Web Application Security Strategy - 2023

WEB APPLICATION SECURITY STRATEGY

EC-Council would like to thank Abbas Kudrati, APAC Chief Cybersecurity Advisor,
Microsoft, for authoring this whitepaper.
ABSTRACT
Web applications are at the center of business operations and user experience development
across many industries today. With the increasing use of web-based applications has come
a simultaneous surge in corresponding vulnerabilities. Malicious hackers tend to exploit
bugs in code and design architectures to access sensitive information. Substantial security
measures and frameworks are needed to protect applications from the security risks
identified in the OWASP top 10. This paper discusses the threat landscape described by
OWASP in the context of relevant application security principles, the need for security
during the SDLC lifecycle, and novel methods for achieving it.

Keywords: application security, web applications, OWASP, CVE, CWE, DevSecOps


CONTENTS
Introduction 4
Web Applications at the Security Front 4
OWASP Top 10 2021 5
  Broken Access Control
  Cryptographic Failures
  Injection
  Insecure Design
  Security Misconfigurations
  Vulnerable and Outdated Components
  Identification and Authentication Failures
  Software and Data Integrity Failures
  Security Logging and Monitoring Failures
  Server-Side Request Forgery
Sustainable-Security Attributes 8
  Level 1 Attributes
  Level 2 Attributes
  Level 3 Attributes
Software Quality Factors 10
Web Application Security Tactics 10
  Fault Detection
  Fault Recovery
  Fault Prevention
Implementing Security During SDLC 12
  The DREAD Threat Model
  Increased Collaboration
  Developer Companion Framework
  Obfuscation Approach
  Security Expert Perspectives
Conclusion 15
References 15
INTRODUCTION
A web application is designed to meet specific goals of an organization; therefore, the web architecture should be an amalgamation of appropriate design, security, and function. It is challenging for
developers to create an application architecture that considers both performance and security. Consequently, many businesses and developers do not pay much heed to the security aspect of the
application, even though it is critical in light of the current threat landscape. Hence, scores of design solutions often fall short of securing the application and associated database against a potential
breach. Since many businesses rely on web-based applications to conduct their operations, a security incident could lead to a massive loss. It is critical for organizations with a digital presence to prioritize
web application security and invest in a robust information security architecture. Developers must thoroughly analyze the potential causes and effects of security breaches during the software
development stage and fix vulnerabilities. This paper discusses application security assessment, parameters, and challenges faced during the SDLC (Software Development Life Cycle).

WEB APPLICATIONS AT THE SECURITY FRONT


Multiple studies and surveys advocate the need for stable security design tactics to fix issues related to application security. Reports indicate that an estimated 54% of enterprises across the globe
experience a security incident at least once per year. However, only 38% of organizations can mitigate a security attack without any significant impact. Because an organization's website is typically at the
forefront of its information network, a poorly designed website is likely to be a prime target for a malicious attack. Hence, any defects, bugs, and vulnerabilities could render the application architecture
unsecure. To guard against this outcome, the developer should design the application with necessary security controls built in (Hoff, 2013).

Websites and web applications have become an essential resource for businesses to spread their activities across platforms and provide a heightened user experience. But these applications can also
become an entry point for malicious attackers, increasing the security risk significantly. Application security is continuously evolving in response to emerging technological trends, which poses multiple
challenges for organizations that develop custom software for risk management. Many have responded to the issues associated with the changing threat landscape with primarily reactive measures.

Due to the increase in the use of web applications and the proportional growth in the scale and sophistication of the attacks, it is imperative for organizations to incorporate security in the development
stage. The traditional approach involves testing for security flaws and issues following design implementation, but this approach is costly and time-consuming. Hence, security leaders and researchers
prefer to incorporate security aspects during the development process, taking advantage of techniques such as novel source code review and obfuscation techniques.

OWASP TOP 10 2021
The OWASP (Open Web Application Security Project) Top 10 list represents the cybersecurity communityʼs consensus regarding the critical risks currently threatening the security of application
architectures. The current top 10 list, released in fall of 2021, differs from the previous list, released in 2017, in several respects. Some categories have been consolidated, and there are three new
categories. Four categories have been renamed and rescoped to accommodate a new focus on root cause over symptom (“OWASP TOP 10,” 2021).

Eight of the 10 categories were selected from data contributed by AppSec researchers, but OWASP acknowledged that it often takes years for them to find weaknesses, test them at scale, and develop
applicable tools and processes. For balance, it selected the remaining two categories from survey results reflecting what AppSec community experts currently view as essential weaknesses, although
these issues may not yet be apparent in the contributed research data. Following are the OWASP Top 10 - 2021 application security risks:

1 Broken Access Control
Moving up from the fifth position in the 2017 list, broken access control is now considered the most serious web application security risk. Contributed data show more than 318k occurrences of the 34
common weakness enumerations (CWEs) mapped to this category. Broken access control includes all the security vulnerabilities that allow threat actors to bypass the enforced security access
controls.
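The following is an added example, not code from the whitepaper or from OWASP, showing the defect behind most broken-access-control findings beside its fix: a handler that checks only that the caller is logged in and then trusts the object id in the request, next to one that enforces ownership and role at the point of access. The users, invoices and roles ("customer", "auditor") are constructed sample data.

```python
"""Added example: object-level authorization (deny by default, then allow)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "auditor" (hypothetical roles)


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: int


# Constructed in-memory "database"; no real data.
INVOICES = {
    1: Invoice(1, owner_id=100, amount=250),
    2: Invoice(2, owner_id=200, amount=990),
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def get_invoice_vulnerable(current_user, invoice_id):
    """Vulnerable: authenticated, but any logged-in user can read any invoice."""
    if current_user is None:
        raise PermissionError("login required")
    return INVOICES[invoice_id]  # no ownership or role check on the requested id


def get_invoice_secure(current_user, invoice_id):
    """Hardened: deny by default, then allow the owner or a privileged role."""
    if current_user is None:
        raise PermissionError("login required")
    invoice = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours" so the id space cannot be
    # enumerated by comparing responses.
    if invoice is None:
        raise Forbidden("not found or not permitted")
    if current_user.role == "auditor" or invoice.owner_id == current_user.user_id:
        return invoice
    raise Forbidden("not found or not permitted")


def can_read(current_user, invoice_id) -> bool:
    """True/False wrapper around the secure handler, handy for tests and UI gating."""
    try:
        get_invoice_secure(current_user, invoice_id)
        return True
    except (PermissionError, Forbidden):
        return False


if __name__ == "__main__":
    alice = User(100, "customer")
    print("alice reads invoice 2 (vulnerable):", get_invoice_vulnerable(alice, 2))
    print("alice reads invoice 2 (secure):", can_read(alice, 2))
```

The secure handler is written so that the authorization decision sits in the data-access path itself rather than in a separate check the caller might forget; any new endpoint that reaches invoices through it inherits the rule.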

2 Cryptographic Failures
Renamed and rescoped, cryptographic failures currently occupy the second position, having evolved from sensitive data exposure, which was the third-place risk in 2017. Cryptography failures can
lead to breaches and data compromise due to:
• Incorrect use of cryptography
• Obsolete or weak cryptographic algorithms, such as SHA-1
• Operational failure, such as bad key management, or exposure of encryption keys in side-channel or bulk analysis attacks
• Failure to use any encryption
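As an added example (not from the whitepaper), the two password-storage routines below put the "obsolete or weak algorithm" and "incorrect use of cryptography" failures beside the corrected form, using only the Python standard library: an unsalted SHA-1 digest, which is fast to brute-force and identical for identical passwords, versus salted PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison on verification. The iteration count and the sample passwords are assumptions/constructed values.

```python
"""Added example: weak vs. correct password hashing (standard library only)."""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: tune so one hash costs roughly 100 ms on the target hardware.
PBKDF2_ITERATIONS = 600_000


def store_password_weak(password: str) -> str:
    """Weak: unsalted SHA-1. Same password => same hash, and SHA-1 is fast to crack."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password_strong(password: str, salt: Optional[bytes] = None) -> str:
    """Strong: 16-byte random salt + PBKDF2-HMAC-SHA256, serialized with its parameters."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Storing scheme and iteration count lets the cost be raised later
    # without invalidating existing records.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print("weak  :", store_password_weak("correct horse"))
    record = store_password_strong("correct horse")
    print("strong:", record)
    print("verify:", verify_password("correct horse", record))
```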

3 Injection
Though injection moved down to the third position from the 2017 listʼs first spot, injection attacks are still a major concern. Ninety-four percent of the applications were tested for injection, and there
were 274k occurrences of the 33 CWEs mapped to this category. Cross-site scripting (XSS) is now included in the injection category, increasing its scope. Injection attacks are commonly traced to
vulnerabilities in web application code that allow unfiltered user inputs.

4 Insecure Design
One of the new categories in the list, insecure design is a response to application security professionalsʼ observations of multiple increased risk issues related to design flaws. Planning is the most
important phase in any software design methodology; developing an application without considering security in the planning phase can leave it defenseless against certain types of attacks.

5 Security Misconfigurations
Ninety percent of applications were tested for misconfiguration-related vulnerabilities, and more than 208K occurrences of CWEs were found. Security misconfigurations rank fifth in the 2021 list, up
from the sixth position in 2017. Formerly separate, XML External Entities (XXE) are now included in this category. Application security misconfigurations can result from the following vulnerabilities:
• Unnecessary features (unused administrator ports or accounts left open, allowing remote attackers to gain unauthorized access)
• Default account credentials
• Important application and backend database information disclosed in error messages
• Cloud security misconfiguration
• Failure to reconfigure servers and databases following application upgrades
• Unsecure development framework (PHP or ASP.NET) configuration

6 Vulnerable and Outdated Components


This category climbed to sixth from ninth on the 2017 list, where it appeared as Using Components with Known Vulnerabilities. Respondents to the OWASP community survey identified it as the current
second-most-serious threat. Vulnerable and outdated components pose challenges for application security professionals with regard to testing and assessing risks. They affect both the client and
server sides of an application. If the operating system, database, API, development framework, libraries, modules, or any software components that interact with the application are out of date and
not supported, the application can become vulnerable to exploits.

7 Identification and Authentication Failures


Renamed from its previous title, Broken Authentication, this risk category includes CWEs primarily related to identification failures. Its downward trajectory from second place on the 2017 list to
seventh in 2021 is credited to standardized frameworks having become more available. According to OWASP, weak authentication can result from the following attack types:
• Credential stuffing
• Brute-force attacks
• Session hijacking

8 Software and Data Integrity Failures
This new category is related to software updates, critical data, and failure to verify the integrity of continuous integration and continuous delivery (CI/CD) pipelines. An analysis of Common
Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data indicated that one of the highest impacts was associated with the CWEs in this category. That finding resulted in
its placement on the list, with the previous Insecure Deserialization category included. As an example, an attack due to software and data integrity failures could occur if a web application were to
download an update without verifying its file integrity. An attacker could inject malicious code into the update package and distribute it to all connected applications.
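As an added example (not from the whitepaper), the code below shows the check that the scenario above says is missing: an update package is verified against a pinned SHA-256 digest before any of it is installed, and a package that has been altered in transit is rejected. The "downloaded" bytes and the manifest are constructed; the assumption is that the manifest digest reaches the application over a channel separate from the package itself (pinned in the deployment), since a digest fetched alongside the package proves nothing.

```python
"""Added example: verify update integrity before install (hash pinning)."""
import hashlib
import hmac

# Constructed trusted manifest. Assumption: obtained out of band, not from
# the same server or response that delivers the package.
TRUSTED_MANIFEST = {
    "app-1.4.2.tar.gz": hashlib.sha256(b"pretend tarball contents v1.4.2").hexdigest(),
}


class IntegrityError(Exception):
    """Raised when a package cannot be verified; installation must not proceed."""


def verify_package(name: str, data: bytes, manifest=TRUSTED_MANIFEST) -> bool:
    """True only if the package's SHA-256 matches the pinned digest for its name."""
    expected = manifest.get(name)
    if expected is None:
        # An unknown package name is a failure, not a pass: fail closed.
        raise IntegrityError(f"no pinned digest for {name!r}")
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def install_update(name: str, data: bytes, apply_fn, manifest=TRUSTED_MANIFEST):
    """Gate: apply_fn(data) runs only after verification succeeds."""
    if not verify_package(name, data, manifest):
        raise IntegrityError(f"digest mismatch for {name!r}; refusing to install")
    return apply_fn(data)


if __name__ == "__main__":
    good = b"pretend tarball contents v1.4.2"
    tampered = good + b"\n# extra bytes appended in transit"
    print("good package verifies :", verify_package("app-1.4.2.tar.gz", good))
    print("tampered verifies     :", verify_package("app-1.4.2.tar.gz", tampered))
```

A pinned digest protects the download path; it does not by itself prove who produced the package. Where the update source publishes signatures, the same gate should verify the signature and treat the digest as a second check.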

9 Security Logging and Monitoring Failures


This risk category, named Insufficient Logging & Monitoring and occupying tenth place in 2017, moved up to the ninth position due to the attention it received in the latest community survey. Many
industry professionals mentioned its impact on risk visibility, incident alerts, and forensics, ranking it third among current risks. Security logging and monitoring failures do not cause vulnerabilities
directly. However, logs play a crucial role in helping security teams and digital forensics examiners investigate security incidents and respond to active breaches.

10 Server-Side Request Forgery


This new risk category occupies the tenth position on the OWASP Top Ten 2021 list, despite having a low incidence rate, due to its prominence in the community survey. Respondents ranked it as the
number one risk. Server-side request forgery (SSRF) can allow adversaries to force server-side applications to make HTTP requests to domain names they control or to execute arbitrary commands.
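The following is an added example, not from the whitepaper, of the control that addresses the SSRF risk just described: validating a user-supplied URL before the server fetches it. The assumptions are that the application only needs to reach a fixed set of external hosts (an allowlist, constructed here) and never internal addresses; the validator rejects non-HTTP schemes, embedded credentials, hosts outside the allowlist, unusual ports, and literal IP addresses in loopback, private, link-local and similar ranges. It does no DNS resolution so that it runs offline; in a deployment the resolved address should be re-checked with the same range tests before connecting (not shown).

```python
"""Added example: allowlist-based validation of outbound request URLs."""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.test", "cdn.example.test"}  # constructed allowlist


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only when every check passes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        # "https://trusted.host@10.0.0.1/" parses the real host after the '@'.
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not a literal address
    if ip is not None:
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False, f"address {ip} is not a public internet address"
        return False, "literal IP addresses are not allowed; use an allowlisted hostname"
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} is not in the allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, f"port {port} is not allowed"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://api.example.test/v1/items",
        "http://127.0.0.1/",
        "http://169.254.169.254/",
        "https://api.example.test@10.0.0.5/",
    ):
        print(f"{candidate:45} -> {validate_outbound_url(candidate)}")
```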

SUSTAINABLE-SECURITY ATTRIBUTES
The requirements for software to be considered sustainable include ease of maintenance, fulfillment of its purpose over time, and ability to function in spite of uncertainty. Sustainability attributes are
classified into three levels, with each level interdependent on the other (Agrawal et al., 2019).

The level 1 factors are confidentiality, integrity, availability, and perdurability. The sustainability factors at level 2 are reliability, extensibility, flexibility, functionality, effectiveness, and
understandability. There are seven design attributes that influence sustainable security at the third level: abstraction, coupling, encapsulation, inheritance, polymorphism, design size, and cohesion.

Level 1 Attributes

Confidentiality: The confidentiality principle requires that the website or associated application data be accessible only to authorized users with credentials. Access restrictions are managed by
creating user roles with specific functions and limitations.

Integrity: The integrity principle guards against accidental or intentional modification throughout the data lifecycle. Data integrity may be tested using either a closed box or open box method. With
the closed box method, the tester has limited knowledge of the application; with the open box method, the tester has visibility into the internal workings of the application.

Availability: The availability principle requires that error-free data be accessible to all authorized users as intended or required by the business operation.

Perdurability: Perdurability applies to the extent a software system may be modified and reused for the purpose of carrying out intended functions under specific conditions and within certain time
periods.

Level 2 Attributes

Level 1 sustainability software-security factors interact with the other two levels to achieve ideal application performance and sustainability (Agrawal et al., 2019). The factors at lower levels affect the
higher-level attributes. For example, reliability has an influence on confidentiality, integrity, and availability.

Reliability: Reliability is the extent to which the software operates without failure under given conditions within a specified time frame.

Extensibility: Extensibility is the degree to which a software system can accept additional capabilities.

Flexibility: Flexibility is a measure of how easily software can adapt to external changes.

Functionality: Functionality refers to the softwareʼs operational capabilities.

Effectiveness: Effectiveness is a measure of the softwareʼs degree of success in achieving desired outcomes.

Understandability: Understandability in the sustainable-security context refers to the applicationʼs information comprehension.

Level 3 Attributes

The sustainable-security design attributes at the third level influence the application architecture’s first and second levels.

Abstraction: Abstraction involves highlighting significant features and hiding unused data to reduce complexity and increase security. Abstraction improves the reliability and functionality of the
design. Hiding irrelevant data and presenting crucial features at the design level helps enhance the comprehension and flexibility of the application code.

Coupling: Coupling refers to the interdependency between software modules. Data coupling is best, and a good software design ideally will have a low coupling value. It impacts reliability, flexibility,
functionality, and effectiveness.

Encapsulation: Encapsulation refers to the enclosure of all essential resources within an object. It is essential for security stability and helps with code security, flexibility, and maintainability.
Encapsulation helps increase the efficiency and functionality of the web application.

Inheritance: Inheritance is the design factor that enables a class to inherit properties and characteristics from another class, in support of code reusability. Inheritance improves the reliability,
effectiveness, functionality, and understandability of the code, further supporting sustainability and security.

Polymorphism: Polymorphism allows software functions to take on multiple forms to enable code reuse, thus increasing software sustainability. It affects reliability, extensibility, effectiveness, and
understandability.

Design Size: Design size refers to estimating an application’s design size in order to optimize the extensibility and effectiveness of the code. Constraints on the design size reduce complexity, which
aids sustainability. Design size estimates can help improve code understandability and functionality, benefiting the software’s sustainable security.

Cohesion: Cohesion is the degree to which software modules relate to one another at the functional level. High cohesion is necessary for a good design. Cohesion is positively affected by extensibility,
effectiveness, and functionality.

SOFTWARE QUALITY FACTORS
The attributes that influence software quality include correctness, reliability, efficiency, integrity, usability, maintainability, flexibility, testability, portability, reusability, and interoperability (Albarrak &
Alrahhal, 2020).

Correctness refers to how well the software meets required objectives. Usability is a measure of how easy the system is to use. Maintainability applies to the ease of identifying and fixing bugs. Portability
is an indicator of the ease of running the system/software on a different machine. Interoperability is a gauge of how well systems can work together.

Sustainability and quality are further influenced by performance metrics such as accuracy, suitability, communication commonality, completeness, complexity, conciseness, consistency, execution
efficiency, expandability, hardware independence, error tolerance, and tractability.

WEB APPLICATION SECURITY TACTICS


The need for web application security has furthered research and development of new architectural frameworks and tactics relevant to the availability, testability, and usability attributes in the design
context (Alenezi et al., 2020). Availability is the softwareʼs ability to deliver as intended. Testability refers to the softwareʼs amenability to procedures that can expose security problems or attacks. Usability
is a measure of the systemʼs responsiveness to changes that might be necessitated as users work with it. These attributes, according to Alenezi et al., can be broken down further into three tactics—fault
detection, fault recovery, and fault prevention—each with its own sub-tactics.

1 Fault Detection
Fault detection refers to the processes involved in uncovering issues that could interfere with the availability of data. The sub-tactics ping/echo, heartbeat, and exceptions help uncover failures.

2 Fault Recovery
Fault recovery refers to the set of sub-tactics employed to prepare for a system repair.

Input/Output Management: Input/Output (I/O) management is used during testing. It includes the record sub-tactic for information capture and the specialized access sub-tactic, which enables the
capture of variable values for a test.

Recovery Preparation and Recovery: Recovery preparation and recovering from a fault involve three factors: voting for a component, active redundancy, and passive redundancy. Voting aids recovery
from a fault, while redundancy passes information from a faulty component to another component.

Internal Monitoring: During internal monitoring, three tactics—built-in monitors, external audit, and audit trail—are used to implement security tactics and analyze monitoring logs.
Support User Initiative: The support user initiative tactic is for maintaining functionality from the consumer perspective. Its security sub-tactics include cancel, undo, and aggregate.
Support System Initiative: Support system initiative includes the user model, system model, and task model sub-tactics, which facilitate the usability of the architecture from the system perspective.
Recovery Reintroduction: The following recovery reintroduction sub-tactics aid fault recovery: shadow, resynchronization, and rollback. Shadow applies to running a corrected component briefly to
check its performance before reintroducing it. Resynchronization refers to upgrading the state of a component before its restoration. Rollback is applied when a fault requires restoration using a
checkpoint of a previous consistent state.

3 Fault Prevention
Fault prevention sub-tactics include removal from service, transactions, and process monitor. Removal from service is appropriate to prevent expected failures from occurring. Process monitor can delete
a process found to have a fault and create a new instance of it. A transaction consists of several sequential steps that can be removed as a bundle to protect data in the event of a process fault.

IMPLEMENTING SECURITY DURING SDLC
There are significant downsides with the traditional approach to application security, which calls for the security audit to be done following the applicationʼs design and development stages. Researchers
have been motivated to develop new frameworks and strategies for implementation that would take place earlier in the software development lifecycle (SDLC), in order to enhance security and reduce
time consumption. Some research findings indicate that a developer companion framework might be a valuable approach, while others point to a framework guided by industry executives. Other
recommendations include building increased collaboration into the implementation framework and using the obfuscation method during code construction.

1 The DREAD Threat Model


To achieve robust security for applications, it is necessary to incorporate threat modeling at every stage of the SDLC—that is, at the requirement, design, coding, testing, and deployment stages. Threat
modeling helps developers identify potential vulnerabilities in an application, which can then be mitigated by fixing related design weaknesses. It can proactively defend an application against future
security incidents (Poston, 2020).

In DevSecOps, threat modeling begins at the earliest stage in the SDLC. The aim is to identify an applicationʼs potential attack surfaces in order to improve its overall security posture. Some threat
modeling methodologies include STRIDE, PASTA, TRIKE, VAST, OCTAVE, and DREAD.

The DREAD model, developed by Microsoft in 2002, identifies vulnerabilities during the web application development phase and helps classify them according to their impact in order to assess the overall
threat level. This model emphasizes detection and mitigation of vulnerabilities according to business and operational priorities, given that it is not always possible to remove all of them. The DREAD model
provides a method to weigh the severity of a productʼs vulnerabilities and mitigate them before its release. The DREAD index is the average of metrics associated with factors such as damage,
reproducibility, exploitability, number of affected users, and discoverability. The DREAD index can be used to prioritize vulnerabilities based on its quantification regarding the existing data/state of the
web application (Gupta, 2017).

Figure 1: Components of the DREAD Threat Model (D = Damage, R = Reproducibility, E = Exploitability, A = Affected Users, D = Discoverability)

The DREAD model is segmented into the following categories:

• Damage potential—the expected amount of damage caused by the attack

• Reproducibility—how challenging it is to execute a potential attack

• Exploitability—the sum of effort and expertise needed to carry out a particular attack

• Affected users—the number of users affected by a successful attack and the extent of harm caused

• Discoverability—how easy it is to discover the threat

By assigning a number or value for each category, an organization can measure threats and prioritize their handling (e.g., dedicate more resources) based on damage potential.
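As an added example (not from the whitepaper or from Microsoft's DREAD documentation), the code below carries out the scoring the paragraph describes: each finding receives a rating for the five factors, the DREAD index is their average, and findings are ordered for handling by that index. The findings and ratings are constructed sample data; the 1-to-10 rating scale and the severity bands are assumptions, since the paper does not fix either.

```python
"""Added example: computing the DREAD index and ranking findings by it."""
from dataclasses import dataclass
from typing import Dict, List

FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass
class Finding:
    name: str
    ratings: Dict[str, int]  # factor name -> integer rating, 1 (low) .. 10 (high)


def dread_index(ratings: Dict[str, int]) -> float:
    """Average of the five factor ratings, i.e. the DREAD index as the paper defines it."""
    missing = [f for f in FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"missing DREAD factors: {missing}")
    for factor in FACTORS:
        value = ratings[factor]
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{factor} must be an integer from 1 to 10, got {value!r}")
    return sum(ratings[f] for f in FACTORS) / len(FACTORS)


def severity_band(index: float) -> str:
    """Assumed bands for turning an index into a handling priority."""
    if index >= 7.0:
        return "critical"
    if index >= 5.0:
        return "high"
    if index >= 3.0:
        return "medium"
    return "low"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest index first; ties broken by name so the order is deterministic."""
    return sorted(findings, key=lambda f: (-dread_index(f.ratings), f.name))


# Constructed sample findings (names and ratings are illustrative only).
SAMPLE_FINDINGS = [
    Finding("missing authz check on export endpoint",
            dict(damage=8, reproducibility=9, exploitability=7, affected_users=9, discoverability=6)),
    Finding("verbose stack trace on 500 page",
            dict(damage=3, reproducibility=4, exploitability=5, affected_users=2, discoverability=6)),
    Finding("unsigned update package",
            dict(damage=10, reproducibility=2, exploitability=3, affected_users=10, discoverability=4)),
]


if __name__ == "__main__":
    for finding in prioritize(SAMPLE_FINDINGS):
        index = dread_index(finding.ratings)
        print(f"{index:4.1f}  {severity_band(index):8}  {finding.name}")
```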

2 Increased Collaboration
There is a direct proportionality between the increase in web technology development and the exploitation of vulnerabilities. This is due in large part to a lack of collaboration between IT and security
professionals during the SDLC, resulting in avoidable vulnerabilities in the application design. A framework such as the agent-based system architecture proposed by Albarrak & Alrahhal can help improve
collaboration between design and security teams.

It has become imperative for IT and security personnel to collaborate in order to reduce the potential risks in web applications. Training, an enhanced collaborative environment, and standardized models
and approaches can significantly improve application security (Albarrak & Alrahhal, 2020).

3 Developer Companion Framework
The traditional approach of testing applications following the design phase has proven to be problematic. This can be addressed by adopting a framework such as the one proposed by Alenezi et al., which
enables the developers to find code vulnerabilities during the system implementation. This approach uses the Common Weakness Enumeration (CWE) category system, the U.S. governmentʼs National
Vulnerability Database (NVD), static analysis, and other methods to identify errors and security issues.

The framework requires that written code be tested by employing static analysis tools and using the available CWE and NVD databases to collect relevant information and provide security
recommendations. This approach seeks to address software security issues and educate developers at the same time. Open-source static analysis tools can be integrated with IDE (integrated development
environment) tools for this purpose. The machine-readable CWE and NVD lists are open-source. All the recommendations and analytics gained from using these methods can be aggregated by the
framework for improved output efficiency through automation, machine learning, and other approaches (Alenezi & Javed, 2016).

4 Obfuscation Approach
Cross-site scripting (XSS) and SQL injection also play a significant role in the application threat landscape. With the increased dependence of almost every industry across the globe on online services, it
is crucial to incorporate security measures such as obfuscation into design development. A proposed obfuscation approach could combat reverse-engineering techniques malicious hackers use to study
code in search of opportunities to launch XSS and SQL injection attacks (Kumar, 2021).

The proposed framework obfuscates input from SQL queries or web data during transmission over the internet. When the obfuscated code is obtained, special tools are used to deobfuscate the data to
obtain the original copy. This framework helps guard against XSS and SQL injection attacks without changing the applicationʼs functionality.

5 Security Expert Perspectives


In a wide-ranging interview study, Thomas et al. examined the opinions of security auditors on application development processes relevant to security vulnerabilities. Among the many aspects covered are
security process, developer interactions, technical challenges, and organizational challenges (Thomas et al., 2018).

Security Processes: Participants in the study found that security practices were commonly labor-intensive and manual. Typically, it was up to security auditors to find code vulnerabilities, although
developers were responsible for correcting the detected problems.

Developer Interactions: The participating auditors concluded that developer and security teams must collaborate via effective communications to improve understanding of risk factors and fix
problems uncovered through audits. Breakdowns of communication between security teams, developers and other stakeholders could lead to vulnerabilities going unaddressed.

Organizational Challenges: An organizationʼs resources are limited, and security is only one of many areas of concern in the application development process. Balance among competing requirements
is necessary to achieve the optimal level of security in the final product.

CONCLUSION
The traditional web application development approach has severe drawbacks when it comes to achieving sustainable software security. Novel frameworks that incorporate security tactics in the design phase early in the software development lifecycle (SDLC) can save time and other resources while reducing risk and improving application performance.

REFERENCES
Agrawal, A., Alenezi, M., Kumar, R., & Khan, R. (2019). Measuring the Sustainable-Security of Web Applications Through a Fuzzy-Based Integrated Approach of AHP and TOPSIS. IEEE Access, 7, 153936-153951. https://doi.org/10.1109/ACCESS.2019.2946776

Albarrak, M., & Alrahhal, M. (2021, January). Web Applications Security: More Collaboration. International Research Journal of Engineering and Technology, 8(1), 1366-1372. https://www.researchgate.net/publication/348716685_Web_Applications_Security_More_Collaboration

Alenezi, M., & Javed, Y. (2016, July). Developer Companion: A Framework to Produce Secure Web Applications. International Journal of Computer Science and Information Security, 14(7), 12. https://www.researchgate.net/publication/306108112_Developer_Companion_A_Framework_to_Produce_Secure_Web_Applications

Alenezi, M., Agrawal, A., Kumar, R., & Khan, R. (2020). Evaluating Performance of Web Application Security Through a Fuzzy Based Hybrid Multi-Criteria Decision-Making Approach: Design Tactics Perspective. IEEE Access, 8, 25543-25556. https://doi.org/10.1109/ACCESS.2020.2970784

Andrian, R., & Fauzi, A. (2019). Security Scanner for Web Applications Case Study: Learning Management System. Jurnal Online Informatika, 4(2), 63-68. http://join.if.uinsgd.ac.id/index.php/join/article/view/394

Gupta, B. (2017, July 11). Requirements Based Web Application Security Testing–A Preemptive Approach! [Conference presentation]. PNSQC 2017 proceedings. http://www.bgupta.com/resources/21-Gupta-2017-Gold.pdf

Hoff, J. (2017). A strategic approach to web application security [White paper]. WhiteHat Security. https://www.whitehatsec.com/resources/strategic-approach-web-application-security/

Kumar, D., Kumar, A., & Singh, L. (2021, May 23). Enhance Web Application Security Using Obfuscation. Turkish Journal of Computer and Mathematics Education, 12(12), 1984-1989. https://www.researchgate.net/publication/351984086_Enhance_Web_Application_Security_Using_Obfuscation

Poston, H. (2020, December 22). Role and purpose of threat modeling in software development. Infosec Institute. https://resources.infosecinstitute.com/topic/role-and-purpose-of-threat-modeling-in-software-development/

Thomas, T., Tabassum, M., Chu, B., & Lipford, H. (2018, April). Security During Application Development: an Application Security Expert Perspective. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (pp. 1-12). https://doi.org/10.1145/3173574.3173836

Welcome to the OWASP Top 10 – 2021. (2021). In OWASP. https://owasp.org/Top10/

www.eccouncil.org
