A Collection of Information Security Community Standardization Activities and Initiatives

Application Security

If you believe that your software should do what it is supposed to do and nothing more, in spite of the efforts of attackers, haphazard user input, or accidents, then application security is probably something you will be interested in. To gain assurance that the software products you acquire or develop are free of known types of security weaknesses, you can draw on public knowledge such as the Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC) collections. By combining these collections with high-quality tools and services for finding security weaknesses in code, and by testing software with misuse and abuse test cases, you can systematically organize and document the assurance activities as you conduct them.

To focus application security efforts so that they go after the most "important" weaknesses first, you can draw on community priority lists such as the OWASP Top Ten or the CWE/SANS Top 25, or you can build a priority list specific to your application. One approach is to target the weaknesses with the most dangerous impact on your organization; the Common Weakness Risk Analysis Framework (CWRAF) and Common Weakness Scoring System (CWSS) support prioritizing weaknesses in this way.

Another approach to prioritizing is to consider the types of attacks most likely to be directed against your system and the weaknesses those attacks are effective against. This is the basic methodology described in ISO/IEC Technical Report 20004, "Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045", and on the "Engineering for Attack" page of the CWE Web site.