Application Security
Definition
Application Security (AppSec) is the discipline of applying engineering activities so that an application is built, shipped and operated securely. In a modern, DevOps-based SDLC these activities span every stage of development and operations, instead of being confined to a single review before release.
DevOps that embraces security this way is popularly dubbed DevSecOps.
Techniques
Techniques cover both build time and run time and target the architecture, the source code, packaging, containerization, deployment, and the application's execution environment. Examples, roughly in the order they appear in a pipeline:
- Threat modeling (analyzing the design for attack surface and likely threats before code is written)
- SAST (static application security testing: analyzing source code or binaries without running them)
- IaC scanning (checking infrastructure-as-code templates and manifests for insecure settings)
- Secret detection (finding credentials, keys and tokens committed to the repository)
- Dependency scanning (matching third-party libraries against known-vulnerability databases)
- Container image scanning (checking the OS packages and layers of the built image for known vulnerabilities)
- DAST (dynamic application security testing: probing the running application from the outside)
- WAF (web application firewall: filtering malicious traffic in front of the running application)
- Load testing (checking that the application stays available under stress, which matters for denial-of-service resilience)
- Penetration testing (manual, adversary-style testing of the deployed application)
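To make one of the listed techniques concrete, here is a small secret detector run over a few constructed source lines. It is an added example written for this page, not code from any of the tools or vendors referenced here. The credential-format patterns, the entropy threshold and the `# nosecret` suppression marker are assumptions chosen for illustration; the AWS-style values in the sample are the placeholder keys AWS uses in its own documentation, not live credentials.

```python
import math
import re
from dataclasses import dataclass

# Known credential formats (assumption: a few well-known prefixes, for illustration).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# An opaque value assigned to a secret-looking name, e.g. api_key: "...", db_password = '...'
ASSIGNMENT = re.compile(
    r"(?i)\b[A-Za-z0-9_.\-]*?(?:password|passwd|secret|api[_-]?key|token)[A-Za-z0-9_.\-]*"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; hand-tuned assumption, expect to adjust it
SUPPRESS_MARKER = "# nosecret"  # explicit, reviewable opt-out for fixtures and placeholders


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a repeated character, up to log2(alphabet) for random input."""
    if not s:
        return 0.0
    n = len(s)
    counts = [s.count(ch) for ch in set(s)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def scan(text: str) -> list[Finding]:
    """Scan text line by line; returns findings in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if SUPPRESS_MARKER in line:
            continue
        # 1) exact formats: cheap and precise, but only for formats we know
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, m.group(0)))
        # 2) opaque values next to secret-looking names: catches unknown formats,
        #    at the cost of missing low-entropy (weak) passwords
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_assignment", value))
    return findings


# Constructed sample input; the AWS-style values are the placeholders from AWS's own docs.
SAMPLE = """\
# constructed sample, not real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
api_key: "c7f3a9e2b1d4f6a8c0e2b4d6f8a0c2e4"
password = "changeme_changeme"
FIXTURE_TOKEN = "R9vX2kQ7mL4pN8wB3zT6cY1hJ5dF0gA2"  # nosecret: test fixture, rotated value
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        # Print only a prefix so the scanner itself does not leak the secret into CI logs.
        print(f"line {f.line_no}: {f.kind}: {f.value[:6]}...")
```

On the sample, the format pattern catches the access key id on line 2 and the entropy heuristic catches the opaque secret on line 3 and the hex key on line 4, while the weak password on line 5 is missed: low-entropy passwords need a different check (a wordlist, or policy on the variable name alone). The suppression marker is deliberately a visible comment with a reason, so an opt-out shows up in code review rather than in a scanner configuration nobody reads.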
The left side of the DevOps loop is traditionally seen as pre-production (Dev), the right side as production (Ops). A high degree of automation (e.g. stop-the-pipeline gates on failed scans, automatic remediation such as generated dependency-update merge requests) characterizes the entire process, typically accompanied by dashboard-based transparency that supports the development and operations workforce.
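Here is what the stop-the-pipeline part of that automation looks like as a policy gate. It is an added example written for this page, not code from GitLab or any other tool mentioned above. The report shape (a per-scanner list of findings with an id, a severity and a location) loosely mirrors the vulnerabilities array of a GitLab security report, but the reports, identifiers and accepted-risk entries below are constructed for illustration, and the severity ladder and the expiring accepted-risk list are design assumptions of this example.

```python
import sys
from dataclasses import dataclass, field
from datetime import date

# Severity ladder. "Unknown" ranks with High so an unrated finding fails closed
# instead of slipping through (design assumption for this example).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Unknown": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass(frozen=True)
class Policy:
    fail_at: str = "High"  # block at this severity or above
    # finding id -> expiry date; an accepted risk blocks again once the acceptance expires
    accepted: dict[str, date] = field(default_factory=dict)


@dataclass
class Decision:
    blocking: list[str]
    warnings: list[str]

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate(reports: dict[str, list[dict]], policy: Policy, today: date) -> Decision:
    """Merge per-scanner findings and apply the policy; returns what blocks and what only warns."""
    threshold = SEVERITY_RANK[policy.fail_at]
    decision = Decision(blocking=[], warnings=[])
    for scanner, findings in reports.items():
        for f in findings:
            severity = f.get("severity", "Unknown")
            rank = SEVERITY_RANK.get(severity, SEVERITY_RANK["Unknown"])
            label = f"{scanner}: {f['id']} ({severity}) at {f['location']}"
            if rank < threshold:
                decision.warnings.append(label)
                continue
            expiry = policy.accepted.get(f["id"])
            if expiry is not None and expiry >= today:
                decision.warnings.append(f"{label} [risk accepted until {expiry.isoformat()}]")
            else:
                decision.blocking.append(label)
    return decision


# Constructed reports; ids, severities and locations are made up for this example.
REPORTS = {
    "sast": [
        {"id": "sast-001", "severity": "High", "location": "app/views.py:42"},
        {"id": "sast-002", "severity": "Low", "location": "app/util.py:7"},
    ],
    "dependency_scanning": [
        {"id": "dep-001", "severity": "Critical", "location": "requirements.txt"},
    ],
    "secret_detection": [
        {"id": "sec-001", "severity": "Critical", "location": "config/settings.py:3"},
    ],
    "container_scanning": [
        {"id": "img-001", "severity": "Unknown", "location": "base image layer 2"},
    ],
}

# Constructed policy: dep-001 is an accepted risk, sast-001 was accepted with a deadline that has passed.
POLICY = Policy(
    fail_at="High",
    accepted={"dep-001": date(2030, 12, 31), "sast-001": date(2025, 1, 31)},
)


def main() -> int:
    decision = evaluate(REPORTS, POLICY, today=date.today())
    for line in decision.warnings:
        print("WARN ", line)
    for line in decision.blocking:
        print("BLOCK", line)
    return 0 if decision.passed else 1  # the non-zero exit code is what stops the pipeline


if __name__ == "__main__":
    sys.exit(main())
```

Run as the last job of the scanning stage, the exit code is the stop-the-pipeline signal. Two choices worth keeping when adapting this: unrated findings fail closed rather than open, and accepted risks carry an expiry date so that a temporary exception cannot silently become permanent; the dashboard mentioned above is where the warnings list should end up.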
See Also
External Resources
- What is Application Security? (hackerone)
- GitLab Application Security (GitLab docs)
- Introduction to DevSecOps (DZone Refcard)
- What is DevSecOps? (AWS)
- Pipeline Bill of Materials (PBOM.dev)
- OWASP Top 10
- Threat modeling (Wikipedia)
- Penetration testing (Wikipedia)
- Supply chain vulnerabilities (OX Security)