Evolution of Application Security

"Writing a secure web application starts at the architecture phase. A vulnerability discovered in this phase can cost as much as 60 times less than a vulnerability found in production code."

- Andrew Hoffman, Web Application Security: Exploitation and Countermeasures for Modern Web Applications.

Cybersecurity is the process of securing networks from threats, attacks, and criminal usage. Application security is an important element of cybersecurity, providing data security within the application and preventing attacks by unauthorized users. In the development phase, the important aspect of application security is to pursue the Secure Application Development Guidelines (SDLC).

SDLC is a set of steps in developing a software application, where application security plays an important part. In the design phase of software, threat modeling is used to clear the upcoming threats, and in the development phase, IDE plugins are used to give a quality check of development codes. Dynamic and Static Security Application Testing (DAST and SAST) was performed in the early process of Quality Analysis testing.

Often application security is pushed to the end to test software application. If pushed to the end, fixing errors can be expensive. It is thus a wise and better choice to apply application security in each step of a project development cycle.

Importance of application security

As the world interacts with the internet and networks 24/7, securing data and applications becomes key. Application security secures attacks happening in the application as well as in the network. Since hackers are going for apps more than in the past, application security is something that needs to be excised at all levels.

Types of application security

Different types or strategies of application security are available to secure applications from hackers. Coding applications can also help secure applications by cutting down on vulnerabilities. A few types are listed below;

• Authentication: Usually software developers build software and also ensure that the application can be accessed by authorized users. Here the login credentials pose as the authentication tool to access the application. Multi factor authentication is also a more secure strategy where more than one authentication factor is rewired to access applications.
• Authorization: The system validates the user after the individual enters their credentials. The system has to authorize the user to enter inside the app with available user credentials. This is generally a step that follows authentication.

• Encryption: After the authorization, data can be protected with the help of encryption that converts information into a format that is unreadable or undecipherable. The sensitive data are encrypted and can be safeguarded from prying eyes and systems.

• Logging: Logging inside the application can help to find who logged inside the app. Time-stamped records of who has logged in to the application are recorded that help the cybersecurity forces to mitigate these attacks.

• Application security testing: This is a sort of checkpoint that ensures that all of these security controls work properly.

Evolution of application security

In today's dynamic world ridden with evolving cyberattacks, application security is a staple. Earlier in the 1970s and 80s, physical security, theft, and accessing computer documents were counted as valid risks, but not the code security and application security, which are factors that cannot be ticked off nowadays.

Bob Thomas, a researcher in 1971, wrote a computer program called 'The Creeper' that would jump to network modes and leave a message "I AM THE CREATOR: GET ME IF YOU CAN" on each machine. The creeper gradually spread to ARPANET and later was erased and named the 'Reaper' by Ray Tomilson.

Long back there was a large outbreak of malware, but the first major malware was 'Morris Worm' in 1988. The creator, Robert Morris, tried to determine the size of the internet by writing a program, exploiting a known Unix bug, and copying itself. And then due to human error, the Morris Worm spread through the internet and ran out of control causing havoc across the world.

Following such episodes, the anti-virus era began as a new industry. Later world wide web was in the industry which is a large collection of hypertext pages. In 1995, Netscape released JavaScript which led to the release of more reactive websites. But it did not last as hackers eventually discovered an exploit through JavaScript, Cross-Site Scripting (XSS).

In 1998, SQL injection (SQLi) was introduced into websites to make websites more reactive and attractive. In the early 2000s, more security tools were released, the major breakthrough caused by OWASP, (Open Web Application Security Project) was founded, that introduced standards for application security. The Payment Card Industry (PCI) Standards Council released the first Data Security Standard (PCI-DSS) to secure credit card data in 2004.

Application security has been in the mainstream since 2005. There are two general realms for this, one that runs directly on the operating system and the other that runs on the internet which is Web Application Security. Both the realms require similar techniques like code review, static analysis, design review, threat modeling, and fuzz testing. Application security these days is a vital part of any project development. The security process is done in each phase of any project development.

Know more about this and more

The Cybersecurity Centre of Excellence (CCoE) is a global hub based in Hyderabad to catalyse innovation, entrepreneurship and capability building in cybersecurity and privacy. It is a joint initiative of the Government of Telangana and DSCI set up to fulfil DSCI's commitment towards creating a safe, secure and a trusted cyberspace. Our objective is to build best practices, standards and execute initiatives in cybersecurity and privacy domain. We nurture a culture of innovation by, incubating start-ups, conducting trainings/workshops/events, showcasing products in experience zone, hosting delegations and collaborating in local, national and international initiatives.

Visit our website: https://ccoe.dsci.in.

Download our intuitive resources: https://ccoe.dsci.in/resources/