Instana

Detecting application vulnerabilities and remediation guidelines

By K M Abhijith posted Thu July 06, 2023 06:45 AM


Co-authors : @Shibu N, S Sankara Subramanian, @SHILPA MOHANDAS

Any system defect that an attacker can use to compromise an application is known as an application vulnerability. Attacks on applications pose a serious risk to companies of all kinds. These attacks may lead to data breaches, a loss of customer trust, and reputational harm to a business.

Detecting vulnerabilities

Techniques used in vulnerability detection include static analysis, dynamic analysis, penetration testing, and code review. This process helps developers identify and address security flaws in their applications, ensuring a secure and reliable user experience across platforms. Web application vulnerability scanners are automated tools that normally scan applications from the outside to look for security vulnerabilities such as unintended access specifiers, cross-site scripting, SQL injection, command injection, path traversal, and insecure server configuration. The scans are classified into the following types:

Static Application Security Testing (SAST) is a frequently used application security technique that scans an application’s source, binary, or byte code. As a white-box testing tool, it identifies the root cause of vulnerabilities and helps remediate the underlying security flaws. SAST scans reduce security risks in applications by giving developers immediate feedback on issues introduced into code during development. They help educate developers about security while they work by providing real-time access to recommendations and line-of-code navigation, which allows for faster vulnerability discovery and collaborative auditing.

Dynamic Application Security Testing (DAST) is the process of analyzing a web application through the front-end to find vulnerabilities through simulated attacks. This type of approach evaluates the application from the “outside in” by attacking an application like a malicious user would. After a DAST scanner performs these attacks, it looks for results that are not part of the expected result set and identifies security vulnerabilities.

Interactive application security testing (IAST) is a testing methodology that combines the functions of both SAST and DAST. It uses a monitoring mechanism (sensor or agent) in the application’s backend to gather information during runtime. These tools alert administrators over various channels whenever any unexpected events are detected.

Runtime application self-protection (RASP) tests and protects applications against common vulnerabilities during execution or runtime. DevOps can use RASP to monitor applications in production and take corrective steps when it detects abnormal activity, such as a cyberattack or other malicious action.

Hybrid application security testing (HAST) combines SAST and DAST methodologies to discover and fix application security vulnerabilities. Although this approach requires more time and budget, it is optimal for designing secure applications.

Issues with the tools used for vulnerability scans

  • Incomplete coverage: Traditional scanners may not detect all vulnerabilities, especially those that are more complex or require manual testing. It is important to choose a tool that provides adequate coverage for the organisation’s deployed applications and the types of vulnerabilities that are most relevant to their business.

  • Time-consuming scans: Some scanners take a long time to complete, which can be a significant burden on resources and lead to delays in addressing vulnerabilities.

  • False positives: The scan result may contain many false positives, which are time-consuming to review, triage and dismiss. The accuracy of a scanning tool is another important factor to consider before deciding to subscribe to it, so it is important to choose a tool that has an inbuilt ability to filter false positives and provides accurate results.

Where to look for trending vulnerabilities

OWASP: The Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security. The OWASP Top 10 provides rankings and remediation guidance for the ten most critical web application security risks, known as the OWASP Top 10 Vulnerabilities. These are organised based on their significance, the security risk they pose, and possible countermeasures. More details of the trending vulnerabilities identified as potential threats by OWASP can be found here. The purpose of the report is to offer developers and web application security professionals insight into the most prevalent security risks, thereby minimising the presence of known risks in their applications.

CVE: Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed information security vulnerabilities and exposures. The Common Vulnerability Scoring System (CVSS) is a set of open standards for assigning a number to a vulnerability to assess its severity. A CVSS score ranges from 0.0 to 10.0; the higher the number, the higher the severity. The CVE database allows organisations to set a baseline for evaluating the coverage of their security tools. CVE's common identifiers allow organisations to see what each tool covers and how appropriate each is for their organisation. More details of CVE can be found here.

Details of popular tools and the stages at which they are used

Testing your applications for vulnerabilities and fixing them is the most efficient way to prevent web application vulnerabilities. The following table lists some of the tools used for performing different types of vulnerability scans and the stages at which they are used.

| Aspect | SAST | DAST | IAST | RASP | HAST | Penetration Testing |
|---|---|---|---|---|---|---|
| Tools Used | Fortify, Checkmarx, SonarQube | OWASP ZAP, Burp Suite, Acunetix | Contrast Security, Veracode | Sqreen, Contrast Security, Veracode Runtime Protection, Waratek AppSecurity for Java, Aqua Trivy | Apache JMeter, LoadRunner, BlazeMeter, Locust | Metasploit, Nmap, Nessus, Wireshark, OpenVAS |
| Type of Testing | White-box testing | Black-box testing | Gray-box testing | White-box testing | Black-box testing | Black-box testing |
| Requirements | Access to source code | Access to running application | Access to running application | Requires deployment of agents within the application | Requires test environment setup and test scenarios | Access to running application |
| Purpose | Analyze source code for vulnerabilities | Test web applications for vulnerabilities | Combine static and dynamic analysis | Protect applications during runtime | Measure system stability and resilience | Simulate real-world attacks to identify weaknesses |
| Scope | Limited to source code analysis | Tests the entire application | Tests the entire application | Operates at the application layer and monitors the application's behavior during runtime | Identifies system vulnerabilities under stress | Tests the entire application |
| Key Features | Code analysis, vulnerability detection | Web scanning, crawling, input fuzzing | Agent-based instrumentation, runtime analysis | Real-time monitoring and response | Load generation, fault injection, and performance analysis | Exploitation, network scanning, vulnerability scanning |
| Integration | Integrated into IDEs and CI/CD pipelines | Web-based scanning of live applications | Runtime instrumentation with application | Directly integrated within the application stack | Integrated as part of the testing environment | Standalone tools used by ethical hackers |
| Stages of SDLC Integration | Early stages of development | After application deployment | Throughout the application lifecycle | Integrated as a security measure during development and deployment | Typically used during the testing phase of SDLC | Any stage of application lifecycle |
| Use Cases | Early-stage development, code reviews | Testing deployed web applications | Continuous monitoring during application usage | Web application security, threat detection and response | Infrastructure validation, scalability testing, reliability testing | Identify weaknesses in systems and networks |

Secure coding practices to deal with vulnerabilities

  • Keep code simple and modular. Include only what is required, in the minimum number of lines: the less code there is, the fewer chances there are for errors to get in.

  • Choose proven and actively maintained libraries as dependencies, as they go through more reviews and checks.

  • Make use of the features that the programming language provides to restrict accidental exposure of data through access specifiers and modifiers.

  • Handle exceptions wisely, knowing the resources involved and propagating exceptions as required. Ensure that no accidental exposure of resources or code reaches the end user.

  • Package applications so that it is difficult to relate modules to each other even after an accidental disclosure.

  • Use serialisation only where needed, as it exposes the underlying data structure.

  • Ensure that sensitive information is never logged; if it must be, mask or hash it.

  • Have sufficient server-side validation to prevent injection-based attacks, and ensure that SQL queries are built with parameterised statements.

  • Use stored procedures wherever possible, and expose only the minimum data required by client programs.

  • Implement server and network security measures, such as firewalls and intrusion detection systems, to protect web applications from attacks like DDoS and SQL injection.

  • Keep web applications and supporting software up to date with the latest security patches and updates to address known vulnerabilities.

  • Use secure communication protocols, such as HTTPS, to ensure that data transmitted between web applications and users is encrypted and protected from interception.

  • Have a well-defined access process and validate roles before allowing access to data. Grant access to modules at the minimum level possible.

  • Escape user-supplied input when dealing with XML and SQL parameters, and enforce strict data type and format checks.

  • Filter your inputs with a whitelist of allowed characters, and use a proven library to HTML-encode your output in HTML contexts to protect applications against XSS (cross-site scripting) vulnerabilities.

  • Regularly check the code for vulnerabilities, and take in the latest security updates for dependencies.

  • Design a good logging strategy to track user activity in the application.

  • Integrate the build pipeline with code scanners to detect and fix vulnerabilities earlier.

  • Continuously update yourself about common and current vulnerabilities.

  • Have a good code release process involving peer or external reviews, and use formatting and code analysis tools like Checkstyle, PMD and Checkmarx, which can easily be plugged into the IDE.
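The following is an added example, not code from the original post, showing two of the practices above side by side: a query built by string concatenation next to its parameterised form, and a whitelist input check with HTML output encoding for an XSS-safe page. It assumes Python's built-in sqlite3 module and a small constructed in-memory users table.

```python
import html
import re
import sqlite3


def make_db():
    # Constructed sample data for the example; not a real schema from the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def lookup_unsafe(db, name):
    # Anti-pattern: the user value becomes part of the SQL text, so a quote
    # character in the input changes the structure of the query itself.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    # Parameterised statement: the driver binds the value separately from the
    # SQL text, so the input is always treated as data, never as query syntax.
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Whitelist of characters the application expects in a username (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(name):
    # Reject anything outside the whitelist instead of trying to strip bad characters.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def render_greeting(name):
    # Output encoding for an HTML context: user data is escaped, never trusted as markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

Running lookup_safe with an input containing a single quote simply matches no row, while lookup_unsafe with the same input returns rows the caller never asked for.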

Conclusion

Application security is vital to protect businesses from potential vulnerabilities. Application security tools work alongside security professionals and application security controls to deliver security throughout the application lifecycle. Having the security tools available and in place is critical in dealing with the security threats surrounding software development. With multiple types of tools and methods available for testing, achieving application security is within reach.
