ABSTRACT

Application security is broken down into three parts: the application in development, the application in production, and the commercial off-the-shelf software application that is introduced into production. Each one requires a different approach to securing the application. In an ideal world, information security starts when senior management is approached to fund the development of a new application. A well-designed application would include at least one document devoted to the application's security posture and its plan for managing risks. Security controls in the development life cycle are often confused with the security controls in the production environment. One must remember that they are two separate issues, each with its own security requirements and controls. During the design, development, and testing of a new application, security incidents may occur. These incidents may result from people being granted improper access, or from a successful intrusion into the software and hardware of a test environment that results in the theft of new code.