What is Application Security?

We always throw around the phrase application security, but what does it actually mean? Find out.

By Christopher Lamb · Nov. 21, 15 · Analysis
Basically, application security is the security profile of application-level software and communication. So what does that mean? What does that look like? And really, who cares?

Well, let’s start from the first question and work our way backward. Applications are becoming much more important as initial attack vectors into systems. Over the past decade or so, operating system vendors and developers have become much more conscious of the security of the systems they deliver. They’re spending much more time reviewing the code they deliver and becoming more disciplined in refining exactly what they deliver. They’re also incorporating more and more advanced cyber-security techniques into delivered operating systems every day. In fact, Microsoft Windows, once the butt of just about every cyber-security joke told, is arguably the most secure baseline operating system on the market today - certainly much more secure than it was five years ago. As operating systems and related systems become more secure, attackers need to look at other areas to exploit. More and more of these attackers are looking, today, at applications.

So who cares? Well, attackers really care. They’re really interested in finding applications that are running with open network connections, with system privileges, and with security flaws. Really, they don’t care that much about the authority the applications run with - the more the better, but any foothold is better than nothing. And since attackers care, application vendors need to care, and because the vendors care, we developers need to pay attention too.

It doesn’t look like things are going to change anytime soon in this regard either. Today, companies are beginning to be held liable for information leakage. We’ve seen lawsuits brought against companies, we’ve seen C-level executives fired, and we’ve seen profound differences in how liability for cyber-security negligence is determined today compared to even a few years ago. The stakes are higher, and people way above our pay grade are paying attention.

Application software isn’t clearly defined, really, but we can do a little better than that. Fortunately, operating systems and network communication models have this nifty application layer that runs on top of the software delivered by infrastructure and operating system vendors. The OSI model has it, Windows has it, Linux and the Unixes have it, and TCP/IP has it. So from a network communication perspective, anything that runs in the application layer is fair game for an application security analysis. HTTP, for example, is a ubiquitous application-level protocol. I mean, it’s everywhere. If you ever look at a typical packet capture, it is just riddled with HTTP traffic. And applications use HTTP for just about everything today. Need RPC? Use REST/JSON. Need to send information for storage? POST or PUT that information to an HTTP endpoint. Need to grab some data? Go GET it from a web server. It’s absolutely everywhere. And there are other cross-platform application protocols too, like Apache Thrift or Avro, or Google’s Protocol Buffers. In fact, from the perspective of the TCP/IP stack, if you’re above the TCP layer, you’re in application space.

Likewise, any program that runs in userland is an application too. This isn’t limited to third-party programs either. Anything from any vendor that runs above the kernel is fair game for application security reviews. On Linux or Windows, this includes everything from in-house enterprise applications to word processors and utilities to Unix commands like ls or ssh. On mobile devices, this includes apps written in Swift or Objective-C on iOS and Java or C++ on Android. It doesn’t include drivers, kernel modules, network infrastructure firmware, or anything like that.

So, DZone will look at all things security in the application space. We’ll look at how to write secure code, and how those techniques make your code more secure. We’ll dive into specific types of exploits and show you exactly how attackers use them to compromise application software so you understand exactly how certain exploits work and what they can do. We’ll even go into how programs can be exploited as pivots to attack other systems or increase privileges, and how attackers use multi-stage exploits to progressively compromise systems so you know how modern adversaries will attack and leverage your code. If you follow this zone, you’ll have knowledge and riches beyond compare and be the envy of all your friends! Well, maybe not, but you’ll be able to write better software, and you’ll know exactly why it’s better, which is at least a good first step.
