Advanced Task3 Web Application Security

The document provides an overview of web application security methodologies, including penetration testing, automated scanning, code review, security audits, threat modeling, and the Secure Development Lifecycle (SDLC). It introduces DevSecOps, emphasizing the integration of security practices throughout the software development lifecycle, highlighting its benefits, key practices, tools, and challenges. Additionally, it compares Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools, and outlines best practices for securing web applications.

Uploaded by

prajaktashende

Web Application Security

Report

INTRODUCTION
WHAT ARE THE TESTING METHODOLOGIES OF WEB APPLICATIONS?
Web application security is crucial for protecting sensitive data and ensuring
the integrity and availability of web services.

Key Web Application Security Methodologies

1. Penetration Testing:
• Description: Simulates cyber-attacks to identify vulnerabilities.
• Process: Includes reconnaissance, scanning, exploitation, and reporting.
• Tools: Metasploit, Burp Suite, OWASP ZAP.
2. Automated Scanning:
• Description: Uses automated tools to scan for known vulnerabilities.
• Process: Regularly scheduled scans to detect issues like SQL injection, XSS, and outdated software.
• Tools: Nessus, Acunetix, Qualys.
3. Code Review:
• Description: Manual examination of source code to find security flaws.
• Process: Involves static code analysis and peer reviews.
• Tools: SonarQube, Checkmarx, Fortify.
4. Security Audits:
• Description: Comprehensive review of an application’s security posture.
• Process: Includes policy review, architecture analysis, and compliance checks.
• Standards: ISO 27001, NIST.
5. Threat Modelling:
• Description: Identifies potential threats and vulnerabilities.
• Process: Involves creating data flow diagrams and identifying threat vectors.
• Frameworks: STRIDE, DREAD.
6. Secure Development Lifecycle (SDLC):
• Description: Integrates security practices into each phase of the development lifecycle.
• Phases: Requirements, design, implementation, testing, deployment, and maintenance.
• Models: Microsoft SDL, OWASP SAMM.
WHAT IS DEVSECOPS?

DevSecOps, short for Development, Security, and Operations, is an approach that integrates security practices into every phase of the software development lifecycle. This methodology aims to ensure that security is a shared responsibility among all participants in the development process, rather than being an afterthought.

Key Concepts of DevSecOps

1. Integration of Security:
• Security is embedded into the DevOps pipeline, ensuring that security checks and balances are applied continuously throughout the development process.
• This approach helps in identifying and mitigating security vulnerabilities early in the development cycle, reducing the risk of security breaches.
2. Automation:
• Automation plays a crucial role in DevSecOps by enabling continuous integration and continuous delivery (CI/CD) pipelines to include automated security testing.
• Tools like static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) are integrated into the CI/CD pipeline to automate security checks.
3. Collaboration:
• DevSecOps fosters a culture of collaboration between development, security, and operations teams.
• This collaboration ensures that security considerations are integrated into the development process from the outset, rather than being added at the end.

Benefits of DevSecOps

1. Early Detection of Vulnerabilities:
• By integrating security into the development process, vulnerabilities can be detected and addressed early, reducing the cost and effort required to fix them later.
2. Faster Time to Market:
• Automation of security testing and continuous monitoring allows for faster release cycles without compromising security.
• This leads to quicker delivery of secure software to the market.
3. Improved Compliance:
• DevSecOps helps in maintaining compliance with regulatory requirements by ensuring that security controls are consistently applied throughout the development lifecycle.
4. Enhanced Security Posture:
• Continuous monitoring and automated security testing improve the overall security posture of the application, making it more resilient to attacks.

Key Practices in DevSecOps

1. Shift-Left Security:
• Security is integrated early in the development process, often referred to as “shifting left.”
• This involves incorporating security practices in the initial stages of development, such as during code reviews and unit testing.
2. Continuous Security Testing:
• Security tests are run continuously as part of the CI/CD pipeline.
• This includes automated tests for vulnerabilities, configuration issues, and compliance checks.
3. Infrastructure as Code (IaC):
• IaC involves managing and provisioning computing infrastructure through machine-readable definition files.
• Security policies and configurations are codified and version-controlled, ensuring consistency and reducing the risk of misconfigurations.
4. Security as Code:
• Security policies and controls are treated as code and integrated into the development process.
• This allows for automated enforcement of security policies and quick adaptation to new threats.
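As an added illustration of practices 3 and 4 (Infrastructure as Code and Security as Code), not code from the report: a small policy-as-code check of the kind a CI job runs over a service definition before anything is deployed. The JSON layout, the policy identifiers (TLS-001 and so on), the severities and the gate threshold are assumptions made up for this example; a real pipeline would evaluate tool-specific artefacts such as a Terraform plan or Kubernetes manifests.

```python
"""Security as code: machine-checkable policies evaluated against an
infrastructure definition in CI, so a misconfiguration fails the build
instead of reaching production.

Added example, not from the report. The config format, policy ids and
severities are assumptions chosen for illustration."""
import json

# Constructed sample: two services as a CI job would read them from the repo.
SAMPLE_CONFIG = json.loads("""
{
  "services": [
    {"name": "web", "tls": true, "ports": [443], "ingress_cidr": "0.0.0.0/0",
     "run_as_root": false, "image_tag": "1.4.2"},
    {"name": "admin", "tls": false, "ports": [8080, 22], "ingress_cidr": "0.0.0.0/0",
     "run_as_root": true, "image_tag": "latest"}
  ]
}
""")

# Ports that should never be reachable from the whole internet (assumed list).
ADMIN_PORTS = {22, 3389, 5432, 3306}


def check_service(svc):
    """Return a list of (policy_id, severity, message) findings for one service."""
    findings = []
    name = svc.get("name", "<unnamed>")
    # TLS-001: traffic to the service must be encrypted in transit.
    if not svc.get("tls", False):
        findings.append(("TLS-001", "high", f"{name}: TLS disabled"))
    # NET-001: administrative ports exposed to 0.0.0.0/0.
    exposed = ADMIN_PORTS.intersection(svc.get("ports", []))
    if exposed and svc.get("ingress_cidr") == "0.0.0.0/0":
        findings.append(("NET-001", "critical",
                         f"{name}: admin ports {sorted(exposed)} open to the internet"))
    # PRIV-001: least privilege for the workload itself.
    if svc.get("run_as_root"):
        findings.append(("PRIV-001", "medium", f"{name}: container runs as root"))
    # SUP-001: unpinned image tags make deployments non-reproducible.
    if svc.get("image_tag") in (None, "", "latest"):
        findings.append(("SUP-001", "low", f"{name}: unpinned image tag"))
    return findings


def evaluate(config):
    """Run every policy over every service and collect the findings."""
    all_findings = []
    for svc in config.get("services", []):
        all_findings.extend(check_service(svc))
    return all_findings


def gate(findings, fail_on=("critical", "high")):
    """CI gate: True means the pipeline may proceed to deployment."""
    return not any(sev in fail_on for _, sev, _ in findings)


if __name__ == "__main__":
    results = evaluate(SAMPLE_CONFIG)
    for pid, sev, msg in results:
        print(f"[{sev:8}] {pid} {msg}")
    print("PASS" if gate(results) else "FAIL: blocking findings present")
```

Because the policies live in the repository next to the infrastructure definition, a change to a rule is reviewed and versioned like any other code, which is the point of the "security as code" practice above.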
Tools and Technologies

1. CI/CD Tools:
• Jenkins, GitLab CI, CircleCI, and Azure DevOps are popular tools for implementing CI/CD pipelines with integrated security testing.
2. Security Testing Tools:
• SAST: Tools like SonarQube, Checkmarx, and Fortify scan source code for vulnerabilities.
• DAST: Tools like OWASP ZAP and Burp Suite test running applications for security issues.
• SCA: Tools like Snyk and Black Duck analyse open-source components for known vulnerabilities.
3. Configuration Management Tools:
• Ansible, Puppet, and Chef help in managing and automating infrastructure configurations, ensuring they comply with security policies.
4. Monitoring and Logging Tools:
• Tools like Splunk, ELK Stack (Elasticsearch, Logstash, Kibana), and Prometheus provide continuous monitoring and logging to detect and respond to security incidents.

Challenges in Implementing DevSecOps

1. Cultural Shift:
• Moving to a DevSecOps model requires a cultural shift within the organization, where security is seen as a shared responsibility.
• This can be challenging in organizations with siloed teams and traditional development practices.
2. Tool Integration:
• Integrating various security tools into the CI/CD pipeline can be complex and requires careful planning and execution.
3. Skill Gaps:
• Developers and operations teams may need additional training to understand and implement security practices effectively.
SAST AND DAST TOOLS AND THEIR DIFFERENCES.

Static Application Security Testing Tools

1. Checkmarx:
• A popular SAST tool that analyses source code for vulnerabilities, including code flaws and insecure practices.
• Advanced features: Checkmarx combines advanced capabilities with an excellent web-based user interface for SAST programs.
• Broad language support: It works with a wide range of programming languages.
• Highly accurate scans: Checkmarx provides precise vulnerability detection.
• Remediation guidance: Offers actionable recommendations for fixing identified issues.
2. Fortify (by CyberRes):
• Fortify is another popular SAST solution that scans code for security issues.
• It provides detailed reports and guidance for developers and security teams.
• Fortify supports various languages and helps improve code security.
3. Perforce Klocwork:
• Klocwork performs static analysis on codebases to find defects, security vulnerabilities, and quality issues.
• It offers comprehensive scanning capabilities and customizable rule sets.

Dynamic Application Security Testing Tools

1. OWASP ZAP (Zed Attack Proxy):
• A widely used open-source DAST tool that tests running applications for vulnerabilities by simulating attacks.
2. Netsparker:
• Netsparker scans web applications dynamically to find security flaws and misconfigurations.
3. Intruder:
• Offers external and internal scanning, continuous testing, and web application security testing.
4. SOOS:
• Cloud-based application testing system for continuous testing in CI/CD pipelines.
• Also serves as a domain scanner for operations technicians.
5. Invicti:
• Allows IT departments to monitor vulnerabilities.
• Ideal for businesses needing compliance with HIPAA or PCI DSS.
6. Acunetix:
• Provides automated DAST with a dashboard.
• Suitable for medium to large enterprises.
7. Appknox:
• Cloud-based vulnerability and penetration testing service designed for mobile environments.
8. Veracode Dynamic Analysis:
• Integrates well into the DevOps cycle.
• Cloud-based service with strong person-to-person involvement with service engineers.
9. Detectify EASM Platform:
• Supported by ethical hackers.
• Allows small business owners to run their own DAST exercises from the cloud.
10. Rapid7 InsightAppSec:
• Cloud-based DAST solution provided by a highly experienced cyber security consultancy.
DIFFERENCES BETWEEN SAST AND DAST

White-box testing (SAST): SAST tools have access to the application’s source code. They analyse the code itself to identify flaws, weaknesses, and vulnerabilities.
Black-box testing (DAST): DAST tools operate without access to the source code. They test the running application from the outside, simulating attacks as an actual attacker would.

Early detection (SAST): SAST can find issues in the early stages of development, allowing developers to remediate them without breaking the build or risking production.
Real-world assessment (DAST): DAST provides a realistic assessment by examining the application while it is running.

Language-dependent (SAST): SAST is specific to the programming language used in the application.
Language-agnostic (DAST): DAST works regardless of the programming language.

Examples of vulnerabilities detected by SAST: code flaws; insecure coding practices; critical vulnerabilities listed in the OWASP Top 10.
Examples of vulnerabilities detected by DAST: exposed interfaces; configuration issues; vulnerabilities that an external attacker could exploit.

Does not require a running application (SAST): SAST analyses the source code and related dependencies without executing the application. It analyses the entire codebase and can find vulnerabilities undetectable by DAST (e.g., hard-coded secrets).
Requires a running application (DAST): DAST analyses the application by executing it. It assesses the application’s exposed surfaces during runtime and can identify issues related to server configuration and third-party components.
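To make the white-box side of the comparison concrete, here is an added example (written for this report, not taken from it, and not the internals of Checkmarx, Fortify or Klocwork) of what a SAST rule actually does: it parses source code without running it and flags two of the things the comparison attributes to SAST, hard-coded secrets and SQL statements assembled by string formatting. The rule names and the sample source it scans are constructed for this example.

```python
"""Minimal SAST-style checker: walk the abstract syntax tree of Python
source (never executing it) and report findings with line numbers, the
way a static analyser feeds results back to a developer.

Added example, not from the report; rule names are assumptions."""
import ast
import re

# Variable names that usually hold credentials (assumed, deliberately broad).
SECRET_NAME = re.compile(r"(passw(or)?d|secret|api[_-]?key|token)", re.IGNORECASE)

# Constructed sample source: one hard-coded secret, two queries built from
# user input, and one correctly parameterized query that must not be flagged.
SAMPLE_SOURCE = '''
import sqlite3
DB_PASSWORD = "hunter2"
timeout = "30"

def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def _is_dynamic_string(node):
    """True if the expression is built at runtime from parts: an f-string,
    '+' or '%' concatenation, or a .format() call."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def scan_source(source):
    """Return findings as (rule, line, detail) tuples, ordered by line."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # Rule 1: a string literal assigned to a secret-looking name.
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    findings.append(("HARDCODED_SECRET", node.lineno, target.id))
        # Rule 2: an execute()/executemany() call whose statement is assembled
        # dynamically, the pattern behind SQL injection. A plain literal with
        # a separate parameter tuple passes.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append(("SQL_STRING_BUILD", node.lineno,
                             ast.unparse(node.args[0])[:40]))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for rule, line, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {detail}")
```

Note what this illustrates about the comparison: the secret on line 3 is found without the application ever running, which DAST could not do, while the checker says nothing about how the server is configured or which third-party components are deployed, which is the DAST side of the table.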

HOW TO SECURE WEB APPLICATIONS EFFICIENTLY.

1. Input Validation:
• Validate user input to ensure only properly formatted data enters the application.
• Check input against predefined rules to prevent vulnerabilities like SQL injection and cross-site scripting (XSS).
2. Parameterized Queries:
• Use parameterized queries in database interactions to prevent SQL injection attacks.
• Avoid directly embedding user input into SQL queries.
3. Encryption:
• Encrypt sensitive data in transit (using HTTPS) and at rest in databases.
• Implement strong encryption algorithms and key management practices.
4. Least Privilege:
• Apply the principle of least privilege to user roles and permissions.
• Limit access to only necessary functionality and data.
5. Use HTTPS:
• Always use HTTPS to encrypt communication between clients and servers.
• Obtain SSL/TLS certificates to secure data transmission.
6. Session Management:
• Implement secure session management techniques.
• Use unique session tokens, set proper expiration times, and handle session data securely.
7. Regular Security Audits:
• Conduct regular security audits and vulnerability assessments.
• Identify and address security weaknesses proactively.
8. Use a Web Application Firewall (WAF):
• Deploy a WAF to filter and monitor incoming traffic.
• It helps block malicious requests and provides an additional layer of security.
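Practices 1, 2 and 6 together, as an added example that is not part of the report: an allowlist validator, the same database lookup written once with user input pasted into the SQL text and once parameterized, and a server-side session store with random tokens and an idle timeout. It uses Python's sqlite3 in-memory database with constructed rows; the username rule, the table layout and the 30-minute timeout are assumptions made for the example.

```python
"""Input validation, parameterized queries and session management side by side.

Added example written for this report, not code taken from it. Uses an
in-memory SQLite table with constructed rows; the username rule, table
layout and 30-minute idle timeout are assumed policies."""
import re
import secrets
import sqlite3
import time

# Practice 1: an allowlist of what a username may look like. Anything else
# is rejected before it reaches the database or a page template.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def valid_username(value):
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def make_db():
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn, name):
    """What practice 2 warns against: the input becomes part of the SQL text,
    so a value containing a quote changes the statement's meaning."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Practice 2: the value travels separately from the statement and is only
    ever compared against the column, never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_safe(conn, name):
    """Both layers: reject malformed input first, then query with a parameter."""
    if not valid_username(name):
        raise ValueError("rejected by input validation")
    return lookup_parameterized(conn, name)


def safe_rejects(conn, name):
    """Demonstration helper: True if lookup_safe refuses the input."""
    try:
        lookup_safe(conn, name)
    except ValueError:
        return True
    return False


# Practice 6: server-side sessions with unguessable tokens and an idle timeout.
SESSION_TTL = 30 * 60  # seconds of inactivity before a session dies (assumed policy)


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # token -> (username, last_seen)

    def create(self, username):
        token = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG
        self._sessions[token] = (username, self._clock())
        return token

    def resolve(self, token):
        """Return the username behind a live token, or None. A valid use
        refreshes the idle timer; an expired entry is deleted server-side."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        now = self._clock()
        if now - last_seen > SESSION_TTL:
            del self._sessions[token]
            return None
        self._sessions[token] = (username, now)
        return username

    def destroy(self, token):
        """Logout: forget the token so it cannot be used again."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed malformed input containing a quote
    print("vulnerable:", lookup_vulnerable(db, probe))        # every email
    print("parameterized:", lookup_parameterized(db, probe))  # []
    print("validated:", safe_rejects(db, probe))              # True
```

The two query functions show why the report lists validation and parameterization as separate practices: parameterization alone already stops the malformed value from altering the statement, and validation on top of it rejects the value before any database work happens and also protects the other sinks (templates, logs) that a parameter binding does not cover.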
PRACTICAL
THANK YOU

Done by
Prajakta Shende
Cyber security Intern
Cyber Sapiens
