AppSec (Application Security)
The discipline and toolchain that keeps the application itself secure across the SDLC — code review, SAST, DAST, SCA, secrets scanning, threat modelling, dependency hygiene, and runtime hardening.
Application Security (AppSec) is the discipline that keeps the application — its source, its dependencies, its build pipeline, its runtime configuration — secure across the software development lifecycle. AppSec programmes typically include:
- Threat modelling during design (STRIDE, attack trees) so trust boundaries and authentication surfaces are explicit before code is written.
- SAST in CI and IDE to catch code-level weaknesses on every commit.
- DAST against staging to catch runtime vulnerabilities reachable from the outside.
- SCA (Software Composition Analysis) to track vulnerable open-source dependencies — the layer the supply-chain attack lives in.
- Secrets scanning in repos, CI logs, and container images.
- Code review and pull-request gating with security owners.
- Runtime hardening: WAF, RASP, container image policies, signed builds.
AppSec is sometimes summarised as shift-left security — moving security work earlier in the SDLC. The frame is useful but incomplete: shifting only left misses runtime issues; mature programmes shift left and right (telemetry, anomaly detection, post-deploy scanning).
For early-stage SaaS startups, the practical AppSec floor is: one SAST scanner failing CI on high severity, one SCA tool watching dependency CVEs, secrets scanning in pre-commit and CI, and a written threat model for the authentication and payment paths. That covers most of the SOC 2 and ISO 27001 expectations without slowing shipping.
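A minimal CI gate for the first item of that floor (one SAST scanner failing CI on high severity), as an added example that is not Engarde's code or any scanner's own tooling: it reads SARIF 2.1.0 output, treats the SARIF level "error" as high severity, and lets explicitly risk-accepted findings through via a baseline so the gate keeps its signal instead of being switched off. The scanner name, file paths and findings are constructed sample data.

```python
import json
import sys


def _result(rule, level, uri, line, text):
    """Build one SARIF 2.1.0 result object (constructed sample data)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line}}}]}


# Constructed SARIF document, shaped like real SAST output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        _result("sql-injection", "error", "app/db.py", 42,
                "User input reaches a SQL query"),
        _result("hardcoded-secret", "error", "tests/fixtures.py", 7,
                "Possible hard-coded credential"),
        _result("weak-hash", "warning", "app/cache.py", 10,
                "MD5 used where a strong hash is expected"),
    ]}]})


def fingerprint(result):
    """Stable identity for a finding: (rule, file, line)."""
    loc = result["locations"][0]["physicalLocation"]
    return (result["ruleId"], loc["artifactLocation"]["uri"],
            loc["region"]["startLine"])


def gate(sarif_text, baseline=frozenset(), fail_levels=("error",)):
    """Return (blocking, non_blocking) fingerprints; "error" = high severity.
    A finding blocks only if its level is in fail_levels and it is not in
    the baseline of explicitly risk-accepted fingerprints."""
    blocking, non_blocking = [], []
    for run in json.loads(sarif_text)["runs"]:
        for result in run.get("results", []):
            fp = fingerprint(result)
            if result.get("level") in fail_levels and fp not in baseline:
                blocking.append(fp)
            else:
                non_blocking.append(fp)
    return blocking, non_blocking


if __name__ == "__main__":
    # Risk-accepted: a fake credential inside a test fixture.
    accepted = {("hardcoded-secret", "tests/fixtures.py", 7)}
    block, _ = gate(SAMPLE_SARIF, baseline=accepted)
    print("blocking findings:", block)
    sys.exit(1 if block else 0)  # non-zero exit fails the CI job
```

In a real pipeline the baseline lives in version control and changes to it go through the same pull-request review as code, so a risk acceptance is itself a reviewed decision.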
AppSec answers the question "is the application exploitable?" It does not answer "are the humans around the application behaving safely?": credential reuse, OAuth grants to shadow tools, support agents pasting customer secrets into chats. That residual layer is what Engarde watches, distinct from other vendors sharing the Engarde name.
Related terms
- SAST (Static Application Security Testing): Source-code analysis that inspects an application without running it — looking for injection patterns, unsafe deserialisation, hard-coded secrets, and other code-level weaknesses inside the SDLC.
- DAST (Dynamic Application Security Testing): Black-box runtime security testing that probes a running application from the outside — exercising HTTP endpoints, forms, and APIs to surface vulnerabilities that only appear when code actually executes.
- Supply chain attack: An intrusion that compromises a trusted upstream vendor — software, SaaS, MSP — to reach every downstream organisation that uses it.
- Human Risk Management (HRM): The Gartner-coined category that replaces Security Awareness Training with behaviour-centred, evidence-producing controls applied at the moment of risk.