Application Security Issues and Challenges
External Application Security Vulnerabilities
- Injection Flaws
Injection flaws occur when untrusted input is passed to an interpreter (an SQL server, the browser, an LDAP server, and so on) without being properly filtered. Without proper filtering, an attacker can inject commands into these components, which can cause a loss of data and allow the attacker to hijack your clients’ browsers.
Luckily, filtering the input can prevent this application security issue. Your best bet for filtration is to use your framework’s filtering functions, which are thoroughly scrutinized and proven to work.
While there are several kinds of injection vulnerabilities, the most common are:
a. SQL Injection Flaws. When an attacker can insert an SQL query into the application, they are able to access and modify sensitive data, in addition to other malicious activities. This kind of injection flaw occurs when user-supplied input is placed into a dynamic database query.
b. RCE Injection Flaws. Remote command execution (RCE) is when an attacker is able to run their own commands or code on your server. Recommended methods for preventing RCE include:
i. Using APIs instead of command lines whenever possible
ii. Avoiding shell commands
iii. Thoroughly reviewing all of your code
iv. Restricting server permissions to only what is strictly necessary
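The two injection classes listed above, shown side by side in Python as an added example (not code from the original article). For SQL injection, the dynamic query built by string concatenation sits next to the parameterized query that fixes it; for command injection, a command line built from input sits next to the two fixes the list recommends: calling the platform API instead of a command, and, where a command is unavoidable, passing arguments as a list with no shell. The table, the temporary directory, the file names and the probe string are all constructed for the demo.

```python
import sqlite3
import subprocess
import tempfile
from pathlib import Path


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: user input is spliced into a dynamic query, so it can change
    the query's structure instead of acting only as a value."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the query text is constant and the driver binds the input as data."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def _confine(base: Path, dirname: str) -> Path:
    """Resolve dirname under base and refuse anything that escapes it."""
    base = base.resolve()
    target = (base / dirname).resolve()
    if target != base and base not in target.parents:
        raise ValueError("directory outside the allowed base")
    return target


def shell_command_vulnerable(dirname: str) -> str:
    """Vulnerable pattern, returned rather than executed: a command line built by
    string concatenation. Run through a shell, any shell metacharacter in
    dirname would be interpreted as part of the command, not as a file name."""
    return f"ls -1 {dirname}"


def list_dir_via_api(base: Path, dirname: str) -> list:
    """Preferred fix from the list above: use the platform API (pathlib) rather
    than a command at all, after confining the path to an allowed base."""
    return sorted(p.name for p in _confine(base, dirname).iterdir())


def list_dir_via_argv(base: Path, dirname: str) -> list:
    """If a command is unavoidable: no shell, argv passed as a list, so the input
    reaches the program as one argument and is never parsed for metacharacters."""
    target = _confine(base, dirname)
    result = subprocess.run(["ls", "-1", str(target)], capture_output=True,
                            text=True, check=True)
    return sorted(result.stdout.split())


def demo() -> dict:
    """Run both pairs against constructed data and return what each one sees."""
    conn = make_db()
    probe = "' OR '1'='1"   # constructed input whose quotes alter the dynamic query
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "reports").mkdir()
        for name in ("q1.txt", "q2.txt"):
            (base / "reports" / name).write_text("constructed")
        try:
            list_dir_via_api(base, "../etc")
            escaped = True
        except ValueError:
            escaped = False
        return {
            "vulnerable_rows": len(lookup_user_vulnerable(conn, probe)),  # every user
            "safe_rows": len(lookup_user_safe(conn, probe)),              # no match
            "api_listing": list_dir_via_api(base, "reports"),
            "argv_listing": list_dir_via_argv(base, "reports"),
            "traversal_allowed": escaped,
        }


if __name__ == "__main__":
    print(demo())
```

The same probe string returns every row from the concatenated query and no rows from the parameterized one, which is the whole point of binding values through the driver. The directory functions add the permission-style check from the list: even with the shell out of the picture, the path is confined to one base directory before anything is listed.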
- Cross-site scripting (XSS)
XSS allows attackers to execute scripts, on behalf of a vulnerable website, in a visitor’s browser. Users may be redirected to malicious sites, have their cookies stolen, or suffer any number of other attacks. It is important to employ application security testing in order to identify XSS flaws and protect yourself from them.
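An added Python example (not from the original article) of the server side of an XSS flaw: a page fragment that reflects a search term is rendered once with the input inserted verbatim and once with output encoding applied, plus a small regression check of the kind an application security test suite can run against rendered pages. The page template and the probe string are constructed for the demo.

```python
import html
from string import Template

# Constructed page fragment: the user's search term is shown twice, once as
# element text and once as a double-quoted attribute value.
PAGE = Template(
    "<p>Results for: $query_text</p>\n"
    '<input type="text" name="q" value="$query_attr">'
)

# Constructed test string: closes the attribute, then opens a script element.
PROBE = '"><script>alert(1)</script>'


def render_vulnerable(query: str) -> str:
    """Vulnerable: the input is written into the HTML verbatim, so markup inside
    it becomes part of the page the visitor's browser parses and executes."""
    return PAGE.substitute(query_text=query, query_attr=query)


def render_safe(query: str) -> str:
    """Fixed: encode the input for the context it lands in. html.escape() with
    quote=True (the default) covers element text and a double-quoted attribute."""
    encoded = html.escape(query, quote=True)
    return PAGE.substitute(query_text=encoded, query_attr=encoded)


def input_markup_leaked(rendered: str, user_input: str) -> bool:
    """Regression check for a test suite: if the raw input contains HTML-significant
    characters and still appears verbatim in the output, encoding was skipped."""
    significant = any(ch in user_input for ch in '<>"\'&')
    return significant and user_input in rendered


if __name__ == "__main__":
    print(render_vulnerable(PROBE))
    print(render_safe(PROBE))
```

Encoding is context specific: html.escape() is right for element text and quoted attributes, while a value landing inside a script block or a URL needs that context's encoder. In practice the "framework filtering function" the article recommends is a template engine with auto-escaping switched on, and a check like input_markup_leaked() guards against someone marking a value as safe by hand.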
- Inherited Vulnerabilities
In order to quickly create and prototype their applications, developers often leverage frameworks based on well-established languages such as JavaScript. They assume that something so popular must be secure because so many other developers are using it. But by pulling in components from unknown internet sources, you can open your application up to threats.
To protect your application, mirror the package you want to use in your development environment rather than deploying directly from the internet. In addition, scan your code base to locate vulnerable packages by using application vulnerability tools - specifically SCA (Software Composition Analysis) tools.
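An added Python example (not from the original article) of the two controls this section recommends: an SCA-style scan that matches pinned dependency versions against an advisory list, and a digest check run before a package is promoted into an internal mirror. The requirements file, the package names, the advisory identifiers and the fixed versions are all constructed; a real SCA tool would pull its advisories from a public vulnerability database rather than an inline list, and would also handle pre-release version suffixes, which this demo leaves out.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str      # first version that is no longer affected
    advisory_id: str   # placeholder identifier, not a real advisory


# Constructed advisory data for the demo; names, versions and IDs are invented.
ADVISORIES = [
    Advisory("examplelib", "2.4.1", "DEMO-0001"),
    Advisory("otherlib", "1.0.0", "DEMO-0002"),
]

# Constructed sample requirements file.
REQUIREMENTS = """\
# constructed sample
examplelib==2.3.0
otherlib==1.2.0
thirdlib>=1.0   # unpinned: not matched by this demo, flag separately
"""

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")


def parse_version(version: str) -> tuple:
    """Numeric-tuple comparison for dotted versions, so 1.10 sorts after 1.9."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> dict:
    """Read pinned name==version lines; comments, blank lines and unpinned
    specifiers are skipped (an unpinned dependency cannot be audited reliably)."""
    pins = {}
    for line in text.splitlines():
        match = REQ_LINE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def find_vulnerable(pins: dict, advisories=ADVISORIES) -> list:
    """Return (package, installed, fixed_in, advisory_id) for every pinned
    package whose version is below the first fixed version."""
    hits = []
    for adv in advisories:
        installed = pins.get(adv.package.lower())
        if installed and parse_version(installed) < parse_version(adv.fixed_in):
            hits.append((adv.package, installed, adv.fixed_in, adv.advisory_id))
    return sorted(hits)


def verify_mirrored_artifact(data: bytes, expected_sha256: str) -> bool:
    """Before a package enters the internal mirror, compare its digest with the
    one recorded when it was reviewed, so a changed upstream file is caught
    rather than deployed straight from the internet."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    for hit in find_vulnerable(parse_requirements(REQUIREMENTS)):
        print("vulnerable:", hit)
```

The mirror check is the same idea package managers expose as hash pinning (pip's --require-hashes mode): the digest is fixed at review time, and the build refuses an artifact that no longer matches it.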
Internal Application Security Issues
- Not using a variety of security testing tools
Your application will remain vulnerable if you are relying on just one or two application security testing tools. For full coverage, you need to use a wide variety of tools, combining both threat modeling and manual testing. You should include SCA tools, DAST (Dynamic Application Security Testing) tools, SAST (Static Application Security Testing) tools, and IAST (Interactive Application Security Testing) tools. You can then use an application vulnerability manager to correlate and present the results of all of these testing tools in one standard format.
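An added Python example (not from the original article) of the correlation step described above: output from a SAST, an IAST and a DAST tool, each in its own shape, is normalized into one record type and merged where two tools report the same weakness at the same location, keeping the highest severity and recording which tools agreed. The three tool outputs, the file paths and the URL are constructed for the demo; real tools emit formats such as SARIF or their own JSON, so each one needs its own small mapping function like the ones here.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    """One record in the common schema every tool's output is mapped into."""
    cwe: str
    location: str
    severity: str
    tools: set = field(default_factory=set)


# Constructed tool outputs. SAST and IAST know file and line; DAST knows only
# the URL it exercised, so a DAST finding never merges with a code location.
SAST_OUTPUT = [
    {"rule": "sql-injection", "cwe": 89, "file": "app/db.py", "line": 42, "level": "error"},
    {"rule": "hardcoded-secret", "cwe": 798, "file": "app/config.py", "line": 7, "level": "warning"},
]
IAST_OUTPUT = [
    {"vuln": "SQLi", "cwe": "CWE-89", "file": "app/db.py", "line": 42, "severity": "high"},
]
DAST_OUTPUT = [
    {"name": "SQL Injection", "cweid": "89", "url": "https://example.test/search", "risk": "High"},
    {"name": "Reflected XSS", "cweid": "79", "url": "https://example.test/search", "risk": "Medium"},
]

SAST_LEVELS = {"error": "high", "warning": "medium", "note": "low"}


def normalize_cwe(value) -> str:
    """Accept 89, "89" or "CWE-89" and return the canonical "CWE-89" form."""
    digits = str(value).upper().removeprefix("CWE-")
    return f"CWE-{int(digits)}"


def from_sast(rec: dict) -> Finding:
    return Finding(normalize_cwe(rec["cwe"]), f'{rec["file"]}:{rec["line"]}',
                   SAST_LEVELS[rec["level"]], {"sast"})


def from_iast(rec: dict) -> Finding:
    return Finding(normalize_cwe(rec["cwe"]), f'{rec["file"]}:{rec["line"]}',
                   rec["severity"].lower(), {"iast"})


def from_dast(rec: dict) -> Finding:
    return Finding(normalize_cwe(rec["cweid"]), rec["url"], rec["risk"].lower(), {"dast"})


def correlate(findings) -> dict:
    """Merge findings that describe the same weakness at the same location,
    keeping the highest severity and the union of the reporting tools."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.location)
        if key in merged:
            current = merged[key]
            current.tools |= f.tools
            if SEVERITY_RANK[f.severity] > SEVERITY_RANK[current.severity]:
                current.severity = f.severity
        else:
            merged[key] = Finding(f.cwe, f.location, f.severity, set(f.tools))
    return merged


def report() -> list:
    """Return the unified view as (cwe, location, severity, tools) tuples,
    highest severity first."""
    findings = ([from_sast(r) for r in SAST_OUTPUT]
                + [from_iast(r) for r in IAST_OUTPUT]
                + [from_dast(r) for r in DAST_OUTPUT])
    rows = ((f.cwe, f.location, f.severity, ",".join(sorted(f.tools)))
            for f in correlate(findings).values())
    return sorted(rows, key=lambda row: (-SEVERITY_RANK[row[2]], row[0], row[1]))


if __name__ == "__main__":
    for row in report():
        print(row)
```

The finding that both SAST and IAST agree on rises to the top of the list with both tools named, which is the signal a triager wants: two independent techniques confirming one weakness is a better use of developer time than either tool's output read on its own.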
- Not tracking progress
Don’t stop at identifying threats and vulnerabilities to your applications. Once you’ve found them, you need to take action to handle them. Distribute the application security issues among your developers so that someone is on top of, and prepared to take care of, any challenge or vulnerability that comes up. Choose a tool that will allow you to easily track progress and provide you with all the information you will need.
- Not developing a formal application security plan
It is essential that you develop and stick to a formal plan for application security. Document the tools and organizational standards you are using. Revisit your plan regularly to make sure it continues to meet the needs of your business. Measure and record the results so that you can gauge the performance of your organization and tweak policies when necessary.
Making sure your application is safe and secure is well worth the time and effort. Don’t skip over the crucial step of finding and avoiding the above-mentioned application security vulnerabilities. It is a necessary investment that will prove itself fundamental to your company’s success as well as its reputation.