Today I'd like to share with you some fundamentals of application security. I'll probably create some more articles about security in the future, so please drop a message in the comments section below if you think it's an interesting topic, and you want to read something more.
Secure application has to meet three security goals - they are also known as CIA triad:
- Confidentiality - the goal is to prevent unauthorized disclosure of or access to sensitive data managed by applications, such as personal and financial data.
- Integrity - the goal of integrity is to protect data from unauthorized modification or deletion.
- Availability - the goal of availability is to ensure that the application and its services remain accessible to users.
Reasons for Application Security
- Potential loss of revenue
- Potential for damaged credibility
- Potential cost savings from prevention
Understanding the attacker
Attackers are highly incentivized to attack applications that may contain valuable data. For example, stolen credit card numbers are readily available on the unethical market for a relatively affordable amount.
Medical records and taxpayer identification data can fetch even more because users can't simply cancel their medical records or their taxpayer IDs as they could do with a credit card.
Vulnerability - a weakness in your application that an attacker could exploit
Exploit - a malicious application or set of commands used to take advantage of vulnerabilities in your application
Attack - an action that leverages one or more vulnerabilities to realize a threat
Threat/Threat Agent - an event that could exploit a vulnerability in your application code and cause some undesirable behavior
Asset - a resource of value
Risk - the potential for loss or damage to an asset
Countermeasure - a step taken to address or reduce the potential for damage caused by a vulnerability in your application code
Managing Application Security Risk
It's important to underscore the principle that no application can be completely secure. The key to great application security is to correctly manage your risk.
There are 4 approaches to managing risk:
- Accept risk
- Avoid risk
- Transfer risk
- Mitigate risk
Accepting risk means that you take no proactive measures to address your risk, and that you are willing to accept the full consequences of a threat to an asset.
This is sometimes a reasonable approach if the cost of addressing the risk exceeds both the value of the asset you wish to protect, and the consequences should the risk be realized.
Avoiding risk is the opposite of accepting risk. To avoid risk you remove the exposure of an asset to the threat, or you remove the asset entirely.
For example, let's say your application manages customer credit card data, which certainly involves risk. Your organization can choose to avoid this risk altogether by not handling credit card data at all.
Transference means you transfer the burden of the risk onto a third party. Insurance is a classic example of transferring risk.
You take proactive steps to reduce an asset's exposure to risk. For example, you can reduce the risk of an attacker guessing user account passwords by requiring all users to use strong passwords. Or, to reduce the chances of an attacker intercepting sensitive data transmitted between your online application and users, you could protect the data in transit using Transport Layer Security(TLS).
Mitigation is the most common and recommended way to address application security risks.
After reading this article you should have a basic understanding what's application security, what are its goals, and how to manage application security risks. If you are interested in more topics like this, put your comment in the comments section.
If you like this article please share it on your social media, and follow me on Twitter where I am always posting info about my new writings.
Did you find this article valuable?
Support Dominik Gebert by becoming a sponsor. Any amount is appreciated!