Journal: International Journal of Engineering Research and Applications

Detecting Security Vulnerabilities and Gaps in Web Applications with DevSecOps


Abstract

With the internet now a common workplace, web applications, which are stored on a remote server and delivered and serviced through the browser interface, are used as a tool in almost every business. The surge in the use of web applications is also leading to web application vulnerabilities. A security vulnerability in a web application refers to a misconfiguration or flaw in the application code, web servers, or application design that an attacker can use to gain full or partial access to the system and exploit it. Web application vulnerabilities arise from improper security headers, broken authentication, account lockout, injection, and Cross-Site Request Forgery attacks. Many tools are used to find such vulnerabilities, from the port level to the application level. The concept is to find vulnerabilities from the initial stages of the product cycle rather than at the end. For this purpose, tools such as the Nessus scanner for port-level scanning and Zed Attack Proxy for application-level scanning are used. Application-specific test cases are written to find vulnerabilities that cannot be found using the tools. In the big picture, this process can be termed Development-Security-Operations.