Application security, as explained in this chapter, uses
the Cybersecurity Framework as a substratum to
understand some of the key concepts. To ensure
application security, it is important to identify threats
and what they affect.
Before we talk about the potential risks, it is essential to
understand some key terms and their relationships. The
following are some commonly misunderstood terms:
Asset: An asset is something you’re trying to protect. It could be
information, data, people, or physical property. Assets are of two types:
tangible and intangible. Information and data may include databases,
software code, and critical company records. People include employees
and customers. Intangible assets include reputation and proprietary
information.
Threat: Anything you are trying to protect against is known as a
threat. A threat is any code or person that can exploit a vulnerability
when it has access to an asset and can control or damage the asset.
Vulnerability: A vulnerability is a weakness or gap in protection
efforts. It can be exploited by threats to gain unauthorized access to an
asset.
Risk: Risk is the intersection of assets, threats, and vulnerabilities.
Certain risks can potentially compensate for loss, damage, or
destruction of an asset as a result of a threat exploiting a vulnerability.
Threats can always exist, but if vulnerabilities don’t exist, then there is
little or no risk. Similarly, you can have a weakness, but if you have no
threat, then you have little or no risk.Common Threats and Mitigations
In this section, we examine the most common threats.
Table 14-2 describes some of the dangers to application
and some mitigation tips for each one of them.
Table 14-2 Threats and Sample Mitigation Options