Web Application Security

Web Application Security is the process of protecting websites and online services against security threats that exploit vulnerabilities in application code. The global nature of the Internet exposes web properties to attacks from many locations and at varying levels of scale and complexity. Web application security deals specifically with the security of websites, web services and APIs. Organizations that fail to secure their web applications run the risk of being attacked, which can result in information theft, damaged client relationships, revoked licenses and legal proceedings.

One thing all web applications have in common is that they handle data. Groups exist who want to steal that data, whether for surveillance purposes, to commit fraud, or simply to sell it on. Attacks against web apps range from targeted database manipulation to large-scale network disruption. It is important to understand that web security testing is not only about testing the security features that may be implemented in the application, but also about verifying that its other features are implemented in a secure way.

Major Web Application Attacks:

1. SQL Injection

2. XSS (Cross Site Scripting)

3. Remote Command Execution

4. Path Traversal

5. DoS (Denial of Service) and DDoS (Distributed Denial of Service)

6. Memory corruption

7. Data Breach

Below are some of the different types of security testing:

DAST (Dynamic Application Security Testing): DAST works from the outside-in on a running app. It's a lot like having a team of experts try to break into your bank vault for you. This is what's known as a "black box" security testing technique, because the code running behind the web app is not visible to the test.

SAST (Static Application Security Testing): SAST works from the inside-out on static code. A good analogy would be having an expert review the blueprints for your bank vault to look for flaws. This is what's known as a "white box" security testing technique, because the test can see the web app's code in its entirety.

IAST (Interactive Application Security Testing): IAST instruments a running application in order to find vulnerabilities. It's a lot like placing sensors inside your bank vault to see what effect your (DAST) attacks are having. This is known as a "gray box" security testing technique, effectively a mixture of the black box and white box methodologies. It can see vulnerabilities that DAST alone would be "blind" to.

Penetration Testing: This manual application security test is best for critical applications, especially those undergoing major changes. The assessment involves business logic and adversary-based testing to discover advanced attack scenarios.

A mature web security program should incorporate a balanced mix of tools and processes for maximum coverage. Any gaps in that coverage could leave vulnerabilities undetected and put data at risk.