6 Tips for Application Security Practitioners

Sahba Kazerooni is a senior security consultant with Security Compass, a security consulting and training firm specializing in application security based in New Jersey. He is also an internationally-renowned speaker on security topics, and has provided presentations at security conferences around the world, including BlackHat Security Conference in Amsterdam, Security Opus in San Francisco, and IDC WebSec in Mexico City. Here he provides us with tips for best practices in application security.
1. Consider encodings - In the foreseeable future, it is likely that the types of web application vulnerabilities will remain the same, but variations will appear. Development teams will become more security conscious and become much better at preventing input validation attacks. Attackers will therefore be forced to adapt by focusing on obscuring their actions with alternate encodings. There are hundreds of different character sets and encodings such as Hex and Unicode that an attacker can use. Many validation filters will handle some of these cases correctly, but not all of them. How do your input validation filters handle alternate encodings?
2. Train your developers - The most secure applications are built with security in mind. Creating a security-conscious development team significantly reduces the number of application security issues that enter production systems. As a result, the costs associated with finding and fixing vulnerabilities are also reduced. Given the statistics around the average cost of a vulnerability being exploited, training 10 developers in application security is cost effective if only 50 security vulnerabilities are prevented in the lifetime of the application.
3. When using a framework, proceed with caution - Application frameworks are designed to reduce the amount of development time required on a project. Most frameworks are very configurable, and it is important that before using a framework the development team be familiar with the various intricacies. Read all documentation provided and research any configuration options that may have known security implications. Using a framework without adequate research can be detrimental to the security of your application.
4. Standardize application logging - Despite being an often neglected security control, logging is crucial to the detection of attacks and the investigation that follows in the event of a successful attack. Traditionally, the detection of attacks has been in the hands of network administrators who would use Network Intrusion Detection Systems (NIDS) to identify abnormal traffic or known attack signatures. IDS appliances specifically tailored to application security concerns exist, but they are not very effective. It is up to the application developers to ensure that important events and data are logged and are in a consistent format that can be efficiently processed. By creating a logging standard within your organization, you can ensure that the log files produced by your application are usable by log analysis tools.
5. Classify your applications - A typical financial organization has hundreds of internal- and external-facing applications. It is often not feasible to perform a detailed security assessment on every application. One practical approach is to analyze all of the applications and prioritize them for review. This prioritization, or classification, can be based on a number of factors such as the data handled by the application, the application's network interfaces (i.e. Internet or LAN facing), or the number and severity of findings from an automated vulnerability scan of the application. The most critical applications should be considered for threat modeling, source code review, and vulnerability assessment, while the less critical undergo automated assessments. This 'classify then assess' strategy will ensure that the most risk is mitigated with the least cost and effort.
6. Learn to compromise - One of the biggest challenges that we face as application security practitioners is balancing an application's security with its usability. After a security review, the recommendations that may have an effect on the user's perception of the system are often presented to the business group who will determine if a change should be made. The suggestions might not always be acceptable to the business group. It is extremely important to prepare solutions that strike a compromise between security and usability by providing business-friendly alternatives for user-sensitive recommendations. After all, mitigating some risk is better than mitigating no risk at all. An effective security assessment produces solutions that try to balance technical issues with the firm's appetite for risk.
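For tip 1, one way to answer the question of how a validation filter handles alternate encodings is to run it against the same value in several encodings. The sketch below is an added example, not code from the author or Security Compass: it compares a raw-string blocklist with a filter that canonicalizes first and then applies an allowlist. The "name" field, its allowlist, the round limit and all sample inputs are assumptions constructed for illustration.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumed cap on nested encoding layers
# Assumed allowlist for a hypothetical "name" form field.
ALLOWED = re.compile(r"[A-Za-z0-9 .,'_-]{1,64}")

def canonicalize(value):
    """Decode until the value stops changing; return (canonical, rounds)."""
    for rounds in range(MAX_ROUNDS + 1):
        # Strict mode raises on malformed UTF-8 such as overlong sequences.
        decoded = unquote(value, errors="strict")         # %3C -> <
        decoded = html.unescape(decoded)                  # &#x3c; -> <
        decoded = unicodedata.normalize("NFKC", decoded)  # fullwidth -> ASCII
        if decoded == value:
            return value, rounds
        value = decoded
    raise ValueError("too many encoding layers")

def naive_filter(value):
    """Blocklist applied to the raw string, with no decoding first."""
    return "<" not in value and ">" not in value

def hardened_filter(value):
    """Canonicalize first, then allowlist the canonical form."""
    try:
        canonical, rounds = canonicalize(value)
    except ValueError:  # includes UnicodeDecodeError from strict decoding
        return False
    if rounds > 1:      # nested encoding has no legitimate use in this field
        return False
    return ALLOWED.fullmatch(canonical) is not None

# Constructed test inputs, one per encoding family.
SAMPLES = [
    "Alice Smith",            # plain
    "O%27Brien",              # benign percent-encoding
    "%3Cscript%3E",           # percent (hex) encoding
    "%253Cscript%253E",       # double percent-encoding
    "&#x3c;script&#x3e;",     # HTML numeric entities
    "\uff1cscript\uff1e",     # Unicode fullwidth forms
    "%C0%BCscript%C0%BE",     # overlong UTF-8
]

def audit(samples=SAMPLES):
    """Return (sample, naive verdict, hardened verdict) for each input."""
    return [(s, naive_filter(s), hardened_filter(s)) for s in samples]

if __name__ == "__main__":
    for sample, naive, hardened in audit():
        print(f"{sample!r:28} naive={naive!s:5} hardened={hardened}")
```

The blocklist passes every sample because none contains a literal angle bracket, while the canonicalizing filter accepts only the two benign names.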