The course is technical, but this lesson isn’t! Just bear with us.
Five buildings, five stories. The greatest inspector of all is about to unveil the biggest failures of his life (yes, we are talking about real buildings).
Building 1: Collapsed after a fire. The blueprints were perfect, the architecture stunning, but cheap wiring ignited the blaze. It was a supply chain weakness – a single bad component brought everything down. Inspecting all components was the only solution.
Building 2: This building had thinner walls than needed. Who needs walls anyway? Well, everyone! This was a design flaw: a weakness present before construction even began, easily caught with proper design checks (here, the designs and blueprints represent the written code, even before deployment is complete).
Building 3: Used top-tier materials and a flawless design, but collapsed during a minor earthquake. The builders neglected the soil analysis, a critical infrastructure oversight. Security requires a strong foundation, not just secure walls. A complete real-world testing simulation would have caught this weakness.
Building 4: Stood tall and strong for years, but remains empty. Why? The building walls were too transparent – even the bathrooms were transparent. This represents a privacy violation – strong security doesn’t matter if you fail to protect sensitive data.
Building 5: Secure, private, and perfectly built… until government officials seized it on opening day. The builders used unlicensed materials and unlawfully obtained land. This is a Compliance Failure – even the best security is worthless if you break the rules.
Translating these scenarios to the software world: a weakness is called a vulnerability, and using that vulnerability to cause harm (or to bring the building down) is called an exploit.
The first building collapsed because of a faulty component. In the software world, testing components is called Software Composition Analysis (SCA), the field of AppSec that detects whether any dependency is vulnerable. It isn't an intrusive test: a list of all components or dependencies is enough to complete the analysis. And just as one faulty wire can take the building down, one vulnerable component can get an app hacked.
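To make the "a list of components is enough" point concrete, here is a toy SCA check added to this lesson (it is example code, not a tool the course provides). It parses a constructed, requirements-style manifest and compares each pinned version against a constructed advisory list. The package names, version ranges and `ADV-EXAMPLE-*` identifiers are all made up for the example; a real SCA tool would pull this data from a vulnerability database.

```python
"""Toy Software Composition Analysis (SCA): match pinned dependency
versions against an advisory list. Added example; all package names,
ranges and advisory ids below are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: Version        # first affected version (inclusive)
    fixed: Optional[Version]   # first fixed version (exclusive); None = no fix yet
    advisory_id: str           # placeholder id, not a real CVE


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; shorter forms are padded with zeros so
    that (1, 2) and (1, 2, 0) compare as equal."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def parse_manifest(text: str) -> Dict[str, Version]:
    """Read 'name==version' lines; comments and blank lines are skipped.
    Unpinned entries are rejected because SCA needs an exact version."""
    deps: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency: {line!r}")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = parse_version(version)
    return deps


def is_affected(version: Version, adv: Advisory) -> bool:
    """Affected if introduced <= version < fixed (or no fix exists)."""
    if version < adv.introduced:
        return False
    return adv.fixed is None or version < adv.fixed


def scan(manifest_text: str, advisories: List[Advisory]) -> List[dict]:
    """Return one finding per advisory that matches an installed version."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        installed = deps.get(adv.package)
        if installed is not None and is_affected(installed, adv):
            findings.append({
                "package": adv.package,
                "installed": ".".join(map(str, installed)),
                "advisory": adv.advisory_id,
                "fixed_in": ".".join(map(str, adv.fixed)) if adv.fixed else None,
            })
    return sorted(findings, key=lambda f: f["package"])


# Constructed sample manifest (fictional package names).
MANIFEST = """
# sample requirements file for the example
acme-http==2.19.0
acme-tls==1.26.5
acme-yaml==5.4.1
acme-legacy==0.9
acme-web==2.3.2
"""

# Constructed advisory list (placeholder ids and ranges).
ADVISORIES = [
    Advisory("acme-http", (0, 0, 0), (2, 20, 0), "ADV-EXAMPLE-0001"),
    Advisory("acme-tls", (1, 0, 0), (1, 26, 6), "ADV-EXAMPLE-0002"),
    Advisory("acme-yaml", (0, 0, 0), (5, 4, 0), "ADV-EXAMPLE-0003"),  # 5.4.1 is fixed
    Advisory("acme-legacy", (0, 0, 0), None, "ADV-EXAMPLE-0004"),     # no fix released
    Advisory("acme-unused", (0, 0, 0), (9, 9, 9), "ADV-EXAMPLE-0005"),  # not installed
]


def run_example() -> List[dict]:
    return scan(MANIFEST, ADVISORIES)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Note the fourth advisory: an affected package with no fixed version is still a finding, which is where an SCA report stops and a decision (replace the dependency, mitigate, or accept the risk) begins.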
The second building had design issues: the engineer who designed it didn't use enough walls. To detect that, a look at the designs, even before the building was built, was enough to know the risks. Such a test in the software world is called Static Application Security Testing (SAST), another non-intrusive test that needs only the code to assess, even before the building/the software is deployed.
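The following is an added example of the "only the code is needed" idea, written for this lesson rather than taken from any SAST product. It parses a constructed Python source file into an abstract syntax tree and applies two simple rules: `eval()`/`exec()` called with a non-constant argument, and `subprocess` calls with `shell=True`. The rule set and the sample source are constructed for illustration; real SAST tools carry hundreds of rules and track how data flows into such calls.

```python
"""Toy Static Application Security Testing (SAST): walk a Python AST and
flag risky call patterns. Added example with a constructed rule set;
the sample source below is made up for the demonstration."""
import ast
from typing import List, Optional, Tuple

DANGEROUS_EVAL = {"eval", "exec"}                       # rule 1
SUBPROCESS_FUNCS = {"run", "call", "Popen", "check_output"}  # rule 2


def _call_name(node: ast.Call) -> Optional[str]:
    """Return 'eval' for eval(...) and 'run' for subprocess.run(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _is_subprocess_call(node: ast.Call) -> bool:
    func = node.func
    return (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess"
            and func.attr in SUBPROCESS_FUNCS)


def find_issues(source: str, filename: str = "<sample>") -> List[Tuple[int, str]]:
    """Return (line number, message) pairs, sorted by line."""
    tree = ast.parse(source, filename)
    issues: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        # Rule 1: eval/exec on anything that is not a literal constant.
        if name in DANGEROUS_EVAL and node.args and not isinstance(node.args[0], ast.Constant):
            issues.append((node.lineno, f"{name}() called with a non-constant argument"))
        # Rule 2: subprocess.* with shell=True.
        if _is_subprocess_call(node):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    issues.append((node.lineno, f"subprocess.{name}() called with shell=True"))
    return sorted(issues)


# Constructed sample source: two risky patterns and their safer forms.
SAMPLE_SOURCE = '''\
import subprocess

def compute(expr):
    return eval(expr)          # line 4: expression comes from the caller

def safe_version():
    return eval("1 + 1")       # line 7: constant argument, not flagged

def list_dir(path):
    return subprocess.run("ls " + path, shell=True)   # line 10

def list_dir_safe(path):
    return subprocess.run(["ls", path])               # line 13
'''


def run_example() -> List[Tuple[int, str]]:
    return find_issues(SAMPLE_SOURCE)


if __name__ == "__main__":
    for lineno, message in run_example():
        print(f"{lineno}: {message}")
```

Like the blueprint review, nothing here is executed: the scanner only reads the code, which is why SAST can run in a pull request or a CI job long before deployment.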
The third building was never tested in a simulation environment, so it collapsed in a minor earthquake. A real-world intrusive or semi-intrusive test, where testers get into the building and try to find a security risk somewhere, is called Dynamic Application Security Testing (DAST). It is more intrusive than the other types, as it requires a complete building or a simulation of one to assess. DAST treats the app as a black box, simulating attacks to see whether it is strong enough.
The fourth building was fine from a technical standpoint; it's strong. But from a legal standpoint, it either makes private information more available than it should be or fails to let users control and even delete their data. This kind of weakness isn't a security vulnerability, as it won't cause the building to fully or partially collapse. In the software world, compliance with privacy laws such as GDPR, HIPAA, CCPA, ePrivacy, and others is as important as security testing.
The fifth building represents software built from unlicensed software, pirated components, and non-compliant open-source dependencies, another huge mistake commonly seen in the software world. A license assessment would have detected and fixed this issue. Although this doesn't affect users directly, nor the security of the building, it is in a way worse, as it represents a ticking legal and reputational time bomb. The consequences could range from hefty fines and lawsuits to irreparable damage to the company's brand and loss of customer trust.
Each failure represents one type of security or compliance risk, compiled in the table below:
Building | Construction Issue | Security/Compliance Risk Represented
---|---|---
Building 1 | Collapse due to the use of bad raw materials, causing a fire | Software Composition Analysis (SCA): This is about using vulnerable dependencies or components in your software. It checks if the libraries, frameworks, and other software modules your application uses have any known vulnerabilities. Like the bad brand of wires, it all seems fine until a vulnerability gets exploited.
Building 2 | Collapse due to missing all pillars as per the blueprints | Static Application Security Testing (SAST): This is like analyzing the blueprints (source code) of an application for programming errors that could lead to security vulnerabilities, before the code is executed. Just like the design flaw in the building could have been caught before construction, SAST can identify issues before deployment.
Building 3 | Collapse due to poor soil condition in spite of good materials and design | Dynamic Application Security Testing (DAST): This tests the application in its running state, looking for vulnerabilities an attacker could exploit. It's like checking the constructed building rather than the blueprints, much like how the soil condition would only impact the standing building and not its design.
Building 4 | Abandoned due to a lack of privacy (transparent building) | Privacy Risk Assessment: Just like tenants need privacy in a building, users need privacy in software. Privacy risks occur when applications do not properly secure personal data, leading to potential data breaches.
Building 5 | Taken by government officials due to use of unlicensed materials and uninhabited land | Compliance and License Risk Assessment: This represents the risk of not adhering to laws, regulations, standards, or ethical practices. Like the fifth building using unlicensed materials and unbought land, using unlicensed software or data can lead to legal consequences or reputational damage.
In the remainder of this course, we will take each assessment type, dive deeper into what it represents, and how to perform the test and fix any findings.