Application Security
  • 23 April, 2023
  • 2 Min read

Measures taken to protect software applications from threats and vulnerabilities.

Application Security is the practice of protecting software applications from security threats throughout their entire lifecycle, from development to deployment and beyond.

Application Security means finding and fixing weaknesses in websites, apps, or software so hackers can’t break in or misuse them.

Background

Technique

Application security (AppSec for short) covers all the tasks that bring a secure software development life cycle to development teams. Its goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It spans the whole application life cycle: requirements analysis, design, implementation, verification and maintenance.

Web application security tools are specialised tools for inspecting and filtering HTTP traffic, e.g. web application firewalls (WAFs).

Web application security is the branch of information security that deals specifically with websites, web applications and web services. At a high level it draws on the principles of application security but applies them to internet-facing systems. Application security also covers mobile apps, including iOS and Android applications.


Goals

AppSec

  • Prevent unauthorized access to app data or functions.
  • Find and fix implementation flaws (vulnerabilities) such as SQL injection, XSS and SSRF, and replace vulnerable or outdated components.
  • Ensure users only perform actions they are authorized to do.
  • Secure Apps against known attacks (like from the OWASP Top 10 list).

Activities

Stage         What happens                       Example
Development   Secure coding, code reviews        Avoid hardcoded passwords
Testing       Manual or automated scanning       Use tools like Burp Suite
Deployment    Secure configuration, patching     Disable debug mode in production
Maintenance   Monitor and update apps            Apply security patches regularly
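
Two of the table's examples, "avoid hardcoded passwords" (a code-review check at the Development stage) and "disable debug mode in production" (a Deployment check), as an added Python example; this is not code from the page or its author. The regex is a simple heuristic, not a complete secret-detection rule set, and the environment variable names (APP_ENV, DEBUG, DB_PASSWORD) and the scanned source snippet are constructed for the example.

```python
import os
import re

# Heuristic: a variable whose name ends in a credential-like word, assigned a
# quoted string literal of at least four characters. An assumption of this
# example, not a production secret scanner.
HARDCODED_SECRET = re.compile(
    r"""(?i)([A-Za-z_]*(?:password|passwd|secret|api[_-]?key|token))\s*[:=]\s*["']([^"']{4,})["']"""
)

# Constructed source snippet to scan (not from the page).
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
DB_PASSWORD = "Winter2023!"             # literal credential: should be flagged
api_key = 'sk-live-0123456789abcdef'    # literal credential: should be flagged
password = os.environ["DB_PASSWORD"]    # read at runtime: should not be flagged
"""


def find_hardcoded_secrets(source):
    """Return (line number, variable name) for each credential stored as a literal."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = HARDCODED_SECRET.search(line)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


def validate_runtime_config(env):
    """Check deployment settings read from an os.environ-like mapping.

    Returns a list of problems; an empty list means the configuration is acceptable.
    The variable names are assumptions of this example.
    """
    problems = []
    if env.get("APP_ENV") == "production" and env.get("DEBUG", "false").lower() == "true":
        problems.append("DEBUG is enabled in production (debug pages leak stack traces and config)")
    if not env.get("DB_PASSWORD"):
        problems.append("DB_PASSWORD is missing: inject it from the environment or a secret store")
    return problems


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: literal credential assigned to {name}")
    for problem in validate_runtime_config(os.environ):
        print("config problem:", problem)
```

Running the scanner as a pre-commit or CI step catches the Development-stage mistake before it reaches a repository; running the configuration check at application start-up makes the Deployment-stage mistake a refused start rather than a silent exposure.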

Standards

The OWASP Top Ten is a list of the ten most critical web application security risks published by the Open Web Application Security Project (OWASP); the items below are from the 2021 edition. It is widely used by developers, security professionals and organisations to prioritise web application security work.

OWASP Top 10

  1. Broken Access Control — Users can access data or actions they shouldn’t (e.g., viewing others’ accounts, deleting unauthorized files).
  2. Cryptographic Failures — Weak or missing encryption exposes data like passwords, credit cards, etc.
  3. Injection — Untrusted input is interpreted as part of a query or command, e.g. SQL injection and OS command injection (the 2021 edition also groups XSS here).
  4. Insecure Design — Flawed design decisions that make the app insecure, even if the code is bug-free.
  5. Security Misconfiguration — Default passwords, verbose error messages, open ports, or misconfigured servers.
  6. Vulnerable and Outdated Components — Using old libraries or plugins with known security holes.
  7. Identification and Authentication Failures — Broken login systems, weak passwords, no account lockout, or exposed session tokens.
  8. Software and Data Integrity Failures — Failure to validate code, software updates, or third-party content.
  9. Security Logging and Monitoring Failures — No proper logging or alerting — attacks go undetected.
  10. Server-Side Request Forgery (SSRF) — The server is tricked into making requests on the attacker's behalf, typically to internal systems that are not reachable from outside the network.
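
Items 1 and 3 above (Broken Access Control and Injection) as an added Python example, not code from the page or its author: each function is shown deliberately vulnerable next to its fixed form, run against a small in-memory SQLite database. The invoice application, its tables and rows, and the injection payload are all constructed for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the page): each invoice
# belongs to exactly one user, identified by owner_id.
USERS = [(1, "alice"), (2, "bob"), (3, "carol")]
INVOICES = [(10, 1, "alice-invoice"), (11, 2, "bob-invoice"), (12, 3, "carol-invoice")]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", INVOICES)
    return conn


# A03 Injection: the same search written two ways.

def search_invoices_vulnerable(conn, owner_id, term):
    """Deliberately vulnerable: the user-supplied term is pasted into the SQL text,
    so a crafted term rewrites the WHERE clause and escapes the owner filter."""
    sql = (f"SELECT body FROM invoices WHERE owner_id = {int(owner_id)} "
           f"AND body = '{term}' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def search_invoices_safe(conn, owner_id, term):
    """Parameterised query: the driver sends the values separately from the SQL,
    so the term is only ever compared as data, never parsed as SQL."""
    sql = "SELECT body FROM invoices WHERE owner_id = ? AND body = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner_id, term))]


# A01 Broken Access Control: fetching one invoice by id.

def get_invoice_vulnerable(conn, current_user_id, invoice_id):
    """Deliberately vulnerable (an IDOR): the id from the request is trusted and
    current_user_id is never consulted, so any logged-in user can read any invoice."""
    row = conn.execute("SELECT body FROM invoices WHERE id = ?", (invoice_id,)).fetchone()
    return row[0] if row else None


def get_invoice_safe(conn, current_user_id, invoice_id):
    """Object-level authorisation: ownership is part of the lookup itself, so a
    foreign invoice simply does not exist from this user's point of view."""
    row = conn.execute(
        "SELECT body FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both attacks as user 1 (alice) against both versions of each function."""
    conn = make_db()
    payload = "x' OR '1'='1"  # classic injection string, constructed for the demo
    return {
        "vulnerable_search": search_invoices_vulnerable(conn, 1, payload),
        "safe_search": search_invoices_safe(conn, 1, payload),
        "vulnerable_fetch": get_invoice_vulnerable(conn, 1, 11),  # 11 is bob's invoice
        "safe_fetch": get_invoice_safe(conn, 1, 11),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result!r}")
```

In the vulnerable search the payload turns the query into `... WHERE owner_id = 1 AND body = 'x' OR '1'='1'`, and because AND binds tighter than OR every invoice in the table comes back; the parameterised form compares the whole payload as a literal string and returns nothing. The access-control fix follows the same pattern: rather than checking ownership after the fetch (easy to forget on the next endpoint), it makes the ownership condition part of the query, so there is no code path that returns another user's row.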

Why?

  • It is a globally recognised awareness document for web application security risks.
  • Helps developers and companies identify and fix common flaws.
  • Often required in security audits, compliance, and secure SDLC (Software Development Life Cycle).

Akshahy Kumar

I am currently exploring the exciting field of Application Security, with hands-on exposure gained here and through projects at Incedo. As a beginner in this domain, I have worked on identifying common web vulnerabilities, assisting in secure development practices, and using tools like Burp Suite, Postman, and Nmap. I am actively learning about real-world security challenges, particularly those highlighted in the OWASP Top 10, and I’m committed to growing my skills to contribute to building secure and resilient software systems.