What is AppSec
AppSec is short for Application Security. As the name implies, it is the discipline of securing an application, in particular software.
What it means
AppSec comprises all the tasks that make a software development life cycle (SDLC) secure.
These tasks fall into three operations:
- Find issues.
- Fix issues.
- Prevent issues.
An SDLC includes the following phases:
- Analysis
- Design
- Implementation
- Verification
- Maintenance
That means each phase in an SDLC has three different AppSec tasks: find, fix, and prevent issues.
Issues
What are issues, and what type of issues are there?
Since AppSec focuses on software security, the issues fall into the following categories, all of which relate to cybersecurity:
- Platform-agnostic security issues (authentication, authorisation, etc.)
- Platform-specific security issues (cross-site scripting on web, tapjacking on mobile, etc.)
How to address issues
The following methods are used to find, fix, and prevent issues:
- Static application security testing (SAST)
- Dynamic application security testing (DAST)
- Interactive application security testing (IAST)
- Runtime application self-protection (RASP)
An analysis type, for example software composition analysis (SCA), can employ one or more of the above methods, depending on how it is implemented.
Assessing security software products
When evaluating a security software product, take note of the following:
- Which tasks does it perform?
- Which SDLC phases does it operate in?
- Which methods does it employ to perform its tasks?