Application Security – The Basics

February 7, 2011


The Institute for Security and Open Methodologies (ISECOM) defines security as "a form of protection where a separation is created between the assets and the threat".
Security in general has many categories: it can be the security of physical assets such as a home, an airport or infrastructure, some kind of political security such as human security or national security, or computer security, which itself has many categories.
Despite there being so many categories of security, two entities are always involved: the asset and the threat. In all scenarios the “asset” has to be protected from the “threat”. Consider home security: we all lock our doors before going out. Here the home is the asset and the thieves are the threat. If the thief is intelligent enough, he will gather all the information he can about us, such as the time the home is usually vacant, how many people live there, or what kind of lock is fitted. All this information will help him breach the home's security.
Similarly, in the IT security world, the asset may be data flowing through a network or data stored on a server or in a database, and the threats are the hackers. As with thieves, the hackers' first step is “information gathering”.
With reference to information security, we can divide security into categories such as application security, data security, network security and others. In this article we will focus on the basics of application security.
‘Wiki’ says application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application. In simple words, it comprises the security issues involved in any type of application, including but not limited to Java, PHP, C++ and Python.

Application Security Trends
The Internet is growing tremendously, with IPv4 addresses getting depleted. With the growth in the number of users and the sophistication of technology, the attack vectors have also increased. The graph below shows a study by the SANS Institute depicting the growth in the number of attack vectors in the first half of 2010.

Thus, with the increasing sophistication and number of attacks and defense techniques, it has become a cat-and-mouse game.

Earlier attacks focused on the operating systems themselves. However, with continuous effort and improvement in operating systems, vulnerabilities in them have become difficult to find, which has shifted the fulcrum from the operating system to targeted applications. The graph below shows the trend for four popular applications: Adobe Reader, MS Word, MS Excel and MS PowerPoint. If you look at Adobe, you will see that the vulnerabilities increased drastically in 2010.

So, it can be said that the two sides of application security, both good and bad, are in a constant state of evolution.

The malicious guy comes in: THE HACKER
There may be people with malicious intent who are looking to compromise your assets. They might be technology geeks, freaks and motivated hackers, attacking your applications just for fun or for profit. Many times they are also funded by high-profile companies or even governments to target the sensitive data and assets of the companies or countries they compete with. The well-known Stuxnet worm and the Aurora attacks are just a few examples of this; however, there may be many attacks that go unnoticed by governments and organizations.

These attackers try to gather as much information as possible about the target. This involves a lot of searching on search engines, newsgroups, job sites, your own site, public forums and social networks such as Facebook, MySpace, Orkut etc. A lot of information can be harvested in this manner and later misused to breach security. This information includes email IDs, dates of birth, likes and dislikes, girlfriends and boyfriends, the software used in the company, location and much more. A popular quote in the hacking world says “Deterministic hackers spend 90% of their time in information gathering phase, rest 10% is spent on the breach”.
 

Knowing the threats: Build your walls strong enough
The assets need to be secured from the threats. To secure them, however, you need proper knowledge of the boundaries of the application across which input arrives. In simple words, the first rule of security is “the user input MUST not be trusted”. So, to secure the application, the application castle should be strong enough to stop malicious input at the walls themselves. This approach is called input validation. The other approach is that even if the enemy enters the castle, you don’t let them get away, or you cripple them. This approach is termed output validation. Threats can come from any input, including a form field, URL, cookies, POST parameters etc. These inputs should not be trusted in any manner, as this “trust” is what leads to the compromise.

Deeply understanding the threats: Ohh… they are so many
Attack techniques have evolved over time, and there are many ways in which applications can be compromised. The attacks include, but are not limited to:
•    Cross site scripting
•    SQL injection
•    Buffer overflows
•    Cross site request forgery
•    XPATH injection
•    Format string attacks
•    Heap overflows
•    Redirection attacks
•    Authentication attacks
•    Authorization attacks
•    Canonicalization attacks
•    OS commanding
•    SSI includes
•    Parameter pollution
•    Session based attacks
•    Sniffing
•    Spoofing
•    Phishing
These are only a few examples. Many more exist, and the list is updated on a regular basis. A simple Google search on “Cross site scripting” or any of these will give you thousands of results, which are enough to explain the vulnerability. There are many security projects (OWASP) and institutes (SANS) working to create freely available articles, methodologies, documentation, tools and technologies to provide unbiased, practical, cost-effective information about application security. These communities also release a list of the top vulnerabilities at regular intervals.
 

Save Me Please
Each of the vulnerabilities has different ways to mitigate it. Speaking generically, however, all the vulnerabilities can be prevented by proper validation, on both input and output. If only one of these is done, the vulnerability can surely be exploited by an attacker. So it is always better to have a two-way defense mechanism, which acts as a double shield against attacks on the application. When an application is developed, an approach that ensures both these validations at the same time should be followed. This is the best possible solution to mitigate the attacks. As far as targeted applications like Acrobat Reader or the Microsoft applications are concerned, the only way to save yourself is to install the updates released by the vendors. Even if you miss a single update, your machine is vulnerable to any type of attack. Presently there are many tools to prevent applications from getting hacked, but in the end it is in the hands of the application developer to make his application secure enough: he should not only check that all the doors are locked but also ensure that every other entry point is locked and secured.
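The two-way defense described above, input validation at the wall plus output validation on the way out, as an added Python example that is not part of the original article. The comments table, the field rules and the function names are assumptions made for illustration, and output validation is shown here as HTML encoding at render time.

```python
import html
import re
import sqlite3

# Assumed rule for the "name" field: an allowlist of characters, 1-32 long.
NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,32}")
MAX_COMMENT_LEN = 500

class ValidationError(ValueError):
    """Raised when user input fails the input-side checks."""

def validate_input(name, comment):
    """Input validation: refuse at the boundary anything outside the expected shape."""
    if not NAME_RE.fullmatch(name):
        raise ValidationError("name contains characters outside the allowlist")
    if not comment.strip() or len(comment) > MAX_COMMENT_LEN:
        raise ValidationError("comment is empty or too long")
    # Free text cannot be allowlisted tightly, so only control characters are refused.
    if any(ord(ch) < 32 and ch not in "\n\t" for ch in comment):
        raise ValidationError("comment contains control characters")
    return name, comment

def store_comment(db, name, comment):
    name, comment = validate_input(name, comment)
    # Bound parameters keep user data out of the SQL text itself.
    db.execute("INSERT INTO comments (name, body) VALUES (?, ?)", (name, comment))

def render_comments(db):
    """Output side: encode every stored value for the HTML context it lands in."""
    rows = db.execute("SELECT name, body FROM comments ORDER BY id").fetchall()
    return "\n".join(
        f"<p><b>{html.escape(n)}</b>: {html.escape(b)}</p>" for n, b in rows
    )

def demo():
    """Run the handler over constructed sample input and return the results."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, body TEXT)")
    store_comment(db, "alice", "I think a < b && b > c")      # legitimate text with markup characters
    store_comment(db, "bob", "<b>nice</b> post; it's great")  # passes input checks, encoded on output
    try:
        store_comment(db, "<script>", "hi")                   # stopped at the wall
        rejected = False
    except ValidationError:
        rejected = True
    return rejected, render_comments(db)
```

The second comment shows why one shield is not enough: free text cannot be restricted to a tight allowlist without rejecting legitimate input, so the markup characters that get through are neutralised when the page is rendered.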
 

Conclusion
Thus, we can conclude that the threats to applications are continuously on the rise, and developers need to be aware of them and educate themselves so as to involve a secure methodology in the development lifecycle. These vulnerabilities are large in number, and hence require a thorough study.


He works at Infosys Technologies Limited. His primary responsibility is to provide Enterprise Security Solutions to our clients. He has a good understanding of Application Security, dealing with Threat Modeling, Secure code analysis and Penetration testing.
