> [!abstract] In short: Application security protects software from threats across its entire lifecycle, from the first line of code to production and maintenance. Many breaches happen at the application level, which is exactly where security often gets skipped.
## What it is
Application security focuses on keeping software safe from the first line of code through deployment and ongoing maintenance. It's a critical area because a large share of breaches happen at the application layer, typically in applications where security wasn't built in from the start.
The main goal is to make sure applications are built, deployed, and maintained in a way that preserves the **CIA triad** (confidentiality, integrity, availability) of the data they handle. That matters even more today, when apps constantly process sensitive information and sit exposed to the internet.
It relies on a mix of secure coding practices, rigorous testing, and security controls. Developers are central here: they write the code that has to resist common vulnerability classes like **SQL injection**, **XSS (cross-site scripting)** and **buffer overflows**.
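As an added illustration (not code from the original page), here is the SQL injection and XSS part of that list in Python: a user lookup that builds its query by string formatting beside the parameterised version, and a greeting that reflects user input raw beside one that HTML-escapes it on output. The in-memory `users` table, the `find_user_*` and `render_greeting_*` helpers and the attacker payloads are all constructed for the example. Buffer overflows are a memory-safety problem of languages such as C and are not covered by this block.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data for the example (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # VULNERABLE: the caller's input is pasted into the SQL text, so a quote in
    # the input closes the string literal and the rest is parsed as SQL.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # SAFE: a bound parameter is sent as data. It may contain any characters
    # but can never change the structure of the statement.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(username):
    # VULNERABLE: user input lands in the HTML unencoded, so a <script> tag
    # executes in the browser of whoever views the page (XSS).
    return f"<p>Welcome, {username}!</p>"


def render_greeting_safe(username):
    # SAFE: escape for the HTML text context at output time; '<' becomes
    # '&lt;', '"' becomes '&quot;', and the payload is rendered as plain text.
    return f"<p>Welcome, {html.escape(username, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    sqli_payload = "x' OR '1'='1"                     # constructed attacker input
    print(find_user_vulnerable(db, sqli_payload))     # every row: the WHERE clause is bypassed
    print(find_user_safe(db, sqli_payload))           # []: no user has that literal name
    xss_payload = "<script>alert(1)</script>"         # constructed attacker input
    print(render_greeting_vulnerable(xss_payload))
    print(render_greeting_safe(xss_payload))
```

The two fixes share one idea: keep data and code separate. A bound parameter keeps the attacker's string out of the SQL grammar, and output escaping keeps it out of the HTML grammar. Neither fix depends on guessing which characters are "bad", which is why input blacklists are not a substitute.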
## The house analogy
Building an application is like building a house that has to resist burglars (hackers) and bad weather (threats).
> [!example] 1. Build the app
>
> - **Locks on doors and windows** are authentication, only the right people get in.
> - **Strong walls** are solid, secure code with no weak spots to exploit.
> - **A waterproof roof** is encryption, sensitive data stays protected even when it's "raining" outside.

> [!example] 2. Inspect for weak spots (testing)
>
> - **Test the locks** is penetration testing, trying to break in to confirm the defenses hold.
> - **Look for cracks in the walls** is code review, hunting for bugs and weaknesses.
> - **Test the roof with water** is data security testing, making sure sensitive data doesn't leak.

> [!example] 3. Keep the house safe over time (monitoring)
>
> - **Security cameras** are continuous monitoring for threats.
> - **Repairing cracks and replacing broken locks** is patching vulnerabilities and updating the app.

Skip one of these steps, say a lock that's never tested, and you've left an open entry point. If an attacker finds that weak spot, that's the way in.
## Security by Design
A key idea is **Security by Design**: security is built into the app from the start, not bolted on later. It's like choosing strong materials, good locks and a surveillance system while designing the house, not after it's already built.
In practice this includes:
- **Threat modeling**: systematically working out how someone could break in (which entry points, which assets, what they'd gain) so risks surface while the design can still change.
- **Secure code reviews**: checking for weak spots before code goes live.
- **Securing servers and databases**: the "land and utilities" the app sits on. If they're weak, the whole system is at risk.
- **Authentication and authorization**: authentication confirms who you are, authorization decides what you can access. Good locks plus restricted rooms inside the house.
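To make the distinction concrete, an added example in Python (not code from the original page): `authenticate` checks a password against a salted PBKDF2 hash and returns a principal, and `authorize` then decides whether that principal may read or delete a given invoice. The user store, the `INVOICES` table and the role rules are all constructed for the example. What it shows is that a correct login is not enough: bob authenticates successfully and is still refused alice's invoice, because the "restricted rooms" check is separate from the front-door check.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_store():
    # Constructed users for the example. Only salted hashes are stored, never
    # the clear-text passwords.
    store = {}
    for name, password, role in [("alice", "correct horse battery", "admin"),
                                 ("bob", "hunter2", "user")]:
        salt = os.urandom(16)
        store[name] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}
    return store


def authenticate(store, username, password):
    """Authentication: prove who you are. Returns a principal dict or None."""
    record = store.get(username)
    if record is None:
        # Do the same hash work for an unknown user so the response time
        # does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):  # constant-time compare
        return None
    return {"username": username, "role": record["role"]}


# Constructed resources: invoices, each owned by one user.
INVOICES = {
    101: {"owner": "alice", "total": 120.0},
    102: {"owner": "bob", "total": 45.5},
}


def authorize(principal, action, invoice_id):
    """Authorization: decide what an authenticated principal may do.

    Rules assumed for the example: admins may do anything; ordinary users may
    only read invoices they own and may never delete.
    """
    if principal is None:
        return False
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    if principal["role"] == "admin":
        return True
    return action == "read" and invoice["owner"] == principal["username"]


def get_invoice(store, username, password, invoice_id):
    # Both checks in sequence: who are you, then are you allowed in this room.
    principal = authenticate(store, username, password)
    if not authorize(principal, "read", invoice_id):
        return None
    return INVOICES[invoice_id]


if __name__ == "__main__":
    users = make_user_store()
    print(get_invoice(users, "bob", "hunter2", 102))   # bob's own invoice
    print(get_invoice(users, "bob", "hunter2", 101))   # None: authenticated, not authorized
    print(get_invoice(users, "bob", "wrong", 102))     # None: not authenticated
```

The ownership check in `authorize` is the one most often missing in real applications: an endpoint that verifies the session and then trusts whatever invoice ID the client supplies lets any logged-in user walk into any room.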
## Who is responsible
Application security is shared across several roles.
- **Application developers** write secure code and implement security features. They're on the front line.
- **Security architects** design the overall security structure of the app and its supporting infrastructure.
- **IT operations teams** keep the production environment secure once the app is running.
- **Application Security Manager or CISO** sets policies, ensures compliance and oversees security across all of the organization's applications.
- **Security testers / penetration testers** use static and dynamic analysis, fuzzing, and manual code reviews to find vulnerabilities, and simulate real attacks to test the app's resilience.
Application security is never a one-time task. New vulnerabilities and attack techniques appear constantly, which is why continuous monitoring, automated scanning and regular assessments are needed.
## The speed vs security trade-off
> [!warning] Shortcuts leave holes: Many companies struggle to balance security against the pressure to ship fast. Rushing leads to shortcuts, and shortcuts leave gaps. Back to the house: if you're rushing to move in, you might skip checking every window or installing the back door locks properly. The house looks finished, but burglars have an easy way in.

> [!tip] Done right, application security protects critical data and systems, keeps user trust intact and helps the business keep running even as threats evolve. Done in a hurry, it quietly becomes the easiest way in.