The business world uses a lot of confusing terminology, and cybersecurity is no exception. Many buzzwords and catchphrases, while annoying, are harmless. But there is also terminology whose misapplication is problematic. Application security (AppSec) and information security (InfoSec) are two terms that are often conflated. Sure, there’s plenty of crossover between these disciplines, and there’s certainly a point of convergence, but they are different. Worse, approaching AppSec with traditional InfoSec technologies and tactics is misguided and won’t get the job done.
1. The Basic Definitions
Information security is a broad term describing the means of protecting information from unauthorized access or use. Under that umbrella, there are many different types of InfoSec functions within an enterprise. There’s network security (NetSec), IT security and other specializations. While they are distinct—IT security focuses on hosts and NetSec on flows between hosts—lumping them under InfoSec is less problematic. All organizations, even those with small IT environments supporting only the most basic technologies, must do InfoSec.
Application security is concerned with building software free from exploitable vulnerabilities. AppSec happens in the software development lifecycle (SDLC)—design, coding, testing, maintenance, etc. Only businesses developing software must do AppSec, which nowadays means basically every organization on the planet.
2. Information Security Takes a (Mostly) Outside-In Approach
Historically, InfoSec was about guarding the perimeter. It was a simpler time, and there was a clear distinction between “inside” and “outside” of an organization. As businesses embraced digital transformation, the perimeter all but disappeared and more sophisticated controls were needed. Some tools, such as behavioral analysis, do use non-border-based approaches, but the goal is still to keep bad things out. Even some new approaches requiring a significant re-think of the network, such as Zero Trust, are still border-based. Instead of drawing the line around a large chunk of the enterprise, however, each individual component has its own tiny perimeter.
3. Application Security Starts With Inside-Out Controls
AppSec is about how you develop software before it goes into the environment protected by InfoSec controls, aka into production. Because development is a process, security can’t focus only on insulating the ultimate application. It’s been tried, but such after-the-fact, bolted-on approaches increase the effort, time and cost it takes to fix vulnerabilities. This is a no-go in CI/CD pipelines or other development environments where agility and speed are critical. Instead, you need to ensure the code being developed is secure from the start. Training developers to use secure coding practices reduces the number of vulnerabilities introduced into the software as it’s created. But most developers don’t have deep secure coding skills or experience, so testing is an essential component of AppSec. Testing catches issues so they can be resolved before the code moves to the next phase in the SDLC.
Even testing is a catch-all term, because the type of testing needed depends on where you are in the lifecycle. Static application security testing (SAST) analyzes code, both source and compiled, at the earliest development stages to identify potential security risks. Because SAST doesn’t require the application to be “runnable,” it can identify problems in individual components very early. Of course, not all code is developed in house from scratch. Software composition analysis (SCA) tools enable teams to detect and manage the open source components in their code base.
Once software moves into testing/QA, dynamic application security testing (DAST) identifies vulnerabilities of the application in its running state. Container and cloud testing tools ensure the security of the environment the application runs in.
4. InfoSec and AppSec Are Part of a Risk Ecosystem
The later AppSec testing approaches start to look more like InfoSec controls, and that is no accident. The further along software is in the SDLC, the closer it gets to deployment, which puts it in the InfoSec realm. You can’t adequately secure applications in the SDLC with InfoSec approaches alone, but you also can’t do AppSec in a vacuum. Even though AppSec and InfoSec are different, they are interconnected and can’t be managed in isolation.
Nor can companies compartmentalize how they think about risk. You need to understand your overall attack surface as an organization, which includes both development and IT processes and systems. To do that, you need visibility and assurance across your applications and infrastructure, as well as your software supply chain. Only by understanding each element and managing its particular risks can you secure the ecosystem as a whole.
Find Rapid AppSec
If you need to ramp up your AppSec program fast, ZeroNorth can help. Our platform includes pre-configured, open source application security scanning tools with out-of-the-box automation, orchestration, centralized management and actionable risk intelligence. The ZeroNorth platform for rapid AppSec is ideal for technology and security teams who need to quickly and cost-effectively jumpstart their security vulnerability program. To learn more, request a demo or contact us anytime.