Application security is key to prevent most cyber-attacks that target system loopholes, as seen from the attack trends for the past few decades. Application security involves fixing the fundamental problem of an application – the source code. This is done through the use of assessment tools to test for vulnerabilities of an application. This domain covers the few action items that form application security life cycle:
- Secure Development Life Cycle comprises of secure coding and best practices throughout the development cycle. Source code scanning is fundamental to ensure that the code is healthy.
- Vulnerability Assessment (VA) should be performed before an application moves into production environment, as well as periodically after an application goes live to ensure that no new vulnerabilities are spawned during any code modifications, patches, updates, etc. VA also allows an organization to simulate what an attacker see or do, in a sterile environment.
- Constant protection of the web server through the use of a Web Application Firewall (WAF). A WAF is a specialized “firewall” that safeguard customers from attacks like SQL Injection, Cross-Site Scripting (XSS), and takes reference from OWASP.
- Constant review and assessment of the security of applications are necessary to ensure that vulnerabilities and loopholes are minimised to reduce attack vectors. This will also increase the effort for an attacker to compromise user facing applications.