Definition

Application security (AppSec) comprises the processes, practices, and tools used to identify, repair, and protect against vulnerabilities in applications throughout the software development life cycle (SDLC). Application security involves a wide array of tools and methodologies, but all have the same goal: to identify weaknesses and vulnerabilities and fix them before they can be exploited.

Why is application security important?

Every business is a software business today, whether an organization sells software directly to customers or relies on it to run operations. The safety and security of this software is critical to minimizing business risk. A robust AppSec strategy is the only way to lower business risk and help build trust in the security of your software.


What’s the difference between cloud application security, web application security, and mobile application security?

All forms of application security have the same goal: to identify, mitigate, and prevent vulnerabilities. The difference between these forms is in where, how, and when security testing, practices, and methodologies take place.

Mobile application security: Mobile application security focuses on the software security posture of mobile apps on various platforms like Android, iOS, and Windows Phone. It covers applications that run both on mobile phones and tablets, and it involves assessing applications for security issues in the context of the platforms that they are designed to run on, the frameworks that they are developed with, and the anticipated set of users (e.g., employees vs. end users).

Mobile application security testing involves testing a mobile app in the ways a malicious user would try to attack it. Effective security testing begins with an understanding of the application’s purpose and the types of data it handles. From there, a combination of static analysis, dynamic analysis, and penetration testing is used to find vulnerabilities that would be missed if the techniques were not used together effectively.

Cloud application security: Cloud application security is a system of policies, processes, and controls that enable enterprises to protect applications and data in collaborative cloud environments. Cloud security centers around key activities including identifying and managing access, data protection, infrastructure security, logging and monitoring, incident response, and vulnerability mitigation and configuration analysis.

Web application security: Web application security is the practice of building websites that function as expected, even when they are under attack. It involves a collection of security controls engineered into a web application to protect its assets from potentially malicious agents. Web applications, like all software, inevitably contain defects. Some of these defects constitute actual vulnerabilities that can be exploited, introducing risk to organizations. Web application security defends against such defects. It involves leveraging secure development practices and implementing security measures throughout the software development life cycle, ensuring that design-level flaws and implementation-level bugs are addressed. Techniques used include DAST, SAST, pen testing, and runtime application self-protection (RASP).


When should application security testing be performed?

There is no concise answer to this question. Testing needs and timing vary by application, business model, and environment. But the modern DevSecOps model promotes testing as early and often as possible in the SDLC. The best practice is to test whenever you feasibly can, so that issues are detected early and remediated before they become a bigger problem that costs time, money, and rework later.

What tools are used for application security testing?

There is a wide array of AppSec tools, each with its own specific use case and function. Some of the most common include:

  • Dynamic application security testing (DAST): This automated application security test is best for internal-facing, low-risk applications that must comply with regulatory security assessments. For medium-risk applications and critical applications undergoing minor changes, using DAST with manual web security testing is the best solution to find common vulnerabilities.
  • Static application security testing (SAST): This type of testing can be performed through automated and manual techniques. It identifies bugs without the need to execute the application in a production environment. It also enables developers to scan source code and systematically find and eliminate software security vulnerabilities.
  • Pen testing: This manual application security test is best for critical applications, especially those undergoing major changes. The assessment involves business logic and adversary-based testing to discover advanced attack scenarios.
  • Software composition analysis (SCA): This type of analysis helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers.
  • Interactive application security testing (IAST): Interactive application security testing helps automate web security testing within DevOps pipelines. IAST automatically retests identified vulnerabilities and validates whether they are real and can be exploited. It is more accurate than traditional dynamic testing and provides a real-time view of the top security vulnerabilities.
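To make the SCA category above concrete, here is a minimal composition check of the kind an SCA tool automates: it parses a dependency manifest, matches each component against an advisory feed, and applies a license policy. This is an added illustration, not code from the page or from any Black Duck product; the package names, advisory IDs, versions, and licenses are all constructed sample data.

```python
"""Minimal SCA-style check: known-vulnerable versions plus license policy."""
from dataclasses import dataclass

# Constructed sample manifest (requirements.txt style); packages are hypothetical.
MANIFEST = """
examplehttp==2.3.1
fastparse==0.9.0
widgetlib==1.4.2
"""

# Constructed advisory feed: (package, first fixed version, advisory id).
# Any installed version below the fixed version is treated as affected.
ADVISORIES = [
    ("examplehttp", "2.4.0", "EXAMPLE-ADV-001"),
    ("widgetlib", "1.4.0", "EXAMPLE-ADV-002"),
]

# Constructed license metadata and a policy that denies copyleft-network licenses.
LICENSES = {"examplehttp": "MIT", "fastparse": "AGPL-3.0", "widgetlib": "Apache-2.0"}
DENIED_LICENSES = {"AGPL-3.0"}


@dataclass
class Finding:
    package: str
    version: str
    kind: str      # "vulnerability" or "license"
    detail: str


def parse_version(v):
    # Compare numerically per component so 2.10.0 sorts above 2.9.9 (string compare would not).
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==")
        deps[name.lower()] = version
    return deps


def scan(manifest_text, advisories=ADVISORIES, licenses=LICENSES, denied=DENIED_LICENSES):
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        for pkg, fixed, adv_id in advisories:
            if pkg == name and parse_version(version) < parse_version(fixed):
                findings.append(Finding(name, version, "vulnerability", f"{adv_id}: fixed in {fixed}"))
        lic = licenses.get(name, "UNKNOWN")   # unknown license is itself a compliance finding
        if lic in denied or lic == "UNKNOWN":
            findings.append(Finding(name, version, "license", lic))
    return findings
```

Running `scan(MANIFEST)` on the constructed data reports one vulnerability finding (examplehttp 2.3.1 is below the fixed 2.4.0) and one license finding (fastparse is AGPL-3.0); widgetlib 1.4.2 is already at or above its fix and passes.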


Application Security, Explained  | Black Duck

How can Black Duck help?

Black Duck offers a comprehensive suite of AppSec solutions. As a Magic Quadrant Leader in AppSec, Black Duck's industry-leading solutions provide the coverage you need with the expertise you can trust.

Black Duck's solutions map onto the phases of the SDLC:

  • Code: Software development begins, which includes designing the system in an IDE and writing and reviewing the code for errors.
  • Build: During the building phase, the team takes the requirements documented during the planning phase to build the software.
  • Test: The software is assessed by the testing team to determine whether it meets the necessary requirements.
  • Operate: Software is deployed and monitored in the production environment.

Solutions across those phases include:

  • Developer tool integrations: Secure code as quickly as you write it by placing risk insight, remediation guidance, and secure coding education at the developer's fingertips.
  • Static analysis: Find security and quality issues in proprietary source code.
  • Interactive analysis: Identify and verify security vulnerabilities in running web applications.
  • Continuous security scanning: Perform continuous web application security testing in production.
  • Software composition analysis: Automatically discover open source and third-party components and their associated security and license risks in any application or container.
  • Real-time threat alerts: Get real-time alerts when new vulnerabilities are reported in your applications or containers.
  • Application security posture management: Streamline AppSec policies, test orchestration, correlation, and prioritization of security issues across the enterprise to obtain a unified view of security risk.

Resources to manage your AppSec risk at enterprise scale