IT security can be seen as a crosscutting concern. This means it affects an IT system throughout its complete lifecycle. There are basically two different stages of such a system we can look at: the pre-implementation phase and the one after it. We could name the latter one the post-pre-implementation phase, or simply everything beginning with the implementation.
Before the implementation begins, we have conceptual security tasks; starting with the implementation, we have those concerning the realization. I will call these "meta security phases". This distinction is vital since it describes two relatively separate phases in which completely different views and approaches exist.
The following diagram depicts the development phases in which conceptual application security is mainly practiced. It has, of course, a huge impact on the later realization phases, though.
Within the field of IT security in general, both meta phases are pretty well understood. We have a lot of security consultants working on security concepts on the one hand, and quite a lot of others doing security assessments, pentests and operational security on the other.
Within application security, which is of course highly influenced by web application security, the conceptual meta phase is, from my experience, often not understood to be as essential a part of security projects as it is within the IT security field in general. In fact, you will often find that the only such activities practiced in projects are those concerning identity management.
Granted, identity management (or IdM) surely has a great impact on application security. It is, though, just one of many functional security aspects, alongside, for instance, validation or secure data handling, and of course the non-functional security aspects like security robustness, fault tolerance or code correctness.
Activities concerning conceptual application security include secure coding standards, architectural analysis and threat modeling, as well as secure requirements engineering and review. Many of these are frequently referenced but little understood from a methodical point of view.
Since, from my impression, discussions (and also blogs) around appsec are mostly related to programmatic or operational security measures, I decided to set up this blog to share some of my conceptual ideas and thoughts on application security, or, as you might say, the very foundations of secure applications.