Application security is an important aspect of network protection that is often overlooked.
Most people have the basic security measures in place (antivirus, strong passwords, etc.), but many neglect to vet the applications that they use on their workstations, personal computers, and mobile devices. Similarly, many applications have a solid functional framework but lack a testing approach to identify problems that could leave a security gap in an otherwise safe network.
When users run a software program or open an application, they have a reasonable expectation that it will perform without causing problems. Simple bugs or glitches are one thing, but actively causing damage is another. If a legitimate and trusted application can be manipulated to execute malicious code or leak data, then it presents a huge risk for the entire network.
Ethical developers have a responsibility to ensure that their applications are reasonably secure. But what goes into application security testing?
Schools of thought
There are two main approaches to application security testing: white box and black box. This refers to whether the tester has access to information on the internal workings of the program or not, respectively. Both are effective for different reasons, and many specific techniques fall under both categories.
White box testing
White box testing typically involves manually reviewing the application’s source code and architecture design, as well as its structure and data flow, to ensure that it is operating correctly, effectively, and securely. This may occur between development phases or proactively during planning and design.
A software engineer will study the code and create test cases to generate a predetermined outcome.
If the output or response to the test case is incorrect or the data is flowing through the application incorrectly, they will have an idea of what is going wrong at what point in the code and then take another pass through it.
This type of testing requires an in-depth, intimate knowledge of the software and its functionality (and its source language), so it can be time-intensive. But white box tests are extremely effective for catching errors or failures at all points in the software development life cycle, provided that it is implemented methodically.
Black box testing
Black box testing is typically utilized later in the development life cycle because it is only effective once the application has achieved or is nearing completion.
Test cases are executed using the application interface and compared to the expected outputs to confirm whether providing results as intended.
This testing process doesn’t require any knowledge of coding or the program itself to be effective, but its scope can be limited as a result. Since you aren’t following the data through the inner workings, you only have the outputs to analyze. Things could be going horribly wrong inside the program, but since it responded with the expected output, things seem fine.
Comprehensive test cases for black box testing can be difficult to design since it is easy to miss patches of code that must meet specific conditions. And if an error occurs, you don’t know where things broke down since you don’t have an understanding of the program’s structure or where the operation is failing. The testing of edge cases also tends to fall short for the same reason – the parameters of the internal code are unknown.
However, this is also an effective way to ensure that the user experience is delivered as intended and verify the functionality of standard use of the program.
Application security practices
Good practices make for good applications.
Check the OWASP Top 10
The Open Web Application Security Project is a non-profit organization dedicated to improving software security. Every few years they will release a report entitled the “OWASP Top 10 – The Ten Most Critical Web Application Security Risks” (the current is Top 10 2017) to help developers, CIOs and tech teams make informed security decisions for their organizations.
This is a comprehensive look at the 10 highest-priority weaknesses that should be addressed in applications to ensure that they are safe to use on your network. Utilize this report to make sure that you have your bases covered when you are testing your applications.
Check the SANS Top 25
The SANS Institute is a for-profit educational organization that specializes in secure software training and certification. They also have a valuable list of resources for addressing the top 25 software errors that have a profound effect on application security, along with ways to prevent them.
New developments happen every day. Keep up with best practices, new techniques, and updates on the various types of cybercriminal attacks to maintain the best possible foundation for your application security.
Get additional input from your managed IT service provider for insight or support on any security issues requiring extra experience or expertise.