Applications are designed to provide access to valuable organizational data and system resources; this very function also makes them a target for hackers and malicious actors. Application security controls are technology-independent collections of policies, procedures, and standards to secure software, devices, users, network, and data. While developers are key to embedding security into the code, it is a shared responsibility that spans the entire organization from IT to operations.
How do organizations design their security controls when requirements vary by project? OWASP suggests using threat modeling, beginning with analyzing risks in the environment. MITRE ATT&CK helps identify high-risk attack techniques and adversary behaviors, which can inform threat modeling efforts. Combining it with structured threat modeling frameworks such as STRIDE or PASTA can provide a complete and systematic approach to assessing application threats. Then, security controls are designed while addressing the questions of who, what, when, where, why, and how of the control.
NIST’s Cybersecurity Framework (NIST CSF 2.0) organizes security controls into five core functions:
Identify: Asset inventory, risk assessment, and governance.
Protect: IAM, encryption, network segmentation, secure configurations.
Detect: Continuous monitoring, anomaly detection, and security logging.
Respond: Incident response planning and containment strategies.
Recover: Backup strategies, business continuity, disaster recovery.
In each area, these controls are designed to mitigate risks, including vulnerabilities, exploits, and data breaches, in three major ways:
Evaluating the current and desired cybersecurity posture, identifying gaps, and tracking progress.
Organizing and ranking actions to manage risks in line with mission requirements and regulatory standards.
Establishing a unified framework for discussing cybersecurity risks, capabilities, and needs both internally and externally.
Types of Application Security Controls
Designing application security controls can be an exhaustive process. To simplify the process, it's important to understand the various classifications of these controls. NIST IR 8286 categorizes application security controls into five groups based on how each control functions.
Preventive controls: Stop vulnerabilities from being exploited before an incident occurs.
Deterrent controls: Discourage attackers by making consequences visible.
Detective controls: Identify and alert when a security breach or suspicious activity occurs.
Corrective controls: Restore systems and reduce impact after an incident.
Compensating controls: Provide an alternative means to manage risk when primary controls fall short.
Preventive controls like enforcing strong password policies, updating software regularly, and using encryption are key because they prevent vulnerabilities from the start. If a threat slips through, detective measures can spot it, and corrective controls can then handle it. It's crucial to shorten the time between detection and correction to minimize damage, since the exploit might already have occurred. In addition to these three main types, deterrent and compensating controls can be implemented throughout the application lifecycle.
Deterrent controls aim to discourage unauthorized or harmful behavior. For example, applying strict penalties such as firing or legal action against those who break security rules is a common approach. Compensating controls, meanwhile, act as a backup when primary security measures aren't feasible. For example, if an application cannot enforce strict MFA due to legacy system constraints, a compensating control could be to enforce strict network access controls or monitor login patterns with anomaly detection.
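As an added example (not code from the original article), here is a small login-pattern check of the kind the compensating control above describes: it flags a success that follows a burst of failures, and a success from a source address outside a user's known baseline. The log format, the sample lines, the baseline and the thresholds are all assumptions.

```python
"""Login-pattern anomaly check used as a compensating control where an
application cannot enforce MFA. Added example; format and thresholds assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <user> <src_ip> <result>"
SAMPLE_LOG = """\
2025-03-01T09:00:00 alice 203.0.113.10 success
2025-03-01T09:05:00 alice 203.0.113.10 success
2025-03-01T09:20:00 bob 198.51.100.7 failure
2025-03-01T09:20:05 bob 198.51.100.7 failure
2025-03-01T09:20:10 bob 198.51.100.7 failure
2025-03-01T09:20:15 bob 198.51.100.7 failure
2025-03-01T09:20:20 bob 198.51.100.7 failure
2025-03-01T09:20:30 bob 198.51.100.7 success
2025-03-01T09:40:00 alice 192.0.2.44 success
"""

FAIL_THRESHOLD = 5    # assumed: failures inside the window before a success
WINDOW_SECONDS = 300  # assumed: how far back to count those failures


def parse(line):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def detect_anomalies(log_text, known_ips=None):
    """Return a list of (user, reason) findings.
    known_ips: per-user baseline of source IPs seen in earlier history
    (assumed to be built from a longer log than the sample here)."""
    known = defaultdict(set, {u: set(v) for u, v in (known_ips or {}).items()})
    recent_failures = defaultdict(list)
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, ip, result = parse(line)
        if result == "failure":
            recent_failures[user].append(ts)
            continue
        # A success preceded by a burst of failures looks like guessing.
        window = [t for t in recent_failures[user]
                  if (ts - t).total_seconds() <= WINDOW_SECONDS]
        if len(window) >= FAIL_THRESHOLD:
            findings.append((user, f"success after {len(window)} failures from {ip}"))
        recent_failures[user] = []
        # A success from an address outside the user's baseline is also flagged.
        if user in known and ip not in known[user]:
            findings.append((user, f"login from new source {ip}"))
        known[user].add(ip)
    return findings
```

A real deployment would feed these findings into the alerting path the page's detective controls describe, rather than just returning them.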
Additionally, application security controls can also be categorized by asset type (e.g., software, devices, data, network), level of automation (e.g., manual, automated), and focus area (e.g., testing controls, log controls, access controls). However, even with all controls in place, some residual risks may still exist. This residual risk can be measured using the same techniques as those applied in the overall risk assessment. If the residual risk falls outside the acceptable limits, the risk owner must determine whether additional measures can bring it within an acceptable threshold.
Frameworks for Application Security Controls
Applications evolve, and so does their risk profile. This makes it challenging to manage and maintain application security controls. Organizations have developed standard guidelines based on widely accepted and well-tested methods to address this. Here are three of the most well-known application security control frameworks:
NIST Cybersecurity Framework: This guides organizations in developing their application security controls. It's not telling you exactly what to do but rather helping you figure out the best cybersecurity practices that fit your specific needs.
CIS Critical Controls: A DevSecOps framework to secure IT systems and data. It comprises various controls to manage enterprise assets, from securing configurations to enhancing email and web browser protections. This framework emphasizes asset inventory, application security, and incident management, among others, guiding organizations in protecting their networks and information effectively.
OWASP Proactive Controls: A cheat sheet aimed at helping developers secure their applications by focusing on the most critical areas of application security.
CNAPP to the left
With so many frameworks available, organizations should layer security controls to effectively achieve security by design. However, developers often take on multiple roles beyond their primary duties. Therefore, it's crucial to integrate application security controls into areas like identity and access management (IAM), networking, physical infrastructure, and data management without hindering developer productivity. Automation can be the key to balancing these demands.
Depending on the application security control function, there is a range of tools available for automation:
Preventive controls: Open source tools like OWASP ZAP (Zed Attack Proxy) and OWASP ModSecurity are designed to check your web applications for vulnerabilities and monitor HTTP traffic to help prevent exploits.
Deterrent controls: Alerts and warning signs can be automated using tools like Portspoof, which confuses and discourages attackers by making it appear that every port on a system is open and active.
Detective automation: This is likely the most hyped category, as there are hundreds of tools available for automated detection. Tools such as Snort are renowned for network intrusion detection, while Wiz, Wazuh, and Falco are more focused on cloud-native applications.
Corrective automation: Although there are many tools for detecting vulnerabilities, few support immediate remediation; examples that do include Wiz Code and Rundeck.
Compensating automation: There are no tools specifically designed for compensating controls; however, administrative tools such as iptables can serve as compensating controls when primary network controls cannot be implemented.
Automation is great for managing a bunch of controls at once. But as we've seen, different control functions lean on different automation tools, which can create security silos and unnecessary complications orchestrating between them. Unified solutions like Wiz Code simplify this by offering end-to-end solutions that cover preventive, detective, and corrective controls all on one platform. This strategy effectively moves security earlier in the application timeline, covering more ground from the start.
Want to deploy applications on the cloud? You're still covered. Wiz delivers on the full promise of a cloud-native application protection platform (CNAPP) by integrating multiple security technologies (ASPM, CSPM, CIEM, CWPP, and runtime protection) to provide end-to-end security from code to cloud. This includes cloud application security controls, integrating security into the early stages of the software development lifecycle (SDLC), automation, and more.
Summary
Application security controls naturally overlap and often serve more than one purpose. This flexibility mirrors the evolving threat landscape, where attackers constantly look for new angles to exploit. No single framework or control covers it all, so mixing and matching solutions (like NIST CSF, CIS Critical Controls, and OWASP Proactive Controls) often makes the most sense.
A good starting point is to map out where your biggest risks lie. Then pick or adapt the controls that best fit your environment and workflows, tailoring them from frameworks such as NIST CSF, CIS Critical Controls, or OWASP Proactive Controls. Watch out for “tool sprawl,” where too many specialized solutions create more complexity than they solve. To avoid this, organizations should:
Use unified platforms that consolidate multiple security controls.
Prioritize integration by choosing tools that fit into existing workflows.
Evaluate security ROI to ensure each tool provides clear value without excessive overhead.
Ultimately, security is a shared effort spanning developers, IT, and security teams. Having a shift-left mindset and catching vulnerabilities early helps maintain efficiency while safeguarding your applications from evolving threats.