AppSec: The Security Specialty That Rules Them All

Michael Levan - Aug 16 - - Dev Community

In this blog post, you'll learn about what AppSec (Application Security) is, what you need to break into AppSec, various AppSec tools, AppSpec terminology, and why it's exciting.

Image description

What's AppSec?

AppSec (Application Security) is the process of finding, fixing, and preventing security issues at the code or API (or both) level. The goal with AppSec is to stop the majority of vulnerabilities, which are usually found at the code level, as soon as possible.

You'll also find that AppSec helps with:

  1. Guidance on app design.
  2. Injecting security throughout the entire software process.
  3. Proper architecture design to help mitigate vulnerabilities.

It's really all about applying best practices at the application layer. This is why implementing AppSec throughout the entire SDLC process is so crucial. Just about every issue starts at the code level and said issues will not be mitigated unless AppSec is within the SDLC process.

AppSec handles everything from mobile to cloud to backend/frontend and even containers/Kubernetes.

What You Need To Know

Everyone in AppSec either has:

  1. A background in programming.
  2. A background in automation/scripting.

Without one of those two, you can't secure applications because you can't secure what you don't know. If you don't know code, you can't secure it.

Because app stacks contain everything from company data to user data to tons of third-party libraries, the app layer is a huge target for bad actors. This is why XSS (an attack that injects malicious code into web apps) is so prominent.

As someone in AppSec, you most likely won't be writing application-level code, but you will definitely be writing a ton of scripts and automation techniques via code. Two of the most popular languages for this are:

  • Python
  • PowerShell

How AppSec Differs From Other Security Disciplines

Regardless of whether or not you're going blue team or red team, security typically falls under the realm of:

  1. Systems
  2. Networks

(You could technically say cloud as well, but let's just stick with Systems and Networks).

Network Security is huge and what you'll see in a majority of organizations, especially in a SOC.

The goal is to either secure networks (proper routing, firewall rules, ensuring the ports that are open are necessary, and a bunch of other pieces to the puzzle) or systems (overall infra, system hardening, OS patching, authentication and authorization, etc.).

The big differentiator with AppSec is it's at the code level.

AppSec And Pentesting/Red Teaming

It's important to understand red teaming/pentesting as someone in AppSec because "attacking" apps (especially web apps) is a huge method of cyber attacks.

Engineers on the Red Team:

  1. Emulates Techniques, Attacks, and Procedures (TTP).
  2. Show the organization from a real-world perspective where they’re falling short with security.
  3. Increases security posture.

Red Teamers can do anything that “hackers” do from running Payloads to performing DDoS attempts. They use “hacking” (I use that term loosely) tools like Metasploit, vulnerability scanners, and just about all software suites that come on distros like Kali Linux.

Penetration Testing (pentest), is all methodical. Typically, pentesters are an outside party (otherwise, they would probably be on the Red Team) and the goal is to attack a network (ethically and with permission) to see how vulnerable an environment is. They either have zero information about the network (Black Hat), some information (Gray Hat), or a lot of information (White Hat).

Pentests can occur across the environment, but there are dedicated pentests for applications and web apps. Because of that, you should 100% know how to pentest as someone in AppSec.

AppSec Terms To Know

Here is a list of AppSec terms you should be familiar with. Please note that the definitions below are from various sources and I did not create them.

Threat modeling: The process of using hypothetical scenarios, system diagrams, and testing to help secure systems and data. By identifying vulnerabilities, helping with risk assessment, and suggesting corrective action, threat modeling helps improve cybersecurity and trust in key business systems.

XSS: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user

OWASP: A non-profit foundation built specifically around webapp security.

Fuzzing: An automated software testing method that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities.

Static Application Security Testing (SAST): Static application security testing is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities.

Dynamic Application Security Testing (DAST): The process of analyzing a web application through the front-end to find vulnerabilities through simulated attacks. This type of approach evaluates the application from the “outside in” by attacking an application like a malicious user would.

Run-time Application Security Protection (RASP): A tool that can detect attacks on applications as they occur. A RASP implementation can protect applications from malicious data and behavior by analyzing how the program behaves. If the application's behavior indicates something is wrong, RASP can help stop the threat

Interactive Application Security Testing (IAST): A combo of SAST and DAST. You can analyze the code during any stage of development and in real-time in the production applications.

Pentesting: The practice of ethically attempting to find vulnerabilities within an application or system and report on them to better prepare defensive measures. Pentesting/offensive work (Red Team) is also known as "hacking".

AppSec Tools

Static Application Security Testing (SAST) Tools

Quickly identify security vulnerabilities in the code and fix them during development.

Dynamic Application Security Testing (DAST)

Analyze security vulnerabilities in real-time in production environments. DAST tools also enable developers to simulate cyberattacks and detect runtime errors.

  • Intruder
  • HCL AppScan
  • Veracode

Webapp Pentesting (also under Red Team/Pentesting)

💡 Lots of pentesting tools (Nmap, Nessus, etc.) fall under the “webapp pentesting” category.

Container Security

Containers are currently the smallest form factor to run an application. You decouple your application stack (sometimes called microservices) into multiple pieces so they can be managed and deployed separately.

Kubernetes Security

Kubernetes is an orchestration system (originally for just containers) that allows you to scale application stacks.

  • Kubescape
  • Aqua Security

Vendors/Tools that “do it all”
1. Snyk (https://snyk.io/)/(https://snyk.io/solutions/application-security/)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .