Application Security

Jun 12, 2012 by Checkmarx

Application security describes the measures used to detect and remediate potential vulnerabilities in an application throughout its Software Development Life Cycle (SDLC) and after release. By carefully examining an application before release, it is possible to identify weaknesses in the software that could be exploited by hackers and other external threats, and to mitigate those weaknesses before the software ships. Application security aims to protect an organization from external threats and internal risks by ensuring that the code running the organization's applications is secure and free of high-risk vulnerabilities.

Over the past several years, applications and the code that runs them have taken over our digital lives, and as network and operating system security has improved, hackers have increasingly turned to applications. Today, Gartner estimates, 84% of attacks are aimed at the application layer.

What is the role of Application Security in an organization?

In general, application security addresses three main areas:

- Reducing security vulnerabilities and security risks in applications already in production
- Preventing the introduction of new risks into applications, new and old
- Ensuring compliance with any relevant security standards, such as HIPAA, PCI-DSS, or MISRA C

The goal of application security is to reduce the overall risk that an application poses to the organization releasing and/or using it, by detecting holes within the application. Just as Quality Assurance testers are tasked with ensuring bug-free releases, application security testers are tasked with ensuring releases free of security flaws. These 'holes' are gaps in the security posture of the code that attackers could use for an array of malicious purposes, including data theft, unauthorized access to sensitive areas of the organization, and modification of data in an organization's database.

Security standards like the OWASP Top 10 and SANS 25 are designed to help organizations defend their applications against attack by pinpointing the riskiest and most common vulnerabilities, so that organizations around the world can continually improve their application security and, by extension, the security of the organization as a whole.