How to cybersecurity: Pain in the *AST

What’s the difference between IT security and application security? And what do all those acronyms mean? Learn more in our quick cyber security primer.

In many organizations, software security responsibility is divided between IT security and application security.

At the most fundamental level, IT security is about buying software, while application security is about building software.

The core mission of both groups is bringing risk down to an acceptable level for the organization.

IT security

IT security is part of the information technology group, which is generally responsible for supplying the computing infrastructure for an organization. This includes network equipment and configuration, laptops, servers, printers, and mobile devices. IT is usually responsible for software applications as well, including directory services, single sign-on solutions, and multifactor authentication, not to mention applications such as Microsoft Office and whatever else employees use to get their jobs done.

Application security

Also known as product security, the application security team is responsible for the security of software produced by the organization.

The adaptation of existing development processes into a secure software development life cycle (SSDLC) is the primary mechanism for minimizing risk in application security. Organizations using an SSDLC are always thinking about security, from the design phase through implementation and maintenance.

IT security is mainly reactive

A firewall is a classic example of a reactive control: it reduces exposure to known external threats. Signature-based antivirus is another. It catches malware it already has a signature for (to some degree), but it has little to offer against new malware that has not yet been seen and fingerprinted.
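To make the "known threats only" limitation concrete, here is an added example (not code from the article or from Synopsys) in Python. It models a signature-based scanner with two kinds of signatures, a file hash and a byte pattern, and shows how trivially each is defeated by a sample the signature author has not seen. The sample body, the hash and pattern databases, and the two evasion transformations are all constructed for this illustration; the sample is not real malware.

```python
import hashlib

# Constructed stand-in for a malicious file body (illustration only, not real malware).
KNOWN_SAMPLE = b"MZ...drop and run: powershell -enc AAAA"

# A reactive scanner only knows what it has already been shown.
HASH_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}   # exact-file signature
PATTERN_DB = [b"powershell -enc"]                      # byte-pattern signature


def hash_scan(sample: bytes) -> bool:
    """Flag the sample only if its SHA-256 is already in the database."""
    return hashlib.sha256(sample).hexdigest() in HASH_DB


def pattern_scan(sample: bytes) -> bool:
    """Flag the sample if any known byte pattern appears in it."""
    return any(pattern in sample for pattern in PATTERN_DB)


def scan(sample: bytes) -> bool:
    """Combined reactive verdict: known by hash or by pattern."""
    return hash_scan(sample) or pattern_scan(sample)


# Two constructed evasions an attacker could apply to an existing sample.
def append_padding(sample: bytes) -> bytes:
    """Append junk bytes: changes the hash, leaves the byte pattern intact."""
    return sample + b"\x00" * 16


def xor_pack(sample: bytes, key: int) -> bytes:
    """XOR-encode the body: changes the hash and hides the byte pattern."""
    return bytes(b ^ key for b in sample)


if __name__ == "__main__":
    print("original detected:       ", scan(KNOWN_SAMPLE))
    print("padded, hash signature:  ", hash_scan(append_padding(KNOWN_SAMPLE)))
    print("padded, pattern signature:", pattern_scan(append_padding(KNOWN_SAMPLE)))
    print("xor-packed detected:     ", scan(xor_pack(KNOWN_SAMPLE, 0x41)))
```

The hash signature fails as soon as a single byte changes; the pattern signature survives padding but not a simple encoding. Either way the scanner only catches what it has already been taught, which is the reactive posture the article describes.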

Application security is mainly proactive

Application security, by contrast, is almost entirely proactive. Application security is focused on locating and fixing as many weaknesses as possible before releasing a product into the big, bad world.

The centerpiece of application security is the adoption of an SSDLC, which uses a proactive approach to minimize risk at every phase.

The implementation and testing phases of the SSDLC are fertile ground for acronyms, sprouting a variety of terms for different kinds of software security testing (the *AST of this article's title). Whatever the label, each of them is a way of finding weaknesses in your own code before it ships.

Don’t let your dreams be dreams

The most important thing is to keep sight of the overall goal, despite the tangle of acronyms. The overall goal is minimizing risk. In application development, this means adopting an SSDLC, which includes a variety of security testing that is automated and integrated with your existing development processes.

To learn more, read the full article.

Patrick Carey, Director, Product Marketing, Synopsys

Synopsys Software Integrity Group helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle. Learn more at
