Andreas Happe: AppSec
What is AppSec anyways?
AppSec includes all tasks that (hopefully) introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance. To contrast AppSec with a traditional penetration-test: the latter tries to find vulnerabilities within an already existing application while AppSec focuses upon preventing vulnerabilities from entering the application code in the first place.
Secure Software Development Lifecycle Basics
Recently I had a couple of customers that needed some guidance about secure software development. I assume that this happens because I am a developer gone pen-tester so I’ve seen both side of the “problem”. Of course, suggestions differ between software stacks and the overall customer professionalism level, but there is a common starting ground that should be suitable for any professional software project. Without those, anything more advanced would be built upon shaky grounds.