Application Security

Organizations perform application security testing to verify that their applications and software are free of errors and vulnerabilities and that they interact securely with users and with other applications. According to the National Institute of Standards and Technology's guideline document (Scarfone et al., 2008):

Application security assessment should be integrated into the software development life cycle of the application to ensure that it is performed throughout the life cycle. For example, code reviews can be performed as code is being implemented, rather than waiting until the entire application is ready for testing. Tests should also be performed periodically once an application has gone into production; when significant patches, updates, or other modifications are made; or when significant changes occur in the threat environment where the application operates. (p. C-1)

Application security testing techniques can be broadly classified as white box or black box techniques. White box techniques work by directly analyzing the application's source code, whereas black box techniques work from the binary executable code, without examining the source.

References

Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical guide to information security testing and assessment: Special Publication 800-115. National Institute of Standards and Technology. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf