Let's address the question "What is application security, and how can teams and companies identify what to protect?", bridging frontend domains and cybersecurity concepts, serving as a practical continuation of security awareness in web applications.
The main purpose is not to precisely or exhaustively define any term but rather to bridge both knowledge shores to build a solid and iterative foundation enabling conceptual tools for a deeper immersion for those who desire it.
I'll split the content into two parts, presenting here "What is application security", and "How can teams and companies identify what to protect" in the following part.
What is Application Security
Application security is about taking steps to ensure that the software we're building and deploying is protected from dangers.
It involves taking actions and procedures throughout the application life cycle to ensure and prevent malicious actors from accessing data.
In simple terms, It is like having smoke detectors to alert us of vulnerabilities or issues found within our code, helping to identify and implement measures to ensure the security of the application.
Likelihood of Vulnerability in Key Areas of Web Applications Development Prone to Exploitation
Vulnerabilities in code can exist for different reasons:
- Legacy code or lack of maintenance.
- Evolution of code can introduce new vulnerabilities due to various factors such as changes in functionality, integration of third-party components, or unintentional oversight security considerations during development.
- Supply chain vulnerabilities and risks associated with dependencies in the NPM ecosystem.
- Insecure patterns in components.
- Lack of API governance relying on the network's security.
- Not considering an "attacker perspective" disrupting the subsequent "defender analysis".
- etc.
Scanning the codebase
Scanning tools help to secure the application landscape by analyzing and detecting threats from a crossed and multilateral perspective: reinforcing best security practices, analyzing dependencies for vulnerabilities or malicious code (supply chain attacks example), and highlighting security flaws, among others.
- Static scanners analyze files (the codebase) to highlight mostly insecure implementations or patterns.
- Early occurrence in the Software Development Life Cycle. Kind of A priori deployment (analysis of the application before running).
Static Application Security Testing Tools Overview
In a rush, I analyzed ten SAST tools based on two keys: readiness (how quickly they could be downloaded, installed & used) and usability (how easily the selected tool could be used). The analysis was not exhaustive and the tools were:
- Checkmarx - https://checkmarx.com
- Contrast Scan - https://contrastsecurity.com/contrast-scan
- Coverity Scan - https://synopsys.com/software-integrity/security-testing/static-analysis-sast.html
- Fortify Static Code Analyzer - https://microfocus.com/en-us/cyberres/application-security/static-code-analyzer
- HCL AppScan - https://hcltechsw.com/appscan/offerings/source
- Kiuwan Code Security - https://kiuwan.com
- Reshift (NodeJs) - https://reshiftsecurity.com
- SonarQube - https://sonarqube.org/features/security/
- Semgrep - https://semgrep.dev
- Snyk - https://snyk.io/product/snyk-code/
All of them have in common that they are free and support Javascript, in the end, Snyk and Semgrep were both those with the higher readiness and usability: I started using them with a few clicks, easy to use CLI, both had a clean and useful dependency analysis results and code analysis.
In contrast, most of the other tools required users to "book for a demo", delaying access to the tool and relegating the experience from immediate to later, or were not sufficiently simple to use when considering the learning curve over time, or forced third-party authentication, which I declined to proceed considering sharing my profile as a way of opening an unintended risk vector for my company.
In no way is my opinion based on their quality, effectiveness, or efficiency, and it is not my intention to not recommend any of them, as I have not tried them.
The code to test should be according to the task of highlighting security flaws, so the target software was the well-known "Very Insecure Web Application" called Juice Shop.
Benefits
- Requiring no app execution, the scan is faster as testing suites.
- Applies all the rules to the whole codebase.
- Indicates problematic code locations and explains the issue found making flaws simpler to understand and remediate.
Limitations
- False positives and false negatives.
- Language specificity
Examples
- Semgrep
- Snyk
Top comments (0)