3 Components of application security

This chapter covers

Building a threat model
Discovering security analysis tools used in the development pipeline
Exploring protection tools available for running applications
Explaining vulnerability collection, correlation, and prioritization
Looking at Bug Bounty and Vulnerability Disclosure programs

So, you have seen the issues that are caused by not having application security integrated into your life cycle and you’re starting to ask the great question of where to start. There is not a one-size-fits-all package that works for all organizations. A lot depends on the following:

Size of the organization
The industry and the regulations impacting the organization
The culture of the organization
The security budget at the organization

3.1 Threat modeling

3.1.1 Basic threat modeling terminology

3.1.2 Manual threat modeling

3.1.3 Starting the manual process

3.1.4 Threat modeling with linking bank accounts

3.1.5 What to do with the found threats

3.1.6 Threat modeling using a tool

3.2 Security analysis tools

3.2.1 Static application security testing

3.2.2 Tools in the development environment

3.2.3 Dynamic application security testing

3.2.4 Software composition analysis