By 
Traditional security frameworks often fail to connect with the realities of development. Usually, we see the results of them in PDFs and compliance documents, making it hard for developers to see how they relate to the actual code.
As someone who tinkered with both worlds, Mitre is more valuable from a developer’s perspective than OWASP Top 10. Insisting at the same time that OWASP has its clear advantage, of providing a list of most commonly used exploits in the Web.
MITRE ATT&CK takes a different approach by documenting actual attack techniques that target applications in production. It essentially bridges the mindset of how an application is evaluated by both attackers and defenders.
What is MITRE ATT&CK?
There’s the site definition, and there’s Sun Tzu reference that I like mentioning it more. Sun Tzu, a Chinese military general, strategist, and philosopher, once famiously said, “Know thy enemy and know yourself; in a hundred battles, you will never be defeated.”
MITRE ATT&CK breaks down attacks into two key components: tactics and techniques. This hands-on method equips developers with a comprehensive understanding of the strategic and technical aspects of cyber threats. Rather than abstract security concepts, it provides a tangible roadmap of attacker behavior, their goals, and the tactics they use.
Recognizing these patterns helps developers protect their applications from real-world threats. But how?
Tactics vs Techniques
Tactics describe what attackers aim to accomplish when targeting your application. Knowledge of attack tactics helps developers prepare their software for different types of attacks, including initial access, credential theft, and data extraction.
In contrast, techniques detail the specific tactics used by attackers. MITRE focuses on specific attack patterns, outlining how attackers exploit SQL injection, environment variables, and template engines, instead of just general warnings.
Attack categories
The framework covers 14 tactical categories, but these three directly impact application security:
Execution
For attackers to succeed, they must find a way to execute their malicious software within your environment. Modern applications combine JavaScript, C#, Python, shell commands, and other interpreters, each offering distinct execution pathways. Overall, in crafting defense on an app, it’s necessary to think of the entire software supply chain, not only tech stack, but infrastructure and ecosystem as well.
It’s important to prioritize input validation and code isolation in this context.
Persistence
Once attackers gain access, they try to maintain it. Here is where automated software embedded in the SDLC (Software Development Lifecycle) is better than manual work. That is because these tools can periodically scan for compromised libraries, infected build processes, and malicious startup scripts.
Supply chain attacks often target development dependencies, making proper CI/CD security essential, and zero day architecture a necessary step in the future. Today, the principle of least privilege stands out as an excellent strategy to limit damage in both execution and persistence scenarios.
Defense Evasion
Attackers try to bypass security controls by encoding payloads, splitting malicious inputs, and uncovering blind spots.
Modern security tools are helpful, but they are not flawless. Web Application Firewalls (WAFs) and runtime protection can detect known patterns, but advanced attackers exploit blind spots and parsing logic edge cases that are not logged. This is why defense in depth, which involves multiple layers of validation and monitoring, is essential.
By integrating automated security testing into the SDLC, you can detect attempts to bypass security measures early on, preventing them from reaching production. We have to acknowledge that this is a continuous fight between two sides. Because in this case we’re moving away from known methodologies and attack techniques and land in a non-heuristic way of working, where certain attack patterns can be seen as safe, and if enforcing too much strictness, safe patterns can be blocked by the security monitoring tool.
Defense evasion, as most techniques here, can be damn right complex.
Understanding these methods helps build better validation and monitoring systems.
Complete MITRE ATT&CK tactics reference
While we focused on the three most critical categories for application security, here’s the complete list of MITRE ATT&CK tactics for comprehensive understanding:
- Reconnaissance: Gathering information about the target system through active or passive means
- Resource Development: Setting up infrastructure and capabilities needed for the attack
- Initial Access: First point of entry into the target system
- Execution: Running malicious code on the target system
- Persistence: Maintaining access to system restarts
- Privilege Escalation: Gaining higher-level permissions
- Defense Evasion: Avoiding detection by security controls
- Credential Access: Stealing account names and passwords
- Discovery: Learning about the target environment
- Lateral Movement: Moving through the environment
- Collection: Gathering valuable data
- Command and Control: Communicating with compromised systems
- Exfiltration: Stealing data
- Impact: Manipulating, interrupting, or destroying systems and data
Each tactic represents a specific goal attackers try to achieve, and understanding them all helps build a complete defensive strategy. We will uncover each, in a separate article.
However, for most developers, focusing on execution, persistence, and defense evasion provides the most immediate security benefits for application development. We can confidently state, leave the rest for the security specialists.
Practical Applications for Developers
Developers can leverage MITRE ATT&CK (particularly focusing on execution, persistence, and evasion tactics) in several practical ways:
Create security tests based on real attack patterns
Rather than generic vulnerability scanning, create tests that simulate actual attack scenarios. For example, test how your application handles encoded payloads split across multiple parameters, or attempt known bypass techniques against your input validation.
Design better application logging
Build logging that captures indicators of potential attacks. Log not just errors, but also suspicious patterns like repeated failed parameter validations, unusual encoding patterns, or attempts to execute commands through user inputs.
Evaluate security controls against specific threats
Instead of implementing security controls blindly, assess them against known attack techniques. For instance, test your WAF rules against documented evasion methods, or verify your input validation against various injection patterns.
Prioritize security fixes based on actual risk
Use MITRE ATT&CK’s documentation of real attacks to understand which vulnerabilities attackers actively exploit. Focus on fixing issues that match common attack patterns before addressing theoretical vulnerabilities.
Implement targeted defensive coding patterns
Write code that specifically counters known attack techniques. For example, implement context-aware escaping based on documented injection attacks, or add integrity checks to prevent known persistence mechanisms.
Final Thoughts
This framework helps close the gap between development and security through real examples of application attacks. While other guides may focus on broad advice, Mitre emphasizes specific, targeted approaches for patching and preparing against known attack patterns.
It’s a long list, but you don’t need to memorize it (except for us). It’s designed for security engineers and penetration testers, but even if you’re not, there’s a lot of great stuff to learn from it.
However, if you don’t find that interesting, OWASP 10 is always available.
Photo by Josue Valencia on Unsplash.