In today's technology-driven world, businesses need to make sure their digital assets are adequately protected against attacks. In many cases, Internet-facing applications have become a primary target for attackers. Applications that have not been properly hardened and tested can provide access to sensitive data or even permit full compromise of the underlying operating system.

However, because application environments are increasingly complex, many businesses have trouble determining where to start when it comes to improving application security. Dynamic Application Security Testing (DAST) is a "limited knowledge" testing method (meaning the tester has no access to the source code) used by LBMC Cybersecurity to evaluate the security of a specific application in its running state. It searches for vulnerabilities that could be exploited by an attacker and then provides recommendations for mitigating the identified security issues as well as their "root cause."

To help determine if an application security assessment of this nature is appropriate for your needs, here’s an overview of important areas to consider when it comes to application security assessments.

Benefits of an Application Security Assessment

Here are a few important reasons to consider an application security assessment:

  1. Identify exploitable security risks in your website or application. Whether your application was developed in-house or by a third party, it's important to make sure it is not vulnerable to common application security issues.
  2. Improve your overall security posture. In addition to identifying potential risks, an application security assessment also provides actionable steps to resolve them. While fixing the issues found during testing is important, analysis of the "root cause" of identified issues can also lead to improvements in insecure SDLC processes.
  3. Ensure your application complies with cybersecurity regulations. Beyond making sure your application is adequately protected, it's also important to consider the specific industry regulations that apply to your business. Whether you're a retailer looking to develop an online shopping portal or a hospital looking to create an app for your patients, it's important to make sure your app meets the latest regulatory requirements.

Important Questions to Consider Before Conducting an Application Security Assessment

While there are many different factors that go into determining the scope of what should be tested in an application security assessment, there are a few key questions to help determine the appropriate testing approach:

  1. Who is most likely to pose a threat? It's important to consider who is likely to attempt to abuse this application. Is it anonymous users on the Internet? Your customers? Internal users?
  2. What kind of data are you trying to protect? Identifying the types of data you want to protect, how sensitive that data is, and where it resides will help prioritize security measures.
  3. What does your application's attack surface look like? It is important to define the trust boundaries and the attack surface that is exposed to untrusted and trusted users.
  4. Where have you struggled with application-related security issues in the past? This may point you toward potential areas of concern. What application security incidents, if any, have taken place in the past?

Taking the time to answer these questions is an important step for maximizing the effectiveness of an application security assessment. Answering these questions makes it easier to prioritize efforts in identifying and remediating potential issues.

Examples of Application Security Vulnerabilities

Our team at LBMC Cybersecurity has found that the most effective assessments take a testing approach that covers, but is not limited to, common application security vulnerabilities such as those outlined in the Open Web Application Security Project's (OWASP) "Top 10 Application Security Risks." Below is a brief overview of the 10 vulnerability categories:

  1. Injection flaws. Injection flaws are very common, especially in legacy code. The most widely recognized injection flaw is SQL Injection (SQLi).
  2. Broken authentication. Because authentication and session management functions are often improperly implemented, they frequently have flaws in areas such as logout, password management, timeouts, "remember me" features, secret questions, account updates, and so on.
  3. Sensitive data exposure. One of the most common flaws is simply not encrypting sensitive data. When cryptography is used, weak key generation and management and the use of weak algorithms are common, particularly weak password hashing techniques.
  4. XML External Entities (XXE). Older or poorly configured XML processors evaluate external entity references within XML documents, allowing external entities to be used to disclose internal files and internal file shares, perform internal port scanning, achieve remote code execution, and even cause denial-of-service attacks.
  5. Broken access control. Because restrictions for authenticated users are not always properly enforced, attackers can exploit flaws to access unauthorized data or functionality.
  6. Security misconfiguration. Security misconfiguration is the most commonly observed issue; it can happen at any level of an application stack and provides easy avenues of access for hackers.
  7. Cross-Site Scripting (XSS). XSS flaws occur when an application includes user-supplied data in a page sent to the browser without properly validating or escaping that content.
  8. Insecure deserialization. Insecure deserialization can lead to remote code execution, but even when it does not, it can be used to perform replay, injection, and privilege escalation attacks.
  9. Using components with known vulnerabilities. Virtually every application has these issues because most development teams don't focus on ensuring their components/libraries are up to date.
  10. Insufficient logging & monitoring. Coupled with missing or ineffective integration with incident response, insufficient logging and monitoring can allow attackers to gain further entry into a system where more damage can be done.
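Two of the categories above, injection (item 1) and cross-site scripting (item 7), come down to the same mistake: untrusted input is mixed into a language (SQL, HTML) that the receiving system then parses. The script below is an added example, not code from the original article or from LBMC's own tooling. It uses only the Python standard library, seeds an in-memory SQLite table with constructed sample rows, and shows each vulnerable pattern next to its fix with a constructed test input, so a developer can see exactly why parameterized queries and context-appropriate escaping stop the flaw.

```python
import html
import sqlite3

# Constructed sample data: a tiny user table for the demonstration (not real data).
SAMPLE_USERS = [("alice", "alice-secret"), ("bob", "bob-secret")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injection flaw: the input is concatenated into the SQL text, so a quote
    character in the input changes the structure of the WHERE clause."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fix: a parameterized query. The driver sends the value separately from
    the SQL text, so the input is only ever treated as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def greeting_vulnerable(name: str) -> str:
    """XSS flaw: user-supplied data is placed into HTML without escaping,
    so any markup in the input is rendered by the browser."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Fix: escape the data for the context it lands in (HTML element text).
    quote=True also neutralises quotes, which matters inside attributes."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed test input: a quote that turns the WHERE clause into "always true".
    probe = "x' OR '1'='1"
    print("vulnerable lookup:   ", find_user_vulnerable(db, probe))  # every user
    print("parameterized lookup:", find_user_safe(db, probe))        # no match
    # Constructed test input: markup that a browser would interpret as a tag.
    tag = "<script>x</script>"
    print("unescaped:", greeting_vulnerable(tag))
    print("escaped:  ", greeting_safe(tag))
```

The same lookup name returns every row through the concatenated query and nothing through the parameterized one, which is the behaviour a DAST scan probes for from the outside; the code-level fix is what a root-cause analysis should feed back into the SDLC.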

Is Your Application Vulnerable?

At LBMC Cybersecurity, we want to make sure you can answer this question. If you would like to conduct an application security assessment, learn more about how our team can help you identify potential security vulnerabilities and create an actionable plan for protecting the applications and systems that are essential to your business.

Content provided by Andrew Smith, Principal Security Consultant at LBMC.