Application Security: A Primer

It is important to note that not all vulnerabilities can be found during the development and therefore fixing the code after the finalization of the project is an important step.

It’s only natural to assume that the faster one finds vulnerabilities the better followed would be the CIA triad, which in term will ensure an enjoyable and safe environment for customers and employees alike. 

What should we be aware of?

The most basic but also key tool to implement is the encryption of data. It’s important to note that it should be protected all the time: before, during, and after transit. Encryption helps cover the data so that even if the breach happens information is unusable to the third party since they do not have access to the private key used to decrypt the data. Without decryption, the data will just be gibberish for foreign eyes. 

Unless the hacker has a good understanding of where the keys are stored, they will try to inject scripts into the application itself. It’s quite logical really. Since the data is encrypted at any given time there’s only 1 weak spot and that’s when application decrypts the data once it’s received and ready to be viewed by the user. Injecting a script into the application will manipulate the system so that the hacker gets the data once it’s already decrypted. The program does its job, but instead or at the same time as the user the hacker sees the data as well. The only solution to this problem is relentless testing during the development and continuous patching of the application after.

Confidentiality is one of the most important factors of security. It roughly equates to privacy. This is a set of rules that prevents unauthorized personnel from accessing data. It is worth noting that this system should not complicate accessibility for the parties that have to view and work on the presented information. It is achieved via encryption, setting up routing numbers as well as account numbers and such. Two-factor authentications, user IDs, and passwords are also a part of confidentiality.

Data Integrity means making sure data is structurally the same at any point and time after being sent and before being received. Good examples of safeguards are user access controls, file permissions, and so on. Verification can happen using checksums, cryptographic checksums, integrity verification, and backups.

A hacker can modify the amount of money deducted from our cards at the store. This may not be a considerable amount, certainly not something most of the users would notice like 1 cent. However, taking into consideration the number of times the bank cards are used to buy something at the store, the hacker overall will get a considerable amount of money very quickly. This means that the integrity of the information is compromised. The seller will input $1, the screen will show $1, but the amount of money deducted will be $1.01 where the extra cent goes to a hacker.

Availability is one of the most important aspects of security. The service that the application provides is useless if it becomes unavailable for the users. This poses several questions for the developers, which need to be addressed both during and after the development process with patches and updates. Can the application handle unexpected input? Can it protect itself from DDOS attacks? Will the algorithms still be optimized for larger data input? Will the servers be able to handle the extra load? Does the application scale when the input increases in frequency? Proper design and building process of the application prevents such problems from occurring in the future.

The Open Web Application Security Project (OWASP) is a foundation that works on improving the security of software. It’s a nonprofit organization with thousands of contributors from all around the world. Much like Linux this is a crowd-funded project, which gives a huge platform for educating yourself. It is important to note that just application security is not enough to protect the whole system. It is one of the parts of a big scheme which involves things like network security. It is crucial to work on all of these at the same time as it does not matter what kind of network security you have unless the application is also controlled or vice versa.