Application Security

What is Application Security?

Application security aims to protect software application code and data against cyber threats. You can and should apply application security during all phases of development, including design, development, and deployment.

Here are several ways to promote application security throughout the software development lifecycle (SDLC):

  • Introduce security standards and tools during design and application development phases. For example, include vulnerability scanning during early development.
  • Implement security procedures and systems to protect applications in production environments. For example, perform continuous security testing.
  • Implement strong authentication for applications that contain sensitive data or are mission critical.
  • Use security systems such as firewalls, web application firewalls (WAF), and intrusion prevention systems (IPS).

What Types of Applications Does a Modern Organization Need to Secure?

Web Application Security

A web application is software that runs on a web server and is accessible via the Internet. The client runs in a web browser. By nature, applications must accept connections from clients over insecure networks. This exposes them to a range of vulnerabilities. Many web applications are business critical and contain sensitive customer data, making them a valuable target for attackers and a high priority for any cyber security program. The evolution of the Internet has addressed some web application vulnerabilities – such as the introduction of HTTPS, which creates an encrypted communication channel that protects against man in the middle (MitM) attacks. However, many vulnerabilities remain. The most severe and common vulnerabilities are documented by the Open Web Application Security Project (OWASP), in the form of the OWASP Top 10.

Due to the growing problem of web application security, many security vendors have introduced solutions especially designed to secure web applications. Examples include the web application firewall (WAF), a security tool designed to detect and block application-layer attacks.

API Security

Application Programming Interfaces (API) are growing in importance. They are the basis of modern microservices applications, and an entire API economy has emerged, which allows organizations to share data and access software functionality created by others. This means API security is critical for modern organizations.

APIs that suffer from security vulnerabilities are the cause of major data breaches. They can expose sensitive data and result in disruption of critical business operations. Common security weaknesses of APIs are weak authentication, unwanted exposure of data, and failure to perform rate limiting, which enables API abuse.

Like web application security, the need for API security has led to the development of specialized tools that can identify vulnerabilities in APIs and secure APIs in production.

Cloud Native Application Security

Cloud native applications are applications built in a microservices architecture using technologies like virtual machines, containers, and serverless platforms. Cloud native security is a complex challenge, because cloud native applications have a large number of moving parts and components tend to be ephemeral—frequently torn down and replaced by others. This makes it difficult to gain visibility over a cloud native environment and ensure all components are secure.

In cloud native applications, infrastructure and environments are typically set up automatically based on declarative configuration—this is called infrastructure as code (IaC). Developers are responsible for building declarative configurations and application code, and both should be subject to security considerations. Shifting left is much more important in cloud native environments, because almost everything is determined at the development stage.

Cloud native applications can benefit from traditional testing tools, but these tools are not enough. Dedicated cloud native security tools are needed, able to instrument containers, container clusters, and serverless functions, report on security issues, and provide a fast feedback loop for developers.
Another important aspect of cloud native security is automated scanning of all artifacts, at all stages of the development lifecycle. Most importantly, organizations must scan container images at all stages of the development process.