Before this happened, we have conceptual security tasks, starting with the implementation we have those concerning the realization. I will call these "meta security phases". This distinction is vital since it describes two relatively separated phases where completely different views and approaches and do exist.
The following diagram depicts the development phases where conceptual app security is mainly practiced. Is has, of course, a hugh impact on the later, realization, phases though.
Within the application security, which is of course highly influenced by web application security, the conceptual meta phase is, from my experience, often though not as widely understood as an essential part of security projects as it is within the IT security field in general. In fact you will often find only those activities practiced in projects that concern identity management.
Granted, identity management (or IdM) has surely a great impact on application security. It is though just one of many functional security aspects. For instance validation or secure data handling, and of course those non-functional security aspects like security robustness, fault-tolerant or code correctness.
Activities concerning conceptual application security include secure coding standards, architectural analysis and threat modeling as well as secure requirement engineering and review. Many of those are often referenced but often little understood from a methodical point of view.
Since from my impression discussions (and also blogs) around appsec are mostly related to programmatic or operational security measures I decided to set-up this blog to share some of my conceptual ideas and thoughts of application security, or as you might say, the very foundations of secure applications.
No comments:
Post a Comment