Viewing Application Security Through the Lens of Realist Theory
- 'Tunji Adeolu

- Jan 2

Realist theory is a major theory in international relations that explains how states behave in world politics. It argues that actors operate in an environment without a central authority, where survival depends on self-interest and power. This theory can be applied to application security by viewing organisations as independent actors and attackers as competing adversaries.
The application security ecosystem is largely anarchic. There is no single authority that can fully protect applications on the internet. Regulations, security standards, and compliance frameworks exist, but they set minimum expectations and assign liability; they do not guarantee protection. Each organisation is responsible for securing its own applications, infrastructure, and data. As a result, application security operates as a self-help system, where security outcomes depend on internal capabilities rather than external enforcement.
Organisations make security decisions based on risk management and business priorities. Limited budgets and development timelines require trade-offs between security, cost, and functionality. Instead of aiming for perfect security, teams focus on reducing the most critical risks. This aligns with realist assumptions that actors prioritise survival and stability over ideal outcomes.
In application security, power can be defined as technical capability. This includes secure system design, strong authentication and authorisation controls, regular patching, code review, automated testing, monitoring, and incident response readiness. Organisations with stronger security capabilities are harder to compromise and recover faster when they are. Security investment therefore functions as a form of deterrence: it raises the cost and effort required to exploit a system, and an attacker who is weighing targets is more likely to move on.
Attackers generally behave as rational adversaries. They scan for known vulnerabilities, misconfigurations, and weak access controls, and they prefer targets that offer the highest return with the lowest effort. From a realist AppSec perspective, defence focuses on raising the attacker’s cost through layered controls, secure defaults, and rapid detection rather than attempting to eliminate all threats.
Application security also shows an action-reaction dynamic that resembles the realist security dilemma. When defenders improve security through new controls or tooling, attackers adapt by developing new techniques or by targeting weaker systems. As a result, security is a continuous process rather than a final state. Improvements in one organisation often displace opportunistic attack activity to less mature environments rather than removing the threat entirely.
Finally, cooperation in application security is limited by self-interest. While vulnerability disclosure programs and information-sharing communities exist, organisations often restrict what they share due to legal risk, reputation concerns, and competitive pressure. This mirrors realist expectations that cooperation is constrained in competitive environments.
In summary, applying realist theory to application security highlights the importance of pragmatism, technical capability, and resilience. Application security is best understood as an ongoing competition between defenders and attackers in an environment without guaranteed protection, where organisations must rely on their own security strength to manage risk.