Most applications need a client interface to push or pull data to users. Increasingly, applications themselves also run as active scripts inside the browser. This creates new security consequences and therefore new requirements for testing and defense.
A typical web application is built on one or more web servers, often with add-ons, in its architecture. These servers are the basis for web applications, but they also accept add-ons such as modules, plugins, libraries, frameworks, and extensions that add functionality. This increases complexity and broadens the attack surface of an application.
The application access control tier is the gateway that users pass through for authentication and authorization. Client credentials are often stored in a database, but apps can also leverage shared on-premises solutions or connect to single sign-on (SSO) gateways.
The transport layer tier provides encryption as network packets pass over untrusted networks like the Internet or convenience Wi-Fi services. Transport Layer Security (TLS) also ensures that attackers haven't tampered with the data in transit and verifies the application's identity through a domain certificate issued by a trusted certificate authority.
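As an added example that is not part of this page, the following Python (standard library only) shows the client-side configuration that delivers the guarantees described above, beside the misconfiguration that silently discards them, and a small audit function that reports which of those guarantees a given `ssl.SSLContext` has lost.

```python
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Client context that validates the server's certificate chain against
    the system CA store, checks the hostname, and refuses pre-TLS 1.2 handshakes."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The common mistake the audit below is meant to catch: verification is
    switched off, so any certificate, including a forged one, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that defeat what TLS is supposed to give the
    transport tier. An empty list means the context passes the audit."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server's "
                        "certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for a "
                        "different domain would be accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2: obsolete protocol "
                        "versions can still be negotiated")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```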
DNS is a globally distributed service running on agreed-upon standards of operation. If DNS is disrupted or tampered with, applications can suffer severe security impacts. Since the apps themselves may need connectivity to other services outside the application’s direct control, the app is also dependent on accurate and functional DNS.
Clients need to connect to application servers, which almost always happens over the Internet. The network tier also includes all application network services such as Internet Service Providers (ISPs), last-mile connections from ISPs to their customers’ premises, and Internet routing protocols.
- App Infrastructure Attacks: Attackers have learned that if it's too much trouble to break into the application or steal access credentials, they can strike at the application's supporting infrastructure instead.
- Client-side Attacks: Attackers often target vulnerabilities in clients (such as web browsers) in order to breach an application or its supporting infrastructure.
- DDoS Attacks: A distributed denial-of-service (DDoS) attack uses multiple computers to flood a server with requests, making a website slow or completely unavailable to users.
- Web Application Attacks: Attackers target vulnerabilities in web applications because applications are the gateway to the data—exactly what attackers are after.
Applications are made up of many independent components, running in separate environments with different requirements and a supporting infrastructure that's glued together over networks. Each component, or tier, can be a target. To evaluate defenses, you need to understand the attack surface of each tier.