- Client
Most applications need a client interface to push or pull data to users. Increasingly, applications themselves are also running on active scripting in the browser itself. This creates new security consequences and therefore new requirements for testing and defense.Affects these layers:
- Services
A typical web application often makes use of at least one or more web server add-ons in its architecture. These servers are the basis for web applications, but they also allow add-ons such as modules, plugins, libraries, frameworks, and extensions that add functionality. This increases complexity and broadens the attack surface of an application.Affects these layers:
- Access
The application access control tier is the gateway that users pass through for authentication and authorization. Client credentials are often stored in a database or apps can leverage shared on-premises solutions, or they can connect to SSO gateways.Affects these layers:
- TLS
The transport layer tier provides encryption as network packets pass over untrusted networks like the Internet or convenience WiFi services. Transport Layer Security (TLS) also ensures that attackers haven’t tampered with the data in transit and verifies the application with a proper domain certificate from a trusted certificate authority.Affects these layers:
- DNS
DNS is a globally distributed service running on agreed-upon standards of operation. If DNS is disrupted or tampered with, applications can suffer severe security impacts. Since the apps themselves may need connectivity to other services outside the application’s direct control, the app is also dependent on accurate and functional DNS.Affects these layers:
- Network
Clients need to connect to application servers, which almost always happens over the Internet. The network tier also includes all application network services such as Internet Service Providers (ISPs), last-mile connections from ISPs to their customers’ premises, and Internet routing protocols.Affects these layers:
- App Infrastructure Attacks
Attackers have learned that if it’s too much trouble to break into the application or steal access credentials, they can strike at the application’s supporting infrastructure instead.Affects these layers:
- Client-side Attacks
Attackers often target vulnerabilities in clients (such as web browsers) in order to breach an application or its supporting infrastructure.Affects these layers:
- DDoS Attacks
A distributed denial-of-service (DDoS) attack uses multiple computers to flood a server with requests, making a website slow or completely unavailable to users.Affects these layers:
- Web Application Attacks
Attackers target vulnerabilities in web applications because applications are the gateway to the data—exactly what attackers are after.Affects these layers:
