Application-Centric Security

Security Threat Landscape

This section gives an overview of the assets and threats of Domain 5, application-centric security, spanning the full spectrum of applications. Details on the attacks linked to the identified threats are reported for interested readers in Appendix A.5. The major sources of information for this study are OWASP[1] and SANS[2] reports. Note that this section does not consider applications that provide functionality for infrastructure, system or network management, which are discussed in the other domains of this chapter.

Assets

According to the OWASP Top 10 2017,[3] risks and threats evolve continuously as the underlying technology and architecture of applications change. For instance, the shift from monolithic applications to microservice architectures brings specific security challenges (many more network-exposed interfaces and inter-service trust relationships to protect). Likewise, the trend of moving functionality from the server side to the client side is changing the pace of security assessment and protection.

In addition to the OWASP Top 10 2017, a major source of information for this study is the CWE/SANS Top 25 Most Dangerous Software Errors,[4] compiled jointly by MITRE and the SANS Institute.

Assets can be categorized into four classes as follows:

  • Data – All types of application data and metadata.
  • Interfaces – Platform interfaces, application APIs and service compositions.
  • Security techniques – All security mechanisms, and the knowledge about them, that an attacker may target: components whose compromise would lead directly to an application breach. Examples are security best practice documents, cryptographic algorithms and their implementations, and information about the access control model in use.
  • Roles – Introduced by the NIST Big Data Public Working Group, this class includes human resources and related assets.

Data assets can be summarized as follows:

  • Application data – All data managed by an application and exchanged with the internal network and the external world, from raw input to final results, through every intermediate layer of data transformation and analysis.
  • Application metadata – All metadata associated with an application, from configuration to credentials.

Interfaces assets can be summarized as follows:

  • Platform interfaces – The interfaces offered by the platform hosting the applications (including a traditional OS) and used by the application itself to access platform functionality and libraries.
  • Application APIs – All APIs offered by an application to users and to other services/applications, for instance REST APIs, SOAP APIs, and the like.
  • Service compositions – All artifacts related to service composition, including service orchestration and choreography: for instance, the specific composition workflow, the configuration of the component services, and the orchestrator.

Security techniques assets can be summarized as follows:

  • Platform security – The security of the hosting platform, as well as of the corresponding service container, the distributed computation systems the service relies on, libraries, and security tools, including security best practices and policy set-ups.
  • Application security – The security of the specific application, including local protection mechanisms (e.g., firewall, IDS/IPS, anti-virus).
  • CIA triad – All security and privacy solutions and tools for protecting the confidentiality, integrity and availability of applications and their data.

Roles assets can be summarized as follows:

  • Application provider – Enterprises, organizations, public agencies, academia, network operators and end-users providing applications to application consumers.
  • Application consumer – Enterprises, organizations, public agencies, academia, and end-users consuming applications.
  • Operational roles – System orchestrators (e.g., business leaders, data scientists, architects), application providers (e.g., application and platform specialists), application framework providers (e.g., Cloud provider personnel), security specialists, and technical management (e.g., in-house staff).

[1] OWASP Foundation – the free and open software security community, https://www.owasp.org/index.php/Main_Page

[2] SANS Institute, https://www.sans.org/

[3] OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks, https://www.owasp.org/images/7/72/OWASP_Top_10-2017_(en).pdf.pdf

[4] CWE/SANS Top 25 Most Dangerous Software Errors, https://www.sans.org/top25-software-errors