dev-resources.site

Application Security - Bridging Frontend and Cybersecurity: How do we identify what to protect by teams or companies?

Published at
4/2/2024
Categories
cybersecurity
frontend
owasp
security
Author
lau_blog

We addressed the question "What is application security?". Now let's address the question "How can teams and companies identify what to protect?", bridging frontend domains and cybersecurity concepts, serving as a practical continuation of security awareness in web applications.

The main purpose is not to define any term precisely or exhaustively, but rather to bridge both shores of knowledge and build a solid, iterative foundation of conceptual tools for those who want to dive deeper.

How do we identify what to protect by teams or companies

The better we know the web application, the better we can identify the entry points that an attacker sees as surfaces to attack. Identifying which assets are most vulnerable, and which are most likely to suffer data breaches, information disclosure, or unauthorized access, helps build a structured representation of the application from the cybersecurity point of view.

Attackers' actions range from simple substitutions of boolean values, like flipping false to true, to advanced techniques that chain vulnerabilities, errors, or behaviors to break into companies, clouds, or networks, steal sensitive data, or lock down the whole company with ransomware. Identifying these pain points lets us understand and communicate the actual threats we expect and the mitigations we can achieve to protect our company and the software we build.

This structured representation of threats, or threat model, identifies potential security risks and enables proactive measures to protect our digital assets. By conducting comprehensive threat modeling, teams can determine the complete attack surface of their components and the interconnected data accesses.

What is Threat Modeling

Threat modeling identifies potential security risks by capturing, organizing, and analyzing the web application, producing a prioritized list of security and privacy measures, requirements, and implementations for it.

Threat Modeling Manifesto

The Cost

Performing threat modeling is cheaper than paying remediation costs; let's see why.

Have you heard about PlayStation, Uber, or Yahoo? They have a very, very expensive characteristic in common: they have all suffered cyber attacks that cost hundreds of millions of dollars. Other companies, like Youbit (a South Korean crypto exchange), went into bankruptcy after being breached, and 60% of small businesses closed within six months after a breach.

Most Critical Security Risks to Web Applications

Risks differ from one another in frequency of occurrence, severity, magnitude of potential impact, and so on. Along these dimensions we can define a landscape of web application security awareness, and explore and include well-known vulnerabilities and mitigations, attacks and defenses, exploits and practices, to minimize the presence of well-known risks in our web application.
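As an added example (not code from the original post), here is a small threat register in JavaScript that turns the attributes named above, and the "prioritized list" that threat modeling is meant to produce, into something a frontend team can keep next to its code. The entry points, threats, scores and the multiplicative scoring rule are constructed assumptions, not a standard formula.

```javascript
// Constructed sample data: entry points of a web application and the assets
// reachable through each one (the attack surface the article describes).
const ENTRY_POINTS = {
  "login form": { assets: ["user credentials", "session tokens"] },
  "search API": { assets: ["customer records"] },
  "npm build":  { assets: ["source code", "deploy pipeline"] },
  "audit logs": { assets: ["incident evidence"] },
};

// Each threat is tagged with an OWASP Top Ten category and scored 1..5 on the
// three dimensions the article lists: frequency, severity, magnitude of impact.
const THREATS = [
  { id: "T1", entryPoint: "search API", owasp: "Injection (SQL/NoSQL)",
    frequency: 4, severity: 5, impact: 5,
    mitigation: "parameterized queries and server-side input validation" },
  { id: "T2", entryPoint: "npm build", owasp: "Vulnerable and Outdated Components",
    frequency: 5, severity: 3, impact: 4,
    mitigation: "lock and audit dependencies; patch on a schedule" },
  { id: "T3", entryPoint: "audit logs", owasp: "Security Logging and Monitoring Failures",
    frequency: 3, severity: 2, impact: 4,
    mitigation: "centralize logs and alert on authentication anomalies" },
  { id: "T4", entryPoint: "login form", owasp: "Identification and Authentication Failures",
    frequency: 4, severity: 4, impact: 3,
    mitigation: "rate limiting, MFA and secure session cookies" },
];

// Assumed scoring rule: risk = frequency * severity * impact. Higher means fix first.
function riskScore(t) {
  return t.frequency * t.severity * t.impact;
}

// The prioritized list: every threat joined with the assets it exposes,
// sorted by descending risk, ties broken by id so the order is stable.
function prioritize(threats, entryPoints) {
  return threats
    .map((t) => ({ ...t, score: riskScore(t), assets: entryPoints[t.entryPoint].assets }))
    .sort((a, b) => b.score - a.score || a.id.localeCompare(b.id));
}

// Attack-surface view: accumulated risk per entry point, to see where the
// application is most exposed rather than which single threat is worst.
function attackSurface(threats) {
  const byEntry = {};
  for (const t of threats) byEntry[t.entryPoint] = (byEntry[t.entryPoint] || 0) + riskScore(t);
  return byEntry;
}

for (const t of prioritize(THREATS, ENTRY_POINTS)) {
  console.log(`${t.score}\t${t.entryPoint}\t${t.owasp}\t-> ${t.mitigation}`);
}
```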

In the web application security field, the OWASP Foundation maintains a widely agreed list of the Top 10 most critical security risks for web applications.

OWASP Top Ten

OWASP standards help companies and developers adopt processes and increase security awareness, minimizing risks and driving code improvements. In the Top Ten we find Injection (for example SQL/NoSQL attacks), Outdated or Vulnerable Components, and Security Logging and Monitoring Failures, among many others.

Conclusion

Looking through the eyes of the attacker helps us create a defensive analysis, tackling well-known techniques and attacks early and building the big-picture map of threats and attack surfaces across our services and web applications.

Working together as one team, we can conduct a comprehensive analysis and construct a holistic fortress that approaches security proactively, empowering frontend software and safeguarding our systems by making them resilient.
