Basics of Application Security
This is my first article on how I do security testing and my thoughts on how to do it the right way in general.
To start, I'll introduce myself and provide basic security definitions.
Let's go.
About me
I'm a professional application security analyst. I got my degree in the field of Information Security in St. Petersburg, Russia. I have been working as a security professional for 7 years already and have a couple of certifications (Certified Ethical Hacker and usable security specialist). Before that I worked as a software testing engineer, providing product quality feedback for security-related software.
What is all this about
Security is a rapidly growing area of expertise in IT right now. Application security experts are highly valued and have no trouble finding a decent job. Why is that? Because the world grows fast and its connectivity expands even faster. Each day thousands of new devices are connected to the Internet, millions of pages are created, and terabytes of data travel back and forth through networks.
Of course no one cares about public data like price catalogs, newspapers and useless stuff like funny pictures with kittens. Oh. Frankly, I should take my words back on kittens :) Aside from that there is data you really care about - your payment details, your personal info, your location and habits, your corporate secrets. And, taking it further - state and governmental data. There are also those who lurk for such data for fun and profit. Ensuring that this data is secure is one of the goals of information security.
Ok, now to the basics.
Security triangle
One of the most difficult questions a security specialist needs to solve is finding a proper balance between the following capabilities of the system he cares about: Security, Usability, Functionality.
Finding that balance is not easy. You can design a completely secure system, but it will be useless, because it will be all about security and you won't be able to do anything with it. Or you can design a perfectly usable and feature-rich application which will be as insecure as it could possibly be, because every function usually adds to the scope of the security analysis, and it is nearly impossible to cover every opening the functionality gives a malicious user to exploit its flaws.
Vulnerabilities, risks, threats, controls and assets
Below are common security terms I'll use throughout my articles:
An asset is every valuable bit of information, every application, system, service or even piece of hardware that you are trying to protect. The better you know what is valuable and what is not, the better you can understand what is needed to secure it.
A threat is anything that can harm your assets, be it a malicious user, a fire in the area or a computer virus.
Risk is a combination of factors which may affect the secure state of your asset. These factors are the probability (or likelihood) of the threat and the impact of the threat. In other words: how probable it is that this specific situation or agent will cause a significant impact on your assets.
Controls are all the measures you undertake to decrease risk. To decrease the likelihood of a virus attack we tend to install an antivirus as a preventive control, decreasing the risk of such an event.
A vulnerability is a weakness in infrastructure, hardware, people's way of thinking, application code or application design. If a malicious agent discovers the vulnerability, he may exploit it to access your asset and cause damage to it.
Good guys vs bad guys
There are basically 3 types of security-minded people:
- Good guys, aka 'white hats', are security professionals who aim to make our world a safer place by putting defences up, educating people on secure habits, performing agreed security assessments of systems and finding security issues before the bad guys do, and by writing articles on security on LinkedIn... oh, sorry :)
- Bad guys, aka 'black hats', exploit security flaws in systems for profit or, for example, as revenge.
- Somewhere in the middle are the 'gray hats'. These guys can be partially on both sides of Good and Evil.
Holy trinity of Security - CIA
Another thing which comes as a triad in information security is CIA. No, it's not what you might have expected :)
It is short for Confidentiality, Integrity and Availability.
These are the properties of most information systems, and the vast majority of attacks will in fact try to compromise them. Whenever we talk about security testing we must consider these three items.
Confidentiality - everything related to the secrecy and privacy of information: every measure that helps prevent disclosure of information and every attack vector aiming to disclose sensitive data. For example, implementing password-based access to the data or application you are trying to protect is a measure that protects confidentiality. Conversely, trying every possible password for some username is an attack against confidentiality.
Integrity - everything that protects a benign user against unauthorized alteration of data or, on the other side, helps a malicious user amend data without any permission to do so. For example, you don't want your shop order to be intercepted by an adversary and changed so that the order is shipped to another address, not yours.
Availability - everything that keeps systems running or, conversely, everything an attacker can exploit to disrupt the normal workings of the system. You, as an authorized and legitimate user, have the right to access data or a system whenever you want, without any disturbance. On the other hand, a malicious user might want to prevent you from doing so. Imagine an adversary taking down a bank's alarm system by blocking all its outgoing signals (so no one notices the breach) and then sneaking in and robbing it.
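Two of the controls named above, written out as an added example that is not part of the original article: an HMAC tag that lets the shop detect a tampered shipping address (an integrity control), and a lockout after repeated wrong passwords for one username (a confidentiality control against password guessing). The secret key, the order, the user and the hash-based password store are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed demo secret: in a real shop it lives only on the server side.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
# Constructed sample order, as the customer submitted it.
ORDER = {"order_id": 1042, "item": "headphones", "address": "1 Main St, Springfield"}


def canonical(order: dict) -> bytes:
    """Serialize deterministically so signer and verifier hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order: dict, key: bytes = SECRET_KEY) -> str:
    """Integrity control: attach an HMAC-SHA256 tag to the order."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SECRET_KEY) -> bool:
    """Recompute the tag and compare in constant time; any altered field fails."""
    return hmac.compare_digest(sign_order(order, key), tag)


def password_hash(password: str) -> str:
    """Demo-only hashing; a production system uses a slow KDF such as scrypt."""
    return hashlib.sha256(password.encode()).hexdigest()


class LoginGuard:
    """Confidentiality control: lock a username after max_attempts failures."""

    def __init__(self, stored_hashes: dict, max_attempts: int = 5):
        self.stored = stored_hashes          # username -> password_hash(...)
        self.max_attempts = max_attempts
        self.failures: dict = {}             # username -> consecutive failures

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; a locked account rejects even the right password."""
        if self.failures.get(username, 0) >= self.max_attempts:
            return "locked"
        stored = self.stored.get(username, "")
        if stored and hmac.compare_digest(password_hash(password), stored):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"
```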
Ok, that's it for the start. I'll be happy to answer any questions or provide any guidance :)
Good article, but I was expecting to read some better insights into security testing, and ended up reading some generic definitions of common security terminology.