# Application security

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Application_security
> Markdown URL: https://mediated.wiki/source/Application_security.md
> Source: https://en.wikipedia.org/wiki/Application_security
> Source revision: 1346926251
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Measures taken to improve the security of an application

**Application security** (**AppSec**) includes all tasks that introduce a secure [software development life cycle](/source/Software_development_life_cycle) to development teams. Its goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It covers the whole application life cycle: requirements analysis, design, implementation, verification and maintenance.[1]

**Web application security** is a branch of [information security](/source/Information_security) that deals specifically with the security of [websites](/source/Website), [web applications](/source/Web_application), and [web services](/source/Web_service). At a high level, web application security draws on the principles of application security but applies them specifically to the [internet](/source/Internet) and [web](/source/World_Wide_Web) systems.[2][3] Application security also covers [mobile apps](/source/Mobile_app), including iOS and Android applications.

Web application security tools are specialized tools for working with HTTP traffic, e.g., [web application firewalls](/source/Web_application_firewall).

## Approaches

Different approaches will find different subsets of the security [vulnerabilities](/source/Vulnerability) lurking in an application and are most effective at different times in the software lifecycle. They each represent different tradeoffs of time, effort, cost and vulnerabilities found.

- [Design review](/source/Design_review). Before code is written the application's architecture and design can be reviewed for security problems. A common technique in this phase is the creation of a [threat model](/source/Threat_model).

- [White-box testing](/source/White-box_testing), or [code review](/source/Code_review). Critical examination of internal structure, architecture, design, etc.

- [Black-box testing](/source/Black-box_testing). Tests functionality rather than internal structure.

- Automated tooling. Many security tools can be automated by including them in the development or testing environment, for example DAST/SAST tools integrated into code editors or CI/CD platforms.

- [Coordinated vulnerability platforms](/source/Bug_bounty_program). These are researcher-driven application security programs offered by many websites and software vendors, through which individuals receive recognition and compensation for reporting bugs.

## Security threats

The Open Worldwide Application Security Project ([OWASP](/source/OWASP)) provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2017 was derived from data compiled from over 40 partner organizations, covering approximately 2.3 million vulnerabilities across more than 50,000 applications.[4] According to the OWASP Top 10 - 2021, the ten most critical web application security risks are:[5][6]

1. Broken [access control](/source/Access_control#Computer_security)

1. Cryptographic failures

1. [Injection](/source/Code_injection)

1. Insecure design

1. Security misconfiguration

1. Vulnerable and outdated components

1. Identification and authentication failures

1. Software and data integrity failures

1. Security logging and monitoring failures

1. Server-side request forgery (SSRF)

The last two categories were added on the basis of the OWASP community survey rather than the contributed vulnerability data.

## Security controls

The [OWASP Top 10 Proactive Controls 2024](https://top10proactive.owasp.org/) is a list of security techniques every software architect and developer should know and heed.

The current list contains:

1. Implement access control

1. Use cryptography the proper way

1. Validate all input & handle exceptions

1. Address security from the start

1. Secure by default configurations

1. Keep your components secure

1. Implement digital identity

1. Use browser security features

1. Implement security logging and monitoring

1. Stop server-side request forgery
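The two lists above are abstract; the following added example (written for this page, not code from the OWASP projects or from the original article) makes two of the risks and two of the controls concrete. It shows an invoice lookup with A01 Broken Access Control and A03 Injection beside a version that applies C1 (implement access control) and C3 (validate all input). The schema, rows, user names and function names are all constructed for the illustration.

```python
"""Added example, not code from the original article: an invoice lookup that
exhibits two OWASP Top 10 (2021) risks, A01 Broken Access Control and
A03 Injection, beside a version that applies Proactive Controls C1 (implement
access control) and C3 (validate all input). The schema, the rows, the user
names and the function names are all constructed for this illustration."""
import re
import sqlite3
from typing import Tuple

# Constructed sample data: three invoices owned by three different users.
SCHEMA = """
CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, amount INTEGER NOT NULL);
INSERT INTO invoices VALUES (1, 'alice', 100), (2, 'bob', 250), (3, 'carol', 999);
"""


class AccessDenied(Exception):
    """Raised when the caller may not see the requested record."""


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def get_invoice_vulnerable(db: sqlite3.Connection, user: str, invoice_id: str):
    """The naive handler. The id copied from the request is interpolated into
    the SQL text (A03: the caller controls the WHERE clause) and whatever row
    comes back is returned without checking that it belongs to `user`
    (A01: any authenticated user can read any invoice by guessing ids)."""
    return db.execute(
        f"SELECT id, owner, amount FROM invoices WHERE id = {invoice_id}"
    ).fetchone()


def get_invoice_hardened(db: sqlite3.Connection, user: str, invoice_id: str) -> Tuple[int, str, int]:
    """C3: positive validation of the untrusted id before it is used, then a
    parameterized query so the value can never alter the statement.
    C1: ownership is enforced inside the query, so a record belonging to
    someone else is indistinguishable from one that does not exist
    (deny by default, and no oracle for which ids are valid)."""
    if not re.fullmatch(r"[0-9]{1,9}", invoice_id):
        raise ValueError("invoice id must be a short positive integer")
    row = db.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (int(invoice_id), user),
    ).fetchone()
    if row is None:
        raise AccessDenied("no such invoice for this user")
    return row


def demo() -> dict:
    """Run the same three requests against both handlers and collect results."""
    db = make_db()
    out = {}
    # Legitimate request: alice reads her own invoice; both handlers agree.
    out["own_vulnerable"] = get_invoice_vulnerable(db, "alice", "1")
    out["own_hardened"] = get_invoice_hardened(db, "alice", "1")
    # A01: alice guesses a neighbouring id to read bob's invoice.
    out["idor_vulnerable"] = get_invoice_vulnerable(db, "alice", "2")
    try:
        out["idor_hardened"] = get_invoice_hardened(db, "alice", "2")
    except AccessDenied:
        out["idor_hardened"] = "denied"
    # A03: a crafted id rewrites the WHERE clause and dumps the largest invoice.
    payload = "0 OR 1=1 ORDER BY amount DESC"
    out["inject_vulnerable"] = get_invoice_vulnerable(db, "alice", payload)
    try:
        out["inject_hardened"] = get_invoice_hardened(db, "alice", payload)
    except ValueError:
        out["inject_hardened"] = "rejected"
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

Running `demo()` shows the vulnerable handler returning bob's invoice to alice and, for the crafted id, carol's invoice, while the hardened handler raises on both. Note that the hardened version folds the ownership check into the query rather than fetching the row and comparing afterwards: that keeps the decision in one place and gives a caller probing for valid ids nothing to distinguish "exists but not yours" from "does not exist".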

## Tooling for security testing

Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to [exploitation](/source/Exploit_(computer_security)). Ideally, security testing is implemented throughout the entire [software development life cycle](/source/Software_development_life_cycle) (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner.

There are many kinds of automated tools for identifying vulnerabilities in applications. Common tool categories used for identifying application vulnerabilities include:

- [Static application security testing](/source/Static_application_security_testing) (SAST) analyzes source code for security vulnerabilities during an application's development. Compared to DAST, SAST can be utilized even before the application is in an executable state. As SAST has access to the full source code it is a white-box approach. This can yield more detailed results but can result in many false positives that need to be manually verified.

- [Dynamic application security testing](/source/Dynamic_application_security_testing) (DAST, often called [vulnerability scanners](/source/Vulnerability_scanner)) automatically detects vulnerabilities by crawling and analyzing websites. This method is highly scalable, easily integrated and quick. DAST tools are well suited for dealing with low-level attacks such as injection flaws but are not well suited to detect high-level flaws, e.g., logic or business logic flaws.[7] [Fuzzing](/source/Fuzzing) tools are commonly used for input testing.[8]

- Industry application security research highlights increasing risks related to insecure APIs, client-side code tampering, and runtime exploitation, reinforcing the importance of comprehensive dynamic and runtime security testing.[9]

- Interactive application security testing (IAST) assesses applications from within using software instrumentation. This combines the strengths of both SAST and DAST methods as well as providing access to code, HTTP traffic, library information, backend connections and configuration information.[10][11] Some IAST products require the application to be attacked, while others can be used during normal quality assurance testing.[12][13]

- [Runtime application self-protection](/source/Runtime_application_self-protection) augments existing applications to provide intrusion detection and prevention from within an application runtime.

- Dependency scanners (also called [software composition analysis](/source/Software_composition_analysis)) try to detect the usage of software components with known vulnerabilities. These tools can either work on-demand, e.g., during the source code build process, or periodically.
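To show what the white-box analysis described for SAST actually does, and why it produces false positives that a human must triage, here is an added example (written for this page, not a real SAST product and not code from the original article). It is a toy analyzer built on Python's standard `ast` module: it parses a program without executing it and flags `execute`/`executemany` calls whose SQL text is assembled at run time. The target program, the sink list and the `Finding` type are constructed for the illustration.

```python
"""Added example, not code from the original article: a toy white-box
analyzer in the SAST style, built on Python's standard `ast` module. It
parses source text without running it and flags `execute`/`executemany`
calls whose SQL statement is assembled at run time (f-string, `%`, `+`,
`.format()`). The program it scans is constructed for this illustration.
Real SAST engines add data-flow (taint) tracking; this toy has none, which
is exactly why it reports a false positive on the constant table name."""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Method names treated as SQL sinks. Constructed list for the example.
SINKS = {"execute", "executemany"}

# Constructed target program. The string starts with a newline, so the
# execute call in `by_id` is on line 3 of the scanned source.
SAMPLE_SOURCE = '''
def by_id(cur, user_id):
    cur.execute(f"SELECT * FROM users WHERE id = {user_id}")

def by_name(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)

def safe(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))

TABLE = "audit_log"
def count(cur):
    cur.execute("SELECT COUNT(*) FROM " + TABLE)

def paged(cur, limit):
    cur.execute("SELECT * FROM users LIMIT {}".format(limit))
'''


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    reason: str


def dynamic_sql_reason(node: ast.AST) -> Optional[str]:
    """Return why the SQL expression is built at run time, or None if it is
    a plain literal (a parameterized call passes its values separately)."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format()"
    return None


def scan(source: str) -> List[Finding]:
    """Walk every call in the parsed tree; report sinks fed a dynamic statement."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in SINKS and node.args:
            reason = dynamic_sql_reason(node.args[0])
            if reason is not None:
                findings.append(Finding(node.lineno, node.func.attr, reason))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.sink}() called with SQL built by {f.reason}")
```

Scanning `SAMPLE_SOURCE` yields four findings (lines 3, 6, 13 and 16) and correctly leaves the parameterized call in `safe` alone. The hit on line 13 is the false positive the SAST bullet warns about: `TABLE` is a module-level constant, so the concatenation is harmless, but a syntax-only check cannot tell a constant from a request parameter. Resolving that requires data-flow tracking from sources to sinks, which is where real SAST engines spend most of their effort, and it is the kind of result a reviewer has to verify by hand.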

## Regulatory requirements

Application security practices are increasingly driven by regulatory mandates that require organizations to protect the software systems processing sensitive data.

The [Health Insurance Portability and Accountability Act](/source/Health_Insurance_Portability_and_Accountability_Act) (HIPAA) Security Rule requires covered entities to implement technical security measures to guard against unauthorized access to [protected health information](/source/Protected_health_information) transmitted over electronic communications networks under 45 CFR 164.312(e)(1), and to implement procedures to verify that a person or entity seeking access to electronic protected health information is who they claim to be under 45 CFR 164.312(d).[15] ["Security Standards: Technical Safeguards"](https://www.hhs.gov/hipaa/for-professionals/security/guidance/technical-safeguards/index.html). U.S. Department of Health and Human Services. Retrieved April 1, 2026. The December 2024 HIPAA Security Rule notice of proposed rulemaking (90 FR 898) would mandate vulnerability scanning and penetration testing of applications handling electronic protected health information, and would require deployment of anti-malware protection and network segmentation, codifying application-level security controls as explicit regulatory obligations.[16] ["HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information"](https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information). Federal Register. January 6, 2025. Retrieved April 1, 2026.

The [Payment Card Industry Data Security Standard](/source/Payment_Card_Industry_Data_Security_Standard) (PCI DSS) version 4.0 Requirement 6 establishes comprehensive application security requirements including secure development practices (6.2), identification and management of vulnerabilities (6.3), protection of public-facing web applications (6.4), and change control procedures for all software changes (6.5).["PCI DSS v4.0"](https://www.pcisecuritystandards.org/document_library/). PCI Security Standards Council. March 2022. Retrieved April 1, 2026.

## Security standards and regulations

- [CERT Secure Coding standard](/source/CERT_C_Coding_Standard)

- ISO/IEC 27034-1:2011 *Information technology — Security techniques — Application security — Part 1: Overview and concepts*

- ISO/IEC TR 24772:2013 *Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use*

- [NIST Special Publication 800-53](/source/NIST_Special_Publication_800-53)

- OWASP ASVS: Application Security Verification Standard[14]

## See also

- [Common Weakness Enumeration](/source/Common_Weakness_Enumeration)

- [Data security](/source/Data_security)

- [Mobile security](/source/Mobile_security)

- [OWASP](/source/OWASP)

- [Microsoft Security Development Lifecycle](/source/Microsoft_Security_Development_Lifecycle)

- [Usable security](/source/Usable_security)

## References

1. **[^](#cite_ref-1)** Happe, Andreas (3 June 2021). ["What is AppSec anyways?"](https://snikt.net/blog/2021/06/03/what-is-appsec-anyways/). *snikt.net*.

1. **[^](#cite_ref-2)** ["Web Application Security Overview"](https://msdn.microsoft.com/en-us/library/ff648636.aspx). 2015-10-23.

1. **[^](#cite_ref-3)** Shuaibu, Bala Musa; Norwawi, Norita Md; Selamat, Mohd Hasan; Al-Alwani, Abdulkareem (2013-01-17). "Systematic review of web application security development model". *Artificial Intelligence Review*. **43** (2): 259–276. [doi](/source/Doi_(identifier)):[10.1007/s10462-012-9375-6](https://doi.org/10.1007%2Fs10462-012-9375-6). [ISSN](/source/ISSN_(identifier)) [0269-2821](https://search.worldcat.org/issn/0269-2821). [S2CID](/source/S2CID_(identifier)) [15221613](https://api.semanticscholar.org/CorpusID:15221613).

1. **[^](#cite_ref-4)** Korolov, Maria (Apr 27, 2017). "Latest OWASP Top 10 looks at APIs, web apps: The new OWASP Top 10 list is out, and while most of it remains the same, there are new additions focusing on web applications and APIs". *CSO*. [ProQuest](/source/ProQuest) [1892694046](https://www.proquest.com/docview/1892694046).

1. **[^](#cite_ref-5)** ["OWASP Top 10 - 2021: The Ten Most Critical Web Application Security Risks"](https://owasp.org/Top10/). *Open Web Application Security Project*. 2021. Retrieved January 11, 2022.

1. **[^](#cite_ref-6)** ["What is Application Security | Types, Tools & Best Practices | Imperva"](https://www.imperva.com/learn/application-security/application-security/). *Learning Center*. Retrieved 2025-07-17.

1. **[^](#cite_ref-7)** ["Web Application Vulnerability Scanners"](http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html). NIST.

1. **[^](#cite_ref-8)** ["Fuzzing"](https://owasp.org/www-community/Fuzzing). OWASP.

1. **[^](#cite_ref-9)** ["Mobile App Threat Landscape in 2024"](https://quixxi.com/mobile-app-threat-landscape-in-2024/). Quixxi.

1. **[^](#cite_ref-10)** Williams, Jeff (2 July 2015). ["I Understand SAST and DAST But What is an IAST and Why Does it Matter?"](https://www.contrastsecurity.com/security-influencers/question-i-understand-sast-and-dast-and-how-to-use-them-but-what-is-iast-and-why-does-it-matter). Contrast Security. Retrieved 10 April 2018.

1. **[^](#cite_ref-OWASP_IAST_11-0)** ["OWASP DevSecOps Guideline — Interactive Application Security Testing"](https://owasp.org/www-project-devsecops-guideline/latest/02c-Interactive-Application-Security-Testing). *OWASP*. 2025-04-24. Retrieved 2025-04-24.

1. **[^](#cite_ref-12)** Abezgauz, Irene (February 17, 2014). ["Introduction to Interactive Application Security Testing"](https://web.archive.org/web/20180403193750/http://www.quotium.com/resources/interactive-application-security-testing/). Quotium. Archived from [the original](http://www.quotium.com/resources/interactive-application-security-testing/) on April 3, 2018. Retrieved January 25, 2018.

1. **[^](#cite_ref-13)** Rohr, Matthias (November 26, 2015). ["IAST: A New Approach For Agile Security Testing"](https://blog.secodis.com/2015/11/26/the-emerge-of-iast/). Secodis.

1. **[^](#cite_ref-14)** ["OWASP Application Security Verification Standard"](https://owasp.org/www-project-application-security-verification-standard/).

1. **[^](#cite_ref-StatPearls-HIPAA_15-0)** Edemekong, Peter F.; Annamaraju, Parvathi; Haydel, MJ (2024). [*Health Insurance Portability and Accountability Act*](https://www.ncbi.nlm.nih.gov/books/NBK500019/). StatPearls Publishing. Retrieved April 3, 2026.

1. **[^](#cite_ref-HHS-NPRM-factsheet_16-0)** ["HIPAA Security Rule Notice of Proposed Rulemaking – Fact Sheet"](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html). U.S. Department of Health and Human Services. Retrieved April 3, 2026.


---
Adapted from the Wikipedia article [Application security](https://en.wikipedia.org/wiki/Application_security) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Application_security?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
