Unit 1.1(Application_Security)

The document provides an overview of Application Security (AppSec), emphasizing its integration throughout the Software Development Life Cycle (SDLC) to address vulnerabilities proactively. It discusses the importance of shifting security practices left and right, detailing strategies for early detection and post-deployment monitoring. Additionally, it highlights the role of DevSecOps in enhancing collaboration and security within development processes, while outlining key stages of a DevSecOps pipeline.

Uploaded by Shrawani Dongre
Copyright © All Rights Reserved

Application Security

By Prof. Vidya Harkal
Unit I

Course Outline

● Introduction To AppSec:
○ Overview of AppSec
○ Architecture
○ AppSec Throughout SDLC
● Overview of Attacks Against Applications:
○ Attacking SUID Programs, Environment Attacks, Input Argument Attacks, File Access Attacks
● Application Security Tools and Solutions
Introduction To Application Security

What Is an Application?

An application is a type of software designed to perform specific tasks or solve particular problems for users. Applications can run on various devices, including computers, smartphones, tablets, and other electronic systems.

Key Characteristics of Applications

1. Purpose-Specific: Applications are built to help users perform tasks, such as editing documents, browsing the internet, or managing finances.
2. User Interface (UI): They typically have a graphical interface to interact with users.
3. Platform Dependent: Applications may run only on specific operating systems (e.g., Windows, macOS, Android, iOS).
4. Types:
○ Web Applications: Accessed via a web browser (e.g., Gmail, Google Docs).
○ Mobile Applications: Installed on smartphones (e.g., Instagram, WhatsApp).
○ Desktop Applications: Installed on computers (e.g., Microsoft Word, Photoshop).
○ Embedded Applications: Run on hardware like IoT devices.
“All software is going to have security vulnerabilities.”
No software is 100% bug free.
What can we do to reduce them, and why do we need to do it?
“Software from concept to production”
Where does application security fit?

[Slide diagram: Dev → Ops; Design → Coding → Testing → Release]

Traditional Linear Development

● Linear and slow
● Siloed and inflexible
● “Over the wall”: security is introduced late, in the final stages

Modern Approaches to Development
Where Does AppSec Fit?

● Throughout the SDLC: AppSec practices should be integrated at every phase to proactively address vulnerabilities.

Role of an AppSec Program


An Application Security (AppSec) program:

● Integrates Security into Development: Embeds security throughout the Software Development Life Cycle (SDLC).
● Provides Tools and Processes: Offers automated scanning tools, manual code reviews, and penetration testing.
● Educates Developers: Trains teams to write secure code and follow best practices.
● Monitors and Responds: Continuously monitors applications for vulnerabilities and responds to emerging threats.
● Enforces Security Standards: Ensures adherence to organizational security policies and compliance regulations.
Current State of Application Security

● Growing Threats: The increasing complexity of applications (e.g., microservices, APIs) introduces new vulnerabilities and a larger attack surface.
● Shift to Cloud: Cloud-native applications require specialized security measures.
● Automation: Widespread adoption of security tools such as SAST, DAST, IAST, and RASP.
● Compliance-Driven Security: Organizations are investing in AppSec to meet regulatory requirements.
● Challenges: Shortage of skilled security professionals and limited developer awareness.
Shifting Right vs. Shifting Left

● Shifting Left: Focuses on identifying and fixing vulnerabilities earlier in the SDLC (e.g., secure coding practices,
SAST during development).
● Shifting Right: Emphasizes monitoring and incident response during production (e.g., runtime protection,
observability tools).
● Optimal Strategy: A balance of both approaches ensures robust security.
Security: Shifting Left or Right?
Introduction to DevSecOps
DevSecOps principles

DevSecOps practices concentrate on breaking down silos, enhancing collaboration, and, last but not least, shifting security so that it is integrated early in the development process rather than bolted on just before moving to production. Let's look at some key principles of DevSecOps:
• Unifying the CI/CD pipeline
• Fail-fast automation
• Empowering teams to make decisions
• Cross-skilling and educating teams
• Proper documentation
• Relevant checkpoints
• Building and managing secure development environments and toolchains
DevSecOps
What is Shift Left? (Build Secure)

Shift Left is all about bringing security into the development process right from the earliest stages of software development. Here are the key things it involves:

Developer-focused security training: Raise awareness of secure coding practices to reduce common vulnerabilities. Provide developers with the security education and resources they need to write inherently secure code from the start.

Vulnerability scanning: Use SAST (Static Application Security Testing) and SCA (Software Composition Analysis) tools within the development environment to identify potential security flaws before they reach production. Integrate the scanners into the CI/CD pipeline so that security checks run at every step.

Faster, cheaper fixes: Fixing a bug during development is significantly cheaper than dealing with a security breach after deployment.

Did You Know? Shifting Left Catches 80% of Software Vulnerabilities


What is Shift Right? (Protect and Respond)

Shift Right is the complement of Shift Left: it focuses on security measures after deployment that protect production environments, such as real-time monitoring, threat detection, and incident response. With Shift Right, organizations identify and address security issues in production as they emerge, minimizing the impact of potential breaches.
Here are the key things it involves:

1. Runtime Application Security: Deploy firewalls, threat detection systems, and anti-malware solutions to protect live applications against attacks.
2. Real-time Monitoring: Use tools like SIEM (Security Information and Event Management) that continuously monitor networks, systems, and applications for abnormal activity or potential threats, enabling a quick response to emerging issues.
3. Threat Intelligence: Stay current on the latest threats and attack methods by collecting and analyzing relevant data, allowing proactive measures to mitigate risks before they escalate.
4. Incident Response Automation: Use SOAR (Security Orchestration, Automation, and Response) solutions to contain attacks and minimize their impact as quickly as possible.
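
As an added example (not from the lecture slides) of the real-time monitoring and incident-response automation described above, here is a small SIEM-style correlation engine in Python. It parses constructed web-server access log lines, raises alerts for brute-force login attempts (a threshold rule over a sliding time window) and for injection or path-traversal payloads (signature rules over the URL-decoded path), and then derives an automated response: the list of source IPs to block. The log lines, thresholds, and signatures are constructed for illustration, and a real SIEM would carry far more rules; the same detect-then-respond loop underlies the Monitor and Respond stages of the pipeline described later.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access log in combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Oct/2024:13:55:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Oct/2024:13:55:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Oct/2024:13:55:06 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Oct/2024:13:55:08 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Oct/2024:13:55:09 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2024:13:56:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [10/Oct/2024:13:56:30 +0000] "POST /login HTTP/1.1" 200 2048
192.0.2.9 - - [10/Oct/2024:13:57:10 +0000] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 8192
192.0.2.9 - - [10/Oct/2024:13:57:12 +0000] "GET /static/..%2F..%2Fetc/passwd HTTP/1.1" 404 0
this line is not a log record and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed detection parameters; tune per application.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(seconds=60)

# Signatures applied to the URL-decoded path (decoding defeats %-encoding evasion).
PAYLOAD_SIGNATURES = {
    "sqli": re.compile(r"('\s*or\s+1\s*=\s*1|union\s+select|;\s*drop\s+table)", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\.[/\\]"),
}


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])
    return rec


def detect(log_text):
    """Run signature and threshold rules over the log; return a list of alert dicts."""
    alerts = []
    failed_logins = defaultdict(list)   # ip -> timestamps of 401 responses on /login
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                     # a real pipeline would count parse failures too
        for rule, sig in PAYLOAD_SIGNATURES.items():
            if sig.search(rec["path"]):
                alerts.append({"rule": rule, "ip": rec["ip"], "path": rec["path"]})
        if rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] == 401:
            failed_logins[rec["ip"]].append(rec["ts"])
    # Sliding-window threshold: N failures from one IP within the window.
    for ip, times in failed_logins.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= FAILED_LOGIN_WINDOW]
            if len(in_window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "brute_force", "ip": ip, "count": len(in_window),
                               "window_start": start.isoformat()})
                break                    # one alert per IP
    return alerts


def response_actions(alerts):
    """SOAR-style automation: derive a sorted list of source IPs to block."""
    block_rules = {"brute_force", "sqli", "path_traversal"}
    return sorted({a["ip"] for a in alerts if a["rule"] in block_rules})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("block:", response_actions(found))
```

Note that the brute-force rule fires on the five 401s from 203.0.113.5 even though the sixth request succeeded; that successful login after a burst of failures is exactly the credential-stuffing pattern a responder wants escalated rather than silently blocked.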
Economic Benefits of a Combined Approach

1. Cost Reduction: Detecting and fixing security issues during development significantly cuts expenses compared to addressing them after release. It reduces the resources spent, downtime, and potential harm to the company's reputation.
2. Improved Efficiency: Building security in early in the development cycle ensures software is secure from the start and helps it get to market faster, because issues fixed early do not come back as late rework.
3. Stronger ROI (Return on Investment): Proactively investing in security across the development lifecycle typically yields higher returns than a reactive approach of breach recovery, making it the more financially rewarding approach in the long run.

While both Shift Left and Shift Right strategies require initial investment, adopting a balanced approach can lead to significant future cost reduction. By prioritizing both
proactive prevention and efficient incident response, organizations can minimize the overall financial impact of security breaches over time.
Here are some examples of how companies are implementing this:

Ecommerce sector: Companies are applying a combined Shift Left and Shift Right approach to their cybersecurity efforts:

● Shift Left: Ecommerce platforms invest in early security measures to keep data secure. This involves integrating security practices into the software
development lifecycle, such as secure coding practices and vulnerability assessments in their applications, to identify and mitigate potential risks before
deployment.
● Shift Right: Continuous monitoring is essential for e-commerce platforms to detect and mitigate security threats after deployment. By implementing real
time monitoring of transaction systems, networks, and user activity, companies can identify and respond to suspicious behavior, such as fraudulent
transactions or unauthorized access attempts, thereby safeguarding customer data and maintaining trust.

Financial services sector: Banks are implementing a combined Shift Left and Shift Right approach to their cybersecurity:

● Shift Left: Banks invest heavily in early security measures to safeguard customer data and services. This involves integrating security practices into the software development lifecycle to identify and mitigate vulnerabilities early on.
● Shift Right: Banks also use Shift Right monitoring to detect and prevent fraud in transaction systems. Continuous monitoring of networks and devices helps identify unauthorized access and suspicious activity in real time, enhancing the overall security posture.
DevSecOps Pipeline
Key Stages of a DevSecOps Pipeline

1. Plan
○ Incorporate security requirements during the planning phase.
○ Perform threat modeling to identify potential risks.
○ Define compliance and regulatory needs (e.g., GDPR, PCI DSS).
2. Develop
○ Implement secure coding practices.
○ Use Static Application Security Testing (SAST) to scan code for vulnerabilities during development.
○ Integrate Software Composition Analysis (SCA) to identify vulnerable third-party dependencies.
○ Enforce secrets management to avoid hardcoding sensitive data like API keys and credentials.
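
As an added example (not from the slides) of the Develop-stage controls listed above, here is a minimal pre-merge security gate in Python that combines SCA (checking pinned dependencies against an advisory list, with version comparison) with a hardcoded-secret scan (known key formats, keyword assignments, and high-entropy literals). The advisory feed, package names, and source snippet are all constructed; the advisory IDs are placeholders and do not refer to real vulnerabilities. A real pipeline would query a live advisory database such as OSV and run a dedicated secrets scanner, but the logic is the same: parse the dependency manifest, compare versions, pattern-match the source, and fail the build on blocking findings.

```python
import math
import re
from collections import Counter

# Constructed advisory feed for FICTIONAL packages (placeholder IDs, not real CVEs).
# package -> list of (fixed_in_version, advisory_id); versions below fixed_in are affected.
ADVISORIES = {
    "examplelib": [("2.4.1", "ADV-EXAMPLE-001")],
    "fakeparser": [("1.0.0", "ADV-EXAMPLE-002")],
}

# requirements.txt style line: name, optional '==version', optional trailing comment.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==\s*([0-9][0-9A-Za-z.\-]*))?\s*(#.*)?$")

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # keyword followed by a quoted literal of 8+ chars; reading from os.environ does not match
    "keyword_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|password|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
HIGH_ENTROPY_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0   # bits per char; assumed cut-off between prose and random tokens


def parse_version(v):
    """'2.4.1' -> (2, 4, 1); sufficient for dotted numeric versions."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def sca_scan(requirements_text):
    """Software Composition Analysis: flag vulnerable or unpinned dependencies."""
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = REQ_RE.match(line)
        if m is None:
            findings.append({"line": lineno, "kind": "unparsed", "detail": line.strip()})
            continue
        name, _, version, _ = m.groups()
        name = name.lower()
        if version is None:
            findings.append({"line": lineno, "kind": "unpinned", "package": name})
            continue
        for fixed_in, adv_id in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({"line": lineno, "kind": "vulnerable", "package": name,
                                 "version": version, "fixed_in": fixed_in, "advisory": adv_id})
    return findings


def secret_scan(source_text):
    """Flag hardcoded credentials: known key formats, keyword assignments, random-looking literals."""
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), 1):
        if "# allowlist-secret" in line:      # reviewed false positive, e.g. a test fixture
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "kind": kind})
                break
        else:
            for literal in HIGH_ENTROPY_LITERAL.findall(line):
                if shannon_entropy(literal) > ENTROPY_THRESHOLD:
                    findings.append({"line": lineno, "kind": "high_entropy_literal"})
                    break
    return findings


BLOCKING = {"vulnerable", "aws_access_key_id", "keyword_assignment", "high_entropy_literal"}


def gate(requirements_text, source_text):
    """Return (passed, findings); the CI job exits non-zero when passed is False."""
    findings = ([("sca", f) for f in sca_scan(requirements_text)]
                + [("secrets", f) for f in secret_scan(source_text)])
    passed = not any(f["kind"] in BLOCKING for _, f in findings)
    return passed, findings


# Constructed inputs for the demonstration.
REQUIREMENTS = """\
# constructed lockfile
examplelib==2.3.0
fakeparser==1.2.0
othertool
"""

SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_key = "sk_live_0123456789abcdef"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
greeting = "hello world, this is a long but low-entropy string"
SESSION_SEED = "q8Zp2vXy7LkR4tNb9WsE1mCd"
TEST_TOKEN = "placeholder-value-for-tests"  # allowlist-secret
"""

if __name__ == "__main__":
    ok, found = gate(REQUIREMENTS, SOURCE)
    for scanner, finding in found:
        print(scanner, finding)
    print("gate passed:", ok)
```

The unpinned dependency is reported but not blocking here; many teams do make it blocking, since an unpinned package cannot be matched against an advisory at all. The AWS key in the sample is the one Amazon publishes in its own documentation as a placeholder, so the scanner flags it without any real credential appearing on the page.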
3. Build
○ Automate security checks in the build process.
○ Use Infrastructure as Code (IaC) scanning to identify configuration issues in scripts (e.g., Terraform, Ansible).
○ Scan container images for vulnerabilities.
○ Implement dependency management tools to ensure secure libraries and frameworks.

4. Test
○ Perform Dynamic Application Security Testing (DAST) on staging environments.
○ Run Interactive Application Security Testing (IAST) to monitor application behavior during testing.
○ Automate penetration testing where feasible.
○ Include fuzz testing to detect unusual or edge-case behaviors.
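
An added example (not from the slides) of the fuzz testing mentioned in the Test stage: a tiny mutation-based fuzzer in Python run against a constructed header-line parser that carries two deliberate edge-case bugs, beside a fixed parser that survives the same campaign. The parser, seed inputs, and mutation operators are assumptions for illustration; real fuzzers such as AFL++ or libFuzzer add coverage feedback and run for hours, but the loop is the same: mutate seed inputs, run the target, and bucket crashes by failure type so each distinct bug is reported once.

```python
import random


def parse_header_line(line):
    """Constructed target: returns (name, value) for 'Name: value', else None.
    It carries two deliberate edge-case bugs for the fuzzer to find."""
    if line == "":
        return None
    sep = line.index(":")            # BUG 1: ValueError when no ':' is present
    name = line[:sep].strip().lower()
    if line[sep + 1] != " ":         # BUG 2: IndexError when ':' is the last character
        return None
    value = line[sep + 2:].strip()
    return (name, value) if name else None


def parse_header_line_fixed(line):
    """Same contract, written to reject malformed input instead of raising."""
    name, sep, value = line.partition(":")
    if not sep:
        return None
    name = name.strip().lower()
    return (name, value.strip()) if name else None


PRINTABLE = [chr(c) for c in range(32, 127)] + ["\t", "\r", "\n"]
MUTATIONS = ("flip", "delete", "insert", "truncate", "duplicate")


def mutate(s, rng):
    """Apply one random mutation to a string (the operators a byte-level fuzzer uses)."""
    if not s:
        return rng.choice(PRINTABLE)
    op = rng.choice(MUTATIONS)
    i = rng.randrange(len(s))
    if op == "flip":
        return s[:i] + rng.choice(PRINTABLE) + s[i + 1:]
    if op == "delete":
        return s[:i] + s[i + 1:]
    if op == "insert":
        return s[:i] + rng.choice(PRINTABLE) + s[i:]
    if op == "truncate":
        return s[:i]
    return s + s[:i]                 # duplicate: append a prefix of the input to itself


def fuzz(target, seeds, iterations=3000, seed=1):
    """Mutate seeds, run the target, bucket crashes by exception type.
    Returns {exception_name: first_input_that_triggered_it}."""
    rng = random.Random(seed)        # fixed seed: the campaign is reproducible
    crashes = {}
    for _ in range(iterations):
        candidate = rng.choice(seeds)
        for _ in range(rng.randint(1, 3)):      # stack one to three mutations
            candidate = mutate(candidate, rng)
        try:
            target(candidate)
        except Exception as exc:     # any unhandled exception is a crash bucket
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


# Constructed, well-formed seed inputs; the fuzzer derives the malformed ones.
SEEDS = ["Host: example.com", "Content-Length: 42", "X-Trace: abc-123"]

if __name__ == "__main__":
    for exc_name, trigger in fuzz(parse_header_line, SEEDS).items():
        print(f"{exc_name}: {trigger!r}")
    print("fixed parser crashes:", fuzz(parse_header_line_fixed, SEEDS))
```

The two buckets the fuzzer reports (a line with no colon, and a line ending in a colon) are exactly the inputs a hand-written unit test tends to omit, which is why fuzzing belongs in the Test stage alongside DAST rather than as a replacement for it.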
5. Release
○ Validate that security policies are met before deployment.
○ Use Runtime Application Self-Protection (RASP) tools to safeguard applications in production.
○ Ensure CI/CD pipelines enforce role-based access control (RBAC) and secure secrets.

6. Deploy
○ Implement container orchestration security (e.g., Kubernetes security policies).
○ Use cloud-native security tools (e.g., AWS Security Hub, Azure Security Center, now Microsoft Defender for Cloud).
○ Validate runtime configurations, ensuring no unnecessary ports or privileges.
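
An added example (not from the slides) of the runtime-configuration validation in the Deploy stage, which also covers the IaC scanning mentioned under Build: a Python checker that evaluates a Kubernetes Pod spec against a small least-privilege policy and reports every violation, run on a constructed weak manifest and its hardened counterpart. The manifests are written as Python dicts (the structure you get after loading the YAML) so the example runs without a YAML library. The policy rules are assumptions loosely modelled on the Kubernetes Pod Security Standards "restricted" profile plus image pinning and resource limits; they are not the output of any real scanner.

```python
# Kubernetes Pod specs as Python dicts (what yaml.safe_load would return). Constructed.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,                               # shares the node's network namespace
        "containers": [{
            "name": "web",
            "image": "registry.example/web:latest",        # mutable tag, not reproducible
            "ports": [{"containerPort": 8080, "hostPort": 8080}],
            "securityContext": {
                "privileged": True,
                "capabilities": {"add": ["NET_ADMIN"]},
            },
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "web",
            "image": "registry.example/web@sha256:" + "0" * 64,   # placeholder digest
            "ports": [{"containerPort": 8080}],
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def image_is_pinned(image):
    """Pinned means a digest reference, or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]       # ignore a registry host:port prefix
    return ":" in last and not last.endswith(":latest")


def check_pod(pod):
    """Return a list of (scope, violation) tuples; an empty list means the spec passes."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(("pod", f"{flag} is enabled"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if not image_is_pinned(c.get("image", "")):
            findings.append((name, "image is not pinned to a digest or immutable tag"))
        if sc.get("privileged"):
            findings.append((name, "privileged container"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation is not explicitly false"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append((name, "may run as root (runAsNonRoot not set)"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append((name, "capabilities not dropped (expected drop: [ALL])"))
        for cap in caps.get("add", []):
            if cap in DANGEROUS_CAPS:
                findings.append((name, f"dangerous capability added: {cap}"))
        for port in c.get("ports", []):
            if "hostPort" in port:
                findings.append((name, f"hostPort {port['hostPort']} binds directly on the node"))
        if not c.get("resources", {}).get("limits"):
            findings.append((name, "no resource limits (denial-of-service risk)"))
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(check_pod(pod))} finding(s)")
        for scope, message in check_pod(pod):
            print(f"  [{scope}] {message}")
```

Run as a pipeline step, a non-empty result from check_pod is the "policy not met" signal that should fail the deploy; in a cluster the same rules are better enforced by an admission controller so that a manifest applied outside the pipeline is caught as well.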
7. Monitor
○ Continuously monitor applications with Security Information and Event Management (SIEM) tools.
○ Integrate tools like RASP or Application Performance Monitoring (APM) to detect and mitigate threats in real time.
○ Automate alerting and remediation for vulnerabilities detected in production.
8. Respond
○ Define an incident response plan for handling breaches.
○ Automate rollback or patching workflows to minimize downtime.
○ Conduct post-incident reviews to identify and address root causes.
