De-mystifying Security Series: Application Security - Know The Essentials
Application security is a hot topic for developers, CTOs and CIOs. Cross-site scripting, SQL injection attacks and other techniques all have the potential to compromise your application, data, network – and even the future of your business.
Here are some key terms you need to know as you work to improve application security.
SDLC – Software Development Life Cycle
The software development life cycle (SDLC) encompasses the entire application process, from initial concept, to coding, to go-live, to updates and maintenance. The way in which businesses approach the SDLC will have a significant bearing on the security of the finished product.
Security is now a cornerstone consideration of the development process, leading to the creation of the S-SDLC methodology – the secure software development lifecycle. Championed by the OWASP foundation, S-SDLC ensures that security is designed in from the start and tested at every stage, so that the application is hardened at every opportunity.
Application assessments provide a structured routine to test existing software for vulnerabilities using the same techniques employed by cybercriminals and hackers.
Penetration testing is used to probe applications for vulnerabilities that could be exploited to steal data, compromise the company network, or disrupt operations. Testing for attacks such as cross-site scripting (XSS) and SQL injection (SQLi) reveals areas of concern that need to be addressed.
Secure code assessments review the underlying code, confirming that secure development best practice has been applied. These checks also assess the risk presented by third-party APIs, libraries and associated software to ensure they are patched, up-to-date and secure.
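To make the penetration-testing and secure-code-assessment points concrete, here is an added example (not code from the original article) showing the kind of defect a code review flags for SQL injection, beside its hardened form. It assumes a small in-memory SQLite table and a constructed lookup input; the single-quote character in that input is what a tester sends to learn whether user input reaches the query as code rather than as data.

```python
import sqlite3

# Constructed sample data (not from the article): a small in-memory user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, name):
    """What a secure code assessment flags: input spliced into the SQL text.

    The caller's string becomes part of the statement, so a quote character in
    it can change the query's structure instead of acting only as a value.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_parameterized(conn, name):
    """Hardened form: a bound parameter is always treated as data by the driver."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with a normal name and a constructed quote-bearing input."""
    conn = make_db()
    normal = "alice"
    # Constructed test input (hypothetical): contains a quote so that, in the
    # vulnerable function, the WHERE clause no longer restricts the rows.
    crafted = "nobody' OR 'a'='a"
    return {
        "vulnerable_normal": lookup_email_vulnerable(conn, normal),
        "vulnerable_crafted": lookup_email_vulnerable(conn, crafted),
        "parameterized_normal": lookup_email_parameterized(conn, normal),
        "parameterized_crafted": lookup_email_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The vulnerable function returns every e-mail address for the crafted input, because the finished statement reads `WHERE name = 'nobody' OR 'a'='a'`. The parameterized version returns nothing for the same input, since the database compares the whole string, quote included, against the `name` column. This is the check a code assessment performs across all query-building code, and the parameterized form is the fix it recommends.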
WAF - Web Application Firewall
A web application firewall (WAF) controls HTTP traffic to an application. The WAF monitors traffic, blocking suspicious activity and known attack types. Typically a WAF is configured to accept only traffic and content from known sources, or which conforms to pre-configured access policies. By default, the WAF also prevents requests from reaching other web server resources.
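The access-policy behaviour described above, as an added illustration that is not code from the original article or from any WAF product: a default-deny evaluator that admits a request only when it comes from a known source and matches a configured method-and-path rule. The policy values, the `Request` type and the sample requests are constructed for the example; the addresses are from the 203.0.113.0/24 documentation range. The one practitioner detail worth noticing is that paths are normalised before matching, so a request for `/app/../admin` is judged as `/admin` and is blocked rather than slipping past a prefix check.

```python
import posixpath
from dataclasses import dataclass

# Constructed policy (hypothetical): the only traffic the WAF admits.
POLICY = {
    "allowed_sources": {"203.0.113.10", "203.0.113.11"},
    # (method, path prefix) pairs; a prefix matches itself and anything beneath it.
    "allowed_routes": [("GET", "/app"), ("POST", "/app/login")],
}


@dataclass
class Request:
    source_ip: str
    method: str
    path: str


def normalise_path(path):
    """Collapse '.' and '..' segments so matching sees the path the server would serve."""
    return posixpath.normpath("/" + path.lstrip("/"))


def evaluate(request, policy=POLICY):
    """Return (allowed, reason). Anything not explicitly permitted is blocked."""
    if request.source_ip not in policy["allowed_sources"]:
        return False, "source not in allowlist"
    path = normalise_path(request.path)
    for method, prefix in policy["allowed_routes"]:
        if request.method == method and (path == prefix or path.startswith(prefix + "/")):
            return True, "matches access policy"
    return False, "path or method not covered by policy"


# Constructed sample requests (hypothetical) exercising each decision branch.
SAMPLE_REQUESTS = [
    Request("203.0.113.10", "GET", "/app/index.html"),   # known source, allowed route
    Request("203.0.113.10", "POST", "/app/login"),       # known source, allowed route
    Request("203.0.113.10", "GET", "/app/../admin/"),    # traversal to a non-app resource
    Request("203.0.113.10", "POST", "/app/logout"),      # method/path pair not in policy
    Request("198.51.100.7", "GET", "/app/"),             # unknown source
]


def run_samples():
    """Evaluate every sample request and return the decisions in order."""
    return [evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, (allowed, reason) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{req.method} {req.path} from {req.source_ip}: {'ALLOW' if allowed else 'BLOCK'} ({reason})")
```

Real products layer signature and anomaly checks for known attack types on top of this access-policy logic; what the example isolates is the default-deny posture, which is why requests for resources outside the configured application are blocked without any rule naming them.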
Recently the industry has begun moving towards Next Generation Web Application Firewalls (NG WAF) to better protect the modern hybrid operating environment that encompasses cloud and on-site resources. Often deployed as an agent on each property, the NG WAF is still primarily concerned with controlling HTTP traffic to and from specific applications.