3 Components of application security

This chapter covers

  • Building a threat model
  • Discovering security analysis tools used in the development pipeline
  • Exploring protection tools available for running applications
  • Explaining vulnerability collection, correlation, and prioritization
  • Looking at Bug Bounty and Vulnerability Disclosure programs

So, you have seen the issues caused by not having application security integrated into your life cycle, and you’re starting to ask the obvious question: where do I start? There is no one-size-fits-all package that works for every organization. A lot depends on the following:

  • The size of the organization
  • The industry and the regulations impacting the organization
  • The culture of the organization
  • The security budget at the organization

3.1 Threat modeling

3.1.1 Basic threat modeling terminology

3.1.2 Manual threat modeling

3.1.3 Starting the manual process

3.1.4 Threat modeling with linking bank accounts

3.1.5 What to do with the found threats

3.1.6 Threat modeling using a tool

3.2 Security analysis tools

3.2.1 Static application security testing

3.2.2 Tools in the development environment

3.2.3 Dynamic application security testing

3.2.4 Software composition analysis