Security Tooling
Application Security
Application security focuses on securing the application itself. Web applications are widely available and open to the public, and this applies to both the UI and the APIs. Both can be maliciously manipulated by bad actors without any internal access to a network. The ability to exploit an application for data without network access makes it an increasingly targeted entry point for hackers. Application security can be instrumented from the very beginning of application development, starting with a secure development mindset.
Secure Development
There are many useful tools that can be used in the SDLC, including SAST, DAST and IAST. In CRM we can run SAST with SonarQube, which also provides an IDE integration, SonarLint. SonarQube is paid for and maintained by CRM. Contrast Security provides IAST scanning (Assess) and RASP (Protect). Contrast can also build an SBOM for applications using the IAST feature, and the Contrast CLI offers SCA and SAST scanning as well. Other important steps in developing and releasing a secure application are IaC scanning, image scanning, cloud posture management, admission control and secrets management. Those features can be accessed from the Checkpoint - Cloudguard suite of tools. Contrast and Cloudguard are paid for and managed by GSO; CRM SW is a user of those tools but not an owner.
OWASP
The Open Web Application Security Project (OWASP) provides a ranking of the 10 most critical web application security concerns.
The OWASP Top 10:
- Injection—code injection involves a query or command sent to a software application, which contains malicious or untrusted data. The most common is SQL injection, but it can also affect NoSQL, operating systems, and LDAP servers.
- Broken Authentication—many applications have inadequate or malfunctioning authentication and authorization functions. This can allow an attacker to steal user credentials, or easily gain access without appropriate credentials.
- Sensitive Data Exposure—applications and APIs may openly expose sensitive data belonging to the organization or its customers, including financial or payment details and personally identifiable information (PII).
- XML External Entities (XXE)—attackers can make malicious use of external entity references in XML documents, due to vulnerabilities in old XML parsers. These can be used to gain access to internal files, scan ports, and execute code remotely.
- Broken Access Control—restrictions for authenticated users are not implemented correctly. An attacker could use this to gain access to unauthorized functions or data, access another user’s account, view sensitive files, or change permissions for other users.
- Security Misconfiguration—even if an application has security features, they can be misconfigured. This commonly occurs because no-one changed the application’s default configuration. This includes failure to patch operating systems and frameworks.
- Cross-Site Scripting (XSS)—allows an attacker to run a malicious script in a user’s browser. This can be used to steal their session, redirect users to malicious sites, or perform defacement of websites.
- Insecure Deserialization—faults in the way code is taken from a file and constructed into an object. This can enable malicious code execution, privilege escalation, and replaying activity by authorized users.
- Using Components with Known Vulnerabilities—multiple vulnerability databases report known vulnerabilities in software components. Software that uses a vulnerable component (even just as a dependency of one of its components) is exposed to attack.
- Insufficient Logging & Monitoring—many applications may not have means of identifying or recording attempted breaches. This can mean that breaches go undetected, and attackers may perform lateral movement to compromise additional systems.
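As an added example (not code from this page or from any of the tools it names), the Injection item above shown in code: the same user lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table, the sample rows and the function names are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # VULNERABLE: untrusted input is pasted into the query text, so the input
    # can change the structure of the statement rather than only its data.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn, username):
    # HARDENED: the statement text is fixed; the value is bound as a parameter
    # and the driver never interprets it as SQL. This is what SAST tools such
    # as the ones named on this page flag when it is missing.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Constructed input: the textbook tautology that turns a lookup into "match all".
TAUTOLOGY = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, TAUTOLOGY),
        "parameterized": find_user_parameterized(conn, TAUTOLOGY),
        "parameterized_legit": find_user_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated version returns every row for the tautology input, while the parameterized version returns nothing for it and still finds a genuine username.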
Helpful links:
- OWASP Top10
- AppSec via Checkpoint
- Checkpoint - Cloudguard
- Contrast Security
- SonarQube