AppSec

AppSec includes all tasks that (hopefully) introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance. To contrast AppSec with a traditional penetration-test: the latter tries to find vulnerabilities within an already existing application while AppSec focuses upon preventing vulnerabilities from entering the application code in the first place. Penetration Tests are also part of AppSec but they are used rather late in the project runtime to verify the security quality of the application and as input for how the development process can be augmented to prevent similar vulnerabilities from subsequently entering the application. ...

Recently I had a couple of customers that needed some guidance about secure software development. I assume that this happens because I am a developer gone pen-tester so I’ve seen both side of the “problem”. Of course, suggestions differ between software stacks and the overall customer professionalism level, but there is a common starting ground that should be suitable for any professional software project. Without those, anything more advanced would be built upon shaky grounds. Please note, that those are just the starting ground and should not be a limiting set for further improvements. ...