Jul 18, 2016
Why is testing for application security important? Can't an organisation just respond to an incident if, or when, it occurs? Whilst that viewpoint may sound mad to someone security-conscious, it is unfortunately the approach that many organisations worldwide still take today. Rather than investing in training software developers on security best practices and testing their applications for security, they rely on basic internal checks and resolve vulnerabilities only if they become a problem.
Of course, this can lead to disaster when a vulnerability in your application is exploited by a malicious third party, with repercussions such as:
- Tremendous damage to your organisation's brand
- A permanent loss in customer confidence
- Downtime of key software, devastating productivity organisation-wide (or stopping online sales in the case of eCommerce applications)
- Expensive vulnerability remediation costs, which are at their peak post-production
- Legal sanctions and civil lawsuits, depending on the case in question
What happens if all of your organisation's confidential documents are stolen, or the same happens to one of your clients? It's not pretty. A major vulnerability making it into your application can completely cripple your business and its reputation in the marketplace.
Appropriate Security Tests Reduce This Risk
There is a wide range of solutions available, from in-program software which checks for common vulnerabilities as your developers write code, to extensive penetration testing. The most common security tests run on applications are penetration tests (or pentests) and code reviews. Another useful practice is threat modelling, which is unfortunately often under-appreciated within organisations. Let's investigate each one.
Application Penetration Testing
Application penetration tests (the most common tests run by organisations and security firms alike) identify security vulnerabilities and threats within your application at any phase of development. A good penetration test will focus on areas where your application is most at risk, report back any issues that are found and provide detailed remediation advice.
Penetration testing is typically done by teams using a mixture of manual attacks and specialised tools. Testing should also be prioritised based on the potential damage that could be done to your organisation should a vulnerability be exploited, and should always produce a report detailing vulnerabilities. No application is completely vulnerability-free.
Penetration tests are typically done blind (i.e. the attackers cannot see your source code) in order to replicate a real-world environment.
Code Review
A code review consists of going through your codebase and locating constructs which lead to vulnerabilities. A code review should produce a detailed report that outlines code issues and suggests improvements to the code for better security. A review allows teams to better understand problem areas of their code, and to prevent common logic errors and other mistakes in the future.
There are a number of ways to manage code reviews, but the most effective combine static analysis tools with a manual review.
Threat Modelling
Threat modelling is a key security testing technique that security, IT and software development teams often under-utilise. Threat modelling allows teams involved in application development to identify critical risks and make better security decisions.
"Experience shows that nearly 50% of security flaws will be discovered from threat modelling because it finds different threats than those found through code review." - Michael Howard, author of "Writing Secure Code" and the Security Program Manager at Microsoft
Threat modelling involves analysing your application and its environment in order to generate a business level threat model that identifies as many potential attack angles as possible. A finished threat model will typically identify:
- The applications that are most at risk
- The most likely potential threats to those applications
- Any specific malicious attacks that could be launched to realise those threats
- Design, implementation and deployment conditions which could lead to successful attacks
- Potential mitigations, or additional testing that should be done, to reduce identified threats
So don't leave your application's security to chance. By running appropriate tests you can dramatically decrease the chances of vulnerabilities making it into your deployed applications, and remediate vulnerabilities before they have an opportunity to damage your organisation.