ABSTRACT
Application security is broken down into three parts: (1) the application in development, (2) the
application in production, and (3) the commercial off-the-shelf (COTS) software application that is
introduced into production. Each one requires a different approach to secure the application. As with the
Common Criteria (ISO 15408), one must develop a security profile, or baseline, of security requirements
and the level of risk considered reasonable.