Share
VIDEOS 1 TO 50
Application Security - Understanding, Exploiting and Defending against Top Web Vulnerabilities
Application Security - Understanding, Exploiting and Defending against Top Web Vulnerabilities
Published: 2014/03/16
Channel: CernerEng
Application Security 101: Full Workshop
Application Security 101: Full Workshop
Published: 2016/07/08
Channel: SecureSet
Application Security Conundrum
Application Security Conundrum
Published: 2016/04/01
Channel: Security Innovation
Web Application Security Fundamentals Webinar pt 1
Web Application Security Fundamentals Webinar pt 1
Published: 2009/06/22
Channel: PCISboonbox
Application Security: Everything we know is wrong - Eoin Keary
Application Security: Everything we know is wrong - Eoin Keary
Published: 2013/11/26
Channel: OWASP
What is Application Security Testing?
What is Application Security Testing?
Published: 2013/12/17
Channel: IBM Security
How to Defend Against Web Application Security Threats
How to Defend Against Web Application Security Threats
Published: 2015/08/06
Channel: solarwindsinc
Ten Secrets to Secure Mobile Applications - OWASP AppSecUSA 2014
Ten Secrets to Secure Mobile Applications - OWASP AppSecUSA 2014
Published: 2014/09/28
Channel: OWASP
Application Security for Software Engineers
Application Security for Software Engineers
Published: 2014/10/30
Channel: IEEE Young Professionals
Top 5 Android Security Apps
Top 5 Android Security Apps
Published: 2015/02/06
Channel: Digital Trends
CISSP CBK Overview - Application Security
CISSP CBK Overview - Application Security
Published: 2015/01/14
Channel: Become Cissp
How to Hack Website: SQL injection, Web Application Security
How to Hack Website: SQL injection, Web Application Security
Published: 2015/05/03
Channel: HackzMaroo
Identify & Remediate Application Security Vulnerabilities Effectively
Identify & Remediate Application Security Vulnerabilities Effectively
Published: 2015/08/04
Channel: IBM Security
9. Securing Web Applications
9. Securing Web Applications
Published: 2017/03/30
Channel: MIT OpenCourseWare
A Software Engineer’s Career Path into Application Security
A Software Engineer’s Career Path into Application Security
Published: 2014/12/17
Channel: Security Innovation
Web Application Security - NGWAF, RASP, WAF What The Hell
Web Application Security - NGWAF, RASP, WAF What The Hell's The Difference | Signal Sciences
Published: 2016/11/10
Channel: NGINX, Inc
Hack.me: a new way to learn web application security - Armando Romeo
Hack.me: a new way to learn web application security - Armando Romeo
Published: 2013/11/28
Channel: OWASP
Mobile Application Security - CompTIA Security+ SY0-401: 4.2
Mobile Application Security - CompTIA Security+ SY0-401: 4.2
Published: 2014/09/14
Channel: Professor Messer
Application Security in the Cloud: Best Practices
Application Security in the Cloud: Best Practices
Published: 2012/06/20
Channel: RightScale
Reduce your application security risk with IBM
Reduce your application security risk with IBM's cognitive capabilities
Published: 2017/03/20
Channel: IBM Security
iOS Security: The Neverending Story of Application-Security
iOS Security: The Neverending Story of Application-Security
Published: 2014/05/08
Channel: RSA Conference
Application Security Solutions
Application Security Solutions
Published: 2014/03/04
Channel: F5 Networks, Inc.
An introduction to Android application security testing (by Nikolay Elenkov)
An introduction to Android application security testing (by Nikolay Elenkov)
Published: 2017/03/26
Channel: u'smile Mobile Security Research
Web Application Security and You: Intro to OWASP and Penetration Testing w/ Micah Hausler
Web Application Security and You: Intro to OWASP and Penetration Testing w/ Micah Hausler
Published: 2015/07/23
Channel: Chadev
t101 Application Security in an Agile SDLC Dennis Hurst
t101 Application Security in an Agile SDLC Dennis Hurst
Published: 2015/10/15
Channel: Adrian Crenshaw
Top 10 Interview Questions: Web Application Security Testing
Top 10 Interview Questions: Web Application Security Testing
Published: 2017/04/26
Channel: All About Testing
Defending Behind The Device: Mobile Application Security
Defending Behind The Device: Mobile Application Security
Published: 2012/12/09
Channel: CS50
Introduction to Web Application Security (Cross Site Scripting - XSS)
Introduction to Web Application Security (Cross Site Scripting - XSS)
Published: 2013/01/25
Channel: Hugh Pearse
Web Application Security
Web Application Security
Published: 2010/02/15
Channel: acunetix
Getting Single Page Application Security Right by Philippe De Ryck
Getting Single Page Application Security Right by Philippe De Ryck
Published: 2015/11/11
Channel: Devoxx
Effective Application Security Testing for DevOps
Effective Application Security Testing for DevOps
Published: 2017/02/16
Channel: RSA Conference
Manage Application Vulnerabilities Effectively with IBM Application Security Risk Management
Manage Application Vulnerabilities Effectively with IBM Application Security Risk Management
Published: 2015/09/24
Channel: IBM Security
Web Application Security Risks: A Look at OWASP Top Ten 2017 - Christian Wenz
Web Application Security Risks: A Look at OWASP Top Ten 2017 - Christian Wenz
Published: 2017/07/10
Channel: NDC Conferences
How to use the IBM Application Security on  Cloud service
How to use the IBM Application Security on Cloud service
Published: 2016/05/12
Channel: developerWorks TV
Web Application Security Demo
Web Application Security Demo
Published: 2010/10/07
Channel: Imperva
Web Application Security: Browsers Fight Back! - Christian Wenz
Web Application Security: Browsers Fight Back! - Christian Wenz
Published: 2017/03/22
Channel: NDC Conferences
HPE Fortify Application Security - Demo and Presentation
HPE Fortify Application Security - Demo and Presentation
Published: 2017/01/18
Channel: ResultsPositive
Burp Suite for Web Application Security | #8 | Introduction to Password Security |
Burp Suite for Web Application Security | #8 | Introduction to Password Security |
Published: 2016/04/25
Channel: Manish Agrawal
Comprehensive IBM Application Security on Cloud Demo: May 2017 Edition
Comprehensive IBM Application Security on Cloud Demo: May 2017 Edition
Published: 2017/05/12
Channel: IBM Security
Configure and Run an Application Security Scan with IBM Security AppScan Standard
Configure and Run an Application Security Scan with IBM Security AppScan Standard
Published: 2016/03/07
Channel: IBM Security
Burp Suite for Web Application Security by Bucky #3 | HTTPS HD
Burp Suite for Web Application Security by Bucky #3 | HTTPS HD
Published: 2016/03/30
Channel: Manish Agrawal
Burp Suite for Web Application Security #4 | Mapping Manually and Scope HD
Burp Suite for Web Application Security #4 | Mapping Manually and Scope HD
Published: 2016/04/02
Channel: Manish Agrawal
Burp Suite for Web Application Security by Bucky #1 | Introduction HD
Burp Suite for Web Application Security by Bucky #1 | Introduction HD
Published: 2016/03/30
Channel: Manish Agrawal
Managing Application Security Risk Effectively with IBM
Managing Application Security Risk Effectively with IBM
Published: 2015/04/23
Channel: IBM Security
Application Security Product Demo (4 min)
Application Security Product Demo (4 min)
Published: 2016/02/16
Channel: Sumo Logic, Inc.
Application Security for Healthcare
Application Security for Healthcare
Published: 2016/07/22
Channel: WhiteHat Security
Mobile Application Security Testing - Part 1 - ClubHack 2009
Mobile Application Security Testing - Part 1 - ClubHack 2009
Published: 2012/01/06
Channel: ClubHackTv
Burp Suite for Web Application Security | #9 | Intruder HD |
Burp Suite for Web Application Security | #9 | Intruder HD |
Published: 2016/04/25
Channel: Manish Agrawal
Security in a Java Web Application - Tutorial 01 (GlassFish + Basic Authentication)
Security in a Java Web Application - Tutorial 01 (GlassFish + Basic Authentication)
Published: 2013/04/16
Channel: zaneacademy
Apply an Application Security Policy to an API
Apply an Application Security Policy to an API
Published: 2016/04/21
Channel: Akana
NEXT
GO TO RESULTS [51 .. 100]

WIKIPEDIA ARTICLE

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Application security encompasses measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.

Different techniques are used to surface such security vulnerabilities at different stages of an applications lifecycle such design, development, deployment, upgrade, or maintenance.

An always evolving but largely consistent set of common security flaws are seen across different applications, see common flaws

Terms[edit]

  • Asset. A resource of value such as the data in a database, money in an account, file on the filesystem or any system resource.
  • Vulnerability. A weakness or gap in security program that can be exploited by threats to gain unauthorized access to an asset.
  • Attack (or exploit). An action taken to harm an asset.
  • Threat. Anything that can exploit a vulnerability and obtain, damage, or destroy an asset.

Techniques[edit]

Different techniques will find different subsets of the security vulnerabilities lurking in an application and are most effective at different times in the software lifecycle. They each represent different tradeoffs of time, effort, cost and vulnerabilities found.

  • Whitebox security review, or code review. This is a security engineer deeply understanding the application through manually reviewing the source code and noticing security flaws. Through comprehension of the application vulnerabilities unique to the application can be found.
  • Blackbox security audit. This is only through use of an application testing it for security vulnerabilities, no source code required.
  • Design review. Before code is written working through a Threat_model of the application. Sometimes alongside a spec or design document.
  • Tooling. There exist many automated tools that test for security flaws, often with a higher false positive rate than having a human involved.

Utilizing these techniques appropriately throughout the software development life cycle (SDLC) to maximize security is the role of an application security team.

Application threats / attacks[edit]

According to the patterns & practices Improving Web Application Security book, the following are classes of common application security threats / attacks:

Category Threats / Attacks
Input Validation Buffer overflow; cross-site scripting; SQL injection; canonicalization
Software Tampering Attacker modifies an existing application's runtime behavior to perform unauthorized actions; exploited via binary patching, code substitution, or code extension
Authentication Network eavesdropping ; Brute force attack; dictionary attacks; cookie replay; credential theft
Authorization Elevation of privilege; disclosure of confidential data; data tampering; luring attacks
Configuration management Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts
Sensitive information Access sensitive code or data in storage; network eavesdropping; code/data tampering
Session management Session hijacking; session replay; man in the middle
Cryptography Poor key generation or key management; weak or custom encryption
Parameter manipulation Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
Exception management Information disclosure; denial of service
Auditing and logging User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks

Mobile application security[edit]

The proportion of mobile devices providing open platform functionality is expected to continue to increase in future. The openness of these platforms offers significant opportunities to all parts of the mobile eco-system by delivering the ability for flexible program and service delivery= options that may be installed, removed or refreshed multiple times in line with the user’s needs and requirements. However, with openness comes responsibility and unrestricted access to mobile resources and APIs by applications of unknown or untrusted origin could result in damage to the user, the device, the network or all of these, if not managed by suitable security architectures and network precautions. Application security is provided in some form on most open OS mobile devices (Symbian OS,[1] Microsoft,[citation needed] BREW, etc.). Industry groups have also created recommendations including the GSM Association and Open Mobile Terminal Platform (OMTP).[2]

There are several strategies to enhance mobile application security including

  • Application white listing
  • Ensuring transport layer security
  • Strong authentication and authorization
  • Encryption of data when written to memory
  • Sandboxing of applications
  • Granting application access on a per-API level
  • Processes tied to a user ID
  • Predefined interactions between the mobile application and the OS
  • Requiring user input for privileged/elevated access
  • Proper session handling

Security testing for applications[edit]

Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle.

Vulnerability scanners, and more specifically web application scanners, otherwise known as penetration testing tools (i.e. ethical hacking tools) have been historically used by security organizations within corporations and security consultants to automate the security testing of http request/responses; however, this is not a substitute for the need for actual source code review. Physical code reviews of an application's source code can be accomplished manually or in an automated fashion. Given the common size of individual programs (often 500,000 lines of code or more), the human brain can not execute a comprehensive data flow analysis needed in order to completely check all circuitous paths of an application program to find vulnerability points. The human brain is suited more for filtering, interrupting and reporting the outputs of automated source code analysis tools available commercially versus trying to trace every possible path through a compiled code base to find the root cause level vulnerabilities.

The two types of automated tools associated with application vulnerability detection (application vulnerability scanners) are Penetration Testing Tools (often categorized as Black Box Testing Tools) and static code analysis tools (often categorized as White Box Testing Tools).

According to Gartner Research,[3] "...next-generation modern Web and mobile applications requires a combination of SAST and DAST techniques, and new interactive application security testing (IAST) approaches have emerged that combine static and dynamic techniques to improve testing...". Because IAST combines SAST and DAST techniques, the results are highly actionable, can be linked to the specific line of code, and can be recorded for replay later for developers.

Banking and large E-Commerce corporations have been the very early adopter customer profile for these types of tools. It is commonly held within these firms that both Black Box testing and White Box testing tools are needed in the pursuit of application security. Typically sited, Black Box testing (meaning Penetration Testing tools) are ethical hacking tools used to attack the application surface to expose vulnerabilities suspended within the source code hierarchy. Penetration testing tools are executed on the already deployed application. White Box testing (meaning Source Code Analysis tools) are used by either the application security groups or application development groups. Typically introduced into a company through the application security organization, the White Box tools complement the Black Box testing tools in that they give specific visibility into the specific root vulnerabilities within the source code in advance of the source code being deployed. Vulnerabilities identified with White Box testing and Black Box testing are typically in accordance with the OWASP taxonomy for software coding errors. White Box testing vendors have recently introduced dynamic versions of their source code analysis methods; which operates on deployed applications. Given that the White Box testing tools have dynamic versions similar to the Black Box testing tools, both tools can be correlated in the same software error detection paradigm ensuring full application protection to the client company.

The advances in professional Malware targeted at the Internet customers of online organizations has seen a change in Web application design requirements since 2007. It is generally assumed that a sizable percentage of Internet users will be compromised through malware and that any data coming from their infected host may be tainted. Therefore, application security has begun to manifest more advanced anti-fraud and heuristic detection systems in the back-office, rather than within the client-side or Web server code.[4]

Security standards and regulations[edit]

See also[edit]

References[edit]

External links[edit]

Disclaimer

None of the audio/visual content is hosted on this site. All media is embedded from other sites such as GoogleVideo, Wikipedia, YouTube etc. Therefore, this site has no control over the copyright issues of the streaming media.

All issues concerning copyright violations should be aimed at the sites hosting the material. This site does not host any of the streaming media and the owner has not uploaded any of the material to the video hosting servers. Anyone can find the same content on Google Video or YouTube by themselves.

The owner of this site cannot know which documentaries are in public domain, which has been uploaded to e.g. YouTube by the owner and which has been uploaded without permission. The copyright owner must contact the source if he wants his material off the Internet completely.

Powered by YouTube
Wikipedia content is licensed under the GFDL and (CC) license