Welcome to crimson security group
we yearn security ......
It's my dream to share information regarding security. So, this is my first step on web application security. Here, I am going to give valuable information regarding web application security.
Introduction to web application security
What is Application Security?
Definition from Wikipedia:
Application security encompasses measures taken throughout the code's life-cycle to prevent gaps in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.
What is the need for Application Security?
* To prevent attackers from compromising our applications
* An estimated 70% - 80% of attacks occur at the application layer
* An estimated 80% of web applications are vulnerable
* Custom code means human error
* Delivery deadlines leave loopholes open
* Lack of security knowledge among developers
* Security not embedded into the SDLC (Software Development Life Cycle)
What is SDLC?
SDLC, the Software Development Life Cycle, is a process used by the software industry to design, develop and test high-quality software. The SDLC aims to produce high-quality software that meets or exceeds customer expectations and reaches completion within time and cost estimates.
The following figure is a graphical representation of the various stages of a typical SDLC.
Reference link : http://www.tutorialspoint.com/sdlc/sdlc_overview.htm
However, the increasing concerns and business risks associated with
insecure software have brought increased attention to the need to
integrate security into the development process. Implementing a proper
Secure Software Development Life Cycle (SSDLC) is important now more
than ever.
SSDLC: What is it and why should I care?
In the past, it was common practice to perform security-related activities only as part of testing. This after-the-fact technique usually resulted in a high number of issues discovered too late (or not discovered at all). It is a far better practice to integrate security activities across the SDLC to discover and reduce vulnerabilities early, effectively building security in. It is in this spirit that the concept of the Secure SDLC arises. An SSDLC process ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort. The primary advantages of pursuing an SSDLC approach are:
* More secure software as security is a continuous concern
* Early detection of flaws in the system
* Cost reduction as a result of early detection and resolution of issues
* Overall reduction of intrinsic (essential) business risk for the organization
* Increased Security awareness among team
Types of Application Security Testing
Basically there are three types of testing: white box, black box and gray box.
Each approach has specific advantages and disadvantages, and selecting a testing approach needs to be done based on the time and resources available, as well as the overall goals of the test being performed.
Black Box :
Refers to testing a system without specific knowledge of its internal workings, with no access to the source code and no knowledge of the architecture. Black box tests must be run against running instances of applications, so black box testing is typically limited to dynamic analysis such as running automated scanning tools and manual penetration testing.
White Box :
Also known as clear box testing, this refers to testing a system with full knowledge of, and access to, all source code and architecture documents. Having full access to this information can reveal bugs and vulnerabilities more quickly than the "trial and error" method of black box testing. Additionally, you can be sure of more complete testing coverage by knowing exactly what you have to test.
Specialized knowledge and tools are typically required to assist with white box testing, such as debuggers and source code analysers.
However, if white box testing is performed using only static analysis of the application source code, without access to a running system, it can be impossible for security analysts to identify flaws that stem from system misconfigurations or other issues that exist only in the deployment environment of the application in question.
Gray Box :
When we talk about gray box testing, we're talking about testing a system while having at least some knowledge of its internals. This knowledge is usually limited to detailed design documents and architecture diagrams. It is a combination of black and white box testing and combines aspects of each.
Gray box testing allows security analysts to run automated and manual penetration tests against a target application, and it lets those analysts focus and prioritize their efforts based on superior knowledge of the target system. This increased knowledge can result in more significant vulnerabilities being identified with significantly less effort, and can be a sensible way for analysts to approximate certain advantages attackers have over security professionals when assessing applications.
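To make the white box / black box distinction concrete, here is an added example (not code from the original post) that finds the same flaw both ways. A deliberately vulnerable login lookup builds its SQL by string formatting. The white box check reads the function's source with Python's `ast` module, the way a source code analyser would, and flags `execute()` calls whose query is built by formatting or concatenation. The black box probe never sees the source: it only calls the running function with a classic tautology payload and compares the result with a normal failed login. The database, table, user rows and function names are all constructed for this example.

```python
"""Added example: one SQL injection flaw found by static (white box) and
dynamic (black box) means. Everything here is constructed for illustration."""
import ast
import inspect
import sqlite3


# --- Constructed target application ------------------------------------
def build_db() -> sqlite3.Connection:
    """In-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def find_user_vulnerable(conn, username, password):
    # Intentionally vulnerable: user input is formatted into the query text.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(query)]


def find_user_fixed(conn, username, password):
    # Hardened form: bound parameters, so input never changes the SQL grammar.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# --- White box: inspect the source, no execution needed -----------------
def white_box_findings(func) -> list:
    """Static check: report execute() calls whose first argument is built
    with % formatting, + concatenation or an f-string, either inline or via
    a local variable assigned in the same function."""
    tree = ast.parse(inspect.getsource(func))
    first_line = func.__code__.co_firstlineno  # map AST lines to file lines

    assigned = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assigned[node.targets[0].id] = node.value

    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Name):          # follow `query = ...`
            arg = assigned.get(arg.id, arg)
        built = isinstance(arg, ast.JoinedStr) or (
            isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Mod, ast.Add)))
        if built:
            line = first_line + node.lineno - 1
            findings.append(f"{func.__name__} line {line}: "
                            "SQL query built by string formatting")
    return findings


# --- Black box: observe behaviour, no source needed ---------------------
def black_box_probe(lookup, conn) -> dict:
    """Dynamic check: a failed login should return no rows. If a tautology
    payload returns rows instead, the input reached the SQL parser."""
    baseline = lookup(conn, "nobody", "wrongpass")
    payload = lookup(conn, "nobody", "' OR '1'='1")
    return {"baseline_rows": len(baseline), "payload_rows": len(payload),
            "injectable": len(payload) > len(baseline)}


def run_all() -> dict:
    conn = build_db()
    return {
        "static_vulnerable": white_box_findings(find_user_vulnerable),
        "static_fixed": white_box_findings(find_user_fixed),
        "dynamic_vulnerable": black_box_probe(find_user_vulnerable, conn),
        "dynamic_fixed": black_box_probe(find_user_fixed, conn),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

The static check flags the vulnerable function from its source alone and says nothing about the fixed one; the dynamic probe reaches the same verdict without reading a line of code, because the payload turns the `WHERE` clause into `... AND password = '' OR '1'='1'` and every user row comes back. Note what each side cannot see: the static check knows nothing about how the application is deployed (which database account it runs as, whether debug output is enabled), while the black box probe only detects what it happens to trigger, which is why the two are normally combined.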
Application security standards
Reference link: http://security.stackexchange.com/questions/45386/are-there-any-web-application-security-standards
The reason, usage and the brief definition given in the blog and the resources of the secure software development are very well explained and highly appreciable in terms of the quality content and high knowledge.