customers and greater revenue because of it.
4. Compliance Requirements
Some industries, such as the health insurance industry and the payment card industry, require security assessments as a condition of compliance.
Components of an Application Security Assessment
1. Identification - All assets of the technology infrastructure must be determined. Then any sensitive data that is created, transmitted, or stored by these assets can be identified, and a risk profile created for each asset.
2. Assessment - Careful evaluation of the identified security risks and analysis of the correlation between assets, vulnerabilities, threats, and mitigating controls. As part of the assessment, a determination is made as to how time and resources should be effectively and efficiently allocated toward risk mitigation.
Depending on your specific type of application and the requirements you have, an application security assessment should include:
a. Examination of client-side/externally visible code for information that might be used for social engineering purposes or for a more focused attack.
b. Discovery of information on the type of server-side environment.
c. Bounds checking and inspection of application input validation for accidental and/or malicious input. This includes buffer overflow attempts to establish performance continuity and system resilience.
d. Manipulation of locally stored information (such as cookies) and client-side code (such as session information). Alteration of URL request information and GET/PUT requests to access confidential information and to provoke unexpected system responses.
e. Examination of application-to-application interaction between system components (for example, between back-end data sources and the web service). Attempts to reference system components by impersonating other sources or system functions. Close examination of redirection methods and messaging functions.
f. Discovery of techniques that potential attackers could employ to exploit race conditions to identify lax authentication checking or permissions, or to escalate those permissions.
g. Attempt to subvert in-transit data between server system and client. Examination of data delivery methods and how likely they are to be subverted or used in a replay-type attack or other session-oriented attacks. This includes analysis of system responses to the data.
h. Examination of authentication methods for their resilience to various subversion techniques. Attempts to impersonate valid logged-in users or bypass authentication processes. Detailed study of user segregation methods and analysis of server-side responses to failed attempts.
i. Examination of the application's overall deployment and security configuration against perceived threat models. Advice on secure deployment methodologies based on market considerations, attack methodologies, and new vulnerability developments.
3. Mitigation - Definition of a mitigation approach and enforcement of security controls for each risk.
4. Prevention - Implementation of tools and processes that will minimize vulnerabilities and threats.