Identify Common Application Security Threats
Learning Objectives
After completing this unit, you’ll be able to:
- Describe the importance of inventorying and prioritizing applications and their risks.
- List key account access information that application security engineers should identify.
Learn About Applications and Their Risk
Application usage by both consumers and businesses has risen steadily over the past few years and is expected to continue to increase. In recent years, application development has become easier while requiring fewer resources. In large organizations, dispersed teams of developers can spin up new code, sometimes without the IT and security departments even being aware. If these business units also make technology purchasing decisions on their own, several technology solutions could end up storing the company’s data with little standardization and control.
Additionally, as companies push for quicker turnaround for their software projects, developers have to deliver business functionality at a speed that can risk the security of applications and their data. The need to deliver functionality quickly also has led to a push to use more automated processes, including automating security scanning whenever possible.
These dual trends point to the need for application security engineers to begin to approach their jobs by first identifying the applications in their environment and the risks they pose. Just as a business that deals in physical products performs inventory in a warehouse, application security engineers start by inventorying applications in their environment. The goal of identifying risks in the application is to understand the threats, vulnerabilities, and business impact posed by each application and use this information to prioritize associated protections. The Open Web Application Security Project (OWASP) provides a wealth of practical information for application security engineers, including details on an approach to risk rating that evaluates which security risks are most serious for a particular business environment.
To identify a security risk, think about the threats involved, the methods that can be used, the vulnerabilities that can be exploited, and the potential impact on the business. Application security engineers are aware of, and protect against, a variety of risks, some of which are described in the OWASP Top 10. You will learn about a few of these in more detail in the following units, including injection, cross-site scripting (XSS), security misconfiguration, broken authentication, broken access control, sensitive data exposure, and insufficient logging and monitoring.
Track Application Access
When taking inventory of applications and their associated threats, vulnerabilities, risks, and impacts, you’ve already spent time thinking about threat actors and what they want. Application security engineers also need to think about how attackers could access a system to steal sensitive information or otherwise cause damage. Any point of entry that a legitimate user or nonuser could make use of can also be exploited by an attacker. It’s crucial that the engineer identify and understand the different types of application access that make up their environment.
Application security engineers ask themselves the following questions about application access.
- Who will access the application? Is this application for customers, business partners, employees, or third-party vendors? What types of access does each of these users need? What permissions or functions will they need to perform? For example, will the application be used to make financial transactions? Will it need to be interoperable to allow access to other applications, or a browser session?
- From where will users access the application? Is this a mobile or a desktop application? Is it available only to internal users, such as employees on a company intranet, or is it available externally (for example, from the Internet)? Have sensitive applications been segmented from less sensitive areas of the network?
- What privileged administrative functions are available? What functions can an administrator perform and how are they controlled? How are these accounts monitored?
In considering each of these points, remember that malicious actors can potentially harm a business by taking various paths through the application. Application security engineers evaluate each of these potential entry points and subsequent paths and put in place proper protections. In the next module, let’s dive a bit deeper into how applications can be protected, starting with securing the software development lifecycle.
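The inventory-and-prioritize step and the access questions above can be combined into one record per application. The following is an added example, not part of the original unit: it scores each application using the 0-9 factors and severity matrix from the OWASP Risk Rating Methodology, and the application names, scores, and the two access-gap rules are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import mean
# OWASP severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note", ("MEDIUM", "LOW"): "Low", ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High", ("HIGH", "HIGH"): "Critical",
}
RANK = ["Note", "Low", "Medium", "High", "Critical"]

@dataclass
class App:
    name: str
    audience: str          # who accesses it: customers, partners, employees, vendors
    exposure: str          # from where: "internet" or "intranet"
    admin_functions: bool  # privileged administrative functions exist
    admin_monitored: bool  # those admin accounts are monitored
    threat_agent: list     # skill, motive, opportunity, size (each 0-9)
    vulnerability: list    # discovery, exploit, awareness, detection (each 0-9)
    business_impact: list  # financial, reputation, non-compliance, privacy (0-9)

def level(score):
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def rate(app):
    # Likelihood averages threat-agent and vulnerability factors;
    # impact here averages the business-impact factors.
    likelihood = mean(app.threat_agent + app.vulnerability)
    impact = mean(app.business_impact)
    return likelihood, impact, SEVERITY[(level(likelihood), level(impact))]

def access_gaps(app):
    # Hypothetical checks derived from the access questions (assumptions).
    gaps = []
    if app.admin_functions and not app.admin_monitored:
        gaps.append("admin accounts not monitored")
    if app.exposure == "internet" and app.audience == "employees":
        gaps.append("internal-only audience but internet-exposed")
    return gaps

def prioritize(inventory):
    rows = [(app.name, *rate(app), access_gaps(app)) for app in inventory]
    return sorted(rows, key=lambda r: (RANK.index(r[3]), r[1] * r[2]), reverse=True)

# Constructed sample inventory; names and scores are illustrative only.
INVENTORY = [
    App("hr-intranet", "employees", "intranet", True, False, [4, 4, 4, 2], [3, 3, 4, 3], [3, 4, 7, 7]),
    App("build-dashboard", "employees", "internet", False, False, [5, 4, 7, 6], [7, 5, 6, 8], [1, 2, 2, 1]),
    App("customer-portal", "customers", "internet", True, True, [6, 9, 7, 9], [7, 5, 6, 8], [7, 9, 7, 7]),
]
```

Calling `prioritize(INVENTORY)` returns the applications ordered from most to least severe, each with its likelihood, impact, severity label, and any open access gaps.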
Sum It Up
In this module, you learned more about what an application is, covered what skills application security engineers need, and discussed how application security engineers identify the applications, risks, vulnerabilities, and threats specific to their organization’s environment. We’ve also previewed some common application security scenarios. In the Application Security Engineer Responsibilities module, we’ll learn more details about each scenario and how application security engineers protect against them by following the Software Development Lifecycle (SDLC). Interested in exploring more cybersecurity-related information? Check out the Cybersecurity Learning Hub on Trailhead.