Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Application Security

Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Security measures built into applications and a sound application security routine minimize the likelihood that hackers will be able to manipulate applications and access, steal, modify, or delete sensitive data. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats.

To avoid this, many organizations have an internal security expert find and respond to information about the latest vulnerabilities and threats to the software employed within the business-critical systems under their supervision.

Many organizations hire a third-party company to perform penetration testing against their applications to discover all the weaknesses or vulnerabilities in the application.

Once the vulnerabilities or weaknesses are discovered, the next step is to prepare a report and send it to the application development team. The report contains the severity of each vulnerability, its business impact, remediation guidance and other details. The next step is to fix the vulnerabilities.

Once the vulnerabilities have been remediated by the application development team, the security team carries out a reassessment of the application. Depending on company policy and the criticality of the application, the security team performs periodic assessments of the application.

Custom Application Assessment

Application security assessment is a unique area of assessment and penetration testing. Unlike infrastructure-based assessments, the methodology used by a security professional for identifying security vulnerabilities and significant issues is highly dependent upon the type of application being assessed.


Although several high-level methodologies do exist (and some guides can indeed be quite comprehensive), they are often not generic or versatile enough to cope with the wide variety of custom applications commonly encountered. Many methodologies used by professional security assessment organisations are in fact highly guarded.

In general, the applications are normally subjected to the following groups of tests:
  • Inspection of application validation and bounds checking for both accidental and mischievous input.
  • Manipulation of client-side code and locally stored information such as session information and configuration files.
  • Examination of application-to-application interaction between system components such as the web service and back-end data sources.
  • Discovery of opportunities that could be utilised by an attacker to escalate their permissions.
  • Examination of event logging functionality.
  • Examination of authentication methods in use for their robustness and resilience to various subversion techniques.
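One way to exercise the first group above, validation and bounds checking against accidental and mischievous input, as an added example that is not part of the original article: the order-quantity field, the two parsers, the bound and the test inputs are all constructed here for illustration.

```python
# Constructed harness: feed the same accidental and mischievous inputs to an
# unguarded parser and to a hardened one, and report which inputs each parser
# accepted that the assessor expected to be rejected.

MAX_QTY = 1000  # assumed business limit for a single order line

def naive_parse_qty(raw):
    """Typical unguarded handler: trusts int() and applies no bounds."""
    return int(raw)

def hardened_parse_qty(raw, max_qty=MAX_QTY):
    """Accept only ASCII decimal digits whose value lies in [1, max_qty]."""
    if not isinstance(raw, str):
        raise ValueError("quantity must be a string field")
    s = raw.strip()
    if not s or not s.isascii() or not s.isdigit():
        raise ValueError("quantity must be ASCII digits")
    if len(s) > len(str(max_qty)):  # cheap length check before int()
        raise ValueError("quantity too long")
    qty = int(s)
    if not 1 <= qty <= max_qty:
        raise ValueError("quantity out of bounds")
    return qty

# Constructed inputs mapped to the verdict the assessor expects.
# Accidental malformations first, then mischievous ones.
CASES = {
    " 12 ": True,       # padded but legitimate
    "": False,          # blank submission
    "12.0": False,      # decimal typed by mistake
    "\u0663": False,    # Arabic-Indic digit three: int() silently accepts it
    "-1": False,        # negative quantity
    "0": False,         # zero
    "99999999999999999999": False,  # far beyond any plausible bound
    "1e9": False,       # exponent notation
    "1 OR 1=1": False,  # injection-style string
    "\x00": False,      # NUL byte
}

def run_checks(parser, cases=CASES):
    """Return {input: 'accepted:<value>' or 'rejected'} for one parser."""
    results = {}
    for raw in cases:
        try:
            results[raw] = "accepted:%s" % parser(raw)
        except (ValueError, TypeError, OverflowError):
            results[raw] = "rejected"
    return results

def findings(parser, cases=CASES):
    """Inputs the parser accepted although the assessor expected a rejection."""
    verdicts = run_checks(parser, cases)
    return sorted(k for k, ok in cases.items() if not ok and verdicts[k].startswith("accepted"))
```

Running `findings(naive_parse_qty)` lists the negative, zero, oversized and non-ASCII-digit inputs the unguarded parser let through, which is exactly the kind of result an assessor records under the first test group; the hardened parser produces no findings.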

Regardless of whether it is a web-enabled client-server application or an n-tier compiled application, the methodology actually implemented by the security consultant to assess the security of all client-side functionality will also depend on the consultant's own experience and skill set.

Instead of focusing on an all-encompassing application security assessment methodology, many consultants may find it more practical to cycle through a checklist of questions. The emphasis of the questions is not so much on how you test the application, but on what the consultant should be looking for.