Application Security Approaches - Design Review
Before code is written, the application’s architecture and design can be reviewed for security problems. A common technique in this phase is the creation of a threat model.
Application Security Approaches - White-Box Testing/Code Review
Critical examination of internal structure, architecture, design, etc.
Application Security Approaches - Black-Box Testing
Tests functionality rather than internal structure
Application Security Approaches - Automated Tooling
Many security tools can be automated by including them in the development or testing environment. Examples are automated DAST/SAST tools that are integrated into code editors or CI/CD platforms.
DAST/SAST
SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) are complementary security methodologies
Application Security Approaches - Coordinated Vulnerability Platforms
These are hacker-powered application security solutions offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs
CI/CD Platforms
Continuous Integration/Continuous Deployment
These platforms automate software testing, integration, and delivery, accelerating development pipelines and enhancing code quality. Examples include GitLab, Azure DevOps, etc.
Common/Critical Security Threats - Broken Access Control
Generally includes identification, authorization, authentication, access approval, and audit (usernames, passwords, MFA, etc.)
This is “broken” when applications fail to properly restrict user actions, allowing unauthorized access to data, modification of resources, privilege escalation, etc.
Common/Critical Security Threats - Cryptographic Failures
When sensitive data is not properly protected by encryption, algorithms, or key management.
Common/Critical Security Threats - (Code) Injections
A computer security exploit where a program fails to correctly process external data, causing it to interpret the data as an executable command. Attackers inject code into a program while it's running.
These vulnerabilities arise when an app sends untrusted data to an interpreter, like an SQL database or XML parser.
“Who’s on First?” but in coding
Common/Critical Security Threats - Insecure Design
Not a coding error but a failure to embed security into design, requiring remediation through better planning, threat modeling, and secure design patterns, rather than just patching.
Common/Critical Security Threats - Security Misconfiguration
Back-end/Admin issues where systems are incorrectly set up, allowing unauthorized data access, system breaches, etc.
Common/Critical Security Threats - Vulnerable and Outdated Components
Use of third-party code that is outdated or requires patches. For example, an OS that is no longer supported.