The fundamental concept behind application security is preventing security-relevant bugs in software. Such bugs are known as vulnerabilities. Application security is about the tools and methodologies we use when developing applications to try to prevent vulnerabilities from making it into the system.
Almost all vulnerabilities can be thought of as nothing more than bugs in software. The difference between a vulnerability and an ordinary software bug is that the bug has some negative security repercussion associated with it, typically that an attacker can use it to break the confidentiality, integrity or availability of the system or its data. A vulnerability on its own only represents a degree of risk to a piece of software. In order for the vulnerability to pose an actual threat to the software, there needs to be an associated exploit.
Exploits are a means of attacking a known vulnerability. A vulnerability on its own is not very useful to an attacker, since it does not achieve anything by itself. The attacker needs to run an exploit in order to exploit (hence the name) the security weakness that the vulnerability introduces.
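To make the bug, vulnerability and exploit distinction concrete, here is an added example that is not part of the original post. It is a small login check against a constructed in-memory SQLite table: the bug is that the user-supplied name and password are pasted straight into the SQL text, which is a vulnerability because an attacker controls the query; the exploit is a crafted username that comments out the password check; the fixed version uses a parameterised query so the same input is harmless. The table, the sample users and the function names are all assumptions made for this illustration.

```python
import sqlite3

# Constructed sample data for this example; not taken from any real system.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def build_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The bug: untrusted input is concatenated into the SQL text.

    For honest input this works, which is why such a bug can ship unnoticed.
    The security repercussion (an attacker can rewrite the query) is what
    makes this bug a vulnerability rather than just a bug.
    """
    query = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_fixed(conn, name, password):
    """The fix: a parameterised query, so input can never alter the SQL structure."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


# The exploit: a username crafted so that, in the vulnerable query, "--"
# starts an SQL comment and the password check is never evaluated.
# Against login_fixed the same string is just a username that does not exist.
EXPLOIT_NAME = "alice' --"


def demo():
    """Return (honest login, exploit against the bug, exploit against the fix)."""
    conn = build_db()
    honest = login_vulnerable(conn, "alice", "s3cret")
    exploited = login_vulnerable(conn, EXPLOIT_NAME, "wrong-password")
    blocked = login_fixed(conn, EXPLOIT_NAME, "wrong-password")
    return honest, exploited, blocked


if __name__ == "__main__":
    print(demo())  # (['alice'], ['alice'], [])
```

Run it as a script: the vulnerable function lets the attacker in as alice without knowing the password, while the fixed function returns no rows for the identical input. Note that the vulnerability existed in `login_vulnerable` before anyone wrote `EXPLOIT_NAME`; the exploit is what turns that latent risk into an actual compromise.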
Application security is the set of techniques and procedures used to reduce the likelihood of software containing vulnerabilities. Typically this involves adopting some form of secure development methodology. Such a methodology would include things such as:
- Security training for developers and testers
- Security best practices
- Implementation of security-related software features
- Security code reviews
- Security testing
The purpose of this post is only to provide a very basic introduction to what application security is about. There will be more detailed posts, along with training sessions, to further expand on the numerous concepts in application security.