Evolution of AEM from on-prem/AMS to AEM As Cloud service has reduced the security concerns to a certain limit. But there are areas an AEM architect should be concerned about, when the code moves to production.
Role of Application Security Testing (AST)
The application security is a major consideration when new design techniques are adopted and DevSecOps are in demand. Application Security Testing (AST) tools available as On-Premise,Cloud or as a SaaS offering. The current tech-market comprises of Application Security Testing (AST) tools offering core testing capabilities — which can be of type static, dynamic, interactive and various optional, specialized capabilities testing;
Below given a set of the AST techniques in brief
Static AST (SAST): SAST analyzes an application’s source, bytecode or binary code for security vulnerabilities - Mainly during development & testing phases.
Dynamic AST (DAST): DAST analyzes applications in their running/dynamic state during testing mainly during operational phases.
DAST Simulates the attack on web-application(AEM) and APIs(within the boundary of AEM application)
Software composition analysis (SCA): SCA is used to identify other open-source and, less frequently, commercial components in use within an AEM application. From this, known security vulnerabilities, potential licensing concerns and operational risks can be identified.
Interactive AST (IAST): IAST checks a running application, For e.g In case of AEM via the Java Virtual Machine [JVM] and examines its operation to identify vulnerabilities.
Fuzzing: Fuzz testing relies on providing random, malformed or unexpected input to a program to identify potential security vulnerabilities — For e.g., a memory leaks or buffer overflows or application crashes.
Mobile AST (MAST): MAST generally use traditional testing approaches (e.g., SAST and DAST) that have been optimized to support languages and frameworks commonly used to develop mobile and/or Internet of things (IoT) applications. Since mobile & IoT is a related technology with AEM, we must consider such techniques.