Application architects and developers are an integral part of the application development system. Their effort ultimately translates into the Web application. They need to be aware of security issues affecting Web applications, so that they go one step beyond their regular area of functional requirements and build security into the Web application from its inception. It is widely acknowledged across the industry that developers are largely ignorant (or unaware) of protection strategies for Web applications and of the secure coding practices that protect against Web application attacks. This oversight by the architects and developers is not identified and corrected during code review or during the testing phase. Lack of awareness also causes the code review process or the testing process to overlook vulnerabilities that might have crept into the application because of improper coding practices. According to a Gartner survey,* almost 75% of all security vulnerabilities in Web applications are the result of software flaws. Risk management goes a long way toward nourishing a culture of security, through security awareness.
5.1.2.6 Facilitates Security Testing
Web applications are tested for their performance and data handling capabilities, but security testing is often ignored for a Web application. With the current spate of Web application attacks, it is imperative that any organization that wants to secure its Web applications, and consequently its data, test those Web applications for security. Security testing for a Web application involves performing tests to validate the security of the underlying infrastructure components, such as the Web/application server and database platforms, against common vulnerabilities like buffer overflow conditions or code execution vulnerabilities. Apart from testing these infrastructure components, testing also has to be performed for the Web application hosted on the Web/application server and the database server. An effective Web application security test is performed using a combination of automatic and manual methods, where the application is tested for several common Web application vulnerabilities, ranging from cross-site scripting, broken authentication, and insecure cryptographic storage to SQL injection. Risk management is naturally aligned toward facilitating comprehensive testing, to ensure that all the risks identified during design and development are actually fixed and that any residual risk is identified and brought to light. Risk assessment is the first step in the risk management process, and one of its key elements is to understand, profile, and model threats and their vectors. Threat profiling and modeling not only give management, developers, and architects immense clarity on the various threats and possible attacks on the Web application, and on the protection strategies that need to be deployed against the threats and vectors identified, but also greatly benefit the testing personnel in performing comprehensive Web application security testing. Threat models and profiles can be used by the testing personnel to design and deploy attack vectors and payloads with which the application is tested for Web application vulnerabilities. Threat modeling and profiling also help the testing team create abuse cases. Abuse cases are essentially use cases for Web application attacks: they are designed to simulate an attack on the application.
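To make the abuse-case idea concrete, here is an added example (not code from the book) of how a testing team can turn a threat profile into executable abuse cases. It assumes a minimal login function backed by an in-memory SQLite table with one constructed user, and it runs the same abuse cases against a string-concatenated query (the flaw the SQL injection threat targets) and against a parameterized query. The case list, the table, and the function names are all assumptions made for this illustration.

```python
import sqlite3


def _make_db():
    """Constructed sample user store: one account, used only for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Flawed form: the query text is assembled from user input, so input is parsed as SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username, password):
    """Hardened form: bound parameters, so input is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Abuse cases derived from a threat profile for the login function.
# Each entry: (case name, username, password, expected login result).
# The first entry is the ordinary use case; the rest describe misuse and the
# outcome a secure implementation must produce.
ABUSE_CASES = [
    ("legitimate login", "alice", "correct horse", True),
    ("wrong password", "alice", "wrong", False),
    ("tautology bypasses authentication", "' OR '1'='1", "' OR '1'='1", False),
    ("lone quote must fail closed", "'", "x", False),
]


def run_abuse_cases(login_fn):
    """Run every abuse case against login_fn.

    Returns the names of the cases whose outcome deviates from the expected one,
    so an empty list means the implementation passed the abuse-case suite.
    """
    conn = _make_db()
    failures = []
    for name, user, pw, expected in ABUSE_CASES:
        try:
            actual = login_fn(conn, user, pw)
        except sqlite3.Error:
            # A database error is treated as a failed login, never as a bypass.
            actual = False
        if actual != expected:
            failures.append(name)
    return failures


if __name__ == "__main__":
    print("concatenated query failures:", run_abuse_cases(login_concat))
    print("parameterized query failures:", run_abuse_cases(login_param))
```

Running the suite shows the value of writing abuse cases down: the parameterized version passes every case, while the concatenated version fails the tautology case because the crafted input is accepted as a valid login. The case list is the artifact that links the threat model to the test plan, and it can grow as new threats are profiled.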
5.1.3 Overview of the Risk Assessment Phase
Risk assessment is the first process in the risk management cycle. Risk assessment is the process where risks are identified, assessed, and evaluated based on the threats, the vulnerabilities, and
* The details on the Gartner study can be found here: https://www.cenzic.com/resources/reg-required/videos/Gartner-on-Web-Application-Security/.