With more and more high-profile hackings taking place in recent years, application security has become the call of the hour. But while the awareness is on the rise, not all security officers and developers know what exactly needs to be secured. One aspect that is often overlooked during development is application layer security. The following article will delve into this very aspect and show how crucial it is to protect applications inside-out.
A common way to understand the fundamentals of application security is to examine the Open Systems Interconnection (OSI) model. This model involves seven layers – the physical layer, the data link layer, the network layer, the transport layer, the session layer, the presentation layer and the aforementioned application layer. Optimal OSI model security cannot be achieved if all layers are not safe. We will also throw in some crucial AppSec developer tips for each and every OSI model layer.
Implementing Security within the OSI Model
The first three layers of the OSI model are media layers.
1 – Physical Layer – This layer defines the technical (electrical and physical) specifications of the data connection and is responsible for the physical communication between the various end stations. Simple actions such as unplugging the power cord or disconnecting a network cable can cause extreme damage (i.e., Denial of Service). Security here is extremely crucial.
AppSec Tips – Safeguarding this layer typically involves enhanced security surveillance with biometric authentication solutions, advanced locking mechanisms and electromagnetic protection.
2 – Data Link Layer – Often ignored by security professionals, this layer includes data packets that are to be transported by the physical layer. Malfunctions and faults in this layer can impede the functionality of the network layer (the third layer in the hierarchy). Vulnerabilities in this layer can include MAC address spoofing and VLAN circumvention.
AppSec Tips – Common methods to protect this layer include MAC address filtering and thorough evaluation of wireless applications, ensuring they have built-in encryption and authentication.
3 – Network Layer – This layer, which is the third and last one that has a correspondence to the physical/real world, revolves around addressing, routing and controlling the data/traffic. Packet (IP Address) Spoofing, which is when inbound malicious packets claim source addresses from within the network, has become a real threat to application security.
AppSec Tips – Strengthening the network layer controls is the only way to secure the data/information. This means rigid anti-spoofing and route filters. Properly configured firewalls are also needed.
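The anti-spoofing rule described above can be written as a small decision function. This is an added example, not code from the original article; the internal address ranges, interface names and sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumed site layout for this example: the address space used inside the network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
# Sources that are never valid on a packet arriving from outside.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def verdict(iface, src):
    """Decide what to do with a packet seen on `iface` ('external' or 'internal')."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop", "unparseable source address"
    internal = _in_any(addr, INTERNAL_NETS)
    if iface == "external":
        if internal:
            return "drop", "inbound packet claims an internal source"
        if _in_any(addr, BOGON_NETS):
            return "drop", "source is loopback/link-local/multicast/reserved"
        return "accept", "plausible external source"
    # Egress side: hosts inside may only send from addresses that are really ours.
    if internal:
        return "accept", "internal source on internal interface"
    return "drop", "outbound packet with a source outside our address space"

# Constructed sample traffic (interface, source address); not real captures.
SAMPLE = [
    ("external", "203.0.113.7"),
    ("external", "10.1.2.3"),
    ("external", "127.0.0.1"),
    ("internal", "192.168.10.44"),
    ("internal", "198.51.100.9"),
    ("external", "not-an-ip"),
]

def run(sample=SAMPLE):
    return [(iface, src) + verdict(iface, src) for iface, src in sample]

if __name__ == "__main__":
    for row in run():
        print("%-9s %-15s %-6s %s" % row)
```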
The next four layers are host layers.
4 – Transport Layer – The first logical layer in the OSI model, the transport layer transfers variable-length data sequences. A good transport-layer protocol has to be reliable and have mechanisms for segmentation/desegmentation, along with good flow and error control. The Transmission Control Protocol (TCP) is a commonly used one.
AppSec Tips – Proper firewall implementation, limiting access to transmission protocols and sub-protocol information (i.e., TCP/UDP port number), is paramount to transport layer security.
5 – Session Layer – The session layer basically controls the inter-machine (computer) communication. It handles the interaction between the local and remote application – establishing, managing and terminating the connection as per the need. Its weak points are weak authentication mechanisms and vulnerability to brute-force attacks.
AppSec Tips – The best way to secure the session layer is to ensure encrypted password exchange and storage, along with the limitation of failed session attempts via timing mechanisms.
6 – Presentation Layer – As the name suggests, the presentation layer is responsible for the organization of data transferred from the application layer onto the network. The layer standardizes data to and from the various local formats using various conversion schemes. Unfortunately, poor handling of malicious input can lead to exploits and/or crashes.
AppSec Tips – The most effective way to secure this layer is to separate user input (which should be sanitized before being passed into functions) from the program control functions.
7 – Application Layer – The application layer, which accommodates the user interface and other key functions, is the closest OSI model layer to the user-end. This layer provides the hacker with the widest attack surface. When exploited, the entire application can be manipulated, user data can be stolen or in some cases the network can be shut down completely (Denial of Service).
Poor application code integrity and design flaws can cause a wide range of problems – from performance/stability issues (bugs) to application layer vulnerabilities that can be exploited by hackers. Traditional security methodologies, namely the Web Application Firewall (WAF), are no longer effective as stand-alone solutions due to their inherent deficiencies.
AppSec Tips – So, what can be done to enhance application layer security? The key lies in the application code development. Only secure coding awareness and practices can boost code integrity.
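The session-layer tip above (protected password storage plus limiting failed attempts via timing) can be sketched as follows. This is an added example, not code from the original article; the class name, the policy constants and the use of PBKDF2 for storage are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 600_000      # assumed work factor for PBKDF2-HMAC-SHA256
FREE_FAILURES = 3            # assumed policy: delays start at the 3rd failure
BASE_DELAY = 2.0             # seconds; doubles with every further failure
MAX_DELAY = 900.0

def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock       # injectable so the timing logic can be tested
        self.users = {}          # username -> (salt, digest)
        self.failures = {}       # username -> (failure count, locked-until time)

    def register(self, user, password):
        self.users[user] = hash_password(password)

    def attempt(self, user, password):
        now = self.clock()
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"      # rejected without evaluating the password
        # Unknown users get the same hashing work so timing does not reveal them.
        salt, digest = self.users.get(user, (b"\0" * 16, b""))
        _, candidate = hash_password(password, salt)
        if user in self.users and hmac.compare_digest(candidate, digest):
            self.failures.pop(user, None)
            return "ok"
        count += 1
        delay = 0.0
        if count >= FREE_FAILURES:
            delay = min(BASE_DELAY * 2 ** (count - FREE_FAILURES), MAX_DELAY)
        self.failures[user] = (count, now + delay)
        return "denied"
```

Keying the counter on the username alone lets a third party lock an account out, so deployments commonly key on the source of the attempt as well.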
[Video: The OSI Model Demystified. Courtesy: Eli the Computer Guy]
Static Code Analysis (SCA), For Effective Application Layer Security
While application layer security is not the only thing that will keep the hackers away, it’s becoming common knowledge that this OSI model layer has to be protected. This is because even malicious attackers with low privileges can exploit application layer vulnerabilities such as SQL injections, Cross Site Scripting (XSS) and other flaws mentioned in the OWASP Top 10 and SANS 25.
The dynamic nature of modern applications requires them to sanitize user input properly and to detect malicious attacks. In addition to that, developers must make sure that the application is handling and transferring sensitive information securely. These goals can be achieved only with application security built into the development process.
Old methodologies such as Pen Testing and the Web Application Firewall (WAF), while still useful, don’t enter the picture during development. This results in lackluster application layer security. Even Dynamic Application Security Testing (DAST) tools can start working only when a build is reached. Enter Static Code Analysis (SCA), a security solution that blends seamlessly into the developer environment.
With SCA in place, security is automated, enabling the creation of a secure Software Development Life Cycle (sSDLC). In such scenarios, application layer security becomes a part of the daily schedule, where developers get scan results close to real-time and vulnerabilities are fixed early. Organizations thus enjoy better ROI.
Other benefits of implementing SCA solutions in the SDLC include:
- Improved application security awareness among all developers.
- More effective in Agile, DevOps and CI/CD scenarios.
- Implementation not limited to web applications.
- Doubles as a QA solution. Locates dead code and other logic errors.
- Faster scan results that can be exported for offline scrutiny.
It’s recommended to learn the OSI model inside-out to understand how the modern application works. Once this basic understanding is reached, implementing security at all OSI model levels becomes much easier and more effective. Application layer security has become very crucial in the fight against cybercrime. Secure your application before it’s too late!