Basically, application security is the security profile of application level software and communication. So what does that mean? and what does that look like? and really, who cares?
Well, let’s start from the first question and work our way backward. Applications are becoming much more important as initial attack vectors into systems. Over the past decade or so, operating system vendors and developers have become much more conscious of the security of the systems they deliver. They’re spending much more time reviewing the code they deliver and becoming more disciplined in refining what exactly they deliver. They’re also incorporating more and more advanced cyber-security techniques into delivered operating systems everyday. In fact, Microsoft Windows, once the butt of just about every cyber-security joke told, is arguably the most secure baseline operating system on the market today - certainly much more secure than it was five years ago. As operating systems and related systems become more secure, attackers need to begin to look at other areas to exploit. More and more of these attackers are looking, today, at applications.
So who cares? Well, attackers really care. They’re really interested in finding applications that are running with open network connections, with system privileges, and with security flaws. Really, they don’t care that much about the authority the applications run with - the more the better, but any foothold is better than nothing. And since attackers care, application vendors need to care, and because the vendors care, we developers need to pay attention too.
It doesn’t look like things are going to change anytime soon in this regard either. Today, companies are beginning to be held liable for information leakage. We’ve seen lawsuits brought against companies, we’ve seen C-Level executives fired, and we’ve seen profound differences with respect to how liability for cyber-security negligence is determined today when compared to event a few years ago. The stakes are higher, and people way above our pay grade are paying attention.
Application software isn’t clearly defined, really, but we can do a little better than that. Fortunately, operating systems and network communication models have this nifty application layer that runs on top of the software delivered by infrastructure and operating system vendors. The OSI model has it, Windows has it, Linux and Unixes have it, and TCP/IP has it. So from a network communication perspective, anything that runs in the application layer is fair game for an application security analysis. HTTP, for example, is an ubiquitous application level protocol. I mean, it’s everywhere. If you ever look at a typical packet capture, it is just riddled with HTTP traffic. And applications use HTTP for just about everything today. Need RPC? use REST/JSON. Need to send information for storage? POST or PUT that information to an HTTP endpoint. Need to grab some data? go GET it from a web server. It’s absolutely everywhere. And there’s other cross-platform application protocols too, like Apache Thrift or Avro, or Google’s Protocol Buffers. In fact, from the perspective of the TCP/IP stack, if you’re above the TCP layer, you’re in application space.
Likewise, any program that runs in userland is an application too. This isn’t limited to third-party programs either. Anything from any vendor that runs above the kernel is fair game for application security reviews. On linux or windows, this includes everything from in-house enterprise applications to word processors and utilities to unix commands like ls or ssh. On mobile devices, this includes apps in Swift or Objective-C on iOS and Java or C++ on Android. It doesn’t include drivers, kernel modules, network infrastructure firmware, or anything like that.
So, DZone will look at all things security in the application space. We’ll look at how to write secure code, and how those techniques make your code more secure. We’ll dive into specific types of exploits and show you exactly how attackers use them to compromise application software so you understand exactly how certain exploits work and what they can do. We’ll even go into how programs can be exploited as pivots to attack other systems or increase privileges, and how attackers use multi-stage exploits to progressively compromise systems so you know how modern adversaries will attack and leverage your code. If you follow this zone, you’ll have knowledge and riches beyond compare and be the envy of all your friends! Well, maybe not, but you’ll be able to write better software, and you’ll know exactly why it’s better, which is at least a good first step.