Web application or often referred to as web app is a program that performs a specific task by using a web browser as the interface or client in a server-client environment. Some common type of web applications you may be already familiar with can be as simple as a chat board, word processor or an online spreadsheet to as advanced as a project management tool or a point-of-sale program to name a few.
What make using web applications so desirable to many organizations is that it lightens the developer of the responsibility of building a client for a specific type of computer or a specific operating system. Prior to web applications, organizations would have to create a client that would operate on a Windows-Based system, Mac-Based system as well as a Linux-based system. At times different operating systems with in the same family would require a different client implementation for example a Windows 7 version and a Windows XP version.
Since web apps operates using a web browser such as Firefox, Safari or Internet Explorer anyone can access the application as long as they have internet access. For the most part any Internet connected device should be able to access the intended web app though some applications require a specific Web browser to operate correctly at times.
I was asked once during a class I was teaching, “Prof. Charles, what is the difference between a website and a web app?” My response mainly stated, a website’s main purpose and function is to provide information to the end user such as http://foxnews.com and http://cnn.com while web apps primary function or purpose is to allow the end user to perform actions such as webmail and online timesheets.
The security issues associated with web apps are that they are connected via the web and anyone can potentially access them. So testing them during the development stage, before they are deployed as well as when they are in production is paramount to the security of the application, users and the organization.
From all indications the trend of increasing use of web applications will continue, creating a bigger landscape for potential application security problems. In fact, data from a web application vulnerability report from 2017 found vulnerabilities in every web application that was analyzed, furthermore, 58% of the web apps that were analyzed had at least one high-severity vulnerability.
The Equifax incident that compromised the personal data of over 143 million Americans is a prime example of what can go wrong when web application security is not continually tested and fails.
There are three main types of application security testing (AST) that are performed against web apps. Each tool tackle the issue of securing web apps from a different perspectives. These three approaches are:
- Static Application Security Testing (SAST) searches for known patterns of vulnerabilities and defects in the source code.
- Dynamic Application Security Testing (DAST) use known types of attacks against a running instance of the software in production to determine if the software is vulnerable.
- Interactive Application Security Testing (IAST) is an emerging approach that combines static and dynamic techniques to improve testing.
In my next posting, I will discuss SAST, DAST and IAST in detail.