Detect Application Intrusions
After completing this unit, you’ll be able to:
- Explain the importance of implementing sufficient application monitoring.
- Describe how adversarial testing can be used to strengthen security.
Detect Intrusions with Application Monitoring
As an application security engineer, you will likely see far fewer issues with excessive logging than with insufficient logging. Insufficient logging and monitoring is a widespread security weakness. Logging is the process of collecting and storing data to analyze trends or record events and actions taken by an application, a user, or another technology.
An application log is a file of events that are logged by a software application. The log contains information about errors, events, warnings, and alerts. Application security engineers have an important role to play in determining the format and content of application logs.
Collecting sufficient logs is crucial to enabling security professionals to monitor the IT in their environment. Monitoring applications allows application security engineers to ensure that the application is performing in an expected manner. If there are abnormalities, these may be a sign of an intrusion or attempted intrusion by a malicious actor.
Without sufficient logging and monitoring, malicious activity by attackers may go undetected by security analysts. This can allow attackers to compromise systems, maintain persistence (ongoing access to the system), and even pivot to compromise other connected systems. All of this allows an attacker to compromise the confidentiality, integrity, or availability of an application’s data. Some studies have found that the average time for organizations to detect a breach is over 200 days, and that these breaches are often detected by external rather than internal parties.
Application security engineers also work to integrate logging and monitoring with incident response functions to enable the organization to take rapid action when analysts discover anomalous activity.
What else can application security engineers do to help? Engineers continually monitor, fix, and prevent application security vulnerabilities. They try to detect malicious intent before damage occurs by monitoring application processes and user behavior. They first do this by configuring logs to include the right information and ensuring logs are well integrated across the technology stack and with incident response. They make sure events like logins, failed logins, and high-value transactions are logged. They ensure warnings and errors generate adequate log messages. They also ensure the part of the organization responsible for monitoring, usually the Security Operations Center (SOC), is monitoring the logs for suspicious activity. They work to ensure alerting thresholds and response escalation processes are in place to help analysts quickly identify and respond to threats.
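The practices above (logging logins, failed logins and high-value transactions with the fields analysts need, and putting an alerting threshold on top) can be made concrete in code. The following Python is an added example for this unit, not code from the original module: it emits one JSON record per security event, refuses to write a record that lacks the fields needed for correlation, and runs a sliding-window rule that alerts when one source IP accumulates repeated failed logins. The event names, field names, the 5-in-300-seconds threshold and the sample traffic are all assumptions chosen for illustration.

```python
# Structured security-event logging with a sliding-window alert rule.
# Added example, not code from the original module. Event names, field
# names, thresholds and sample traffic are assumptions for illustration.
import json
import logging
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Core fields every security event must carry so the SOC can correlate
# records across services without per-application parsing rules.
REQUIRED_FIELDS = ("ts", "event", "outcome", "user", "src_ip")


class JsonFormatter(logging.Formatter):
    """One JSON object per line: trivially parsed by log shippers and SIEMs."""

    def format(self, record):
        payload = dict(getattr(record, "fields", {}))
        payload["level"] = record.levelname
        return json.dumps(payload, sort_keys=True)


def build_logger():
    logger = logging.getLogger("appsec.events")
    logger.handlers.clear()
    handler = logging.StreamHandler()  # stderr by default
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


LOGGER = build_logger()


def missing_fields(record):
    """Return the core fields that are absent or empty in a record."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]


def log_event(event, user, src_ip, outcome, ts=None, **extra):
    """Emit a structured event and return the record that was written.

    A record the SOC cannot correlate is a logging gap, so an incomplete
    event fails loudly at the call site instead of being silently written.
    """
    ts = ts or datetime.now(timezone.utc)
    record = {"ts": ts.isoformat(), "event": event, "user": user,
              "src_ip": src_ip, "outcome": outcome, **extra}
    missing = missing_fields(record)
    if missing:
        raise ValueError(f"security event missing fields: {missing}")
    level = logging.WARNING if outcome == "failure" else logging.INFO
    LOGGER.log(level, event, extra={"fields": record})
    return record


class FailedLoginRule:
    """Alert when one source IP fails login `threshold` times within `window_s` seconds."""

    def __init__(self, threshold=5, window_s=300):
        self.threshold = threshold
        self.window_s = window_s
        self._hits = defaultdict(deque)  # src_ip -> (timestamp, user) of recent failures

    def observe(self, record):
        """Feed one record; return an alert dict when the threshold is reached."""
        if record["event"] != "login" or record["outcome"] != "failure":
            return None
        ts = datetime.fromisoformat(record["ts"])
        hits = self._hits[record["src_ip"]]
        hits.append((ts, record["user"]))
        # Expire failures that have slid out of the window (the newest entry always stays).
        while (ts - hits[0][0]).total_seconds() > self.window_s:
            hits.popleft()
        if len(hits) >= self.threshold:
            return {"alert": "failed_login_burst", "src_ip": record["src_ip"],
                    "count": len(hits), "users": sorted({u for _, u in hits})}
        return None


def run_sample():
    """Constructed traffic: a normal login and transfer, plus a failure burst from one IP."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    traffic = [("login", "alice", "10.0.0.5", "success", 0, {})]
    traffic += [("login", f"user{i}", "203.0.113.9", "failure", 10 * i, {})
                for i in range(6)]
    traffic.append(("transfer", "alice", "10.0.0.5", "success", 90, {"amount": 2500}))
    rule = FailedLoginRule(threshold=5, window_s=300)
    alerts = []
    for event, user, ip, outcome, offset, extra in traffic:
        record = log_event(event, user, ip, outcome,
                           ts=base + timedelta(seconds=offset), **extra)
        alert = rule.observe(record)
        if alert:
            alerts.append(alert)
    return alerts
```

Running `run_sample()` writes eight JSON lines to stderr and returns two alerts: one when the fifth failure from 203.0.113.9 lands inside the window, and another for the sixth. Rejecting incomplete records at the call site is deliberate: a login event without a user or source address is exactly the kind of record an analyst cannot act on, so it is better to surface the defect in development than to discover it during an incident.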
Use Adversarial Testing
Application security engineers use adversarial testing to gauge the ability of an application to withstand cyber threat activity. Adversarial testing involves a security team thinking like an attacker to help identify and mitigate potential risks before they are exploited with malicious intent.
One type of adversarial testing common in application security is penetration testing. Penetration tests can be performed by a separate group of security professionals within the organization or by a third party. The penetration testing team works in depth to imagine all possible lines of attack on an application and tests them to see whether they can perform unauthorized actions or exfiltrate sensitive data.
Another common type of adversarial application testing is called bug bounty. In bug bounty, organizations announce that they are willing to pay a reward (a “bounty”) to ethical hackers who find and inform them about vulnerabilities in their applications. Monetary rewards can be small or large.
Many large companies have bug bounty programs and invite both internal and external ethical hackers to participate. By crowdsourcing attempts to expose an application’s weaknesses, bug bounty programs can reduce the risk of a security incident in which a malicious actor exploits a vulnerability. If you are interested in a career in application security, participating in bug bounty programs can be a great way to learn more about the skills you need in the field and maybe even earn some extra cash while you’re at it!
Application security engineers have a role to play in responding to the findings from penetration tests and bug bounty programs. They work with the application development team and business owners to resolve findings by advising on and enforcing security best practices. They help application owners work through when and how to fix findings.
They also review logs after a penetration test, or after a bug has been reported, to see whether they can identify the tester’s actions in them. If not, the application security engineer improves the information collected and correlated in the logs and associated dashboards to ensure analysts can quickly identify and respond to threats. For more information on further considerations to ensure sufficient logging, see the Common Weakness Enumeration (CWE) resource for insufficient logging.
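The post-test log review described above can be made repeatable: take the list of actions the tester reported, look for a matching record in the application log, and flag both actions that left no record at all and records that lack the fields an analyst would need to correlate them. The Python below is an added example for this unit, not material from the original module. The tester's action list, the log records, the mapping from the tester's vocabulary to the application's event names, and the 60-second matching tolerance are all constructed assumptions.

```python
# Post-test log coverage review: which tester actions left no usable trace?
# Added example, not from the original module. The actions, log records,
# event-name mapping and matching tolerance are constructed assumptions.
from datetime import datetime, timedelta

# How far apart the tester's reported time and the log timestamp may be and
# still count as the same action (assumed allowance for clock skew).
MATCH_WINDOW = timedelta(seconds=60)

# Fields an analyst needs to pivot from one record to related ones.
CORRELATION_FIELDS = ("ts", "event", "outcome", "user", "src_ip")

# The tester's reported actions (constructed; in practice this comes from the
# tester's own activity log in the engagement report).
TESTER_ACTIONS = [
    {"ts": "2024-03-01T10:00:00", "src_ip": "198.51.100.7", "action": "login_failure", "target": "alice"},
    {"ts": "2024-03-01T10:00:20", "src_ip": "198.51.100.7", "action": "login_failure", "target": "alice"},
    {"ts": "2024-03-01T10:02:00", "src_ip": "198.51.100.7", "action": "login_success", "target": "alice"},
    {"ts": "2024-03-01T10:05:00", "src_ip": "198.51.100.7", "action": "export_report", "target": "report/42"},
    {"ts": "2024-03-01T10:07:00", "src_ip": "198.51.100.7", "action": "change_email", "target": "alice"},
]

# What the application actually logged (constructed). The export and the
# e-mail change left no record, and the successful login lacks src_ip.
APP_LOG = [
    {"ts": "2024-03-01T10:00:01", "event": "login", "outcome": "failure", "user": "alice", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-01T10:00:21", "event": "login", "outcome": "failure", "user": "alice", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-01T10:02:01", "event": "login", "outcome": "success", "user": "alice"},
    {"ts": "2024-03-01T10:09:00", "event": "logout", "outcome": "success", "user": "alice", "src_ip": "198.51.100.7"},
]

# Translate the tester's vocabulary into the application's (event, outcome) pairs.
ACTION_TO_EVENT = {
    "login_failure": ("login", "failure"),
    "login_success": ("login", "success"),
    "export_report": ("export", "success"),
    "change_email": ("profile_update", "success"),
}


def review_coverage(actions, log):
    """Match each tester action to at most one log record and report the gaps.

    Returns a dict with the actions that were logged, the actions that were
    not, and, for logged actions, any correlation fields the record lacks.
    """
    report = {"logged": [], "unlogged": [], "missing_fields": {}}
    used = set()  # indices of log records already claimed by an action
    for action in actions:
        event, outcome = ACTION_TO_EVENT[action["action"]]
        when = datetime.fromisoformat(action["ts"])
        match = None
        for idx, rec in enumerate(log):
            if idx in used or rec["event"] != event or rec["outcome"] != outcome:
                continue
            if abs(datetime.fromisoformat(rec["ts"]) - when) <= MATCH_WINDOW:
                match = idx
                break
        if match is None:
            report["unlogged"].append(action["action"])
            continue
        used.add(match)
        report["logged"].append(action["action"])
        missing = [f for f in CORRELATION_FIELDS if not log[match].get(f)]
        if missing:
            report["missing_fields"][action["action"]] = missing
    return report


if __name__ == "__main__":
    for key, value in review_coverage(TESTER_ACTIONS, APP_LOG).items():
        print(f"{key}: {value}")
```

On the constructed data the review reports that the report export and the e-mail change were never logged, and that the successful login was logged without a source IP, so an analyst could not tie it to the failed attempts that preceded it. Each of those findings maps directly to a logging improvement the application security engineer would take back to the development team.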
Sum It Up
You’ve been introduced to strategies application security engineers use to monitor applications for signs of malicious activity, by ensuring logs are in place, calibrated, and integrated with incident response activities. This brings to a close the trail on application security engineering. You’ve learned what this role entails, skills you may want to pursue, and the crucial role engineers play in an organization’s application development lifecycle.
Interested in exploring more cybersecurity-related information? Check out the Cybersecurity Learning Hub on Trailhead.