Protecting Web Apps Against Vulnerabilities: SAST, DAST, and WAF
Web application security is a set of practices and technologies that allow web developers to build a web application that is able to withstand cyberattacks. As with all software, web applications contain bugs or weaknesses introduced due to insecure coding practices. Some of these flaws create security vulnerabilities that can be exploited and lead to damaging cyberattacks.
Web application security focuses on eliminating these flaws through secure development practices and ongoing security testing throughout the software development lifecycle (SDLC). In addition, a range of web application security tools have been developed that can help detect and remediate security vulnerabilities and protect web applications at runtime.
Web Application Security Risks
Here are common yet critical security risks threatening web applications:
Injection
Injection attacks occur when threat actors send untrusted data to an interpreter through a query or command. The threat actor injects malicious code designed to look like legitimate input, which tricks the interpreter into executing unintended commands or accessing data without authorization.
A successful injection attack can compromise the targeted web application and result in loss of access control, total loss of system control, or data loss. Common variants include operating system (OS) command injection, Lightweight Directory Access Protocol (LDAP) injection, SQL injection (SQLi), and NoSQL injection.
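To make the SQL injection case concrete, here is an added example (not code from the original article) that puts a string-concatenated query beside its parameterized form and runs both against a small constructed SQLite table; the table, rows and function names are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # VULNERABLE: untrusted input is spliced into the query text, so the
    # interpreter (SQLite) cannot distinguish the data from the command.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # SAFE: a parameterized query hands the value to the driver separately;
    # it is bound as data and never parsed as SQL, whatever it contains.
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic textbook input that alters the WHERE clause
    print(find_user_vulnerable(db, probe))  # every row comes back
    print(find_user_safe(db, probe))        # no row has that literal name
```

The same input returns the whole table from the vulnerable function and nothing from the parameterized one, which is exactly the gap a SAST rule or DAST probe is meant to surface.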
Denial of Service (DoS) and Distributed Denial of Service (DDoS)
DoS and DDoS attacks occur when threat actors attempt to overload a targeted server or infrastructure with massive amounts of attack traffic. This traffic overwhelms the target until it can no longer effectively process incoming requests. As a result, the target begins to slow down and deny service to incoming legitimate requests.
Cross-Site Request Forgery (CSRF)
CSRF occurs when threat actors attempt to trick a target into making a malicious request with their authorization or authentication. The actors leverage a legitimate user’s account privileges to send a request impersonating the user.
Once the actor compromises a user’s account, they can destroy, modify, or exfiltrate important information. CSRF attacks often target highly privileged user accounts like executives and administrators.
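One standard mitigation for the CSRF scenario above is a synchronizer token bound to the user's session and checked on every state-changing request. The following is an added example, not code from the article; the secret, session identifiers and the `allowed_origin` value are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; a real deployment loads it from its key store.
SERVER_SECRET = secrets.token_bytes(32)

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session so a token issued for one session
    cannot be replayed against another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_request(method, session_id, form_token, origin, allowed_origin) -> bool:
    """Return True only when the request may change state.

    Safe methods pass (they must not change state). A state-changing request
    must carry our site's Origin when the browser sends one, and a token that
    matches the session. Comparison is constant-time."""
    if method.upper() in SAFE_METHODS:
        return True
    if origin is not None and origin != allowed_origin:
        return False  # browser reports another site as the request source
    if not isinstance(form_token, str) or not form_token.isascii():
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, form_token)


if __name__ == "__main__":
    token = issue_csrf_token("sess-123")
    print(verify_request("POST", "sess-123", token, "https://app.example", "https://app.example"))
    print(verify_request("POST", "sess-123", token, "https://attacker.example", "https://app.example"))
```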
Cross-Site Scripting (XSS)
XSS vulnerabilities allow threat actors to inject a client-side script into a web page. A successful attack enables the actor to hijack user session access, deface websites, access sensitive information directly, redirect a user to a malicious website, or impersonate the user.
Security Misconfiguration
A security misconfiguration is a security flaw that can occur due to various issues, including:
- Unpatched flaws
- Insecure default configurations
- Open cloud storage
- Misconfigured HTTP headers
- Verbose error messages that include sensitive information
- Ad hoc or incomplete configurations
You can reduce this risk by ensuring every configuration is set up correctly, covering frameworks, libraries, operating systems, and the applications themselves, and by upgrading and patching promptly.
XML External Entities (XXE)
Weakly configured XML processors evaluate external entity references in XML input. Threat actors can exploit such external entities to disclose internal files through the file URI handler or internal file shares, perform internal port scanning, achieve remote code execution, or mount DoS attacks.
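Since every XXE vector above depends on a DTD being present, one defensive option is to refuse any DOCTYPE before the parser can act on it. This added example (not code from the article) does that with the standard-library expat parser; the document layout and the `parse_untrusted_xml` name are assumptions for the demo.

```python
import xml.parsers.expat


class DtdForbidden(ValueError):
    """Raised when untrusted XML declares a DTD (where external entities live)."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse simple XML into {tag: text}, refusing any DOCTYPE.

    Without a DTD there is no way to declare an external entity, so the
    file-read, port-scan and DoS vectors described above are closed."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack, chunks = {}, [], []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in a handler propagate out of Parse().
        raise DtdForbidden(f"DOCTYPE '{name}' is not allowed in untrusted input")

    def start(tag, attrs):
        stack.append(tag)
        chunks.clear()

    def chars(text):
        chunks.append(text)

    def end(tag):
        result[stack.pop()] = "".join(chunks).strip()
        chunks.clear()

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result


def is_accepted(data: bytes) -> bool:
    """True when the document parses without a DTD, False when it was rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except DtdForbidden:
        return False
```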
Insecure Deserialization
Deserialization recreates a data object from a byte stream. Insecure deserialization occurs when an application deserializes untrusted data, allowing threat actors to execute code remotely or otherwise exploit the application. Threat actors can use deserialization flaws to mount various attacks, including privilege escalation, replay attacks, and injections.
Web Application Security Tools
Modern web application security relies heavily on automated tools that can help identify and remediate vulnerabilities throughout the software development lifecycle. Let’s review four important tool categories that can help identify and mitigate threats from the development stage through to production environments.
Software Composition Analysis (SCA)
SCA tools analyze software to identify the origins of libraries and components and find known vulnerabilities in popular components. SCA tools can help identify open source components, their licensing, and known vulnerabilities affecting them. However, these tools cannot detect vulnerabilities in custom-developed components.
SCA tools are highly effective at finding common libraries and components. They compare the known modules in your code against a list of known vulnerabilities, locating components with documented weaknesses. Additionally, these tools can tell you when a patch is available for a component and flag components that are outdated.
SCA tools leverage Common Vulnerabilities and Exposures (CVEs) databases, and additional public or proprietary data sources, to recognize known vulnerabilities. You can run SCA tools on source code, binary code, byte code, or some other combination.
Static Application Security Testing (SAST)
SAST tools employ white-box techniques that involve receiving information about the tested system or software, including access to the source code. SAST tools analyze source code at rest to identify potential security vulnerabilities.
You can run source code analyzers on non-compiled code to find various flaws, including numerical errors, race conditions, missing input validation, path traversal, and pointer and reference errors. Some tools run on source code while others only check compiled code. Binary and byte-code analyzers can test built and compiled code.
Dynamic Application Security Testing (DAST)
DAST tools employ black-box techniques that do not involve receiving information about the tested system or software. DAST tools can detect potential security vulnerabilities in an application during runtime. You can run DAST tools against running code to identify various issues related to interfaces, responses, requests, scripting, sessions, data injection, and authentication.
Web Application Firewall (WAF)
A WAF can monitor, filter, and block data packets traveling to and from a web application or website. There are various types of WAFs, including network-based, cloud-based, and host-based. You can deploy a WAF as a reverse proxy placed in front of one or several applications or websites.
A WAF can run as a network appliance, cloud service, or server plugin that inspects each packet. It employs a rule base to assess Layer 7 web application logic and filter out potentially malicious traffic that could enable web exploits.
Using customized inspections, a WAF can detect and immediately block dangerous web application security flaws missed by traditional network firewalls, intrusion prevention systems (IPS), and intrusion detection systems (IDS). Enterprises use WAFs to protect web systems against many threats, including zero-day exploits, impersonation, and malware infections.
In this article, I explained the basics of web application security and reviewed four types of tools that can help you automatically secure your applications:
- Software Composition Analysis (SCA) - identifies third-party components in software projects and helps identify and update or remove vulnerable components.
- Static Application Security Testing (SAST) - scans source code at rest to discover quality issues, security weaknesses and known vulnerabilities.
- Dynamic Application Security Testing (DAST) - scans applications at runtime in staging or production environments to discover exploitable vulnerabilities.
- Web Application Firewall (WAF) - protects production applications against a variety of threat vectors, blocking malicious traffic before it reaches the application.
I hope this will be useful as you explore ways to improve the security posture of your web applications.