From the course: ISC2 Certified Secure Software Lifecycle Professional (CSSLP) (2023) Cert Prep

The goals of application security

- [Instructor] I have pretty strong opinions on the importance of the concepts laid out in the CSSLP body of knowledge above and beyond the value that the cert can provide for your career. Application security is one of my favorite areas within cybersecurity. I've been a practitioner for years, and I'm yet to get bored, far from it. Technology continues to change at a breakneck pace, and so do the apps that enable us to interact with that tech. Take the video game industry, for example. Over just a few decades, video games evolved from Pong, a simple paddle-and-ball game that you played on a single computer, to a multi-billion-dollar industry with competitive multiplayer games that rely on internet-connected applications to work. With all that money on the line, attackers know that finding and exploiting an application security weakness could lead them to a quick payday. If a criminal exploits an AppSec weakness in a video game, they might be able to cheat or get virtual loot they didn't pay for. But what happens when that same criminal turns their attention to critical national infrastructure? The industrial control systems that control power, water, and public communication have become more and more reliant on applications. While consumer-facing apps have been modernized to keep pace with consumer expectations, the same can't be said about the apps controlling our infrastructure. If an attacker were to find and exploit a weakness in one of these systems, the end result could be a loss of life on a massive scale. And have you thought about how much software is running in modern automobiles? Two security researchers, Charlie Miller and Chris Valasek, were featured in a 2015 WIRED article where they demonstrated how they were able to remotely hack into a vehicle and take control.
As more and more self-driving vehicles find their way onto public roads, folks like you and me are really, really hoping that the people creating the software in those vehicles are doing their best to secure those apps. Physical safety concerns aside, I also believe that we have an expectation of a right to digital privacy. That said, how do you think organizations manage our healthcare data, our financial data, or personally identifiable information? Exactly, applications. Hundreds of millions of records have been compromised since we started tracking those numbers in publicly disclosed data breaches. How many of those breaches could have been mitigated with stronger application security controls? Application security is just one of multiple domains necessary for protecting the systems and data that process and store all this information. But make no mistake, it's a really, really important one. At the end of the day, protecting apps isn't just about the technical ones and zeros. It's about protecting the people who might be impacted by a criminal who is able to exploit an application security weakness and do harm. By improving your application security knowledge, you'll be able to tip those scales in favor of the good guys.