Application Security 101 & Thoughts
So where does one start in application security? I recommend starting with the OWASP top 10 list. There you will find 10 categories of vulnerabilities that most web applications suffer from.
There's quite a lot of that happened this week so it was kind of tough for me to to pick a topic to discuss. One topic that I think is important for everyone to understand is application security.
Your application, especially a web application, is the front door into your environment. One vulnerability in your web application can allow an attacker into your network and and even execute arbitrary code (RCE) that essentially gives them incredible access to your network, like in the equifax hack. That's why a zero trust network is also important but I've spoken about that before as well though. Of course, patching your servers is essential!
So where does one start in application security? I recommend starting with the OWASP top 10 list. There you will find 10 categories of vulnerabilities that most web applications suffer from. Address these and you'll be in a good position.
But how do you go about addressing application security vulnerabilities? Say you did a pen test and they discovered a page on your website was vulnerable to xss? Well you can fix that particular vulnerability, but if you don't address the underlying reason of why that vulnerability existed. Thus allowing for history to repeat itself. This is all part of the Secure Software Development Lifecycle (SSDLC).
Another portion of this is also remediating known vulnerabilities. What happens if you have a software vulnerability scanner in your pipeline, but vulnerabilities are being ignored and not remediated? This happens a lot. Establishing with your engineering team a defined criteria of time to remediate vulnerabilities as well as defining the criteria of vulnerabilities is essential.
There is so much to application security, there are whole books written on the subject. For now, I just want to raise awareness on the topic.
ps. If you're curious what other topics I considered for today, they were:
AWS Account Structures
User Authentication Best Practices
If you liked this email, forward it to a friend! I'd appreciate it.