chapter three

3 Components of application security

This chapter covers:

  • Building a threat model
  • Using developer tools to mitigate software security issues
  • Security analysis tools used in the development pipeline
  • Protection tools that are available for running applications
  • Vulnerability collection, correlation, and prioritization
  • Bug bounty and vulnerability disclosure programs
  • Where security fits in the SDLC

So, you have seen the issues that are caused by not having application security integrated into your lifecycle, and you're starting to ask the great question of where to start. There is not a one-size-fits-all package that works for all organizations. A lot depends on the following:

  • Size of the organization
  • The industry and the regulations impacting the organization
  • The culture of the organization
  • The security budget at the organization

3.1 Threat modeling

3.1.1 Basic threat modeling terminology

3.1.2 Manual threat modeling

3.1.3 Starting the manual process

3.1.4 Threat modeling with linking bank accounts

3.1.5 What to do with the found threats

3.1.6 Threat modeling using a tool

3.2 Security analysis tools

3.2.1 Static application security testing

3.2.2 Tools in the development environment

3.2.3 Dynamic application security testing

3.2.4 Software composition analysis

3.3 Penetration testing

3.4 Run-time protection tools

3.5 Vulnerability collection and prioritization

3.5.1 Integrating with defect tracking

3.5.2 Prioritizing vulnerabilities

3.5.3 Closing vulnerabilities

3.6 Bug bounty and vulnerability disclosure program

3.6.1 Vulnerability disclosure program

3.6.2 Bug bounty program

3.6.3 Third party help with vulnerabilities

3.7 Putting it together

3.8 Summary