Get to Know Application Security
Learning Objectives
After completing this unit, you’ll be able to:
- Describe what an application is.
- Define application security and its role in relation to application development.
What Is an Application?
If you’ve ever used a computer, you’ve used an application. To define it, an application is a computer software package that performs one or more tasks and enables direct user interaction. But let’s break down what that really means by looking at examples of applications and how we use them.
Applications come in many forms such as database programs, web browsers, email clients, spreadsheets, media players, word processors, and image/photo editing software to name a few. Each of these software packages allows a user to interact directly with the application. For example, when you use word processing software, you interact directly with the application when you type, delete, or copy and paste text. And, you interact with applications in different ways—whether it’s on a computer using a photo editing software package like Photoshop, interacting with a mobile app on your smartphone, or conducting business transactions on a web-based banking application. That’s pretty straightforward, right?
There are two ways developers create applications. They develop proprietary code that is not shared outside of an organization, or they develop code through open source projects, which are designed and developed in a public, collaborative manner with developers working together.
Open source applications grant developers the right to use, study, and change the software, thus allowing it to be adapted and applied to a variety of use cases. There is an entire community dedicated to developing open source projects. As someone who may be interested in becoming an application security engineer, contributing to open source projects is a great way to get practical experience in application development and security while sharpening and proving your skills. As a result, you will better understand how applications are developed and function, and start to understand the role of application security in the coding and software development lifecycle.
The Role of Application Security
In an organization’s technology stack, the application layer is the closest layer to the user. It allows interaction with the user and therefore provides the largest attack surface for intruders. Because of this, a relatively large number of security breaches are the result of application vulnerabilities.
Applications can also provide a treasure trove of personal data an attacker would love to steal, tamper with, or destroy, including personally identifiable information (PII) such as names, national identification data (such as Social Security numbers), and email addresses. This means protecting applications is a key part of cybersecurity, in order to minimize the risks of data loss and the resulting negative financial, reputational, privacy, or legal impacts for an organization and its customers.
Application security engineers need to think like an attacker to understand how an application could possibly be misused, while also ensuring that input provided by legitimate users is sanitized, validated, and processed safely by the application.
Application security engineers focus on protecting applications in order to prevent attackers from gaining access to sensitive data. Since it is much easier and less expensive to find security flaws in the early stages of software development, application security engineers should gather security requirements before any design or development work begins.
Application security engineers work with development teams and business units to help design, create, document, code, test, deploy, and maintain secure applications. The process of designing and building applications is known as the software development lifecycle (SDLC). Application developers are responsible for the documentation and programming (coding) steps in this process. They write the source code that causes an application to carry out its desired tasks. Application security engineers partner with application developers and others throughout the SDLC to protect applications by diagnosing, documenting, and remediating application security vulnerabilities.
Typically in an organization, an application developer's main objective is to produce working code as quickly as possible to meet business requirements. As a result, writing secure code is sometimes an afterthought. This is where application security engineers can be super helpful by building security into the development process so that sensitive data remains protected. In doing so, they aim to ensure that an application provides what is commonly referred to as CIA: confidentiality, integrity, and availability.
For example, application security engineers help developers design and deploy the application in a way that requires proper authentication (to protect the confidentiality of data), transfers sensitive information securely to prevent it from being modified (integrity), and ensures that users can access their data (availability).
Application security engineers are often embedded within an application development team and serve as advisers to designers and developers. They ensure that application requirements include security considerations, they suggest secure authentication protocols during the design phase, they implement code reviews to check for common security vulnerabilities, they test applications before deployment, and they advise on the timing and methods for patching vulnerabilities.
In this unit, you learned what an application is and how application development and security functions work together in practice. In the next unit, you learn about the business impact of application security, the skills application security engineers need, and common application security scenarios.
