Risk Assessment

Application risk assessment is the process of evaluating the potential risks that a software
application may face and determining the level of risk that those risks pose to the application.
It is an important aspect of application security, as it allows organizations to proactively
identify and address potential risks before they can be exploited by attackers.

The process of application risk assessment typically involves the following steps:

• Identify risks: This involves identifying the potential risks that the application may
face, such as attacks, vulnerabilities, and other threats.
• Assess risks: This involves evaluating the likelihood and impact of the identified risks
and determining the level of risk they pose to the application.
• Prioritize risks: This involves ranking the identified risks based on their likelihood and
impact and determining which risks should be addressed first.
• Document risks: This involves documenting the identified risks, the assessment of
their likelihood and impact, and the controls and measures that are in place to
mitigate them.

By following this process, organizations can help to ensure that their applications are secure
and protected against potential risks.

Threat Modeling
Application threat modeling is the process of identifying, analyzing, and mitigating the
potential threats and vulnerabilities that a software application may face. It is an important
aspect of application security, as it allows organizations to proactively identify and address
potential risks before they can be exploited by attackers.

The process of application threat modeling typically involves the following steps:

• Identify assets: This involves identifying the assets that are associated with the
application, such as data, servers, and infrastructure.
• Identify threats: This involves identifying the potential threats that the application
may face, such as attacks, vulnerabilities, and other risks.
• Analyze threats: This involves evaluating the likelihood and impact of the identified
threats and determining the level of risk they pose to the application.

90
 • Mitigate threats: This involves implementing controls and measures to mitigate the
identified threats and reduce the risk of a security incident.
• Monitor and review: This involves regularly monitoring the application for new
threats and vulnerabilities and reviewing and updating the threat model as needed.

By following this process, organizations can help to ensure that their applications are secure
and protected against potential threats.

OWASP TOP-10
The OWASP Top 10 is a list of the most common and most critical web application security
risks, as identified by the Open Web Application Security Project (OWASP). The list is updated
on a regular basis to reflect the most current threats and vulnerabilities facing web
applications.

The current version of the OWASP Top 10 is as follows:

1. Injection: Injection flaws allow attackers to execute arbitrary code or commands by

injecting malicious input into an application.
2. Broken authentication and session management: This category includes
vulnerabilities related to the management of user credentials and session tokens.
3. Cross-site scripting (XSS): XSS vulnerabilities allow attackers to inject malicious scripts
into web pages that are viewed by other users.
4. Insecure direct object references: This category includes vulnerabilities related to the
direct access of objects, such as files or database records, that should be restricted.
5. Security misconfiguration: This category includes vulnerabilities related to the
misconfiguration of security settings, such as default accounts or permissions.
6. Sensitive data exposure: This category includes vulnerabilities related to the exposure
of sensitive data, such as passwords or credit card numbers.
7. Cross-site request forgery (CSRF): CSRF vulnerabilities allow attackers to execute
actions on behalf of a user without their knowledge or consent.
8. Using components with known vulnerabilities: This category includes vulnerabilities
related to the use of third-party components, such as libraries or frameworks, that
have known vulnerabilities.

91
SANS Top-25
The SANS Top 25 is a list of the most dangerous software errors, as identified by the SANS
Institute. The list is based on the prevalence and impact of these errors, as well as the
availability of tools and techniques to detect and prevent them.

The current version of the SANS Top 25 is as follows:

1. Injection flaws
2. Cross-site scripting (XSS)
3. Insecure direct object references
4. Security misconfiguration
5. Sensitive data exposure
6. Cross-site request forgery (CSRF)
7. Using components with known vulnerabilities
8. Insufficient logging and monitoring
9. Failure to restrict URL access
10. Insufficient transport layer protection
11. Unvalidated inputs
12. Failure to sanitize inputs
13. Unvalidated redirects and forwards
14. CSRF protection bypass
15. Cross-site scripting protection bypass
16. Insecure use of cryptography
17. Insufficient authentication controls
18. Insufficient authorization controls
19. Insufficient session expiration
20. Insufficient session locking
21. Trusting data from untrusted sources
22. Insufficient password controls
23. Insecure communication channels
24. Insufficient security configuration management
25. Insufficient testing for vulnerabilities

92
Secure Code Analysis
Secure code analysis is the process of systematically reviewing source code in order to identify
potential vulnerabilities or weaknesses that could be exploited by an attacker. This can be
done manually by a security expert, or automatically using a tool that is designed to scan the
code and identify potential issues.

The goal of secure code analysis is to identify and fix vulnerabilities before they can be
exploited, thereby improving the security of the software. This can be an important part of
the software development process, especially for applications that will be used in sensitive
environments or handle sensitive data.

There are several different approaches to secure code analysis, including static analysis, which
involves analyzing the code without executing it, and dynamic analysis, which involves
executing the code and analyzing its behavior. Secure code analysis tools can also be
configured to focus on specific types of vulnerabilities, such as injection attacks or cross-site
scripting (XSS).

Overall, the goal of secure code analysis is to ensure that software is developed in a way that
minimizes the risk of security vulnerabilities and maximizes the security of the system as a
whole.

SAST
SAST, or Static Application Security Testing, is a type of software testing that involves analyzing
source code to identify potential security vulnerabilities. SAST is typically performed during
the development process, before the software is deployed, and is designed to identify and fix
vulnerabilities before they can be exploited by attackers.

SAST tools work by analyzing the source code for patterns or constructs that are commonly
associated with vulnerabilities. For example, a SAST tool might look for input validation issues,
improper error handling, or the use of vulnerable libraries. The tool will then report any issues
it finds, along with recommendations for how to fix them.

SAST is often used in conjunction with other types of security testing, such as dynamic analysis
and penetration testing, to provide a comprehensive view of the security posture of an
application. By identifying and fixing vulnerabilities early in the development process,

93
organizations can reduce the risk of security incidents and improve the overall security of their
applications.

DAST
DAST, or Dynamic Application Security Testing, is a type of software testing that involves
analyzing the behavior of an application while it is running, in order to identify potential
security vulnerabilities. DAST is typically performed after the software has been deployed and
is designed to identify vulnerabilities that may not be detectable through other types of
testing, such as static analysis or manual code review.

DAST tools work by interacting with an application in the same way a hacker might, in order
to uncover vulnerabilities that may not be apparent when the application is used in normal
operation. This can include testing for common vulnerabilities such as SQL injection, cross-site
scripting (XSS), and improper input validation.

DAST is often used in conjunction with other types of security testing, such as static analysis
and penetration testing, to provide a comprehensive view of the security posture of an
application. By identifying and fixing vulnerabilities after deployment, organizations can
reduce the risk of security incidents and improve the overall security of their applications.

Change Management
Change management is important in application development because it helps ensure that
changes to the application are made in a controlled and coordinated manner. This can help
prevent unintended consequences and reduce the risk of errors or security vulnerabilities.

Effective change management can help organizations:

• Maintain stability and reliability: By carefully controlling changes to the application,

organizations can minimize the risk of introducing new bugs or other issues that could
negatively impact the stability and reliability of the application.
• Improve communication and coordination: Change management processes can help
ensure that all stakeholders are aware of and involved in the change process, which
can improve communication and coordination among team members.

94
 • Improve security: By carefully reviewing and testing changes to the application before
they are deployed, organizations can reduce the risk of introducing new vulnerabilities
or security weaknesses.
• Enhance compliance: Change management processes can help organizations meet
regulatory or compliance requirements by ensuring that changes to the application
are properly documented and reviewed.

Overall, change management is an important part of the software development process as it

helps organizations control and coordinate changes to the application in a way that maximizes
stability, reliability, security, and compliance.

Secure Deployment
Secure transfer to production refers to the process of safely deploying code or other changes
to a production environment, where the software is used by real users. This process is an
important part of the software development process and involves several steps to ensure that
the code is tested, reviewed, and deployed in a way that minimizes the risk of errors or
security vulnerabilities.

Some common steps involved in a secure transfer to production process include:

• Testing: Changes to the application should be thoroughly tested in a staging or test

environment before being deployed to production. This can help ensure that the
changes do not introduce new bugs or other issues that could negatively impact the
application.
• Review: Changes to the application should be reviewed by a team of developers or
security experts to ensure that they are of high quality and do not introduce any
security vulnerabilities.
• Approval: Changes to the application should be approved by a designated person or
team before they are deployed to production. This can help ensure that changes are
properly reviewed and that any potential risks are identified and addressed.
• Deployment: Once changes have been tested, reviewed, and approved, they can be
deployed to the production environment. This process should be carefully planned
and coordinated to minimize the risk of errors or disruptions to the application.

95
Overall, a secure transfer to production process is designed to ensure that changes to the
application are made in a controlled and coordinated manner, which can help improve the
stability, reliability, and security of the application.

Application Testing
The testing phases in application development can vary depending on the specific
development process being used, but some common testing phases include:

• Unit testing: This type of testing involves testing individual units or components of the
application to ensure that they are working correctly.
• Integration testing: This type of testing involves testing how different units or
components of the application work together.
• System testing: This type of testing involves testing the entire application as a system
to ensure that it is working correctly.
• Acceptance testing: This type of testing involves testing the application to ensure that
it meets the requirements and expectations of the users or customers.
• Performance testing: This type of testing involves testing the performance of the
application, including how it handles large volumes of data or users, and how it
responds to different workloads.
• Security testing: This type of testing involves testing the application for vulnerabilities
or other security issues.

Overall, the testing phases in application development are designed to ensure that the
application is working correctly and meets the requirements and expectations of the users or
customers.

Sprint Coding
Sprint coding is a software development process in which developers work in short, iterative
cycles known as sprints to build and deliver software. Sprints are typically one to four weeks
in length and are focused on delivering a specific set of features or functionality.

The sprint coding process involves several steps:

96
 • Planning: During the planning phase, the team defines the scope of work for the sprint
and creates a plan for delivering it.
• Development: During the development phase, the team works on implementing the
planned features or functionality. This may involve writing code, testing, and
debugging.
• Review: At the end of the sprint, the team reviews the work that has been completed
and may demonstrate it to stakeholders or customers.
• Retrospective: After the review, the team reflects on the sprint and identifies areas
for improvement in the next sprint.

The goal of sprint coding is to deliver working software in short, iterative cycles, which can
help organizations respond more quickly to changing business needs and customer
requirements. It is often used in agile software development methods, such as Scrum.

There are several steps that organizations can take to secure sprint coding, which is the
process of developing software in short, iterative cycles known as sprints:

• Use secure coding practices: Developers should be trained in secure coding practices
and should follow best practices when writing code. This can include following secure
coding guidelines, using secure libraries and frameworks, and properly validating and
sanitizing input.
• Use code review: Code should be reviewed by other team members or security
experts to ensure that it is of high quality and does not introduce any vulnerabilities.
• Use automated tools: Organizations can use automated tools such as static analysis
or dynamic analysis tools to scan code for potential vulnerabilities. These tools can
help identify issues that may be missed during manual code review.
• Use secure development environments: Development environments should be
configured in a way that minimizes the risk of vulnerabilities being introduced during
the development process. This can include using secure development practices, such
as separating development and production environments, and using secure source
code management systems.
• Test code thoroughly: Code should be thoroughly tested in a staging or test
environment before it is deployed to production. This can help ensure that it is
working correctly and does not introduce any new vulnerabilities or issues.

97
Overall, securing sprint coding involves following secure coding practices, using code review
and automated tools, using secure development environments, and thoroughly testing code
before it is deployed to production.

QA security testing
There are several ways to involve Quality Assurance (QA) in security testing:

• Train QA team members in security testing: QA team members should be trained in

the principles and techniques of security testing, including how to identify and test
for common vulnerabilities such as injection attacks and cross-site scripting (XSS).
• Include security testing in QA processes: Security testing should be included as a
standard part of the QA process, alongside functional testing, and other types of
testing. This can help ensure that security testing is given the same level of importance
as other types of testing.
• Use automated security testing tools: Automated security testing tools can help QA
team members identify potential vulnerabilities more efficiently and accurately.
These tools can be configured to focus on specific types of vulnerabilities, such as
injection attacks or cross-site scripting (XSS).
• Use penetration testing: Penetration testing, which involves simulating an attack on
the application to identify vulnerabilities, can be an effective way to involve QA in
security testing. QA team members can work with security experts to design and
execute penetration tests and analyze the results.

Overall, involving QA in security testing involves training QA team members in security testing
principles and techniques, including the use of automated tools and penetration testing, and
incorporating security testing into the QA process.

Product Security
Product security refers to the measures that are taken to ensure that a product is secure and
does not expose users or customers to unnecessary risks. In simple terms, product security
involves designing and building products in a way that minimizes the risk of security
vulnerabilities or breaches.

98
There are several ways to improve product security, including:

• Using secure development practices: This can include following secure coding
guidelines, using secure libraries and frameworks, and properly validating and
sanitizing input.
• Performing security testing: This can include using tools such as static analysis or
dynamic analysis to scan code for potential vulnerabilities and conducting penetration
testing to simulate attacks on the product.
• Ensuring secure data handling: This can include encrypting sensitive data, properly
handling authentication and authorization, and implementing access controls to
prevent unauthorized access to data.
• Implementing secure communication: This can include using secure protocols for
communication, such as HTTPS, and ensuring that communication between different
components of the product is secure.

Overall, product security involves designing and building products in a way that minimizes the
risk of security vulnerabilities or breaches and taking steps to ensure that sensitive data is
handled and communicated securely.

Secure Key and Secret Management

Secure key and secret management refer to the processes and measures that are put in place
to ensure the secure storage and management of keys and secrets, such as encryption keys
and passwords. These are used to protect sensitive data and enable secure communication,
and it is important to ensure that they are not compromised.

There are several ways to improve secure key and secret management, including:

• Using strong and unique keys and secrets: It is important to use strong keys and
secrets that are difficult to guess or crack, and to use unique keys and secrets for each
system or application.
• Storing keys and secrets securely: Keys and secrets should be stored in a secure
location, such as a password manager or a hardware security module, and should be
protected by additional layers of security, such as multifactor authentication.
• Rotating keys and secrets regularly: Keys and secrets should be rotated on a regular
basis, such as every six months or year, to minimize the risk of compromise.

99