What is Application Security?
Application Security is arguably the hardest job in all of information security. But it’s also one of the most vital. Application security is vital to protecting your company’s brand reputation, and if you process any kind of payments online, potentially even essential revenue streams.
Imagine how bad it would be if an attacker could overlay their own code on top of your payment site, and then skim money off it as your customers pay their bills. That’s a real world application of a vulnerability called cross site scripting, and it’s just one of many problems an application security program prevents.
The famous Bobby Tables XKCD cartoon is a joke about application security, specifically, SQL injection. A potential weedout question in a job interview for an application security position would be to show the applicant that cartoon, and then ask why it’s funny.
Why Application Security is Hard
Saying that application security is the hardest job in all of information security is a bold statement. But it takes a special kind of person to do application security right. The ideal application security professional knows enough about programming to be able to understand and explain the flaws they are looking for. Otherwise they can make silly mistakes like looking for SQL injection flaws in a web application that doesn’t have a database backend.
A good application security professional also has a bit of a mischievous mindset, or at least a strong sense of curiosity and a willingness to try something weird just to see what will happen. When applying for a job, it might not occur to you to try uploading the Windows 11 ISO when the web site asks for your resume. On the other hand, if that sounds exactly like something that would cross your mind and you would be tempted to try, maybe you should consider going into application security. (Pro tip: Don’t try something like that without permission.) (Pro tip #2: Having a policy regarding such things and stating somewhere how one goes about getting permission to do so and report the results to you is a valuable part of an application security program.)
But the key piece that makes application security hard is that the person doing it has no direct control over the outcome. Their job is literally finding a problem they are not allowed to solve and convincing someone else to fix it. A good application security professional not only has good technical skills, but ideally has good enough persuasive skills to sell used cars.
Application security has one more thing going against it. Competent tools for network scanning have existed for more than 25 years. It took much longer for good tools for application security to appear, and longer still for automated tools to present a unified view of your application and network security issues and help automate those workflows. That’s what Nucleus Security specializes in.
Good application security requires a hybrid approach. Some application security problems lend themselves to scanning. Some of them require manual testing to find. Using automated tools when possible helps to free your human resources for those higher value problems that require manual testing.
The Importance of Application Security
The modern organization is spread across many hundreds (or thousands) of users and cloud-connected networks. It goes without saying that as your company grows, the potential for exploitable vulnerabilities grows along with it.
- Cloud Application Security: Sensitive data in the cloud is particularly susceptible to malicious intent, as cloud-based data must travel from a user to the application and back again. Cloud app security protects your collaborative environments (think Microsoft Office 365 or Salesforce Box) by way of a set of controls, processes and policies to “watch over” exchanges in information. Common threats to your cloud include the misconfiguration of app setup, insecure APIs and unauthorized web access.
- Mobile Application Security: Mobile apps present a particularly unique challenge, as employees may transmit and receive sensitive data in an insecure environment. It takes more than slapping traditional security controls like virtual private networks (VPNs) or two-factor authentication to fully secure them.
- Web Application Security: Web app security is designed to mitigate web application risk — including apps and services — reached via a web browser. Because web apps are transmitted to and from a remote server rather than locally, they are prone to cyber attacks. Tools like a web application firewall (WAF) can mitigate some of the more common web application security flaws but are only a part of a functioning application security program, not a substitute for one. Nucleus Security’s product helps you track mitigations like a WAF and factor them in when prioritizing the vulnerabilities an application security program finds. Note that a traditional network based firewall does little to mitigate application security vulnerabilities. They are designed to help network security, not application security.
Application Security Tools
To properly manage your application security program, you need to understand the risk. And many risk-based security products either do not apply their risk calculations to application security, or cannot provide a unified view of both your network and application security flaws. Nucleus Security’s product does both.
According to 2020 Common Weakness Enumeration’s Most Dangerous Software Weaknesses list, the top 5 aspplication security flaws are as follows:
- Cross-site scripting (XSS)
- Out-of-bounds write
- Improper input validation
- Improper restriction of operations within the bounds of a memory buffer
- SQL injection
A variety of tools exist to help an application security professional do their job. The two most critical markets for application security are security testing tools and application shielding products. According to Gartner’s Magic Quadrant for Application Security Testing, these are the most important categories for app security tools:
- Static testing: Allows developers to check code as it’s being written in order to side step security issues.
- Dynamic testing: Simulates cyber attacks and patterns by analyzing running code.
- Mobile testing: Provides insight into how your organization’s mobile operating systems can be compromised.
- Interactive testing: When extra flexibility is needed, interactive testing allows both static and dynamic testing to complete simultaneously.
No single tool can do all four things well, so a good application security program will employ several tools, as well as manual testing. Unfortunately, managing the output of all those tools can become a full-time job in itself. Even if you buy as many tools as possible from the same vendor, it is usually not possible to get an aggregate view of all of your application security vulnerabilities, let alone an aggregate view of your application security vulnerabilities and your network security vulnerabilities.
Nucleus Security’s product is unique in the marketplace in that it brings the data from all of your tools together in one place, then takes it a step further by integrating with ticketing systems and alerting systems so the people responsible for fixing the vulnerabilities you find can be alerted in the technology they prefer. Rather than spend valuable time and effort learning security tools, they can focus their time and talent on what makes a real difference, which is fixing vulnerability-harboring bugs. Then the application security tools rescan and sync with Nucleus, which measures and reports on success and will usually even close the tickets automatically for you. With this feedback loop in place, success leads to further success. You spend more time finding and fixing problems and Nucleus handles pushing the (virtual) paper.