Application security

October 1, 2019

By Baka DIOP, TheExpert SQUAD: AppSec Tech Leader; SecApp Expert, DevSecOps / Security by Design

Definition

Here, "application" refers to the Application layer (layer 7) of the OSI model. ISO/IEC 27034 gives a comprehensive definition of application security, making clear that it covers not only the software itself but also every security control and measure applied throughout the application's development life cycle (SDLC).

Key figures

The first website appeared in December 1990. In 2019, more than 1.5 billion websites were recorded (Figure 1).

That count does not include mobile applications, of which there are more than 2 million. Figure 2 shows the number of Android applications available on Google Play.

These figures show how quickly new applications appear and how fast their number grows. What they do not show, because no such metric is available, is the maturity of the security controls applied to those applications.

That raises a few questions about how the security of these applications is managed, for example:

  • Are code reviews performed before an application goes into production?
  • How is risk managed for a given application?

The importance of application security within a company rests on these fundamental questions.

Figure 3 shows the percentage of attacks carried out over a one-year period worldwide, by country.

These figures show why security awareness, and the measures that raise it, are needed.

Some recurring and persistent vulnerabilities are listed in Figure 4.

Analysis of these figures reaffirms the risk that a weak level of application security poses to a company, regardless of:

  • The size of the organization,
  • Its location,
  • Its security strategy (for example, security by design).

Understanding application security requires knowledge of its fundamentals.

OWASP Top 10

The Open Web Application Security Project (OWASP) is an organization that brings together application-security experts in order to produce freely available, open-source material (documents, tools, etc.).

Among its publications is a list of the ten most critical categories of application vulnerabilities. The list raises awareness of both long-standing and newly emerging weaknesses. The first edition was published in 2003; it has since been updated in 2004, 2007, 2010, 2013 and, most recently, 2017.

Here is the 2017 OWASP Top 10:

  • A1: Injection
  • A2: Broken Authentication
  • A3: Sensitive Data Exposure
  • A4: XML External Entities (XXE)
  • A5: Broken Access Control
  • A6: Security Misconfiguration
  • A7: Cross-Site Scripting (XSS)
  • A8: Insecure Deserialization
  • A9: Using Components with Known Vulnerabilities
  • A10: Insufficient Logging and Monitoring

This OWASP top 10 list will be detailed and analyzed in a dedicated article.
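As an added illustration of the first entry in that list (A1, Injection), the following example is not part of the original article: a login check that pastes user input into a SQL string, beside the same check written with a parameterised query, both run against an in-memory SQLite table. The table, user names and "hash" values are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the article).
# In a real system the second column would hold salted password hashes.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
    ("carol", "hash-of-carol-password"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """A1 Injection: user input is concatenated into the SQL text.

    Whatever the caller supplies becomes part of the statement, so a quote
    character lets the input rewrite the WHERE clause instead of being
    compared as a plain value.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password_hash):
    """The same check with a parameterised query.

    The SQL text is fixed; the values are bound separately and are never
    parsed as SQL, whatever characters they contain.
    """
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]


def demo():
    """Run the same attacker inputs through both versions and return the rows each matches."""
    conn = make_db()
    tautology = "' OR '1'='1"   # makes the WHERE clause always true
    comment = "alice' --"        # closes the string and comments out the password check
    return {
        # Vulnerable: every user matches, or a chosen user matches with any password.
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        # Safe: the same strings are literal values that match no row.
        "safe_tautology": login_safe(conn, tautology, tautology),
        "safe_comment": login_safe(conn, comment, "wrong"),
        # Safe still works for a legitimate login.
        "safe_legitimate": login_safe(conn, "alice", "hash-of-alice-password"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16s} -> {rows}")
```

The tautology payload turns the vulnerable query into `... WHERE username = '' OR '1'='1' AND password_hash = '' OR '1'='1'`, which is true for every row, while `alice' --` comments out the password comparison entirely. The parameterised version treats both strings as values and returns nothing, which is exactly the property a code review before production should look for.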

Conclusion

We are now in an era in which it is no longer possible to ignore the impact that application security has on a business. However many technical measures are in place, the human side must not be forgotten: good awareness and a clear company policy that defines the rules are both needed. Application security does not deal only with source code; it covers every component, from processes and stakeholders to servers, hosting and, finally, the application's source code.


Sources

https://www.internetlivestats.com/total-number-of-websites/

https://www.symantec.com/fr/fr/security-center/threat-report

https://royal.pingdom.com/how-we-got-from-1-to-162-million-websites-on-the-internet/

https://cyber-edge.com/wp-content/uploads/2019/03/CyberEdge-2019-CDR-Report.pdf

https://www.cvedetails.com/vulnerabilities-by-types.php

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

https://www.scassi.com/sites/default/files/SCASSI-27034-SECU-APPLICATIVE-201407.pdf

https://www.owasp.org/images/6/64/ISO_27034_review_(OWASP_Toronto_May_10,_2012).pdf

https://www.iso.org/obp/ui/fr/#iso:std:iso-iec:27034:-1:ed-1:v1:en