Detecting application vulnerabilities and remediation guidelines

K M Abhijith
6 min read · Jul 6, 2023


Co-authors : Shibu N, S Sankara Subramanian, Shilpa Mohandas

Any system defect that an attacker can use to compromise an application is known as an application vulnerability. Attacks on applications pose a serious risk to companies of all kinds. These attacks may lead to data breaches, a loss of customer trust, and reputational harm to a business.

Detecting vulnerabilities

Techniques used in vulnerability detection include static analysis, dynamic analysis, penetration testing, and code review. This process helps developers identify and address security flaws in their applications, ensuring a secure and reliable user experience across platforms. Web application vulnerability scanners are automated tools of this kind that scan applications, normally from the outside, for security vulnerabilities such as accidental exposure through access specifiers, cross-site scripting, SQL injection, command injection, path traversal, and insecure server configuration. The scans are classified into the following types:

Static Application Security Testing (SAST) is a frequently used application security technique that scans an application’s source, binary, or byte code. As a white-box testing tool, it identifies the root cause of vulnerabilities and helps remediate the underlying security flaws. SAST scans reduce security risks in applications by giving developers immediate feedback on issues introduced into the code during development. They help educate developers about security while they work by providing real-time recommendations and line-of-code navigation, which allows faster vulnerability discovery and collaborative auditing.

Dynamic Application Security Testing (DAST) is the process of analysing a web application through its front end to find vulnerabilities through simulated attacks. This approach evaluates the application from the “outside in” by exercising it the way a malicious user would. After a DAST scanner performs these attacks, it looks for responses that fall outside the expected result set and flags them as security vulnerabilities.

Interactive application security testing (IAST) is a testing methodology that combines the functions of both SAST and DAST. It uses a monitoring mechanism (sensor or agent) in the application’s backend to gather information during runtime. These tools alert administrators over various channels whenever any unexpected events are detected.

Runtime application self-protection (RASP) tests and protects applications against common vulnerabilities during execution or runtime. DevOps can use RASP to monitor applications in production and take corrective steps when it detects abnormal activity, such as a cyberattack or other malicious action.

Hybrid application security testing (HAST) combines SAST and DAST methodologies to discover and fix application security vulnerabilities. Although this approach requires more time and budget, it is optimal for designing secure applications.

Issues with the tools used for vulnerability scans

  • Incomplete coverage: Traditional scanners may not detect all vulnerabilities, especially those that are more complex or require manual testing. It is important to choose a tool that provides adequate coverage for the organisation’s deployed applications and for the types of vulnerabilities most relevant to its business.
  • Time-consuming scans: Some scanners take a long time to complete, which can be a significant burden on resources and lead to delays in addressing vulnerabilities.
  • False positives: The scan result may contain many false positives, which are time-consuming to review, identify and discard. The accuracy of a scanning tool is therefore another important factor to consider before deciding to subscribe to it, so choose a tool that has a built-in ability to filter false positives and provides accurate results.

Where to look for trending vulnerabilities

OWASP: The Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security. The OWASP Top 10 ranks the ten most critical web application security risks and provides remediation guidance for each; these are commonly called the OWASP Top 10 Vulnerabilities. They are organised by significance, the security risk they pose, and possible countermeasures. More details of the trending vulnerabilities that OWASP identifies as potential threats can be found on the OWASP Top 10 project page. The purpose of the report is to give developers and web application security professionals insight into the most prevalent security risks, thereby minimising the presence of known risks in their applications.

CVE: Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed information security vulnerabilities and exposures. The Common Vulnerability Scoring System (CVSS) is a set of open standards for assigning a number to a vulnerability to assess its severity. A CVSS score ranges from 0.0 to 10.0; the higher the number, the higher the severity. The CVE database allows organisations to set a baseline for evaluating the coverage of their security tools. CVE’s common identifiers let organisations see what each tool covers and how appropriate it is for them. More details of CVE can be found on the CVE programme site.

Details of popular tools and the stages at which they are used

Secure coding practices to deal with vulnerabilities

  • Keep code simple and modular. Implement what is required in the fewest lines possible: the less code there is, the fewer chances there are for errors to get in.
  • Choose proven, widely used libraries as dependencies, as they go through more reviews and checks.
  • Make use of the features the programming language provides (access specifiers and modifiers) to restrict accidental exposure of data.
  • Handle exceptions wisely, knowing the resources involved and propagating exceptions as required. Ensure that no resource or code detail is accidentally exposed to the end user.
  • Package applications so that it is difficult to relate modules to each other even after an accidental disclosure.
  • Use serialisation sparingly and only as needed, as it exposes the underlying data structure.
  • Ensure that sensitive information is never logged; if it must be, mask or hash it first.
  • Have sufficient server-side validation to prevent injection-based attacks, and ensure that SQL queries are constructed with parameters.
  • Use stored procedures wherever possible, and expose only the minimum data required by client programs.
  • Implement server and network security measures, such as firewalls and intrusion detection systems, to protect web applications from attacks like DDoS and SQL injection.
  • Keep web applications and supporting software up to date with the latest security patches and updates to address known vulnerabilities.
  • Use secure communication protocols, such as HTTPS, to ensure that data transmitted between web applications and users is encrypted and protected from interception.
  • Have a well-defined access process and validate roles before allowing access to data. Grant access to modules at the minimum level possible.
  • Escape user-supplied input when dealing with XML and SQL parameters, and enforce strict data type and format checks.
  • Filter your inputs with a whitelist of allowed characters, and use a proven library to HTML-encode your output for HTML contexts to protect applications against XSS (cross-site scripting) vulnerabilities.
  • Regularly check the code for vulnerabilities, and take in the latest security updates for dependencies.
  • Design a good logging strategy to track user activity in the application.
  • Integrate the build pipeline with code scanners to detect and fix vulnerabilities earlier.
  • Keep yourself continuously updated about common and current vulnerabilities.
  • Have a good code release process involving peer or external reviews, and use formatting and code analysis tools such as Checkstyle, PMD and Checkmarx, which can easily be plugged into the IDE.
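The injection, output-encoding and sensitive-logging items in the list above, shown as an added Python example that is not part of the original post. The SQLite table, its sample rows and the helper names are constructed for illustration; the concatenated query is kept only as the “before” form to show what the parameterised version prevents.

```python
import hashlib
import html
import re
import sqlite3

def make_db():
    """Constructed in-memory table with two sample users (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])
    return conn

# Allow-list of permitted username characters, applied server-side before any query.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_username(name):
    """Reject anything outside the expected shape instead of trying to escape it."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name

def find_user_unsafe(conn, name):
    """'Before' form: input is concatenated into SQL, so a quote changes the query."""
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()

def find_user_safe(conn, name):
    """Parameterised form: the driver binds the value, so it can never become SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def render_greeting(name):
    """HTML-encode output for an HTML context so markup in the name is inert text."""
    return "<p>Hello, " + html.escape(name) + "</p>"

def log_line_for(email):
    """Log a masked form plus a short hash reference, never the raw address."""
    local, _, domain = email.partition("@")
    masked = local[:1] + "***@" + domain
    ref = hashlib.sha256(email.encode()).hexdigest()[:12]
    return f"user={masked} ref={ref}"
```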

Conclusion

Application security is vital to protect businesses from potential vulnerabilities. Application security tools work alongside security professionals and application security controls to deliver security throughout the application lifecycle. Having the security tools available and in place is critical in dealing with the security threats surrounding software development. With multiple types of tools and methods available for testing, achieving application security is within reach.
