Securing Applications from the Bottom Up: Layers and Flaws

October 19, 2018 / GuidesFor Team

Applications that we use for our daily work may seem harmless and well built. We trust them with our data and information, then simply forget about them and move on to other tasks. But before these applications reach us, the consumers, they need to pass a multitude of tests to ensure that they are secure and ready for daily use. Unfortunately, it’s an arms race against hackers who are able to exploit hard-to-find loopholes and vulnerabilities, and then build on them to access data and inject malicious code into the application. Their attack could even be designed to spread across the whole system, shutting down operations for days. Although it is difficult to name the exact applications with these vulnerabilities, we can pinpoint the security flaws that hackers can use and identify how to proactively secure them.


According to security planet, one of the most overlooked vulnerabilities occurs when applications use non-validated inputs. Attackers may use non-validated information on web applications to gain access to back-end components. There are more vulnerabilities that a business owner should be aware of. IT managers, on the other hand, are tasked with knowing all about them and must take action to avoid and mitigate those risks. Unfortunately, cost cutting and strict deadlines can sometimes force shortcuts that diminish security simply because the company wants to launch the software as soon as possible.

Updates and application patches can be applied to decrease potential hazards, but when left alone, those hazards can lead to catastrophic downtime and compromised data. One event that caused an influx of concerned users is the newly found bug in Intel chips. The bug was created in order to help the software access memory from the computer’s central kernel. But the bug itself had a latent vulnerability: hackers could use it as a jump-off point to penetrate the data stream of devices like smartphones and tablets. According to Wired, these flaws affected user machines, smartphones, and servers run by Google and Amazon. The exploit can gain access to processes on servers. Although this exploit affected hardware, it makes clear that hackers can take advantage of a flaw and build on it. This can cause server downtime that could take days or weeks to fix.


The building blocks of applications and software have vulnerabilities that can be generalized into two categories: application flaws and application layers. Application flaws are similar to what we discussed earlier: flaws in the system or in the application that can come from programmer errors or undetected vulnerabilities. Application layers, on the other hand, interact directly with the end users. They provide services and communication for an application within a network. Authentication and identification also occur within the application layer, and failures there can mean potential hazards. Spoofing of or interference with the application layer can jeopardize data integrity.

There are four layers of web application security that app developers must consider, says mbtmag.

Web Application Firewall: Your first line of defense. It filters traffic and enforces rules on how visitors can move around your website. Simply put, it identifies potential threats and tries to block them to prevent potential harm.


Access Control: Tasked with protecting both front-end and back-end data. It implements access restrictions on certain data for different users. It selects which users have read and write access.


Bot Protection: Bots account for a huge number of attacks. They tirelessly attack websites, hoping for a prime target that has little to no protection. Bot protection ensures that a real human is accessing your website. A simple form of bot protection that you may have already encountered is being asked to complete a CAPTCHA.


Login Protection: On top of requiring the login username and password, an authentication code can be added that is sent via SMS or email. This can be a very good deterrent to discourage potential hackers.
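
The login step described above, as an added example that is not part of the original article: after the password check the server issues a one-time code and accepts it only once, within a time limit and a limited number of guesses. The class name, the 5-minute lifetime and the 5-attempt limit are assumptions, and delivery by SMS or email is left to the caller.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed code lifetime (5 minutes)
MAX_ATTEMPTS = 5        # assumed number of guesses allowed per issued code


class LoginCodeStore:
    """Pending one-time login codes, kept in memory and keyed by username."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested
        self._pending = {}    # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        """Create a 6-digit code, replacing any earlier code for this user."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[username] = [code,
                                   self._clock() + CODE_TTL_SECONDS,
                                   MAX_ATTEMPTS]
        return code  # the caller sends this by SMS or email

    def verify(self, username, submitted):
        """Return True only for the correct, unexpired, unused code."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]  # expired or guesses exhausted
            return False
        entry[2] -= 1  # count this guess before comparing
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[username]  # single use: a replay fails
            return True
        return False


if __name__ == "__main__":
    store = LoginCodeStore()
    sent = store.issue("alice")           # constructed sample user
    print(store.verify("alice", sent))    # first use of the right code
    print(store.verify("alice", sent))    # replay of the same code
```
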

Recognizing potential risks is one thing, but acting to mitigate and prevent attacks goes a long way toward keeping your data integrity safe. It’s always better to be ready than to have downtime and lose revenue because of a security breach.
