What’s the difference between IT security and application security? And what do all those acronyms mean? Learn more in our quick cyber security primer.
In many organizations, software security responsibility is divided between IT security and application security.
At the most fundamental level, IT security is about buying software, while application security is about building software.
The core mission of both groups is bringing risk down to an acceptable level for the organization.
IT security
IT security is part of the information technology group, which is generally responsible for supplying the computing infrastructure for an organization. This includes network equipment and configuration, laptops, servers, printers, and mobile devices. IT is usually responsible for software applications as well, including directory services, single sign-on solutions, and multifactor authentication, not to mention applications such as Microsoft Office and whatever else employees use to get their jobs done.
Application security
Also known as product security, the application security team is responsible for the security of software produced by the organization.
The adaptation of existing development processes into a secure software development life cycle (SSDLC) is the primary mechanism for minimizing risk in application security. Organizations using an SSDLC are always thinking about security, from the design phase through implementation and maintenance.
IT security is mainly reactive
A firewall is a classic example of a reactive solution; it reduces exposure to known external threats. Antivirus software is a classic reactive security technology, as it defends (to some degree) against known malware but is powerless when faced with new, unknown malware.
Application security is mainly proactive
Application security, by contrast, is almost entirely proactive. Application security is focused on locating and fixing as many weaknesses as possible before releasing a product into the big, bad world.
The centerpiece of application security is the adoption of an SSDLC, which uses a proactive approach to minimize risk at every phase.
The implementation and testing phases of the SSDLC are fertile ground for acronyms, sprouting a variety of terms to describe different kinds of software security testing:
- SAST (static application security testing) refers to tools that examine an application’s source code to look for weaknesses.
- SCA (software composition analysis) means examining an application’s source code (and sometimes its executable files) to determine which third-party software components were used, then assessing those components for known vulnerabilities and license compliance.
- DAST (dynamic application security testing) means any testing that is done on a running application.
- IAST (interactive application security testing) is a kind of dynamic testing in which the tool is able to observe data flowing inside the application and can, in some cases, replay dataflows to verify findings.
- MAST (mobile application security testing) is testing performed on mobile apps, which has its own nuances.
Don’t let your dreams be dreams
The most important thing is to keep sight of the overall goal, despite the tangle of acronyms. The overall goal is minimizing risk. In application development, this means adopting an SSDLC, which includes a variety of security testing that is automated and integrated with your existing development processes.
Patrick Carey, Director, Product Marketing, Synopsys