Application security encompasses measures taken throughout the application’s life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design,development, deployment, upgrade, or maintenance of the application.
Applications only control the use of resources granted to them, and not which resources are granted to them. They, in turn, determine the use of these resources by users of the application through application security.
Open Web Application Security Project (OWASP) and Web Application Security Consortium (WASC) updates on the latest threats which impair web based applications. This aids developers, security testers and architects to focus on better design and mitigation strategy. OWASP Top 10 has become an industrial norm in assessing Web Applications.
Security testing for applications
Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle.
Vulnerability scanners, and more specifically web application scanners, otherwise known as penetration testing tools (i.e. ethical hacking tools) have been historically used by security organizations within corporations and security consultants to automate the security testing of http request/responses; however, this is not a substitute for the need for actual source code review. Physical code reviews of an application’s source code can be accomplished manually or in an automated fashion. Given the common size of individual programs (often 500,000 lines of code or more), the human brain can not execute a comprehensive data flow analysis needed in order to completely check all circuitous paths of an application program to find vulnerability points. The human brain is suited more for filtering, interrupting and reporting the outputs of automated source code analysis tools available commercially versus trying to trace every possible path through a compiled code base to find the root cause level vulnerabilities.
Search the site
- Vuln: Novell ZENworks Configuration Management CVE-2013-1095 Cross-Site Scripting Vulnerability
- Vuln: RETIRED: Oracle Java SE Critical Patch Update June 2013 Advance Notification
- Vuln: X.Org libFS 'FSOpenServer()' Memory Corruption Vulnerability
- Vuln: Linux Kernel '__skb_recv_datagram()' Local Denial of Service Vulnerability
- Bugtraq: APPLE-SA-2013-06-18-1 Java for OS X 2013-004 and Mac OS X v10.6 Update 16
- Bugtraq: [SECURITY] [DSA 2628-2] nss-pam-ldapd update
- Bugtraq: [SECURITY] [DSA 2698-1] tiff security update