Cybersecurity: Application Security

City and County of Denver seal on the Webb Municipal building.

Overview

Auditors conducted a cybersecurity assessment of an agency in the City and County of Denver. This assessment found some areas of strength and some areas that need improvement. Because of the security sensitivities involved with this assessment the findings were communicated to the agency separately. This report gives a general overview of application security.

Application Security

For each service the City and County of Denver provides its residents, the city usually has a supporting website or application it must develop, support, and host.

Many of these applications need to be publicly accessible so that individuals can log in, submit files, or fill out forms. The data the city collects through these means is potentially sensitive or personal information that must be protected to ensure both confidentiality and data integrity

Each application the City and County of Denver uses increases the risk to the city, because each one can potentially provide a way for a digital attacker to probe the city’s systems, try to gain a foothold into the city’s network, or compromise a user’s or employee’s account.

Because of that risk, software applications must be configured with security controls to protect them against such malicious attacks. Applications are widely available, so even the tools that protect us — such as those that alert us to vulnerabilities — can be a source of significant risk.

Information security professionals understand that attempted attacks happen constantly. These attacks try to take advantage of common vulnerabilities, default configurations in systems, and weak passwords. This makes security assessments — which verify whether issues exist — increasingly important.

The city uses controls such as multifactor authentication to protect accounts from unauthorized access, but the city also needs to consider other scenarios to ensure the overall security of the applications it uses so it can best protect the data being stored.

Web Application Assessments

Application security assessments use both manual and automated tests to identify vulnerabilities, security flaws, and threats to web applications. An assessment may involve using any of the known kinds of malicious attacks — such as poor security configurations — to see whether a vulnerability can be exploited. In this way, information security professionals can more accurately determine the risks to an organization.

To ensure the testing is thorough and that all risks are addressed, information security experts will rely on a testing methodology framework — such as the one from the Open Web Application Security Project, a global nonprofit foundation that works to improve software security.

The foundation’s framework is “an open-source web application that explains secure coding principles in multiple programming languages” and was designed to help train teams to write secure computer code.

This tool aims to help organizations address vulnerabilities that lead to the most common attacks. Organizations can do this by analyzing current trends and threats and updating the organization’s approach to align itself with known threats.

The Open Web Application Security Project updated its framework in 2017 and again in 2021. In that time, security threats have changed substantially — demonstrating the ever-evolving nature of cybersecurity. Some of what were the most prevalent attacks have decreased since 2017, while other emerging threats have become more common. For example, in 2017, injection — an attack method that inputs malicious data into a web application — was by far the most common attack. As developers learned how to code to better protect against this attack, injection became less common.

By 2021, attackers focused more on uncovering broken access controls.

To do this, an attacker might sign up for a free, basic account that should only be able to read data. The attacker would then explore the various ways that a user might upload files. Then, by changing the request that goes between their computer and the application’s server, the attacker can, for example, request to delete a file. Such basic account access should not be able to do this, so if the request went through, the access control would be considered broken.


 

Tim_mug.png

AUDITOR TIMOTHY O'BRIEN, CPA
Denver Auditor



Denver Auditor´s Office

201 W. Colfax Ave. #705 Denver, CO 80202
Emailauditor@denvergov.org
Call: 720-913-5000
Follow us on Facebook     Connect with us on Twitter
Read our social media policy

Auditor´s Office Logos for Footer