What is an application vulnerability?

An application vulnerability refers to a weakness or flaw in either the design or code of an application. This flaw can be exploited by attackers in order to access the application or compromise its security. 

How do application vulnerabilities happen? 

Application vulnerabilities occur for a variety of reasons. The most common causes for an application vulnerability are: 

1. Unpatched software: Often, organizations will fail to patch (fix) known software or hardware vulnerabilities. Sometimes resource constraints mean that organizations either take too long or fail to prioritize patching vulnerabilities at all. Organizations that purchase software or hardware from a 3rd party vendor will again either take too long or fail to implement the patches (known fixes) released by the vendor. Failure to patch vulnerabilities in a timely manner leaves an easy access point to applications and systems, meaning bad actors can gain unauthorized access, steal data, or compromise operations. 

2. Poor security practices:  Inadequate security practices, tooling, and resources are a frequent cause of application vulnerabilities. From a resource standpoint, orgs with too few security experts, or untrained staff unable to effectively identify and mitigate vulnerabilities, yields the risk of unidentified or unpatched vulnerabilities. Poor tooling or application security (AppSec) testing practices can also leave a gap in an org’s security program. Even companies that have resources and tools in place still need a robust security program (a plan, policies, responsibilities and a strategy) in order to effectively minimize security vulnerabilities and risk. 

3. Coding errors. Often, inadvertent mistakes are made during the software development lifecycle (SDLC). Developers may make mistakes or unknowingly build software in such a way that it is vulnerable to exploit. Use of 3rd party code or open source code without adequate testing may also introduce vulnerabilities into the application. Organizations that fail to adopt AppSec tooling and practices throughout the SDLC risk allowing insecure software to slip through the cracks. AppSec tools that scan code while it’s being written + a security-as-culture mindset can help to minimize this risk. 

Top 10 examples of application vulnerabilities

There are many different types of application vulnerabilities. To help security teams prioritize those that are most prevalent and most concerning when not adequately addressed, the Open Web Application Security Project a.k.a. OWASP, a non-profit with the goal of improving software security, was created. OWASP created a list, called OWASP Top 10, to describe the top 10 vulnerabilities  organizations should consider, and how to mitigate them. 

Those on the OWASP Top 10 list include:

1. Broken Access Control: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.

2. Cryptographic Failures: When the encryption process, intended to protect data, is either not used at all, implemented incorrectly, or relies on weak algorithms or configurations, leading to the exposure or compromise of sensitive information.

3. Injection: Where malicious data is inserted into an application to alter its behavior or gain unauthorized access. 

4. Insecure Design; Risks related to design and architectural flaws. Requires use of threat modeling, secure design patterns, and reference architectures to resolve. 

5. Security Misconfiguration: Any incorrect or suboptimal settings on a system or application that can lead to vulnerabilities.

6. Vulnerable and Outdated Components: Vulnerabilities in existing and outdated components in your systems. When you do not know the versions of all components you use (both client-side and server-side) - this includes components you directly use as well as nested dependencies- you leave yourself open to risk. If the software is vulnerable, unsupported, or out of date, it must be identified and fixed.

7.  Identification and Authentication Failures: Vulnerabilities in an application's security related to how it identifies and verifies users. These failures can lead to unauthorized access, data breaches, and more.

8. Software and Data Integrity Failures: These failures occur when orgs make assumptions related to software updates, critical data, and CI/CD pipelines without verifying data integrity.

9. Security Logging and Monitoring Failures: When systems don't adequately log and monitor security-related events, failing to provide sufficient data for identifying and responding to threats. 

10. Server-Side Request Forgery (SSRF): SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

What is the impact of application vulnerabilities

When bad actors successfully exploit application vulnerabilities, the consequences can be devastating; from financial losses to reputational damage, and legal consequences, having a robust security program in place is critical. 

Critical consequences of leaving application vulnerabilities unpatched include:

1. Denial of service: Bad actors may be able to effectively ‘shut down’ or disrupt an application’s function, resulting in a denial of service for users (the application becomes unavailable to users). 

2. Data breaches: Successful exploitation of an application vulnerability can result in a data breach, where bad actors gain access to sensitive information and either steal or compromise it. 

3. System failures: Attackers can often make systems cash, making them inoperable, and therefore impacting business operations. 

4. Malware: When attackers access a system or application, they can inject malicious software into the system. This can have a cascade of negative impacts for the application and the business as a whole. 

What are best practices for preventing application vulnerabilities?

There is no quick fix for preventing and remediating application vulnerabilities within your organization. The best approach is to implement the following;

1. A complete suite of AppSec testing and tooling solutions to address different types of vulnerabilities, and a multi-layered approach to security. Basic security tooling considerations should include: 

   1. SAST (Static Application Security Testing): Analyzes the source code of an application to identify vulnerabilities and compliance issues during development. 

   2. DAST (Dynamic Application Security Testing): Simulates attacks on a running application to identify vulnerabilities. It identifies runtime issues (those that occur when the system is running). 

   3. IAST (Interactive Application Security Testing): Combines SAST and DAST techniques to analyze an application's security in real-time. 

   4. RASP (Runtime Application Self-Protection): Monitors and protects applications against attacks at runtime. 

   5. SCA (Software Composition Analysis): Scans an application's dependencies for vulnerabilities in third-party libraries. This lets you know whether the application has insecure code from a vendor or open source repository, and any licensing issues. 

   6. CNAPP (Cloud-native application protection platforms): Provides security for applications running in cloud environments. 

   7. Web Application Security Testing (WAST): Specifically focuses on the security of web applications. 

   8. Mobile Application Security Testing (MAST): Focuses on the security of mobile applications. 

   9. Database Security Scanning: Identifies vulnerabilities and misconfigurations in database systems. 

   10. Web Application Firewalls (WAF): Protect web applications from malicious traffic. 

   11. Cloud Security Posture Management (CSPM): Helps organizations assess and improve their cloud security posture. 

2. A security-as culture mindset: everyone should take responsibility for security. From developers making certain they don’t ship insecure code, to Dev and security teams taking all security measures necessary. 

3. Adopt DevSecOps strategy: In essence, DevSecOps involves moving security testing and activities throughout the development lifecycle, testing early and often, or ‘shifting security left’ to be a consideration from start to finish when developing software. Tooling should also be automated and frictionless, fitting into existing workflows and not requiring lots of hands-on tuning or management. 

4. Constant iteration and improvements: Orgs should work to get vulnerability assessments, or overall security program assessments to determine areas for improvement. 

How Fastly can help

There is no single silver-bullet to keep your web application safe from the threats in the OWASP Top 10. You’ll need to ensure security is taken into account in code, in infrastructure configuration, and in the third-party components you use.

That said, a Web Application Firewall can take a lot of the footwork out of securing your web app. The OWASP definition of a WAF

 calls out the common use cases of mitigating attacks like XSS and SQL Injections.

So, how exactly can a WAF help in these cases? Properly configured WAFs can detect and block potentially malicious requests. By using a combination of default detections plus customizable functionalities in solutions like 

Fastly’s Next-Gen WAF, and leveraging the capabilities of our Edge Cloud Platform, you can gain strong coverage of the OWASP Top 10. 

For more detailed guidance and real-life examples of solving OWASP threats with Fastly, you can check out our whitepaper.