Basically, application security is the security
profile of application level software and communication. So what does
that mean? and what does that look like? and really, who cares?
Well,
let’s start from the first question and work our way backward.
Applications are becoming much more important as initial attack vectors
into systems. Over the past decade or so, operating system vendors and
developers have become much more conscious of the security of the
systems they deliver. They’re spending much more time reviewing the code
they deliver and becoming more disciplined in refining what exactly
they deliver. They’re also incorporating more and more advanced
cyber-security techniques into delivered operating systems everyday. In
fact, Microsoft Windows, once the butt of just about every
cyber-security joke told, is arguably the most secure baseline operating
system on the market today - certainly much more secure than it was
five years ago. As operating systems and related systems become more
secure, attackers need to begin to look at other areas to exploit. More
and more of these attackers are looking, today, at applications.
So
who cares? Well, attackers really care. They’re really interested in
finding applications that are running with open network connections,
with system privileges, and with security flaws. Really, they don’t care
that much about the authority the applications run with - the more the
better, but any foothold is better than nothing. And since attackers
care, application vendors need to care, and because the vendors care, we
developers need to pay attention too.
It
doesn’t look like things are going to change anytime soon in this regard
either. Today, companies are beginning to be held liable for
information leakage. We’ve seen lawsuits brought against companies,
we’ve seen C-Level executives fired, and we’ve seen profound differences
with respect to how liability for cyber-security negligence is
determined today when compared to event a few years ago. The stakes are
higher, and people way above our pay grade are paying attention.
Application
software isn’t clearly defined, really, but we can do a little better
than that. Fortunately, operating systems and network communication
models have this nifty application layer that runs on top of the
software delivered by infrastructure and operating system vendors. The
OSI model has it, Windows has it, Linux and Unixes have it, and TCP/IP
has it. So from a network communication perspective, anything that runs
in the application layer is fair game for an application security
analysis. HTTP, for example, is an ubiquitous application level
protocol. I mean, it’s everywhere. If you ever look at a typical packet
capture, it is just riddled with HTTP traffic. And applications use HTTP
for just about everything today. Need RPC? use REST/JSON. Need to send
information for storage? POST or PUT that information to an HTTP
endpoint. Need to grab some data? go GET it from a web server. It’s
absolutely everywhere. And there’s other cross-platform application
protocols too, like Apache Thrift or Avro, or Google’s Protocol Buffers.
In fact, from the perspective of the TCP/IP stack, if you’re above the
TCP layer, you’re in application space.
Likewise,
any program that runs in userland is an application too. This isn’t
limited to third-party programs either. Anything from any vendor that
runs above the kernel is fair game for application security reviews. On
linux or windows, this includes everything from in-house enterprise
applications to word processors and utilities to unix commands like ls
or ssh. On mobile devices, this includes apps in Swift or Objective-C on
iOS and Java or C++ on Android. It doesn’t include drivers, kernel
modules, network infrastructure firmware, or anything like that.
originally published on DZone
originally published on DZone
