To create sound application security architecture and design it’s crucial to understand our scope. Are we auditing an application for bugs, or are we dealing with advanced attack scenarios and threat modelling in application deployment?
We need to understand what is important to prove, validate and protect. This draws on capability rather than simply executing a “web application test” and filling in checklists to find and report bugs.
We need to establish whether fundamental principles of design are baked in, where areas of concern are from a business and technical perspective, and to understand and model test cases accordingly.
Naturally, applications are very different from infrastructure, but the mentality and approach are very similar. In the sections that follow we will explore Chaleit’s “Core” Capabilities and thought leadership around testing, auditing and breaking applications for our clients.