Simone Q., Principal Security Consultant, took Nick Hayes, Senior Director of Cyber Solutions at SureCloud, through what AppSec means and how we can ensure app developers address security threats thoroughly in their vulnerability management plans.
Here, we’ve rounded up his thoughts.
AppSec is something web and device users unknowingly feel the benefits of every day. AppSec concerns the security of all applications, whether web apps, binary apps, mobile apps, or application programming interfaces (APIs). Laptops, phones, smart TVs, and smart devices (e.g., Alexa and Google Home) all speak the API language and therefore require AppSec to provide security against threats that exploit preventable vulnerabilities.
Whether you need an AppSec program for an app you have designed for your business, or are developing one on behalf of someone else, it is important to approach a company like SureCloud before you set it into production. Cybersecurity expertise is essential for checking that your app is secure before it reaches the user and begins storing sensitive data.
SureCloud can provide assurance and advice on which pieces of the AppSec jigsaw puzzle to use.
These three terms are often used in conjunction with each other when discussing vulnerability management for apps. While their meanings are interlinked, they are not interchangeable.
1. Shift-left testing: Performing testing earlier and more often in the software development lifecycle (SDLC). Software testing is literally ‘shifted left’ on the timeline.
2. AppSec: Vulnerability management (preventing, finding, and resolving) at the application level.
3. DevSecOps: DevSecOps, or, development, security, and operation, automates the integration of security at every level of the SDLC. It makes everyone accountable for security at every stage, rather than a specialized team at the end of development.
The three concepts complement each other. Shift-left provides the basis of DevSecOps, and AppSec feeds into DevSecOps by highlighting the vulnerabilities that must be addressed, in a language that is understandable to the chain.
Agile allows for faster build and development of apps by delivering in smaller increments, enabling AppSec to be embedded at every stage. A code review tool can be used to highlight common vulnerabilities in the code base as development progresses.
There are two essential steps to software testing for web applications:
1. Automated tools can uncover common vulnerabilities with a series of prescribed scans
2. Manual assessment of the application uncovers vulnerabilities that aren’t as obvious; for example, a logic flow vulnerability
Both of these steps will have slightly different outcomes and require different levels of expertise. Crucially, however, they are both important.
The short answer is yes.
Testing a mobile app can be done much the same way, although fewer automated tools are available. Most assessments will have to be performed manually.
Mobile app software testing is carried out on modified devices — often jailbroken or rooted — and generally consists of acting out specific attack scenarios.
APIs are the basis for communication for all mobile apps and Internet of Things (IoT) devices. They are not visual, instead forming request and response exchanges that are only understandable by a computer.
The best form of vulnerability management and testing for APIs is by intercepting and tampering with requests (or sending invalid requests) and seeing how the system reacts. This can highlight what harmful data, if any, the API is delivering.
The cybersecurity landscape is changing fast. New threats emerge every year, so new security methods must be developed to manage them. To assist with ongoing vulnerability management, testers can refer to the OWASP Top 10 Vulnerabilities. This list is updated every year.
Common vulnerabilities include:
Broken Access Control – Can a user access X instead of Y
Injection Vulnerability – Cross-site scripting and SQL injection are still widespread
Security Misconfiguration – Incorrect or missing security implementations
Out-Of-Date Components – Components no longer supported by the developer will not get fixed
Common vulnerabilities in mobile apps usually concern data at rest:
- How is data stored?
- Is a user session secure?
- How does the app protect its users?
More sophisticated attacks that we at SureCloud have come across while running penetration tests include:
Remote Combat Execution – A vulnerability that grants control over the machine running the app.
Account Takeover – A vulnerability introduced by the cloud, which gives the attacker control over password reset links, effectively granting them access to user accounts. This is a good example of how new threats emerge as technology develops.
Annual training helps dev teams understand new threats and build them into vulnerability management plans.
Threat modeling, particularly for complex apps, allows the dev team to build security controls into the app. Threat modeling consists of identifying security requirements, determining threats and vulnerabilities, assessing their risks, and ranking remediation priorities.
The OWASP Application Security Verification Standard forms the basis of AppSec vulnerability management. It provides a list of rules, used as a checklist, to help vulnerability testers follow a consistent standard.
The best approach to choosing AppSec tools is to focus on the codebase, as this will feed positively into the overall DevSecOps program. Therefore, a good SDLC, plus the use of code review tools for common vulnerabilities, is essential.
A web app firewall (paid or free versions available) will increase security against other common vulnerabilities.
When you are close to the final product, penetration testing will identify vulnerabilities that other tools will not, including payloads that can bypass web app firewalls. Penetration tests are run in a staging environment to ensure an app is secure enough for production.
A key thing to remember about penetration testing is that it is not a one-off quick fix. It must be repeated regularly to reflect the changing threats.
To conclude our breakdown of AppSec implementation, Simone shares the most important things to remember:
1. A good SDLC is paramount when implementing AppSec and DevSecOps.
2. Regular penetration tests will keep you ahead of new threats.
3. Your security response to vulnerabilities must move as fast as the changing threat landscape.