Application security encompasses measures taken throughout the code's life-cycle to prevent gaps in the security policy of an application or the underlying system (vulnerabilities) arising from flaws in the design, development, deployment, upgrade, or maintenance of the application.
Applications control only the use of the resources granted to them, not which resources are granted to them. In turn, application security determines how users of the application may use those resources.
Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle.
Vulnerability scanners, and more specifically web application scanners (also known as penetration testing or "ethical hacking" tools), have historically been used by corporate security organizations and security consultants to automate the security testing of HTTP requests and responses; they are not, however, a substitute for actual source code review. Review of an application's source code can be done manually or with automated tools. Given the typical size of individual programs (often 500,000 lines of code or more), a human reviewer cannot perform the comprehensive data flow analysis needed to check every circuitous path through a program for vulnerability points. Human reviewers are better suited to filtering, interpreting and reporting the output of commercially available automated source code analysis tools than to tracing every possible path through a code base to find root-cause vulnerabilities.
The two types of automated tools used for application vulnerability detection (application vulnerability scanners) are penetration testing tools (often categorized as black-box testing tools) and static code analysis tools (often categorized as white-box testing tools).
According to Gartner Research, next-generation modern Web and mobile applications require a combination of SAST and DAST techniques, and new interactive application security testing (IAST) approaches have emerged that combine static and dynamic techniques to improve testing. Because IAST combines SAST and DAST techniques, its results are highly actionable, can be linked to a specific line of code, and can be recorded for later replay by developers.
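To make concrete the data-flow analysis that white-box (static code analysis) tools perform, here is an added example that is not part of the original text: a toy intra-procedural taint tracker over a Python AST that follows untrusted input through assignments and string building until it reaches a database call. The source, sink and sanitizer names (request.args.get, cursor.execute, int) and the analysed snippet are assumptions constructed for the example; a real tool also tracks flows across functions, containers and attributes.

```python
import ast

# Assumed conventions for this toy analysis (hypothetical, not a real tool's rules).
SOURCES = {"get"}       # request.args.get(...) returns untrusted input
SINKS = {"execute"}     # cursor.execute(...) must not receive tainted data
SANITIZERS = {"int"}    # int(...) neutralises taint (non-numeric input raises)
def _call_name(node):  # 'get' for request.args.get(), 'int' for int()
    f = node.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
class TaintAnalyzer(ast.NodeVisitor):  # intra-procedural taint tracking
    def __init__(self):
        self.tainted, self.findings = set(), []  # tainted names; sink line numbers
    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SOURCES | SANITIZERS:
                return name in SOURCES      # sources taint, sanitizers cleanse
            return any(self.is_tainted(a) for a in node.args)   # "...".format(x)
        if isinstance(node, ast.BinOp):                            # "a" + x, "%s" % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):                        # f"...{x}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False
    def visit_Assign(self, node):  # propagate (or clear) taint on assigned names
        tainted = self.is_tainted(node.value)
        for t in (t for t in node.targets if isinstance(t, ast.Name)):
            (self.tainted.add if tainted else self.tainted.discard)(t.id)
        self.generic_visit(node)

    def visit_Call(self, node):  # report sink calls fed tainted arguments
        if _call_name(node) in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append(node.lineno)
        self.generic_visit(node)

def find_taint_flows(source):  # line numbers where untrusted input reaches a sink
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings

SAMPLE = '''def handler(request, cursor):
    user = request.args.get("user")
    query = "SELECT * FROM t WHERE name = '" + user + "'"
    cursor.execute(query)
    cursor.execute("SELECT * FROM t WHERE id = %d" % int(request.args.get("id")))
    cursor.execute(f"SELECT * FROM t WHERE name = '{user}'")
'''  # constructed sample (not real code): lines 4 and 6 are reported, line 5 is not
```

Running find_taint_flows(SAMPLE) returns [4, 6]: the concatenated and f-string queries are flagged, while the int()-sanitised one is not.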
Importance and relevance to an enterprise
Application-based threats have increased manifold, and applications are increasingly used as a vector to penetrate network defenses further, causing information leaks and damage to applications and other services. Application vulnerabilities therefore pose significant threats to enterprises, exposing them to costly and growing cybercrime. In fact, the Ponemon Institute's Second Annual Cost of Cyber Crime Study, released in August, found that the median annualized cost of cybercrime incurred by a benchmark sample of organizations was $5.9 million per year, with a range of $1.5 million to $36.5 million per year per organization.
With new applications appearing almost daily, the opportunities for cyber attackers and other web miscreants have increased significantly, giving them a platform to intrude and attack: denial-of-service (DoS) or DDoS, cross-site scripting and request forgery, SQL injection, AJAX and PHP vulnerabilities, and many more. This has made it harder for enterprises and governments to stay ahead of attackers in securing all hosted applications, regardless of platform.
Few solutions on the market actually take account of vulnerabilities in application source code and offer protection without modifying the code itself, giving software developers and programmers time either to fix the vulnerability or to remain protected by a patch against the identified exploit within the organization's perimeter.
This is also important for enterprises seeking to remain PCI-DSS compliant, as some of its prerequisites call for a source code analyzer and a dynamic web application firewall.