As you may know, applications are links between the data and the user (or another application).
When a user wants to conduct a complex analysis on a patient’s medical information, for example, it can be performed easily by an application to avoid complex, time-consuming manual calculations. Similarly, an online bank transaction is performed through web-based applications or mobile apps, and non-public financial data is processed, transmitted, and stored in this process.
Software doesn’t recognize sensitivity or confidentiality of data that it is processing or transmitting over the Internet. Thus, software needs to be designed and developed based on the sensitivity of the data it is processing. If data is classified as “public,” then it can be accessed without requiring the user to authenticate. One example is information found within a website’s contact page or policy page. However, if the software performs user administration, then a multi-factor authentication method is expected to be in place to access this information. Based on classification of the data being processed by the application, suitable authentication, authorization, and protection of data in storage or transit should be designed for the application in addition to carrying out secure coding.
To protect the software and related sensitive data, a measurement should be taken during each phase of the SDLC. This measurement broadly divides issues into pre and post-deployment phases of development. Again, software security deals with the pre-deployment issues, and application security takes care of post-deployment issues.