Application Security


Application security services

Cloud migration, microservices and container adoption are driving application modernization, but are your applications secure? Application vulnerabilities are often uncovered late because DevOps and security processes are disjointed. Application security services professionals with a deep understanding of the software development lifecycle (SDLC) can help assess and transform your “shift-left” and DevSecOps practices.

Inside application security services

Application security services involve three key elements:

  • DevSecOps services: helps development, security and operations teams share skill sets for greater collaboration
  • Application security training: onsite or online help to establish enterprise-grade security and software development practices
  • Application threat modeling services: in-depth analysis of application security architectures and their capability against threats

Application Security Benefits

Securely build, deploy and iterate applications everywhere by transforming DevOps into DevSecOps, including people, processes and tooling.

Unifies people, process and technology

Plans, designs, implements, integrates and deploys security strategically into every step of the development lifecycle. Shared skill sets and collaboration help transform people, process and technology into DevSecOps best practices, backed by the IBM® Application Security Center of Excellence.

 
Increases quality, regulatory compliance and cost reduction

Empowers “shift-left” practices that reduce application security defects early in the SDLC, which lowers the cost of fixing software vulnerabilities and improves compliance with industry and government regulations.

Securely accelerates development and innovation

Enables security automation and integration into the continuous integration and continuous deployment (CI/CD) pipeline. Application security training, onsite or online, can drive productivity between DevOps and security for rapid innovation and security-focused software development.


Frequently Asked Questions

There are a number of precautions you should take. All unused services, command shells and programming language interpreters or compilers should be removed from the web server. The web server should be configured correctly, and file permissions granted on a need-to-know basis to authorised parties only. System and web logs should be checked regularly for suspicious activity. The number of user accounts that can log in to the web server should be kept small and properly managed (e.g. ensure that all users select good passwords). User authentication on the web server should be protected by TLS so that passwords cannot be eavesdropped by attackers. Two-factor authentication should also be considered if the system handles sensitive or confidential information.

The following practices enhance the security of web servers:

  • Configure your web server software to prevent leaks of information such as the web server software version, internal IP addresses and directory structure
  • Disable or remove unnecessary modules from your web server software
  • Identify application files on the web server and protect them with access controls
  • When using TLS, back up the server certificate's private key and protect it from unauthorised access

The following are the most common vulnerabilities found in web applications (this list matches the OWASP Top 10 of 2007; later editions rename and reorder the categories, but the underlying weaknesses remain):

  • Cross Site Scripting (XSS)
  • Injection Flaws
  • Malicious File Execution
  • Insecure Direct Object Reference
  • Cross Site Request Forgery (CSRF)
  • Information Leakage and Improper Error Handling
  • Broken Authentication and Session Management
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Failure to Restrict URL Access

The following are security tips for end-users:

  • Don't login to critical web applications from a public computer
  • Don't cache your username and password in your workstation
  • Remember to logoff at the end of a session
  • Use different sets of logins and passwords for different web applications and services
  • Regularly change your passwords used in critical web applications if a one-time password is not supported
  • Report abnormal behaviour to the service provider immediately
  • Ensure that the operating system and system components such as the web browser are fully patched and up to date
  • Install a personal firewall as well as anti-virus software with the latest virus signatures
  • Don't download software or plug-ins from unknown sources

Various security controls should be considered throughout the entire development lifecycle of the project:

  • Collect together the application security requirements
  • Adopt standards or benchmarks according to best practices
  • Define secure coding standards that eliminate attack classes such as SQL injection and cross-site scripting
  • Sanitise application responses: capture all output, return codes and error codes so that nothing unintended reaches the client
  • Do not trust HTTP Referer headers, client browser parameters, cookies, form fields or hidden parameters unless they are verified using strong cryptographic techniques (e.g. a server-side MAC over the value)
  • Keep sensitive session values on the server to prevent client-side modification
  • Serve pages containing sensitive information over TLS and prevent them from being cached
  • Implement session management
  • Implement proper end-user account and access right management
  • Restrict access to back-end databases and the ability to run SQL and OS commands
  • Do not pass client-supplied file names or directory paths to system calls; use a mapping table as a filtering layer between the request and the filesystem
  • Build a centralised module for application auditing and reporting
  • Use the most appropriate authentication methods to identify and authenticate incoming user / system requests
  • Create and perform threat modelling
  • Design and implement a web application security architecture
  • Perform security risk assessment during the development stages to identify the security controls required
  • Enforce secure code standards execution
  • Perform security tests, such as stress tests, system tests, regression tests, unit tests etc.
  • Perform a thorough code review
  • Conduct a full security audit before a production launch and after any major changes to the system
  • Review application logs regularly
  • Implement version control and a separate environment for application development
  • Install a web application firewall
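Three of the controls above (secure coding against SQL injection, cryptographic verification of client-held parameters, and a mapping layer in front of file and path operations) are concrete enough to show in code. The block below is an added example written for this page, not code from the original or from any vendor; the table, secret key, file map and the probe string are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import sqlite3

# All names, keys and data below are constructed for this example.
SECRET_KEY = secrets.token_bytes(32)          # server-side key, never sent to the client
FILE_MAP = {                                   # public label -> real path (mapping layer)
    "report": "/srv/app/files/annual-report.pdf",
    "terms": "/srv/app/files/terms.txt",
}


def make_db():
    """In-memory SQLite table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """The 'before' state a secure coding standard forbids: the client value is
    spliced into the SQL text, so a quote in it changes the query's meaning."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the driver binds the value; it is never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def sign_field(value):
    """Hidden form field or cookie value protected by an HMAC-SHA256 tag.
    The client can read it but cannot forge a tag without SECRET_KEY."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify_field(token):
    """Return the protected value if its tag checks out, otherwise None.
    compare_digest keeps the check constant-time."""
    value, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, tag) else None


def resolve_file(public_name):
    """Mapping layer in front of the filesystem: the client supplies a label,
    never a path, so traversal strings simply do not match anything."""
    return FILE_MAP.get(public_name)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))   # both rows leak
    print("safe:      ", find_user_safe(db, probe))         # []
    token = sign_field("price=100")
    forged = "price=1." + token.split(".", 1)[1]
    print("verify:", verify_field(token), verify_field(forged))  # price=100 None
    print("file:", resolve_file("report"), resolve_file("../../etc/passwd"))
```

The signed-field approach only protects integrity, not secrecy: anything that must stay hidden from the user still belongs in server-side session state, as the list says. The file map is deliberately a dictionary rather than a sanitised path join, because an allow-list cannot be bypassed by encoding tricks the sanitiser did not anticipate.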

The following are some examples of areas that might be examined in an assessment of web application security:

Identification and Authentication

  • How are users and processes authenticated?
  • Is the authentication process implemented in accordance with specifications and in compliance with the security policy of the organisation?
  • If the authentication is based on passwords, how are the user passwords being handled and stored?
  • Is the password handling mechanism in compliance with the security policy of the organisation?
  • Are there any hard-coded passwords or keys embedded in the program source?
  • Is the application required to authenticate each and every session?
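Two of these questions, how passwords are stored and whether credentials are embedded in the source, can be checked mechanically. The block below is an added example for this page, not code from the original; the record format, iteration count, secret-detection patterns and the sample source snippet are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re

# Record format is an assumption for this example:
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000       # current work factor; raise it as hardware gets faster


def hash_password(password, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt per user means equal
    passwords never produce equal records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored):
    """True for legacy formats or records below the current work factor; call it
    after a successful login so the record can be upgraded transparently."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < ITERATIONS


# Patterns a code review would flag as embedded credentials (example set only).
SECRET_PATTERNS = [
    re.compile(r"""(?i)(password|passwd|secret|api_key)\s*=\s*["'][^"']{4,}["']"""),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                  # AWS access key ID shape
    re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
]


def find_hardcoded_secrets(source):
    """Return 1-based line numbers in `source` that match a credential pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(p.search(line) for p in SECRET_PATTERNS):
            hits.append(lineno)
    return hits


# Constructed source snippet for the demonstration.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "Sup3rSecret!"          # hard-coded, should come from a vault/env
aws_key = os.environ["AWS_ACCESS_KEY_ID"]
token = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("wrong", rec))                          # False
    print(find_hardcoded_secrets(SAMPLE_SOURCE))                  # [2, 4]
```

Storing the algorithm and iteration count inside the record is what makes the work factor upgradable without a forced password reset. The pattern scan is a review aid, not a gate: it will miss secrets split across lines or built at runtime, and the only durable fix is to load credentials from the environment or a secrets manager.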

Data Protection

  • Is the data protection mechanism implemented in accordance with the security policy of the organisation?
  • Is all data protected adequately at rest?
  • Is all data protected adequately in transit?
  • If encryption is used, how is the encryption handled?
  • Does encryption handling comply with the overall security policy of the organisation?

Logging

  • Is the audit trail logging mechanism implemented in accordance with specifications?
  • Are the application audit records vulnerable to unauthorised deletion, modification or disclosure?
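The second question is usually answered by making the audit trail tamper-evident: each record carries the hash of the record before it, so a deletion, reordering or edit anywhere in the chain shows up on verification. The block below is an added example for this page, not code from the original; the record layout and the sample events are constructed for the demonstration.

```python
import hashlib
import json

GENESIS = "0" * 64   # placeholder "previous hash" for the first record


def _digest(body):
    """Canonical JSON (sorted keys) so the hash does not depend on dict order."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only records, each chained to its predecessor by SHA-256."""

    def __init__(self):
        self.records = []

    def append(self, event):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "event": event, "prev": prev}
        body["hash"] = _digest({k: v for k, v in body.items()})
        self.records.append(body)
        return body["hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad record).
        Catches edited events, deleted or reordered records, and broken links."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _digest(body):
                return False, i
            prev = rec["hash"]
        return True, None


if __name__ == "__main__":
    log = AuditLog()
    for event in ["login alice", "export report", "logout alice"]:   # constructed
        log.append(event)
    print(log.verify())                       # (True, None)
    log.records[1]["event"] = "export nothing"
    print(log.verify())                       # (False, 1)
```

A chain alone does not stop an attacker who can rewrite every record from the point of tampering onward, so the head hash has to be anchored somewhere the application cannot write to: forwarded to a separate log server, or signed with a key the application host does not hold. That off-box anchor is what turns "tamper-evident" into "unauthorised modification is detectable", which is what the checklist asks.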

Error Handling

  • How are error messages handled?
  • Is there any chance of an information leak that could be utilised in a subsequent attack?
  • Would an application failure result in the system entering an insecure state?

Operation

  • Are segregation of duties and least privilege principles enforced?
  • Have all built-in user IDs, testing user IDs, and IDs with default passwords been removed from the operating system, web servers and application itself before final production launch?
  • Are the system administration procedures, change management procedures, disaster recovery procedures, and backup procedures fully and clearly defined?

It must be emphasised that this checklist is not exhaustive. Depending on the security requirements and specific nature of the target web application, additional test cases or checking criteria should be included according to specific needs.

In addition, when any information system is outsourced to a third-party service provider, proper security management processes must be in place to protect data as well as to mitigate the security risks associated with outsourced IT projects and services.

There are three basic authentication factors (i.e. "something you know", "something you have" and "something you are") commonly referred to in an authentication system. As a way of tackling the increasing threat of identity theft, two-factor authentication should be implemented for conducting high-risk e-transactions. There are five common authentication methods: password- and PIN-based authentication, SMS-based authentication, symmetric-key authentication, public-key authentication and biometric authentication. Details of each method are available at the e-Authentication website.

 

A suggested process flow for business owners wishing to implement a secure e-Authentication system is available at the e-Authentication website, together with guidance on determining the assurance levels and corresponding security requirements.
