Cybersecurity: Application Security
What is Security as Code/ SaaC /DevSecOps?
DevSecOps is a software development methodology that aims to integrate security practices into the DevOps process. It is a collaborative and proactive approach to software development that involves the participation of security teams, developers, and operations teams in the development process from the start.
The term DevSecOps is derived from the words Development, Security, and Operations. The main goal of DevSecOps is to ensure that security is built into the software development process from the beginning, rather than being added as an afterthought. By integrating security into the development process, teams can detect and address security issues earlier in the software development life cycle, reducing the risk of security vulnerabilities and breaches.
DevSecOps involves implementing security measures, such as vulnerability testing, code analysis, and automated security testing, throughout the development process. It also involves educating developers and other team members on best practices for secure coding and providing them with the tools they need to build secure software.
OWASP Top 10:
A1 - Injection: Prevented by validating input against an allow list (whitelist) as soon as it is received. Common forms:
SQL
LDAP
XML / XPath
Log: logging confidential data
OS Command
XSS (cross-site scripting)
A2 - Broken Authentication and Session Management:
-> encrypt URLs and traffic using HTTPS
A3 - Cross-Site Scripting
A4 - Insecure Direct Object Reference
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - CSRF
A9 - Using Components with known vulnerabilities
A10 - Unvalidated Redirects and Forwards
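An added example of the A1 mitigation above (not code from the original notes): a lookup that splices untrusted input into SQL, beside one that validates the value against an allow list and then uses a parameterised query. It assumes Python's standard sqlite3 module and a constructed users table.

```python
import re
import sqlite3

# Constructed sample database for the example (not from the notes).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# Vulnerable: the untrusted value becomes part of the SQL statement,
# so quote characters in it change the query's meaning.
def lookup_role_vulnerable(conn, username):
    query = f"SELECT role FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]

# Allow-list validation at the trust boundary: only the characters a
# username may legitimately contain are accepted, everything else is
# rejected outright rather than "cleaned up".
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def validate_username(username):
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allow-list validation")
    return username

# Hardened: validated input plus a parameterised query, so the value is
# passed as data and is never interpreted as SQL, even if the allow list
# is loosened later.
def lookup_role_safe(conn, username):
    username = validate_username(username)
    query = "SELECT role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]
```

Validation and parameterisation are two independent layers (Defence in Depth): the first shrinks the input space, the second removes the injection primitive entirely.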
Security Principles:
Least Privilege: think about security from the start of the project
Complete Mediation: a central gateway for security checks
Defence in Depth: Prevent, Detect and React
Trust Nothing: sanitize or validate everything you receive
Security Testing:
It is the process of reviewing our code for security issues before launch.
Manual Security Testing: supply malformed input and test manually whether the application has vulnerabilities or not, for example testing for SQL injection.
Dynamic Application Security Testing (DAST): Acunetix, OWASP ZAP
Purpose: DAST is used to identify vulnerabilities in an application that is already deployed or running in a testing environment.
Method: DAST works by sending various HTTP requests to the application to simulate attacks and identifying potential vulnerabilities such as SQL injection, cross-site scripting, and parameter tampering.
Advantages: DAST can identify vulnerabilities that may not be detected through other testing methods and can provide a more realistic view of the application's security posture.
Disadvantages: DAST can produce a large number of false positives and may not detect vulnerabilities that are introduced after the test is completed.
Static Application Security Testing (SAST): SonarQube
Purpose: SAST is used to identify vulnerabilities in the application's source code before the code is compiled or deployed.
Method: SAST works by analyzing the application's source code and identifying potential security vulnerabilities such as SQL injection, cross-site scripting, and buffer overflows.
Advantages: SAST can identify security vulnerabilities early in the development process when they are easier and cheaper to fix. It can also help to prevent vulnerabilities from being introduced in the first place by educating developers about secure coding practices.
Disadvantages: SAST can produce a large number of false positives and may not detect vulnerabilities that are introduced later in the development process.
Software Composition Analysis (SCA): Snyk, WhiteSource
Purpose: SCA is used to identify and manage third-party software components or open-source libraries that are used in an application to ensure they are secure and up-to-date.
Method: SCA works by analyzing the software composition of an application and identifying potential vulnerabilities or outdated components or libraries.
Advantages: SCA can identify vulnerabilities that are introduced through third-party components or open-source libraries and can help to ensure that they are updated or replaced when necessary.
Disadvantages: SCA may not identify vulnerabilities that are introduced through custom code or that are not related to third-party components or open-source libraries.
How can SAST be done?
Select a SAST tool: There are various SAST tools available in the market that can be used to perform static code analysis. Some popular examples include SonarQube, Checkmarx, and Fortify.
Configure the tool: The SAST tool needs to be configured to analyze the code in the correct programming language and framework. The tool may also need to be customized to exclude certain code files or directories, or to include specific rules for identifying vulnerabilities.
Initiate the analysis: The SAST tool can be run locally on the developer's machine or integrated into the software development pipeline to automatically analyze the code during the build process. The analysis can take some time to complete depending on the size of the codebase and the complexity of the application.
Review the results: Once the analysis is complete, the SAST tool will generate a report that lists potential vulnerabilities and provides recommendations for remediation. The results can be reviewed by the development team, security team, or a combination of both.
Remediate the vulnerabilities: The identified vulnerabilities should be prioritized based on their severity and addressed by the development team. The SAST tool may provide detailed information on the location of the vulnerability in the code, which can help developers to fix the issues more easily.
Repeat the process: SAST testing should be done regularly throughout the software development lifecycle to ensure that new vulnerabilities are not introduced and that the application remains secure.
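An added example (not from the original notes, and not how SonarQube, Checkmarx or Fortify work internally) of the core of the SAST procedure above: a minimal static rule that scans source text for SQL statements built dynamically from variables, reports findings with file, line, rule id and severity, and lets a reviewer suppress accepted false positives with a constructed `# sast:ignore` marker. The sample source file is constructed for the example.

```python
import re

# Constructed sample source file: a true positive (line 2), a safe
# parameterised query (line 5) and a false positive (line 8).
SAMPLE_SOURCE = '''\
def find_user(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))

def log_query(name):
    msg = "SELECT " + name  # sast:ignore: log text, not SQL
'''

# A string literal that starts with an SQL verb ...
SQL_KEYWORD = re.compile(r'["\']\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.I)
# ... combined on the same line with dynamic string building:
# concatenation, %-formatting, str.format or an f-string.
DYNAMIC_BUILD = re.compile(r'(\+\s*\w+|%\s*\(|\.format\(|\bf["\'])')

def scan_source(source, path="app.py"):
    """Step 3 (initiate the analysis): flag dynamically built SQL."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SQL_KEYWORD.search(line) and DYNAMIC_BUILD.search(line):
            findings.append({"path": path, "line": lineno,
                             "rule": "SQLI-001", "severity": "HIGH",
                             "snippet": line.strip()})
    return findings

def triage(findings, source):
    """Step 4 (review the results): drop findings a reviewer has marked
    as accepted false positives with a '# sast:ignore' comment."""
    lines = source.splitlines()
    return [f for f in findings
            if "# sast:ignore" not in lines[f["line"] - 1]]

def report(findings):
    """Render the findings the way a CI job would print them."""
    return [f'{f["path"]}:{f["line"]} [{f["severity"]}] {f["rule"]}: '
            f'{f["snippet"]}' for f in findings]
```

Line 8 shows why SAST produces false positives: the rule sees the same lexical pattern as line 2, but the string is never executed as SQL, so a human review step (and a recorded suppression) is part of the process rather than an optional extra.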
How can DAST be done?
Select a DAST tool: There are various DAST tools available in the market that can be used to perform dynamic security testing. Some popular examples include OWASP ZAP, Acunetix, and Burp Suite.
Configure the tool: The DAST tool needs to be configured to test the correct application URL and provide the required authentication credentials if the application is protected.
Initiate the scan: The DAST tool will start to scan the application by sending various HTTP requests to simulate attacks. The tool may try various attack vectors, such as SQL injection, cross-site scripting (XSS), or parameter tampering.
Review the results: Once the scan is complete, the DAST tool will generate a report that lists potential vulnerabilities and provides recommendations for remediation. The results can be reviewed by the development team, security team, or a combination of both.
Remediate the vulnerabilities: The identified vulnerabilities should be prioritized based on their severity and addressed by the development team. The DAST tool may provide detailed information on the location of the vulnerability in the application, which can help developers to fix the issues more easily.
Repeat the process: DAST testing should be done regularly throughout the software development lifecycle to ensure that new vulnerabilities are not introduced and that the application remains secure.
How can SCA be done?
Select an SCA tool: There are various SCA tools available in the market that can be used to analyze the software composition of an application. Some popular examples include Snyk, WhiteSource, and Black Duck.
Configure the tool: The SCA tool needs to be configured to scan the application and identify the third-party components and open-source libraries used in the application. The tool may also need to be customized to exclude certain components or libraries, or to include specific rules for identifying vulnerabilities.
Initiate the analysis: The SCA tool can be run locally on the developer's machine or integrated into the software development pipeline to automatically analyze the software composition during the build process. The analysis can take some time to complete depending on the size of the codebase and the complexity of the application.
Review the results: Once the analysis is complete, the SCA tool will generate a report that lists potential vulnerabilities and provides recommendations for remediation. The results can be reviewed by the development team, security team, or a combination of both.
Remediate the vulnerabilities: The identified vulnerabilities should be prioritized based on their severity and addressed by the development team. The SCA tool may provide detailed information on the location of the vulnerability in the code, which can help developers to fix the issues more easily.
Monitor for new vulnerabilities: SCA should be done regularly to ensure that new vulnerabilities are not introduced when new versions of third-party components or open-source libraries are used in the application. The SCA tool may provide alerts for new vulnerabilities or updated versions of the components or libraries.
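An added example (not from the original notes, and not the code of Snyk, WhiteSource or Black Duck) of what an SCA analysis does at its core: parse a pinned dependency manifest, match each component against an advisory feed by version range, and return findings ordered by severity with the fixed version to upgrade to. Package names, versions and advisory ids are constructed placeholders, not real advisories; re-running the same check against a refreshed feed is the "monitor for new vulnerabilities" step.

```python
# Constructed sample manifest in requirements.txt style (placeholders).
REQUIREMENTS = """\
acme-http==2.19.0
yamlkit==5.4.1
# dev tooling
webframe==2.0.3
"""

# Constructed advisory feed: affected range is [introduced, fixed).
ADVISORIES = [
    {"package": "acme-http", "introduced": "2.0.0", "fixed": "2.20.0",
     "id": "EXAMPLE-ADV-0001", "severity": "moderate"},
    {"package": "yamlkit", "introduced": "0.0.0", "fixed": "5.4.0",
     "id": "EXAMPLE-ADV-0002", "severity": "critical"},
    {"package": "webframe", "introduced": "2.0.0", "fixed": "2.1.0",
     "id": "EXAMPLE-ADV-0003", "severity": "low"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3}

def parse_version(text):
    """Dotted numeric versions compare correctly as integer tuples."""
    return tuple(int(part) for part in text.split("."))

def parse_requirements(text):
    """Return {name: version}; unpinned lines are rejected because a
    floating version cannot be matched against an advisory range."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.lower()] = version
    return deps

def check_dependencies(requirements_text, advisories):
    """Match pinned components against the feed, highest severity first."""
    deps = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"].lower())
        if installed is None:
            continue
        v = parse_version(installed)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append({"package": adv["package"], "installed": installed,
                             "advisory": adv["id"], "severity": adv["severity"],
                             "fix": "upgrade to >= " + adv["fixed"]})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])
```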
Why do we need DAST if we already have SAST?
SAST analyzes the application's source code to identify security vulnerabilities that can be identified statically, before the application is deployed. SAST can detect common vulnerabilities such as SQL injection, cross-site scripting, and buffer overflows. However, it cannot detect vulnerabilities that only manifest themselves during runtime, such as authentication bypasses or logic flaws.
DAST, on the other hand, tests an application by simulating attacks against a running instance of the application. It can detect vulnerabilities that can only be identified dynamically, such as input validation errors, session management issues, and other runtime-specific vulnerabilities.
What is NIST?
The NIST (National Institute of Standards and Technology) Cybersecurity Framework is a widely used set of guidelines for improving cybersecurity risk management in organizations. It provides a structured approach for organizations to assess their current cybersecurity posture, identify areas for improvement, and develop and implement a cybersecurity risk management program.
Here's how the NIST Cybersecurity Framework works:
Identify: The first step is to identify the assets and data that are critical to the organization's mission, the threats and vulnerabilities that could impact these assets and data, and the potential impact of a cybersecurity incident. This step also involves identifying legal and regulatory requirements related to cybersecurity.
Protect: The protect step involves implementing safeguards to protect critical assets and data from potential cybersecurity threats. This can include measures such as access controls, training and awareness programs, and incident response planning.
Detect: The detect step involves implementing measures to quickly detect cybersecurity incidents. This can include implementing intrusion detection systems, monitoring logs and network traffic, and implementing automated alerting systems.
Respond: The respond step involves having a plan in place to respond to cybersecurity incidents. This can include having an incident response team in place, developing response procedures, and having backup systems and data in place.
Recover: The final step involves recovering from a cybersecurity incident. This can include restoring systems and data, conducting a post-incident review, and updating policies and procedures based on lessons learned.
The NIST Cybersecurity Framework is a flexible and scalable approach that can be used by organizations of any size or industry. It can also be integrated with other cybersecurity frameworks and standards, such as ISO 27001 and COBIT. Organizations can use the framework to assess their cybersecurity posture, develop a risk management program, and continuously improve their cybersecurity practices over time.