Information about Application Security
Application security encompasses measures taken to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, or deployment of the application.
Applications only control the use of resources granted to them, and not which resources are granted to them. They, in turn, determine the use of these resources by users of the application through application security.
Common exploits
Networks still face many challenges, but advancements in network security have made networks less exploitable. As networks become more secure, the comparatively insecure application layer becomes an attractive target for hackers. These are just a few of the exploitable vulnerabilities and attack methods common to applications:
- SQL injection
- Cross-site scripting (XSS): this flaw has become the most popular among attackers, according to a recent study
- Buffer overflow
- Directory traversal
- Denial of Service (DoS)
- Man-in-the-middle
- Session hijacking
Security testing for applications
Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle.

Vulnerability scanners, and more specifically web application scanners, are often used by security experts to automate the security testing, but this doesn't completely eliminate the need for manual testing. Common examples of vulnerability scanners designed for testing applications include Nikto (open source), N-Stalker [1] (commercial or freeware, depending on the edition) and Sandcat [2] (freeware).
Security standards and regulations
Sarbanes-Oxley Act (SOX)
Health Insurance Portability and Accountability Act (HIPAA)
IEEE P1074
ISO17799
Gramm-Leach-Bliley Act
PCI Data Security Standard (PCI DSS)
External links
- Open Web Application Security Project
- The Web Application Security Consortium
- CGISecurity - Application Security Portal
- SearchAppSecurity.com
- Security blog
Application Security definitions
A security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys
Application software is a subclass of computer software that employs the capabilities of a computer directly and thoroughly to a task that the user wishes to perform. This should be contrasted with system software which is involved in integrating a computer's various capabilities,
An operating system (OS) is the software that manages the sharing of the resources of a computer. An operating system processes system data and user input, and responds by allocating and managing tasks and internal system resources as a service to users and programs of the
A vulnerability refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability (i.e. the C.I.A. triangle of the NSTISSC), access control, consistency or audit mechanisms of the system or the data and applications it hosts.
Software design is a process of problem-solving and planning for a software solution. After the purpose and specifications of software is determined, software developers will design or employ designers to develop a plan for a solution.
Software engineering is the application of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software.[1] The term software engineering
Access control refers to the practice of restricting entrance to a property, a building, or a room to authorized persons. Physical access control can be achieved by a human (a guard, bouncer, or receptionist), through mechanical means such as locks and keys, or through
Network security consists of the provisions made in an underlying computer network infrastructure, policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access and the effectiveness (or lack) of these measures
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not
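As an added illustration of the defect this definition describes (example code written for this page, not part of the original article or of any cited project), the following Python snippet uses an in-memory SQLite database to contrast a query assembled by string concatenation with one that binds the user-supplied value as a parameter. The users table, its two rows and the inputs are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple[str, str]]:
    """The defect the definition describes: the untrusted value is pasted into
    the statement text, so a quote character inside it is parsed as SQL syntax
    rather than as part of the string literal."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[tuple[str, str]]:
    """Parameter binding: the statement text is fixed and the driver passes the
    value separately, so it can only ever be compared as data."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def query_shape_changed(name: str) -> bool:
    """Detection aid only: an input containing a string-literal delimiter would
    alter the structure of a concatenated query. Logging on this helps spot
    probing, but it is not a substitute for binding parameters."""
    return "'" in name


if __name__ == "__main__":
    db = make_db()
    benign = "bob"
    # Constructed input containing a quote: it ends the literal early and the
    # remainder is parsed as an extra, always-true condition.
    hostile = "x' OR '1'='1"
    print(lookup_vulnerable(db, benign))   # only bob's row
    print(lookup_vulnerable(db, hostile))  # every row: the WHERE clause was rewritten
    print(lookup_safe(db, hostile))        # no rows: nobody is literally named that
```

The important point is that the safe variant never inspects or "filters" the input at all: because the value travels separately from the statement, no character in it can change what the statement does, which is why parameterised queries are preferred over escaping.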
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts.
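The definition above says malicious users can inject code into pages viewed by others; the following Python example, added here and not taken from the original article, shows the rendering mistake that allows this and the context-aware output encoding that prevents it. A small HTMLParser subclass is included so the two renderings can be compared by what a browser would actually see as tags and attributes. The comment template, the author name and the comment body are constructed for the example.

```python
import html
from html.parser import HTMLParser


def render_comment_vulnerable(author: str, body: str) -> str:
    """Untrusted text is interpolated straight into the page: any markup a user
    submits becomes part of the HTML that other visitors' browsers execute."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    """Encode each value for the context it lands in. html.escape turns <, >, &
    into character references; quote=True additionally escapes quote marks,
    which is what stops a value from closing the data-author attribute."""
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f"<p>{html.escape(body)}</p></div>"
    )


class _TagCollector(HTMLParser):
    """Records the tags and attribute names a browser would see in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def parse_fragment(fragment: str) -> tuple[list[str], list[str]]:
    """Return (tag names, attribute names) found in the rendered fragment; used
    here to check whether user-supplied text added any markup of its own."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, collector.attr_names


if __name__ == "__main__":
    # Constructed inputs: a comment body carrying a script tag and an author
    # name that tries to break out of the quoted attribute.
    body = "Nice post <script>alert(1)</script>"
    author = 'mallory" onmouseover="alert(1)'
    print(parse_fragment(render_comment_vulnerable(author, body)))  # script tag and event handler present
    print(parse_fragment(render_comment_safe(author, body)))        # only the template's own div and p
```

Note that the encoding is chosen per context: the same html.escape call is not sufficient for values placed inside a script block or a URL, which need their own encoders.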
A buffer overflow, or buffer overrun, is a programming error which may result in a memory access exception and program termination or, in the event of the user being malicious, a possible breach of system security.
A directory traversal attack exploits insufficient security validation or sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
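As an added example (not from the original article) of the validation the definition says is missing, the Python snippet below confines a user-supplied file name to an allowed directory with a component-wise prefix check, and adds a small detection helper for request logs that catches percent-encoded and double-encoded parent-directory segments. The root directory /srv/files and the sample inputs are constructed for the example and do not need to exist on disk.

```python
import os
from urllib.parse import unquote


def safe_join(root: str, user_path: str) -> str:
    """Resolve user_path inside root or raise ValueError.

    The check is lexical: join, normalise '.' and '..' segments away, then
    require root to be a prefix by path component (os.path.commonpath), not by
    string prefix, so '/srv/files2' is not mistaken for a child of '/srv/files'.
    """
    root_abs = os.path.abspath(root)
    # os.path.join discards root when user_path is absolute; normpath then
    # collapses any '..' segments, so the prefix check sees the real target.
    candidate = os.path.normpath(os.path.join(root_abs, user_path))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError(f"path escapes the allowed directory: {user_path!r}")
    return candidate


def is_confined(root: str, user_path: str) -> bool:
    """True if user_path stays inside root under the rule above."""
    try:
        safe_join(root, user_path)
    except ValueError:
        return False
    return True


def has_traversal_segment(param_value: str) -> bool:
    """Detection aid for request logs: percent-decode the logged parameter value
    (twice, so double-encoded input is not missed), treat backslashes as
    separators, and flag any stand-alone '..' segment."""
    decoded = unquote(unquote(param_value))
    return ".." in decoded.replace("\\", "/").split("/")


if __name__ == "__main__":
    root = "/srv/files"  # constructed; the directory need not exist for the lexical check
    for requested in ["docs/report.txt", "docs/../report.txt", "../etc/passwd", "/etc/passwd"]:
        print(f"{requested!r}: confined={is_confined(root, requested)}")
    for logged in ["docs%2Freport.txt", "..%2F..%2Fetc%2Fpasswd", "%252e%252e%252fetc"]:
        print(f"{logged!r}: traversal={has_traversal_segment(logged)}")
```

Two caveats a practitioner should keep in mind: decoding must happen before the check (a web framework normally does this for you, but a log-analysis script must do it itself), and the lexical check does not follow symbolic links, so if the allowed directory can contain links, compare with os.path.realpath of both sides instead.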
A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users.
In cryptography, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised.
The term Session Hijacking refers to the exploitation of a valid computer session - sometimes also called a session key - to gain unauthorised access to information or services in a computer system.
An exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).
A software development process is a structure imposed on the development of a software product. Synonyms include software life cycle and software process. There are several models for such processes, each describing approaches to a variety of tasks or activities that
The Sarbanes-Oxley Act of 2002 (Pub. L.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996.
According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when
The Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), is an Act of the United States Congress which repealed the Glass-Steagall Act, opening up competition
PCI DSS stands for Payment Card Industry (PCI) Data Security Standard (DSS). It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other...