c********t Post count: 4527 | 1 Simply from Wiki:
Application security encompasses measures taken throughout the application's
life-cycle to prevent exceptions in the security policy of an application
or the underlying system (vulnerabilities) through flaws in the design,
development, deployment, upgrade, or maintenance of the application.
Applications only control the use of resources granted to them, and not
which resources are granted to them. They, in turn, determine the use of
these resources by users of the application through application security.
The Open Web Application Security Project (OWASP) and the Web Application Security
Consortium (WASC) publish updates on the latest threats that impair web-based
applications. This helps developers, security testers and architects focus
on better design and mitigation strategies. The OWASP Top 10 has become an
industry norm for assessing web applications.
What information can we get from this description?
1. One part of application security is security (policy) manageability,
generally Authentication, Authorization and Audit (AAA). In modern
applications (web, enterprise arena) it is called Identity and Access
Management, and it has further extended to Provisioning, Identity Federation and Risk
Governance.
This is a mature industry. However, it is going through a second spring
due to SAAS.
2. Another part of application security is system vulnerability. It involves
skills/techniques to analyse system threats and prevent attacks and exploits
at the application level. This never matured as an industry. It is more like
hackers vs anti-hackers, tools, best practices, etc. Of course there are a
few good startups coming out of it that are very good (vulnerability scanning
tools). Almost every big company or site has a small group of people called
security research scientists, who are responsible for application
security design and vulnerability mitigation.
3. How to get into the industry?
    Follow: the Open Web Application Security Project (OWASP) and the Web
Application Security Consortium (WASC).
    Find a job in the industry (there is tons of hiring due to the second
spring in IAM SAAS (Security as a Service)). I don't think the bar is
high for entering the space.
    Get some knowledge and skills in the security standards, communities and
open source projects, like SAML, OpenID, OAuth, etc.
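Point 1 above lists Authentication, Authorization and Audit as the three pieces of application security policy management. The following is an added example, not code from the post or from any project it mentions, that wires the three together as a single request gate: an HMAC-signed bearer token is verified (authentication), the subject's roles are checked against a permission table (authorization), and every decision, allowed or denied, is written to an audit trail. The secret key, the role/permission table and the sample tokens are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example only; a real deployment loads it
# from a secret store and rotates it.
SECRET = b"example-signing-key-not-for-production"

# Authorization policy: least privilege, every role lists exactly the
# actions it may perform. Constructed for the example.
PERMISSIONS = {
    "viewer": {"report:read"},
    "admin": {"report:read", "report:delete", "user:manage"},
}


def issue_token(subject, roles, exp=None, secret=SECRET):
    """Return '<base64url payload>.<hex HMAC-SHA256>' for the given subject."""
    payload = {"sub": subject, "roles": list(roles), "exp": exp}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode().rstrip("=")
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def authenticate(token, now=None, secret=SECRET):
    """Authentication: return the verified payload, or None if the token is
    malformed, has a bad signature, or is expired. The signature is checked
    before the payload is parsed, so untrusted bytes never reach json.loads."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    padded = body + "=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    now = time.time() if now is None else now
    if payload.get("exp") is not None and now >= payload["exp"]:
        return None
    return payload


def authorize(principal, action):
    """Authorization: allow only if some role of the principal grants action."""
    return any(action in PERMISSIONS.get(role, set())
               for role in principal.get("roles", []))


class AuditLog:
    """Audit: append-only record of every access decision, denials included."""

    def __init__(self):
        self.entries = []

    def record(self, subject, action, outcome, now=None):
        self.entries.append({
            "ts": time.time() if now is None else now,
            "subject": subject,
            "action": action,
            "outcome": outcome,
        })


def handle(token, action, audit, now=None):
    """The request gate: AAA in order. Returns 'ok', 'forbidden' or
    'unauthenticated'; the audit log records which branch was taken."""
    principal = authenticate(token, now=now)
    if principal is None:
        audit.record(None, action, "denied:unauthenticated", now)
        return "unauthenticated"
    if not authorize(principal, action):
        audit.record(principal["sub"], action, "denied:unauthorized", now)
        return "forbidden"
    audit.record(principal["sub"], action, "allowed", now)
    return "ok"


if __name__ == "__main__":
    log = AuditLog()
    alice = issue_token("alice", ["viewer"])
    print(handle(alice, "report:read", log))    # ok
    print(handle(alice, "report:delete", log))  # forbidden
    for e in log.entries:
        print(e)
```

The separation matters when reasoning about failures: a forged or expired token never reaches the permission check, a valid token for the wrong role is refused at the permission check, and both refusals leave an audit entry, which is what an incident responder later needs to reconstruct what a principal attempted.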