DevSecOps Terminology Glossary

Rate limiting is a technique used by APIs to limit the amount or size of client requests. It’s used to prevent ATO, bruteforce attacks, DoS and DDos attacks. When a client reaches the designated limits, requests from that client are temporarily rejected. Lack of proper rate limiting is a risk on the OWASP API Top 10.

Ajax stands for Asynchronous JavaScript and XML. It’s a programming technique that uses asynchronous requests to update data on a page without reloading the browser. This technique allows web applications to load pages and data quickly in pieces, without forcing the user to wait for the page to render.

API sprawl is a common issue when building applications using microservices. Ease of deployment (i.e. using cloud services) and developer autonomy may lead to new API endpoints popping up without anyone’s knowledge. Old API versions or deprecated APIs could still be available publicly when the development team thinks they’ve been shut down. API discovery is the act or service of systematically searching through to find all APIs currently in use or publicly available. Discovery is essential to API security since you can’t protect an API if you don’t know it exists or is in use.

APIs allow distributed applications, services, and network components to communicate. An API endpoint is where that action occurs, one end of a communication channel. Endpoints are where APIs can hook up with resources they need to perform their function. Because of their central and critical role in distributed networks, API endpoints are tempting targets for malicious actors, and exposed endpoints have led to some of the largest breaches. Protecting an endpoint begins on the left, with best practices including using the Https protocol and string authentication. Once deployed, endpoints can be monitored using special tools. In addition, modern API security programs take a holistic approach to API security, monitoring all parts of the system including endpoints.

Sitting at a central spot between the client and web-based APIs, API gateways are the entry point for client requests to an API. They facilitate requests, aggregate responses, and handle authentication and rate limiting enforcement. API gateways can be a secure access point against intruders attempting to exploit API vulnerabilities. However, cybercriminals have proven adept at eluding out-of-the-box gateway security, and often use a company’s API gateway to hunt for irregularities in the way business logic has been written in the API code.

Modern web APIs are becoming more prevelant as web applications embrace flexibility and scalability. Web APIs introduce a new set of security vulnerabilities that security teams must account for to keep their APIs, data, and users safe.

See WAF/Web Application Firewall

Application security is the discipline of applying sound security principles to protect the confidentiality, integrity, and availability of software applications and their data. There are several types of software applications, such as web, mobile, native clients (i.e Windows Store apps), and command line. Each type of application has a different threat model and must apply different principles and tactics to secure it.

Artificial intelligence is intelligence displayed by machines. There are several branches of AI, each with a focus on allowing machines to make decisions and learn without human intervention. Machine learning is a common application of AI. Others include computer vision and natural language processing. Autonomous self-driving vehicles are an example of the practical application of AI technologies.

ATO, or Account Takeover, is the act of compromising a victim’s account in order to impersonate them to a web application and steal or modify data. There are several flaws that can lead to ATO, such as poor authentication and authorization implementation, broken object level authorization, broken function level authorization, and poor password/secrect management practices. ATO is a highly dangerous attack and should be a priority for development teams to prevent.

A bad actor or threat actor tries to infiltrate a web application with the goal of stealing data, modifying data, or other malicious act for personal gain. This term is used in threat modeling to help discover those who may have reason to launch attacks against an application and what techniques they might use.

A red team uses various tools and techniques to find and exploit vulnerabilities within a company’s software, hardware, and employees. The blue team is the opposite. They stand as the defense against red team activities. Blue teams design defensive mechanisms to prevent attack and exploitation. A red team’s output can be fed into the blue team to develop defense strategies to prevent real attackers from compromising the company’s systems and data.

A “bot” is a compromised machine used to attack another application or system. Many types of DDoS attacks are performed by armies of bots made up of compromised IoT and other connected devices. Poor security used on these devices make it easy to compromise them and then use them to overload a website or API with traffic.

Left on their own, bots can migrate through a network and cause slowdowns, breakdowns, and other unintended consequences. More ominous are black-hat bots introduced by bad actors to scrape data, break into user accounts, and otherwise disrupt systems. Bot management software authorizes the good bots and blocks the bad ones. Management tools can analyze bot behavior, rate-limit bot overuse, and identify a particular bot’s reputation. The infamous CAPTCHA challenge is a bot management tool to detect malicious bots.

Bots are software robots that operate on networks, most often to execute repetitive tasks such as with robotic process automation. They come in many shapes and sizes, including chat bots (for customer service), spider bots, spam bots, and scraper bots. Bots can be good or evil; it depends on how their noverlords program them.

Authentication is identifying who is accessing an application. Authorization is enforcing what they’re allowed to do while logged in. It’s a critical distinction as broken access control allows attackers to gain access to data or functions they shouldn’t. They can view and/or modify other users’ accounts or steal data. What to look for in your code: * Modifying the URL or HTML page to bypass access control checks * Allowing the request’s ID to be changed to the account number of another user’s account. * Elevation of privilege. Can a user act as an admin by modifying the request? * APIs with missing access controls for POST, PUT, and DELETE HTTP verbs.

A flaw allowing an attacker to assume other users’ identities temporarily or permanently by compromising passwords, keys, or session tokens. What to look for in your code: * Storing passwords in plaintext, encrypted, or poorly hashed * Poor session management * Permits brute force or other automated attacks * Weak or ineffectual credential recovery processes * Missing or ineffective multi-factor authentication.

The number of API endpoints and complex authorization hierarchies and mechanisms can lead to authorization flaws. Attackers can exploit these flaws to gain access to other users’ resources and/or administrative functions. What to look for in your code: * Can a regular user access administrative endpoints? * Can a user perform sensitive actions (e.g., creation, modification, or erasure) that they should not have access to by simply changing the HTTP method (e.g., from GET to DELETE)? * Can a user from group X access a function that should be exposed only to users from group Y, by simply guessing the endpoint URL and parameters (e.g., /api/v1/users/export_all)?

APIs often use object identifiers to access resources. This opens the application to attack by changing the object identifiers within the URLs or request bodies to gain unauthorized access to resources. For example, a medical application is vulnerable to BOLA if a patient can change the identifier in the URL and view another patient’s data. Authorization checks must be done on every request to verify that the user requesting the resource has access to that resource. What to look for in your code: * Insufficient authorization checks for requests that include object identifiers

See Broken Authentication

Bug bounty programs encourage security professionals to find vulnerabilities in your application in exchange for a reward. Rewards range from company-branded swag to cash awards of thousands of dollars. Bug bounties use the real-world knowledge of security professionals to find vulnerabilities that security products miss. Another benefit is that the company pays for results. There are no large contracts that lead to no results. Companies pay only when a vulnerability is verified.

In a business logic attack, the bad actor uses the legitimate processing flow of a Web application to gain access, often through a browser. Business logic attacks can result in loss of valuable data, revenue, and additional damage to the network through denial of service and brute forcing passwords. Because they are outside the norm of more common authentication exploits, many security solutions have difficulty detecting business logic attacks. The best solutions are those that can understand the application’s underlying business logic so an outlier presence can be detected and blocked. Business logic vulnerabilities should also be addressed before an attack, by developing and testing security solutions early in the Software Development Lifecycle Process.

Continuous Integration/Continuous Delivery refers to a mode of operation and a suite of tools used to regularly build and deploy applications to staging and production environments. Continuous integration is the practice of building code and running tests every time a developer checks in code changes. This ensures any new bugs are found and resolved quickly and no existing functionality is broken by new code. Continuous Delivery is the practice of always being in a “ready to deploy to production” state. Typically the code is deployed and tested in a staging area. Then a product owner (or other designated party) approves a deployment to production and automated processes take over to deploy the application. Another “CD” you may encounter is Continuous Deployment, where changes are automatically deployed to production every time a developer checks in code.

Much of ecommerce is driven by users clicking on websites. Click fraud is the potentially illegal practice of repeatedly clicking on web ads or content to artificially drive up traffic counts. Click fraud can be generated by humans or bots.

Web users are experienced at clicking links to perform functions: Like, Submit, View Special Offer. But what if those links are not what they claim to be, like a brake pedal that is actually the accelerator? Clickjacking is the practice by hackers to disguise malicious links as something benign. A user might hit a “Like” button but that Like is redirected to someone else’s page. More serious is a link that tricks a user into downloading malware or otherwise allows the attacker to take over the computer. Clickjacking can take various forms, but a popular attack involves layering a phony page on top of a legitimate web page to trick the user into taking unknown (and ill-advised) actions.

Many security schemes have a weakness positioned as a strength: They are designed to keep out the bad guys. Unfortunately, client-side attacks can defeat this approach by surreptitiously convincing an authorized user to download payloads into their browser, business application, or online gaming, then upload them to the network. The attacks include cross-site scripting, content spoofing, and clickjacking.

Cloud-native technologies, such as containers, service meshes, microservices, immutable infrastructure, and declarative APIs, empower developers to build and run scalable applications on public, private, and hybrid clouds.Cloud-native architecture focuses on creating loosely coupled services with high resiliency. Developers can make changes frequently without negatively impacting the entire system.

Links

• Blog: The Evolution to Cloud-Native Applications and APIs
• Wikipedia

Cloud-native security is the discipline of securing cloud-native applications. Cloud-native technologies have many benefits, but they also introduce new  avenues of attack. Application security has to change to properly protect cloud-native applications from sophisticated attacks.

Links

• Blog: The Evolution to Cloud-Native Applications and APIs
• Blog: Web Application Security Is Not API Security
• Blog: 4 Steps To Secure Requests Between Microservices
• Wikipedia

The vendor-agnostic support organization for many open source projects is part of the Linux Foundation. It serves as an event organizer and makes recommendations to developers, end users, and vendors around cloud-native issues and technologies including Kubernetes, Prometheus, and Envoy.

The mission of the CSA is to develop standards, certifications, and best practices around security in cloud computing. The nonprofit organization is led by a coalition of practitioners, corporations, associations and other stakeholders.

See Injection

CVE is a list of publicly disclosed computer security flaws. The list is part of the U.S. government’s National Vulnerability Database and is used to identify unique vulnerabilities and to associate specific versions of code bases to those vulnerabilities.

Similar to the CVE, Common Weakness Enumeration is a searchable “community-developed list of common software and hardware weakness types that have security ramifications.” The list is endorsed by the CWE Community.

A content delivery network is an overlay network that moves content closer to the user to improve performance. For a site owner, CDNs are a relatively low-cost alternative to building regional sites to host content. Although CDN providers invest heavily in security, the CloudBleed bug, which leaked encrypted passwords and other potentially sensitive information to thousands of websites, raised concerns about potential security issues associated with distributing content and SSL key security.

Digital couponing is big business, so naturally criminals have found ways to take advantage. Coupon scraping is the practice by someone of scaping coupons from a website, changing the affiliate links to their own, and republishing the coupon codes on their own site and collecting an affiliate commission in the process. Another version is to redirect those coupon hunters to another site for the same product, in exchange for a commission.

Credential abuse is the effort by a hacker to access a system using pilfered or created credentials of authorized users. An offshoot is credential stuffing, whereby attackers use a brute force attack to send a list of compromised user credentials (user names, passwords) try to break into a system.

A type of brute force attack, credential stuffing is an attempt to gain access to a system by using stolen log-ins and passwords. The attacker uses an automated web injection to enter a large number of credentials that may have been stolen or left vulnerable in hopes of matching an existing account. Credential stuffing is one of the most popular breaches and can yield credit card and other personally identifiable information.

XSS the is act of running arbitrary scripts in a victim’s browser in order to deface websites, compromise sessions, or redirect users to malicious websites (usually to steal data for use in identity theft or account takeover). The vulnerability lies in using untrusted data to render HTML pages without validating, sanitizing, and escaping the values.What to look for in your code:* Including unvalidated and unescaped user input in HTML output.* Storing unvalidated and unescaped user input for later use in HTML output (i.e. a forum post or comment)* SPA frameworks that dynamically update the HTML of a page based on unvalidated and unescaped input.

Mining cryptocurrencies such as Bitcoin is a data-intensive, energy-draining, and expensive undertaking. So cybercriminals have learned ways to spread the work, as it were, by farming out the solving of complex mathematical problems to unsuspecting computers used in smartphones, desktops, and servers. One method is to trick the user into downloading malware that works in the background to verify the cybercurrency transactions. Even the smartest companies are vulnerable. In 2018, Google was infected by cryptominers who used malware to jack into the processing power of YouTube’s ad network.

Dynamic Application Security Testing tools mimic a penetration tester. They perform attacks against a running application to find vulnerabilities attackers can exploit. They typically spider an application to find different paths to resources and then send payloads to try to exploit various common vulnerabilities. They report on the results, whether the attacks were successful or the application successfully resisted. DAST tools lack understanding of business logic and thus have trouble finding authentication and authorization vulnerabilities.

Links

• Blog: Does Dynamic Application Security Testing (DAST) Deliver?
• Wikipedia

A data breach is an incident where a criminal steals confidential, sensitive, or protected information with the intent of using or selling the acquired data. Breaches are caused in a variety of ways. Attackers may exploit an organization’s technology weaknesses or human weaknesses, such as duping a user into revealing their password. But breaches may also be caused internally by poorly written code or by APIs that inadvertently expose protected information.

Data leakage is the unauthorized transfer or exposure of data to an external entity. Data leakage can happen via the Internet, email, or hardware devices such as USB drives, hard drives, or laptops. Data Loss Prevention technologies were created to prevent data leakage and help companies keep data within their borders.

Distributed Denial of Service (DDoS) attacks are denial of service attacks performed by many distributed nodes across the Internet. A denial of service occurs when an attacker brings down a website so that legitimate users cannot access it. DDoS is often performed by armies of bots pointed at one website. DDoS attacks are often used for political statements or to embarass and hurt the revenue of a company.

Defense-in-depth is a security strategy that layers various components throughout the network, presenting a more complex defense for attackers to navigate. If one defense fails, another protection layer steps up to defend. DiD has three layers of security: physical, technical, and administrative. This strategy is often compared to a medieval castle, which presents attackers with a moat, ramparts, draw bridge, towers, and battlements

DevOps is a movement and philosophy with the goal of delivering software application faster and with more reliability than traditional modes of operation. DevOps brings together the development and operations disciplines to achieve maximum flexibility, scalability, and reliability of software applications. Automation, collaboration, and fast feedback cycles are the core tenets of DevOps.

Like cookies, device fingerprinting can be used to identify and track online users. The technology attempts to identify a unique device by capturing attributes such as the underlying operating system, the device’s IP address, and the type and version of the browser. Online advertising companies hit on device fingerprinting as an alternative to placing cookies on devices. The practice has drawn the ire of browser makers, however, who see the technology as a threat to user privacy.

DevSecOps adds the security discipline to DevOps. Security teams work in collaboration with development and operations to ensure that environments and applications stay secure. For instance, DevOps focuses on repeatable processes for creating application environments on demand and deploying code to them. DevSecOps includes security so each new environment created is locked down by default and safe for deployment without any manual configuration required.

APIs tend to return all data fields held within an object, expecting the client to filter and show the data it needs. This data exposure can aid in attacking the application or lead to data breaches. For example, returning the address with a user object with every request or exposing an “admin” field an attacker may try to manipulate using other means.What to look for in your code:* API methods that return raw objects from the ORM with all fields included.

Fuzz testing, or fuzzing, is a quality assurance method for detecting coding errors or vulnerabilities before being put into production. The idea is to search for implementation bugs by injecting the system with malformed or random inputs and assessing the system’s response. It’s kind of like running water through a pipe at high velocity to see where it leaks.

A far-reaching regulation protecting personal data online that was adopted by the European Union in 2018. Companies that violate the rules face fines of up to $24.1 million or 4% of annual global turnover, whichever is higher. (Google was hit with a $56.6 million fine in 2020.) The GDPR framework for organizations to follow when collecting personal data lists seven key principles:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability”

Fraudsters attempt to convince targets to pay them using a gift card, such as Apple’s iTunes or Google Play. They request you provide them with the gift card number and PIN — at which point they have control of whatever balance is on the card. The defense against these crimes is simple: Never trust any person or organization requesting payment through a gift card.

GraphQL is an open source query language for APIs, and a runtime for fulfilling those queries with existing data. Sitting between the client and data sources, GraphQL receives client requests and retrieves the data based on the client’s requirements. In this way GraphQL makes APIs more responsive, developer-friendly, and flexible. Internally developed by Facebook, the GraphQL project is now coordinated by GraphQL Foundation and hosted by the Linux Foundation.

Interactive Application Security Testing tools are a relatively new addition to the web application security landscape. IAST tools aim to combine the benefits of SAST and DAST to create a more complete picture of application vulnerabilities. IAST tools are embedded within the application and have visibility into the code. While the application runs automated functional tests within a staging environment, IAST will search code execution paths for possible vulnerabilties. Some may even try to perform attacks on parts of the code that may be vulnerable to validate errors and reduce false positives. A downside of IAST is the heavy dependency on a large suite of automated functional tests, which may make it difficult to use in legacy applications.

API proliferation can cause poor documentation and old API endpoints to be exposed, which lead to vulnerabilities in endpoints you didn’t know were exposed publicly. Warning signs:* Outdated API inventory* API endpoints with unclear purposes* No retirement plan for old API versions.

An incident is an accidental or deliberate event on a computer network or system that results in the loss of private, financial, or other sensitive data. In addition, an incident refers to activities that prevent a system from being used (See DDoS attack). Any malicious attack on a computer system is considered an incident, even if unsuccessful.

An attack on a system, if detected, will trigger an incident response. Larger organizations often have well scripted responses that attempt to shut down the attack or isolate its effects, coordinate efforts with partners who might also be affected, craft a response to stakeholders and customers, and work with law enforcement. Smaller firms may have similar roles and responses during an attack but also rely on the prevention, detection, and response capabilities built into their security software. The primary goals of any incident response are to limit damage and shrink recovery time.

Injection occurs when untrusted data is sent to an interpreter as a command or query. Interpreters execute code as it comes in, instead of compiling it into an executable. This distinction means that interpreters can be easily tricked into using data as a command. Attackers use these flaws to steal data. Common injections include SQL, NoSQL, LDAP, OS, and ORM. What to look for in your code:
* User-supplied data isn’t validated, filtered or sanitized
* Untrusted data is sent directly to the interpreter (i.e. concatenated to an SQL query)
* Untrusted data is sent directly into an ORM search function.

Serialization changes the format of an object in code to make sending it to a server more efficient. The server then deserializes the object upon receipt so it can process the request. Insecure deserialization of objects allows attackers to make calls to system resources upon deserialization. This vulnerability leads to remote code execution along with replay attacks, injection attacks, and privilege escalation attacks.What to look for in your code:* Accepting serialized objects from untrusted sources* Using serialization mediums that permit more than primitive data types.

IDOR vulnerabilities are access control issues made possible when an application exposes a reference to an internal implementation object. This allows cybercriminals to launch an enumeration attack to discover access to the associated objects.

An attack typically goes unnoticed for over 200 days. Insufficient logging and monitoring allows attackers to persist longer, leading to devestating data exfiltration and destruction.What to look for in your code:* Poor integration between logging and incident response teams* Not logging login attempts, login failures, and high-value transactions* No monitoring of log files* Log messages are unclear or two broad in language to be useful.

We often think of security threats as coming from outside the organization, but attacks from employees, former employees, partners, and even family members with insider access to the network are just as dangerous — responsible for 30% of data breaches, according to security research firm DBIR. The rise of work-from-home employees has only expanded the threat surface that security teams must defend. Internal threat intelligence is understanding which employees are authorized to access what services, then using automation, AI, and machine learning to search for user anomalies that could lead to breaches.

When an online shopper places an item into their shopping cart, the product is often removed, temporarily, from the merchant’s inventory, meaning it is not available to other shoppers. Typically, the cart will return the item to available inventory after 15 minutes or so of inactivity by the shopper. Inventory hoarding is the practice by an attacker of using a bot to repeatedly place an item in a cart, making it unavailable for sale over an extended time. An attacker’s motive may be to hurt store sales or perhaps drive up a product’s scarcity, and thus value, on the market.

Istio is a service mesh that manages distributed microservices in a cloud-native application. (See Service mesh)

One of longest-running cyberexploits, keystroke logging is the use of software to track a user’s keystrokes as they access an application or website. The program sends the data back to the attacker, who then has a ready-made log-in script with user name, password, and credit card numbers. More sophisticated keylogging software, used on a mobile device, can capture screen grabs, GPS data, and even audio or video data. Keystroke software is also used legitimately by businesses to track user experience issues and by law enforcement.

First developed by Google, Kubernetes is an open-source system for automating, scaling, and managing the containerized applications that are prevalent on today’s distributed networks. For better security, sensitive information can be stored in Kubernetes’ objects known as “secrets” that are largely invisible in the network. Although not inherently insecure, containers can be vulnerable to attack, especially if they are misconfigured or treated as a security afterthought.

APIs that don’t limit the size or number of resources a user/client can request leave themselves open to denial of service and brute force attacks.Limits you should enforce:* Execution timeouts* Max allocable memory* Number of file descriptors* Number of processes* Request payload size (e.g. uploads)* Number of requests per client/resource* Number of records per page to return in a single request response.

Like faucets and tires, APIs can leak. But what APIs leak is much more precious than water or air; they can expose personal information. APIs are used to exchange sensitive data in cloud applications, integrate third-party partnerships, and enable smartphone apps. Attackers can access account records by exploiting the fact that there is no agreed upon protection solution, and that companies will often give short shrift to API security in favor of a better user experience. A new category of API security solutions use an end-to-end approach to understand the big picture of every API transaction and identify malicious activity.

Local file inclusion is a vulnerability that allows a hacker to gain access to a system. By including a file in the attack that is already present on the target server, the attacker exploits vulnerable inclusion procedures implemented in the application.LFIs can be thwarted in part by avoiding the passing of user-submitted input. or creation of an allow list of files.

Machine learning is a branch of artificial intelligence that studies computer algorithms that are able to learn from experience. They do this by analyzing large amounts of data and using that data to build statistical models. The program can use the models to make predictions, take action, and learn from that action.

Magecart is a form of data-harvesting exploit used by attackers to target online shopping carts and web forms even as a customer is checking out. Using JavaScript injected into a site, the attacker skims off user account information that may include passwords, e-mail addresses, and card numbers. The purloined data is sent back to a server operated by the attacker. Shopping cart technology is a popular target because it is often developed by third-party providers whose security provisions may be poorly vetted by website operators before deployment. Magecart may also refer to cybercriminal groups that perform these attacks.

Objects in modern applications have many properties, but not all the properties should be updated directly by a client. A mass assignment flaw exists when an API endpoint automatically converts client parameters into internal object properties without considering the sensitivity of the properties. What to look for in your code:* Using objects instead of view models within your API endpoints* Relying on frameworks to assign property values taken from parameters and request bodies.

Microsegmentation allows network administrators to securely isolate workloads in cloud environments and data centers. System administrators can secure each application separately, preventing east-west cross-contamination if a breach occurs. Microsegmentation works well in a zero trust security environment.

Microservices are small services that together make up an entire web application or API. They take the “do one thing exceptionally well” mantra of Unix/Linux development and apply it to software applications. In a microservice architecture, one request to a site may result in dozens or even hundreds of separate requests to focused microservices on the back end. Advantage of microservice architecture include increased speed of development, flexibility, developer autonomy, and scalability.

‍Links

• Blog: The Evolution to Cloud-Native Applications and APIs
• Wikipedia

Next Generation WAFs, or NG-WAFs, are WAFs with added features to help overcome the shortcomings of rules-based security. NG-WAFs add ML features such as behavior analysis and anomaly detection to find and prevent attacks traditional WAFs miss. NG-WAFs are also more compatible with cloud-native applications.

Links

• Blog: Why Web App Firewalls Aren’t Protecting Your Cloud-Native Apps
• Wikipedia

See Injection

OAuth is a delegated authorization framework for REST APIs that allows users to to log-in to third-party services without having to expose their password. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with bearer tokens granting access, rather than relying on credentials. Attackers can exploit the token technology to gain access.

The Open Web Application Security Project is a nonprofit foundation that works to improve software security all over the world. OWASP has many projects, each with the goal of helping developers and organizations build secure applications. Some of the most well-known projects are the Top 10 LIst, the Application Security Verification Standard, and the Software Assurance Maturity Model.

The OWASP Top 10 is a list of the 10 most common and impactful web application vulnerabilities. It was built by contributions from over 40 companies, who sent vulnerability data so OWASP could determine the most common attacks happening in the wild. The vulnerabilities are also graded based on how easy they are to find and the impact of exploitation. The OWASP Top 10 is a foundational starting point for web application security.

The OWASP API Top 10 is similar to the web application top 10 but has a focus on API vulnerabilities. The different tools and technologies used to create APIs also changed the way attackers attack applications. The API Top 10 brings attention to the common flaws seen in APIs that aren’t necessarily present in traditional web applications.If your application uses APIs, review the API Top 10 as you build them.

The Payment Card Industry creates standards for handling payments with credit cards. The most well known is the Payment Card Industry-Data Security Standard (PCI-DSS), which outlines security controls required for ensuring the protection of credit card data such as credit card numbers, card strip data, expiration dates, and cardholder names. If your business processes credit card payments, you need to be PCI compliant or face fines and penalties from PCI and your bank.

Penetration testing mimics an attacker to anticipate vulnerabilities within a software application. Highly trained and experienced testers understand how attackers think and what tactics they use to compromise applications and steal data. These testers use real-world techniques against a running application in order to find vulnerabilities before malicious actors find them. The development teams then have the opportunity to fix issues before they cause major problems.

Personally Identifiable Information is any information that can be used to identify a specific person. Some examples are name, Social Security number, address, and birth date. Some data can be used alone to identify someone (like SSN), and others can be combined to identify a person (name, birth date, address). Attackers often want to steal PII for identity theft purposes or to sell on the dark web.

In some NAC implementations, the PDP is a wired switch or wireless access point. In others, it’s a firewall, IPS, server, or inline appliance. Depending on the implementation, the PEP and PDP can either be standalone devices or consolidated into a single device.

The Policy Enforcement Point is the place on a network where policy decisions around access are enforced.

While many security models start with a premise that all users are valid until proven otherwise, positive security begins tabula rasa, a blank slate. All users are rejected unless they are specifically authorized by correctly answering a security challenge or appearing on an approved list. Positive security is also known as the “whitelist model.”

Protected Health Information is PII in a medical context. PII that appears on medical records and is used in the course of medical treatment or the discussion of such treatment by medical staff is PHI. It is protected under the Healthcare Insurance Portability and Accountability Act. PHI includes past, present, and future medical records of an individual, services rendered to that individual, and billing information. Like PII, PHI is a tempting target for attackers.

Some organizations create purple teams to facilitate the communication and cooperation of the red and blue teams (red and blue make purple). It’s debatable whether a separate purple team is actually necessary, especially when red and blue teams collaborate well together. However, there can be value in a “purple team exercise” where red and blue teams work in tandem on a single project to build better relationships between the teams.

RESTful API Modeling Language is used by developers to document REST APIs. The documentation describes an API’s structure and intent so it can be easily understood by developers and other API users. RAML can also be used to define the security to be used for the API.

If WAFs serve as the moat of the castle, Runtime Application Self-Protection (RASP) tools are the castle guards. RASP is deployed within the runtime environment of the web application. It’s able to see and change application behavior to prevent attacks in realtime.

Links

• Blog: What Runtime Application Self-Protection (RASP) Doesn’t Solve
• Wikipedia

Red teaming takes penetration testing to the next level, using advanced tactics to find software, hardware, physical, and human vulnerabilities. It’s usually performed by a team of experts, each launching different hacking and social engineering attacks and finding weaknesses in a company’s infrastructure. Traditional penetration testing tends to focus only on software, whereas red teams focus on all aspects of a company’s security. Another key difference is that red teams don’t announce their presence before the test. This ensures that the results reflect more accurately what would actually happen if the attack occurred for real.

RCE allows a hacker to remotely inject any code on an unsuspecting victim’s computer for execution. Contrast RCE with arbitrary code execution (ACE), which allows a hacker to take over a machine through a vulnerable application (not remotely) and execute arbitrary commands on the host operating system.

See API Security

Assessing an organization’s vulnerability to inside or outside cyberattack is called risk assessment. Risks to be evaluated include understanding external connections such as customer-facing APIs, connections to partners, external SaaS services, and data backends. Organizations can also hire professional hackers to attack their systems to expose vulnerabilities (See Penetration testing). Business risk is also essential to determine, such as loss of customers, loss of reputation, and exposure to lawsuits and regulatory fines.

Static Application Security Testing is the process of scanning application code to find possible vulnerabilities. The term “static” refers to the testing of precompiled code to detect programming patterns that could lead to exploitation. For example, a SAST tool may find concatenation of untrusted input within the code and flag it as a possible SQL injection vulnerability. A downside of SAST is a tendency for false positives since code that looks incorrect may not be a vulerability.

In 2018, a massive denial of service attack on GitHub was quickly extinguished in part by the actions of a scrubbing center. GitHub routed its traffic to DDoS mitigation service Akamai Prolexic, which did what scrubbing centers do: scrub out malicious traffic and send the remaining clean traffic towards its final destination. Scrubbing centers are often used as part of a comprehensive solution that could include CDN, DNS protection, and edge and application DDoS appliances.

A secure SDLC is the series of activities and milestones used to create secure software. It takes the typical stages of the SDLC and includes necessary security activities to ensure a piece of software is not vulnerable to attack.

Web application frameworks often have many options for developers to choose from that affect how they operate. This choice leads to misconfiguration, as making the wrong decision (or leaving unsecure defaults) leaves security holes attackers use to steal data or otherwise compromise the application.What to look for in your code:* Missing or misconfigured security headers* The use of default values* Revealing stack traces when errors occur.

For all their benefits, distributed cloud-native networks increase the threat surface that malicious actors can operate on. The concept of observability is simply designing an architecture so that its many layers, levels, and connections are easily observable, allowing IT and security teams to detect abnormalities quickly.

An organization’s SOC is commonly a physical location where security defenses and responses are coordinated. SOC’s typically monitor for attacks, upgrade defenses to counter emerging threats, invest and maintain equipment, and train personnel.

A security posture is the overall “grade” of security for an organization. It includes all security controls an organization has in place as well as the way the organization detects and defends against cyber attacks. A security posture takes into account network, software and hardware assets, services, and information.

Many applications don’t protect sensitive data, such as financial, healthcare, or PII. Attackers can steal or modify this data to perform credit card fraud and identity theft. Sensitive data requires extra protection, such as encryption in transit and at rest.What to look for in your code:* Transmitting data in plaintext, such as using HTTP, FTP, and SMTP.* Using old or broken encryption algorithms* Poor cryptographic key management.

Serverless computing is the ability to run code within a cloud environment without worrying about server configuration and deployment. It’s not truly “serverless,” but rather features an interface for developers to write and run code without provisioning and configuring servers. From the developer’s point of view, the code just runs when required. AWS Lambda is an example of serverless computing.

Service meshes, which are commonly deployed with cloud-based applications, containers, and microservices, control delivery of service requests to microservice applications. That makes service mesh technology a natural ally for distributed tracing, which can track activities resulting from requests to an application,

Shadow APIs are unknown APIs that are publicly exposed. These APIs pose a risk because APIs that no one knows are publicly exposed could be a target for attackers. API discovery tools can help find shadow APIs so you can properly protect them or shut them down if they’re unnecessary.

Cloud computing presents a dilemma, As organizations move their resources from their own premises to the cloud, who owns security? The shared responsibility model. According to the Cloud Security Alliance (See entry above), responsibility is shared. In general, the cloud provider is responsible to secure physical infrastructure, compute, and network systems from outside physical access and from digital access and insider threats. The customer’s responsibility is to protect everything they run in the cloud. Responsibility roles continue to evolve, however, as newer cloud services go beyond providing just infrastructure-as-a-service, with offerings like serverless compute services.

As more open source software is incorporated into codebases, it is imperative for security teams and IT administrators to identify where and how it is used. Software Composition Analysis (SCA) is an application security testing method used to understand how open source components are utilized.

The Software Development Lifecycle is the series of activities and milestones that take an idea for a piece of software from conception to implementation. A typical cycle includes gathering requirements or acceptance criteria for the application, writing the code, testing it, and deploying it to production. Most modern development teams automate as much of this process as possible.

See Injection

See Injection

Swagger is a brand of open-source tools used o design, build, document, and use RESTful web services. Swagger was originally an open API specification developed by SmartBear Software that has since been renamed the OpenAPI Specification.

Taint analysis is part of Static Code Analysis to identify vulnerabilities in code that can be triggered by user input, whether deliberately or by mistake. For example, attackers can exploit these vulnerabilities with SQL injections to hijack or erase a database. Static Code Analysis tools are used by software engineers to analyze the flow of user input and identify potential unanticipated results.

A threat landscape is a group of threats within a given context or environment. It includes threat actors, risks, vulnerable assets, and current and emerging trends.

Building security into your applications from the start is the best way to protect data. Threat modeling is the process of reviewing the architecture and design of an application to identify potential threats before it’s been built. When threats are anticipated ahead of building an application, mitigations can be designed into it instead of bolted on after the application is finished.

Most applications use open source or third-party frameworks to achieve desired functionality. These components run at the same privilege level as the application. Therefore, if vulnerabilities exist within the components your application depends on, they can perform server takeover or steal data.What to look for in your code:* No up-to-date record of the components in use* No mechanism to update components when patches are released* Using vulnerable, unsupported, or out-of-date software.

A VPC is an on-demand private cloud within a public cloud environment. They offer users greater separation from other cloud customers. and advanced security options.

Web application and API Protection services protect modern web applications and APIs from a variety of attacks. WAAP services include NG-WAF and RASP capabilities along with Distributed Denial of Service (DDoS) protection and malicious bot detection. WAAP aims to meet the security needs of modern, API and microservice-based web applications.

Web application firewalls take the idea of network firewalls and apply them to web applications. It scans all traffic coming into a web application to find possible attacks, such as cross-site scripting and SQL injection. WAFs use rules and signatures to know what to look for within the request that flags it as a possible attack.

Links

• Blog: Why Web App Firewalls Aren’t Protecting Your Cloud-Native Apps
• Wikipedia

see API Security

Web application security is the discipline of applying sound security principles to protect the confidentiality, integrity, and availability of web applications. Web applications are the most common way for customers to interact with businesses and they are a juicy target for attackers. Web application security seeks to protect web applications by hardening network, code, and infrastructure against attack.

Web scraping software allows the user or an automated bot to extract underlying HTML code and data from a site, then replicate the entire website content elsewhere.Scraping is not automatically illegal — in fact, sites that offer comparison shopping, for example, depend on their ability to scrape data from product sites. Talent hunters use the technology to scour resume sites to identify potential hires. But bad guys using bad bots use the technology to steal intellectual property, hunt for vulnerabilities, and hijack accounts. Specialized antibot services claim to be able to mitigate scraping abuse, and some cybersecurity defenses are equipped to detect and block scraping bots.

WebSocket is a communication protocol between a browser and web server designed to speed real-time, two-way data transfer, such as in a chat app. As with many newer technologies, security best practices around WebSockets are not well evolved and can lead to a complete security breach, such as in the case of a cross-scripting attack. To protect against these attacks developers are often advised to avoid tunneling in favor of other secured protocols on top of WebSockets, and to use the wss:// protocol over the less secure ws://.

Applications that accept XML content (i.e. XML uploads) may use vulnerable XML processors that evaluate external entity references. Attackers exploit this vulnerability to perform many attacks, such as remote code execution, denial of service attacks, and disclosing internal files.What to look for in your code:* Having document type definitions (DTDs) enabled in an XML processor* Accepting XML directly, or XML uploads from an untrusted source* Using SOAP prior to version 1.2

Often, companies will disclose application vulnerabilities along with the patches used to fix those vulnerabilities. However, a zero-day flaw is a known vulnerability without an existing patch. Zero-day attacks use zero-day flaws to attack software. Patches don’t exist likely because the maintainers of the software don’t know the vulnerability even existed, making zero-day flaws very dangerous. These vulnerabilities are traded on the darkweb for use by malicious actors.