Application Security

1. Application Security Overview

  • Definition: Application security is the practice of finding, fixing, and preventing security vulnerabilities in software, rather than in the network that carries it.

  • Key Stages: Security vulnerabilities are addressed during design, development, deployment, upgrade, and maintenance stages.

2. Key Terminology

  • Network Security: Protection at the network level (e.g., routers, servers, firewalls).

  • Application Security: Protection at the software level (e.g., websites, databases, mobile apps).

  • Threat: A potential cause of a security violation (e.g., malware, an attacker).

  • Risk: The likelihood that a threat exploits a vulnerability, weighed against the impact if it does (e.g., the risk of malware compromising an application).

  • Vulnerability: A weakness in code, design, or configuration that a threat can exploit.

3. Software Development Lifecycle (SDLC)

  • Common Phases: Plan, develop, test, deploy, maintain.

  • Popular Methodologies:

    • Waterfall: Sequential, phase-by-phase approach; simple but inflexible, so flaws found late are expensive to fix.

    • Agile: Iterative approach; flexible, but security testing can be squeezed out unless it is built into each iteration.

    • Scrum: Agile variant organized around fixed-length sprints (1-4 weeks).

    • Spiral: Iterative, with an explicit risk analysis in every cycle; better suited to security but slower.

    • Iterative: Development in a series of smaller prototypes, applying the lessons learned from each cycle to the next.

4. Penetration Testing Types

  • White-Box Testing: Testers are given full knowledge of the system (source code, architecture, credentials); this increases the likelihood of finding flaws.

  • Black-Box Testing: Testers have no prior information; simulates an external attacker.

  • Gray-Box Testing: Testers have partial knowledge (e.g., an ordinary user account), combining elements of white-box and black-box testing for a balanced assessment.

5. Security Testing Techniques

  • Static Application Security Testing (SAST):

    • Analyzes source code (or bytecode) for vulnerabilities before deployment, without running the application.

    • Requires access to the source code; finds flaws early, but tends to produce many false positives, so it needs expert configuration and triage of findings.

  • Dynamic Application Security Testing (DAST):

    • Tests the running application from the outside by pointing a scanner at its URL, with no access to the code.

    • Language-agnostic and highly scalable, but it only sees the code paths it can reach, so it is prone to both false positives and false negatives.

  • Interactive Application Security Testing (IAST):

    • Combines elements of SAST and DAST: an instrumentation agent inside the running application observes it while tests exercise it.

    • Provides access to the code, the traffic, and the backend connections, so findings can be tied to the exact code that was exercised.
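The following is an added illustration of what a SAST tool does at its core, written for these notes and not taken from any real scanner: it parses Python source into an AST and flags calls to command- or code-execution sinks whose first argument is not a string literal. The three sample modules are constructed for the example. The vulnerable one shows the findings a scanner would report, the hardened one (argument list, no shell, `ast.literal_eval` instead of `eval`) shows the fix, and the third shows a false positive of the kind that makes SAST need tuning and triage: the argument is built from a module-level constant, which this simple checker cannot see.

```python
"""Minimal SAST-style checker (added example, not a real product)."""
import ast
import textwrap
from dataclasses import dataclass

# Sinks that hand a string to a shell or an interpreter.
SHELL_SINKS = {("os", "system"), ("os", "popen")}
SUBPROCESS_SINKS = {("subprocess", "run"), ("subprocess", "call"), ("subprocess", "Popen")}
BUILTIN_SINKS = {"eval", "exec"}


@dataclass
class Finding:
    line: int
    sink: str
    reason: str


def _call_name(call: ast.Call):
    """Return (module, name) for os.system(...), or (None, name) for eval(...)."""
    f = call.func
    if isinstance(f, ast.Name):
        return None, f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f.value.id, f.attr
    return None, None


def _shell_true(call: ast.Call) -> bool:
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def scan_source(source: str) -> list[Finding]:
    """Flag dangerous sinks whose first argument is not a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        mod, name = _call_name(node)
        if mod is None and name in BUILTIN_SINKS:
            sink = name
        elif (mod, name) in SHELL_SINKS:
            sink = f"{mod}.{name}"
        elif (mod, name) in SUBPROCESS_SINKS and _shell_true(node):
            sink = f"{mod}.{name}"  # shell=False passes an argv list, no shell parsing
        else:
            continue
        # A literal cannot carry attacker-controlled input; anything else might.
        if not isinstance(node.args[0], ast.Constant):
            findings.append(Finding(node.lineno, sink, "non-constant argument"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: classic command and code injection.
VULNERABLE_SAMPLE = textwrap.dedent("""\
    import os
    import subprocess

    def ping(host):
        os.system("ping -c 1 " + host)

    def run_tool(cmd):
        subprocess.run(cmd, shell=True)
        return eval(cmd)
    """)

# Constructed sample: the hardened form of the same functions.
FIXED_SAMPLE = textwrap.dedent("""\
    import ast
    import subprocess

    def ping(host):
        subprocess.run(["ping", "-c", "1", host], check=True)

    def run_tool(cmd):
        return ast.literal_eval(cmd)
    """)

# Constructed sample: a false positive. LOG_DIR is a constant, but the
# checker does no constant propagation, so the call is still reported.
FALSE_POSITIVE_SAMPLE = textwrap.dedent("""\
    import os

    LOG_DIR = "/var/log/myapp"

    def list_logs():
        os.system("ls " + LOG_DIR)
    """)


if __name__ == "__main__":
    for label, src in [("vulnerable", VULNERABLE_SAMPLE),
                       ("fixed", FIXED_SAMPLE),
                       ("false positive", FALSE_POSITIVE_SAMPLE)]:
        print(label, [(f.line, f.sink, f.reason) for f in scan_source(src)])
```

Running it reports lines 5, 8 and 9 of the vulnerable sample, nothing for the fixed sample, and one finding for the false-positive sample; a production SAST engine differs mainly in tracking data flow from real sources (request parameters, files) to sinks so that the third case is either suppressed or downgraded.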

6. Integration in Information Security

  • Both network and application security are integral parts of overall information security programs, working together to mitigate IT risks.

7. Industry Tools

  • Technologies used for application security include:

    • Web Application Firewalls (WAFs)

    • Source Code Analyzers

    • Penetration Testing Tools

    • Security Testing Automation Tools (e.g., SAST, DAST, IAST)

8. Further Reading

  • Agile Manifesto: review the Agile Manifesto for the principles behind the Agile and Scrum methodologies above.
