Application
An "application" in the context of software development refers to a program or software system designed to perform specific tasks or functions for end users.
What is an application?
Applications encompass a wide range of functionalities to address various needs, ranging from simple utilities and productivity tools to complex enterprise software solutions. These applications can be written in a wide range of programming languages and can run on various platforms, including desktop computers, mobile devices, web browsers and embedded systems. Typically they have a user interface that allows users to interact with them and may also rely on data processing, storage and communication functionality to accomplish their intended purpose.
Examples of Different Types of Applications:
- Desktop applications range from simple utilities and productivity tools to complex software. Some examples include Calculator, Notepad, Microsoft Excel, Notion, Visual Studio Code, Docker Desktop and Burp Suite.
- Mobile applications include messaging and entertainment apps as well as navigation services, mobile banking and mobile gaming. Some examples include Spotify, WhatsApp and Messenger, Google Maps, Waze, Monzo, Bank of America, and Candy Crush Saga.
- Embedded applications can be found everywhere, ranging from automotive infotainment systems and home automation to medical devices and industrial control systems. Some examples include BMW iDrive, Medtronic insulin pumps, and Tesla Gigafactory control software.
What are web applications?
A web application is a subtype of application designed specifically to operate over the internet and be accessed through a web browser. Modern web applications do not require installation and can be accessed from any device with an internet connection, including desktops, laptops and mobile devices. They consist of a front-end user interface, which loads in a web browser, and a back-end server that handles data processing and storage.
Examples of web applications:
- Email services such as Gmail and Outlook
- Online shopping platforms such as Amazon, Shopify and eBay
- Social networking and entertainment sites such as Facebook, LinkedIn and Netflix
- Online banking and financial services such as Chase Online, PayPal and Credit Karma
- Complex enterprise software such as Salesforce, SAP, Workday and Jira
What are APIs?
Application Programming Interfaces (APIs) are a set of definitions, routines, protocols, and tools for building and integrating software applications. APIs are increasingly being used within the back-end components of web applications. A typical application back end often consists of one or many APIs that provide a standardized, modular set of functionality for the application. APIs can be used to facilitate communication between the front-end and back-end components of the same application, or to allow separate applications to communicate and interoperate with each other.
Growth in web applications and APIs
Organizations are increasingly opting to build web applications over traditional software due to their accessibility across devices, scalability for growing user bases, cross-platform compatibility, and cost-effectiveness. APIs are also being used more frequently because they facilitate interoperation between systems, tools, and teams and accelerate development time.
Although web applications and APIs have many advantages, they are often targeted by cyber attacks. The increasing use of web applications, APIs and modern software architecture means that modern applications come with increased complexity and more opportunities for vulnerabilities. Developers must follow best practices for web app development and implement robust security measures to ensure their reliability and security.
Web application architecture
Applications can be either stand-alone programs or modules that are integrated into a larger software system. Modern development practices have brought significant changes in the way applications are built and architected. One of the most significant changes in recent years is the move away from traditional monolithic applications towards a microservices-based architecture, which is becoming increasingly popular due to the enhanced scalability, flexibility and maintainability microservices can offer over monolithic applications.
Monoliths: Typically used in traditional software development, monolithic applications are built as a single, cohesive unit where all components are tightly integrated and deployed together. They typically consist of a single codebase, a unified database, and a shared runtime environment. Monoliths are straightforward to develop and deploy but may encounter scalability and maintenance challenges as they grow in size and complexity.
Microservices: In modern software development, the concept of an application has evolved to include the use of microservices. Microservices architecture decomposes applications into small, independent services, where each is responsible for specific functionalities. These services communicate through well-defined APIs and can be developed, deployed, and scaled independently. Microservices offer greater flexibility, scalability, and fault isolation compared to monolithic architectures. However, they introduce complexities related to service communication, data consistency, and operational overhead.
What is the technology stack or application stack?
The technology stack of an application refers to a collection of software components, frameworks, libraries, languages, and technologies that are used together to build and deploy an application. It’s also known as the “software stack” or “application stack”, or simply shortened to “tech stack” or “app stack”.
The technology stack typically consists of multiple layers, each serving a specific purpose in the development of the application, including:
- Presentation Layer: The user interface components of an application that are presented to the user in the browser or via a graphical user interface (GUI). Front-end technologies such as HTML, CSS and JavaScript are used in combination with front-end frameworks and libraries like Angular, React and Vue.js.
- Application Layer: Contains the application logic and business rules that implement the application’s functionality. Back-end languages and runtimes such as Java, C# (.NET), Python, Node.js, Go, and PHP are used along with application frameworks and libraries that aid back-end and API development, like Spring, Django, Flask and Express.js.
- Data Layer: Allows the application to store, retrieve and manipulate data held in databases and data stores. Database technologies include MySQL, PostgreSQL and MongoDB. Object-relational mappers (ORMs) are frequently used to access databases programmatically.
- Infrastructure Layer: The underlying systems and services that are necessary for running the application, including the cloud platforms, operating systems and application servers.
A traditional example of an application stack is the LAMP stack, which stands for:
- Linux: the operating system (infrastructure layer)
- Apache: the web server (infrastructure layer)
- MySQL: the database server (data layer)
- PHP: the programming language (application layer)
A modern example of an application stack is the MEAN stack, which stands for:
- MongoDB: the database server (data layer)
- Express: the back-end web framework that handles HTTP routing (application layer)
- Angular: the front-end JavaScript framework (presentation layer)
- Node.js: the JavaScript runtime that hosts the back end (application/infrastructure layer)
The combination of technologies and components in an application stack is chosen based on factors such as project requirements, development expertise and organizational preferences. Organizations may opt for technologies that maximize ease of management and maintainability while also meeting performance, scalability and security requirements.
Dangerous functions across the entire tech stack
When you think of securing your application, select Application Security Testing tools that take into consideration the entire tech stack of your application, versus just testing the code or the libraries used in the application.
Your stack likely contains a great many powerful, dangerous functions. “Dangerous functions” are simply functions that perform a powerful task and could cause harm if misused. A typical software stack has thousands of these methods, used for tasks such as creating files, parsing documents, executing native commands, deserializing objects, and making database queries. They are dangerous precisely because what they do has security consequences: if an attacker can control the input to one or more of them, they can exploit the application and harm the company.
The sheer volume of dangerous functions available to developers across the application stack renders the scale of the AppSec problem enormous. Software applications and APIs are the primary cause of IT security breaches in global enterprises.
How does Contrast Security protect dangerous functions across the entire tech stack?
Contrast Security is different from other application testing technologies. We use security instrumentation methodology to identify vulnerabilities, block attacks, analyze code and libraries together, provide detailed application inventories, and even enable centralized policy command and control – all in real time.
Instrumentation is a safe and proven way of adding missing capabilities to applications without having to recode, retest, and redeploy them. Many popular logging and application performance management products have relied on instrumentation for over a decade. Contrast Security is the only application security testing tool that applies this instrumentation to address the root cause of this AppSec problem for web applications, APIs and many message queue-driven applications. Contrast Security instrumentation enables a zero-trust approach to application security. Contrast’s Runtime Security platform unifies IAST (Interactive Application Security Testing), RASP (Runtime Application Self-Protection) and runtime SCA (Software Composition Analysis) under two main products:
- Contrast Assess: Composed of both Interactive Application Security Testing (IAST) and runtime Software Composition Analysis (SCA), Contrast Assess is designed to secure applications from within, across the entire Software Development Life Cycle (SDLC), finding and helping fix vulnerabilities in real time and with full application context.
- Contrast Protect: Combining Runtime Application Self-protection (RASP) and runtime Software Composition Analysis (SCA) designed for protecting applications in production and stopping exploits dead in their tracks, including zero days.
Together, Assess and Protect actively monitor and analyze your application’s behavior in real time, surrounding dangerous functions with trust boundaries, identifying vulnerabilities in the development and testing phases, blocking attacks in production, and continuously monitoring library usage for both known CVEs and unknown vulnerabilities. We alert the developer when dangerous functions have been invoked without proper sanitization, and we give the developer instant feedback on vulnerabilities. Think of runtime security as adding a security boundary around the entire application that protects it both in production and during development.
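To make the two ideas above concrete (a dangerous function in the stack, and instrumentation that watches it at runtime without changing application code), here is an added Python example. It is not Contrast’s code and not part of this page’s original content. The `users` table, the `from_request`/`begin_request` hooks, the `InstrumentedCursor`/`InstrumentedConnection` classes and the `FINDINGS` list are all assumed for illustration; the substring check that flags untrusted data inside SQL text is a deliberate simplification of the dataflow tracking a real agent performs. The same sink (`sqlite3` `execute`) is reached once by string-built SQL and once by a parameterized query, and the toy agent either reports the first (report-only, Assess-like) or blocks it (Protect-like):

```python
"""Added example (not Contrast's code): a dangerous SQL sink, its hardened
form, and a toy instrumentation layer that watches the sink at runtime."""
import contextvars
import sqlite3

# --- toy instrumentation layer -------------------------------------------
# Untrusted values seen in the current request. A real agent would hook the
# web framework to populate this; from_request() is an assumed stand-in.
_UNTRUSTED = contextvars.ContextVar("untrusted", default=())
FINDINGS = []              # one entry per flagged dangerous-function call
MODE = {"block": False}    # False: report only (Assess-like); True: block (Protect-like)


class AttackBlocked(RuntimeError):
    """Raised in block mode when request data reaches the sink as statement text."""


def begin_request():
    _UNTRUSTED.set(())


def from_request(value: str) -> str:
    """Mark a value as attacker-controlled (e.g. an HTTP query parameter)."""
    _UNTRUSTED.set(_UNTRUSTED.get() + (value,))
    return value


class InstrumentedCursor(sqlite3.Cursor):
    """Wraps the dangerous function: every statement passes through here."""

    def execute(self, sql, parameters=()):
        # Simplified check: if an untrusted value appears verbatim in the SQL
        # text, the app built the statement by string concatenation. Bound
        # parameters never appear in the text, so they pass. (Real agents
        # track dataflow instead of substring matching, which can
        # false-positive on short or coincidental values.)
        hits = [v for v in _UNTRUSTED.get() if v and v in sql]
        if hits:
            FINDINGS.append({"sink": "sqlite3.Cursor.execute", "sql": sql, "untrusted": hits})
            if MODE["block"]:
                raise AttackBlocked(f"untrusted data in SQL text: {hits}")
        return super().execute(sql, parameters)


class InstrumentedConnection(sqlite3.Connection):
    """Hands out instrumented cursors and routes Connection.execute through them."""

    def cursor(self, factory=None):
        return super().cursor(InstrumentedCursor)

    def execute(self, sql, parameters=()):
        return self.cursor().execute(sql, parameters)


# Patch the driver entry point so application code needs no changes.
_real_connect = sqlite3.connect


def _instrumented_connect(*args, **kwargs):
    kwargs.setdefault("factory", InstrumentedConnection)
    return _real_connect(*args, **kwargs)


sqlite3.connect = _instrumented_connect


# --- application code (unchanged by the instrumentation) ------------------
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")  # constructed sample data
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_vulnerable(conn, user_id: str):
    # String-built SQL: the request value becomes part of the statement text.
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id: str):
    # Same sink, same query, but the value travels as a bound parameter.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def demo(block: bool = False):
    """Run both lookups against an injection payload; return (vulnerable, safe, findings)."""
    MODE["block"] = block
    FINDINGS.clear()
    begin_request()
    conn = setup_db()
    payload = from_request("1 OR 1=1")  # constructed attacker input
    try:
        vulnerable = lookup_vulnerable(conn, payload)  # dumps every user
    except AttackBlocked:
        vulnerable = "blocked"
    safe = lookup_safe(conn, payload)  # no row has that id, so nothing leaks
    return vulnerable, safe, list(FINDINGS)


if __name__ == "__main__":
    print(demo(block=False))
    print(demo(block=True))
```

Two points worth noticing. The application code never imports the instrumentation; it just calls `sqlite3.connect`, which is how instrumentation adds a capability without recoding or redeploying the app. And the parameterized lookup is not flagged even though it receives the same hostile input, because the sink is only dangerous when attacker data becomes part of the statement itself.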
Contrast Runtime Security puts in the right checks, in all the right places, to alert the developers of real vulnerabilities and to alert security teams of real attacks, giving them full context and insights into the application, the code, the libraries and frameworks in use, the vulnerabilities, and the attacks.
Definition of an application for Contrast Assess
Contrast Assess (IAST + SCA) is licensed on a per-application basis. An application license could cover a single monolithic application, or several related microservices or APIs that together make up a single logical application. Per-application licensing allows you the flexibility to assess your application in as many environments as you like under a single license.
Multiple microservices or APIs can be grouped together within the Contrast platform to provide a cohesive set of results for each logical application. A typical application grouping would include all of the microservices and components that a single development team is responsible for.
Since modern development and microservices architecture comes with added complexity, it has blurred the lines of traditional application definitions. Contrast’s product licensing is flexible to reflect this, and we collaborate with you during onboarding to figure out the optimum application grouping and licensing to ensure all your applications are covered.
See Contrast’s Product Unit Definitions for more details.
Definition of an application for Contrast Protect
Contrast Protect (RASP + SCA) is licensed on a per-server or application instance basis. An application instance is a single, isolated execution of the application. A server license covers a single application instance. Per-instance licensing allows for flexibility in protecting applications in production as your applications scale up and down.
Modern applications, microservices architecture, and the use of containerization comes with added complexity and has blurred the lines of traditional application definitions. Contrast’s product licensing is flexible to reflect this. We will work with you during onboarding to adjust licensing for microservices and containers to ensure all your applications are protected.
See Contrast’s Product Unit Definitions for more details.