Web application security is the set of practices, controls and tools used to keep web-facing applications, together with the mobile, desktop and cloud clients that talk to them, secure against malicious attacks and against accidental breaches and failures. In practice it is the continuing work of finding, fixing and preventing the vulnerabilities that leave an application open to attack.
A web application attack is any attempt by a malicious actor to compromise the security of a web-based application. Attacks may target the application itself, to reach the data it holds or the systems behind it, or they may use the application as a staging post for attacks against its users, for example by serving them malicious content from a site they trust.
The most common forms of attack include:
Cross-site scripting (XSS) - injecting script into pages that the application serves to other users, so the script runs in their browsers with the application's origin
SQL injection (SQLi) - supplying input that is spliced into a database query and changes the query's meaning
Cross-site request forgery (CSRF) - tricking a logged-in user's browser into sending a state-changing request the user never intended
Denial-of-service (DoS) - exhausting the application's resources so that legitimate users cannot use it
Distributed denial-of-service (DDoS) - the same, driven from many sources at once so that it cannot be blocked by filtering a single origin
Other attack vectors arise from broken authentication or authorization and from flaws in the application's business logic that let its integrity be compromised. These are often the hardest to find with tools, because the application is behaving exactly as it was written, just not as it was intended.
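The three injection-style attacks in the list above are easiest to understand next to their fixes. The following is an added example written for this page, not code from the original article: it shows a vulnerable and a hardened handler for SQL injection, cross-site scripting and CSRF, using the Python standard library and a constructed in-memory SQLite table. All function and table names are hypothetical.

```python
import html
import hmac
import secrets
import sqlite3


def make_db():
    """Build a constructed in-memory database for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# SQL injection (SQLi): attacker text spliced into the query vs. a bound parameter.
def find_user_vulnerable(conn, name):
    # The untrusted value becomes part of the SQL text, so a quote in it ends the
    # literal and lets the attacker rewrite the WHERE clause.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # The driver sends the value separately from the query text; it is only ever
    # compared as data and cannot change the query structure.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Cross-site scripting (XSS): user content echoed raw vs. HTML-escaped.
def render_comment_vulnerable(comment):
    # Raw interpolation: a comment containing <script> runs in every reader's browser.
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    # html.escape turns <, >, &, " and ' into entities, so the text is shown, not parsed.
    return f"<p>{html.escape(comment, quote=True)}</p>"


# Cross-site request forgery (CSRF): synchroniser token tied to the user's session.
def issue_csrf_token(session):
    # A fresh unguessable token is stored server-side in the session and embedded
    # in the form; a page on another origin cannot read it, so it cannot forge the post.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    # Reject missing tokens and compare in constant time to avoid timing leaks.
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"                     # classic tautology: matches every row
    print(find_user_vulnerable(db, payload))     # both users leak
    print(find_user_safe(db, payload))           # []: nobody is literally named that
    print(render_comment_safe("<script>alert(1)</script>"))
    sess = {}
    tok = issue_csrf_token(sess)
    print(csrf_token_valid(sess, tok), csrf_token_valid(sess, "forged"))
```

The common thread is that the fix in each case keeps untrusted data in the data channel: bound parameters for SQL, entity-escaping for HTML, and a secret the attacker's origin cannot read for CSRF. Escaping must match the context the data lands in; `html.escape` is right for element text and attribute values but not for JavaScript, URLs or CSS, each of which needs its own encoder.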
Web application security testing is the process of testing, analyzing and reporting on the security of a web application.
It commonly falls into two main categories:
Dynamic testing - Dynamic application security testing (DAST) is black-box testing: the tester, or an automated scanner, has no knowledge of the internals and probes the running application over the network, sending crafted requests and observing the responses, to detect vulnerabilities in the application and in any underlying frameworks it runs on. Because it exercises the live application, dynamic testing can add, alter and delete data, so it should be run against a test instance rather than production.
Static testing - Static application security testing (SAST) is white-box testing, where the tester needs a deeper understanding of the system being tested and access to its source code. SAST tools examine the source code at rest, without running the application, and report potential vulnerabilities such as untrusted input flowing into a database query or an HTML response. Neither category is purely automated or purely manual: both are normally combined with manual review and a manual penetration test, and the two find different classes of bugs, so a sound program uses both.
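To make the static side concrete, here is an added example written for this page, not code from the original article or from any real SAST product: a minimal checker that parses Python source with the standard `ast` module and flags calls to `execute`/`executemany` whose query text is assembled at runtime (f-string, concatenation, `%` or `.format`) rather than passed as a constant with bound parameters. The sample source it scans is constructed for the demonstration; `scan_source` and the other names are hypothetical.

```python
import ast

# Constructed sample source for the demonstration (not a real project):
# two unsafe query constructions and one safe, parameterised one.
SAMPLE_SOURCE = '''
def lookup(conn, name):
    q = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(q)

def lookup_fmt(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")

def lookup_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def is_dynamic_string(node):
    """True if the expression builds a string at runtime from parts."""
    if isinstance(node, ast.JoinedStr):                         # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                             # "..." + x  or  "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                             # "...".format(x)
    return False


class SqlStringFinder(ast.NodeVisitor):
    """Walk a module, remembering simple assignments so `q = ...; execute(q)` is caught too."""

    def __init__(self):
        self.findings = []       # (line number, message)
        self.assignments = {}    # variable name -> last assigned expression, per function

    def visit_FunctionDef(self, node):
        self.assignments = {}    # intra-procedural only: reset at each function
        self.generic_visit(node)

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.assignments[target.id] = node.value
        self.generic_visit(node)

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            arg = node.args[0]
            if isinstance(arg, ast.Name):                     # follow one level of assignment
                arg = self.assignments.get(arg.id, arg)
            if is_dynamic_string(arg):
                self.findings.append(
                    (node.lineno, "SQL query built from a dynamic string; use parameter binding"))
        self.generic_visit(node)


def scan_source(source):
    """Return a list of (line, message) findings for the given Python source text."""
    finder = SqlStringFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for line, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
```

The checker never runs the code it inspects, which is the defining property of static analysis, and it illustrates both strengths and limits of the approach: it finds the concatenated query even when the string is built on an earlier line, but it has no idea whether `name` is actually attacker-controlled, and it would miss a query passed in from another function. Real SAST tools add inter-procedural taint tracking and source/sink models for the frameworks in use to narrow those gaps.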