Application security comprises the controls built into a software program, and into the process that produces it, that protect the application and its data: who may use it, which resources each user may reach, what the program accepts as input, and how it behaves when something fails. These controls are determined by the security and data policies that the specific application is meant to enforce. The usual categories of application security control are input validation, authentication, authorization, configuration management, session management, exception management, and auditing and logging.
As an application is being designed and developed, the rights of individual users and the protection required for each kind of data are identified. These rights and limitations are then implemented inside the application as security controls rather than bolted on afterwards. Depending on the number of business processes the application supports, the resulting controls might be minor or extensive.
Input validation addresses what a program accepts as input. It keeps a user from feeding the system data that is malformed or known to be bad. Such checks include comparing a number against an allowed range or set of values, matching a string against an expected format, and letting the user select from a fixed list of data points rather than type free text. Validation should accept only what is expected (an allowlist) rather than try to recognise and strip bad input (a denylist), which is never complete; it also complements, rather than replaces, output encoding and parameterised queries at the point where the data is used.
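The three kinds of check described above (numeric range, fixed list, expected format) as one validator, written here as an added illustration rather than code from the original article. The form fields, the allowed countries, the quantity range and the SKU pattern are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed example: a small order form with three fields. The field names,
# allowed values and patterns are assumptions made for this illustration.
ALLOWED_COUNTRIES = {"US", "CA", "GB", "DE"}          # pick-from-list field
QUANTITY_RANGE = (1, 100)                            # numeric range field
SKU_PATTERN = re.compile(r"[A-Z]{3}-[0-9]{4}")        # format field, e.g. "ABC-1234"


@dataclass
class ValidationResult:
    ok: bool
    errors: dict = field(default_factory=dict)    # field name -> reason
    cleaned: dict = field(default_factory=dict)   # typed, normalised values (only when ok)


def validate_order(form: dict) -> ValidationResult:
    """Allowlist validation: every field must match an expected type, range,
    format or list of values; anything else is rejected outright. Nothing is
    'cleaned up' by stripping suspicious characters, because a denylist of bad
    input is never complete."""
    errors, cleaned = {}, {}

    # Quantity: ASCII digits only (int() alone would also accept "+5" and
    # non-ASCII digits), then a range check on the converted value.
    qty_str = str(form.get("quantity", "")).strip()
    if re.fullmatch(r"[0-9]{1,3}", qty_str):
        qty = int(qty_str)
        lo, hi = QUANTITY_RANGE
        if lo <= qty <= hi:
            cleaned["quantity"] = qty
        else:
            errors["quantity"] = f"must be between {lo} and {hi}"
    else:
        errors["quantity"] = "not a whole number"

    # Country: the user selects from a fixed list; free text is not accepted,
    # so the value can later be used as a lookup key without further checks.
    country = form.get("country")
    if isinstance(country, str) and country in ALLOWED_COUNTRIES:
        cleaned["country"] = country
    else:
        errors["country"] = "not in the allowed list"

    # SKU: exact format match. fullmatch() is used instead of a '^...$' pattern
    # because '$' also matches just before a trailing newline.
    sku = form.get("sku")
    if isinstance(sku, str) and SKU_PATTERN.fullmatch(sku):
        cleaned["sku"] = sku
    else:
        errors["sku"] = "malformed"

    if errors:
        return ValidationResult(ok=False, errors=errors)
    return ValidationResult(ok=True, cleaned=cleaned)
```

The result carries the converted values, so downstream code works with an `int` and a known country code rather than re-parsing the raw strings; the error map names the field and the rule that failed without echoing the rejected value back to the user.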
Authentication is the process of verifying who a user is before the application decides what that user may do. Some applications allow a user to access the program from anywhere in the world, as long as the correct credentials are presented. Other applications add time and location checks: these restrictions determine when, and from where, an individual user may access the system. A user attempting access outside those parameters is refused even if the credentials are valid.
Authorization is how the program enforces different levels of user privilege once a user has been authenticated. There might be several levels of permission for users of a program. A data-entry user might have permission to insert records into the system but not to change them; the next level grants that user the ability to make changes. The number of permission levels depends on the business policies implemented within the program. Whatever the levels are, the check belongs on the server for every request, not only in the user interface that hides buttons.
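An added example covering the two preceding paragraphs together: credential verification with a time and location policy, then a permission-level check. This is illustrative code, not from the original article; the user store, passwords, roles, network range, working hours and action names are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
from datetime import datetime, time, timezone
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 iteration count. OWASP's password storage guidance currently
# recommends 600,000 for this construction; it is lowered here only so the demo runs quickly.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password do not end up with the same stored hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_user(password: str, role: str) -> dict:
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "role": role}


# Constructed user store; the names, passwords and roles are assumptions.
USERS = {
    "alice": make_user("correct horse battery", "editor"),
    "bob": make_user("hunter22", "data_entry"),
}

# Constructed authentication policy: internal network only, working hours (UTC) only.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
WORK_HOURS = (time(8, 0), time(18, 0))

# Dummy values used when the username is unknown, so the hash is still computed
# and the response time does not reveal which usernames exist.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def authenticate(username: str, password: str, src_ip: str, now: datetime) -> Tuple[bool, str]:
    """Verify identity, then apply the time and location restrictions.
    Returns (True, role) on success or (False, reason) on failure."""
    user = USERS.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    _, presented = hash_password(password, salt)
    # Constant-time comparison, and one message for both unknown user and wrong password.
    if user is None or not hmac.compare_digest(presented, expected):
        return False, "bad credentials"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False, "location not permitted"
    start, end = WORK_HOURS
    if not (start <= now.astimezone(timezone.utc).time() < end):
        return False, "outside permitted hours"
    return True, user["role"]


# Authorization: each privilege level is a set of permitted actions. This is
# checked on the server for every request, regardless of what the UI shows.
PERMISSIONS = {
    "data_entry": {"record:create"},
    "editor": {"record:create", "record:update"},
    "admin": {"record:create", "record:update", "record:delete", "config:write"},
}


def authorize(role: str, action: str) -> bool:
    """Default deny: an unknown role or an unlisted action is refused."""
    return action in PERMISSIONS.get(role, set())
```

The order of checks matters: the credential is verified first with a constant-time compare, and the policy reasons are only reported to a caller that has already proven who it is, so an attacker probing from outside the allowed network learns nothing about which usernames exist.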
Configuration management, session management and exception management are supporting processes that draw on the other controls to protect specific parts of the application. Configuration management deals predominantly with how the application's settings are stored and who may administer them, so that administrative interfaces and configuration data such as credentials and connection strings are reachable only by administrators. Session management addresses each individual session of application usage: how a session is identified, how long it lives, and how it ends. Exception management governs how the application handles errors and failed operations, including attempted unauthorized access: the detail is recorded for the system administrators who need it, while the user sees only a generic message.
Auditing and logging are set within the system to document who did what and when they did it. This allows system administrators to establish when a specific user was on the system and what that user did while there. The information is needed for reporting, and it is also what incident responders rely on after a breach, so the audit trail should be written somewhere the users it describes cannot alter it.
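An added example tying the two preceding paragraphs together: a session store with random identifiers and idle and absolute timeouts, a request handler that keeps error detail out of the response, and an audit record for each outcome. This is illustrative code, not from the original article; the timeouts, action names, status codes and the in-memory list standing in for an append-only log are assumptions.

```python
import secrets
from datetime import datetime, timedelta
from typing import Callable, List, Optional

# In-memory stand-in for an append-only audit log. In a real deployment this
# would go to a log pipeline that the application's own users cannot modify.
AUDIT: List[dict] = []


def audit(who: str, what: str, when: datetime, outcome: str, **detail) -> dict:
    """One audit record: who did what, when, and how it turned out."""
    entry = {"who": who, "what": what, "when": when.isoformat(), "outcome": outcome, **detail}
    AUDIT.append(entry)
    return entry


class SessionStore:
    """Session management: random identifiers, an absolute lifetime and an
    idle timeout, and explicit destruction on logout or expiry."""
    ABSOLUTE_LIFETIME = timedelta(hours=8)
    IDLE_TIMEOUT = timedelta(minutes=30)

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, username: str, now: datetime) -> str:
        # 32 random bytes (256 bits); never derived from the username or a counter.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "created": now, "last_seen": now}
        audit(username, "session.create", now, "ok")
        return sid

    def resolve(self, sid: Optional[str], now: datetime) -> Optional[str]:
        """Return the session's user, or None if the session is missing or expired."""
        session = self._sessions.get(sid or "")
        if session is None:
            return None
        if (now - session["created"] > self.ABSOLUTE_LIFETIME
                or now - session["last_seen"] > self.IDLE_TIMEOUT):
            self.destroy(sid, now, reason="expired")
            return None
        session["last_seen"] = now
        return session["user"]

    def destroy(self, sid: str, now: datetime, reason: str = "logout") -> None:
        session = self._sessions.pop(sid, None)
        if session is not None:
            audit(session["user"], "session.destroy", now, reason)


class AccessDenied(Exception):
    """Raised by an action when the caller lacks the required permission."""


def handle_request(store: SessionStore, sid: Optional[str], action: str,
                   now: datetime, do_action: Callable[[str], object]) -> dict:
    """Exception management: every failure is written to the audit log with
    its detail, while the response to the user carries only a generic message."""
    user = store.resolve(sid, now)
    if user is None:
        audit("-", action, now, "denied", reason="no valid session")
        return {"status": 401, "message": "authentication required"}
    try:
        result = do_action(user)
    except AccessDenied as exc:
        audit(user, action, now, "denied", reason=str(exc))
        return {"status": 403, "message": "forbidden"}
    except Exception as exc:  # deliberately broad: nothing internal may leak to the client
        # Exception type and message (which may carry SQL text, paths or stack
        # detail) go to the log for administrators, not into the response.
        audit(user, action, now, "error", exc_type=type(exc).__name__, detail=str(exc))
        return {"status": 500, "message": "internal error"}
    audit(user, action, now, "ok")
    return {"status": 200, "result": result}
```

Note that `resolve` refreshes `last_seen` only on a valid session, so a request arriving after the idle window both fails and destroys the session, leaving an `expired` record followed by the `denied` record for the request itself.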