Application Security (AppSec) and OWASP Top 10
What is Application Security?
Application Security (AppSec) encompasses all measures to make applications more secure against threats. It ranges from secure design, development with secure coding practices, security testing, all the way to deployment and continuous maintenance.
OWASP Top 10 (2021)
A01 - Broken Access Control
Risk: Users access unauthorized resources
Examples: IDOR, privilege escalation, forced browsing
Mitigation: Implement access control at every layer, deny by default
A02 - Cryptographic Failures
Risk: Exposure of sensitive data due to inadequate cryptography
Examples: Plain text passwords, weak algorithms, HTTP without TLS
Mitigation: TLS everywhere, bcrypt/Argon2 for passwords, AES-256 for data
A03 - Injection
Risk: SQL, NoSQL, OS command injection, LDAP, XPath
Examples: ' OR '1'='1, shell command injection
Mitigation: Prepared statements, ORMs, input validation, WAF
A04 - Insecure Design
Risk: Architectural and threat modeling flaws
Examples: Lack of rate limiting, no threat modeling
Mitigation: Secure by design, threat modeling, secure design patterns
A05 - Security Misconfiguration
Risk: Insecure or default configurations
Examples: Default credentials, exposed stack traces, CORS misconfiguration
Mitigation: Hardening guides, automated configuration scanning
A06 - Vulnerable and Outdated Components
Risk: Use of libraries with known vulnerabilities
Examples: Log4Shell (CVE-2021-44228), Struts2 RCE
Mitigation: Dependabot, Snyk, OWASP Dependency-Check, SCA tools
A07 - Identification and Authentication Failures
Risk: Authentication and session flaws
Examples: Credential stuffing, session fixation, weak passwords
Mitigation: MFA, rate limiting, secure session management, breach detection
A08 - Software and Data Integrity Failures
Risk: CI/CD without integrity verification, insecure deserialization
Examples: Unsigned updates, insecure deserialization (Java, .NET)
Mitigation: Code signing, integrity checks, secure serialization libraries
A09 - Security Logging and Monitoring Failures
Risk: Lack of visibility into attacks and breaches
Examples: Insufficient logs, no alerts, unprotected logs
Mitigation: Centralized logging, SIEM integration, real-time alerting
A10 - Server-Side Request Forgery (SSRF)
Risk: Server makes malicious requests to internal resources
Examples: Cloud metadata API access, internal port scanning
Mitigation: URL whitelisting, network segmentation, disable unnecessary protocols
AppSec Tools
SAST (Static Application Security Testing)
- SonarQube: Code quality and security vulnerabilities
- Checkmarx: Enterprise SAST platform
- Semgrep: Lightweight static analysis, customizable rules
- Bandit (Python), Brakeman (Ruby): Language-specific scanners
DAST (Dynamic Application Security Testing)
- OWASP ZAP: Open-source web app scanner
- Burp Suite: Manual + automated testing
- Acunetix, Netsparker: Enterprise DAST solutions
- Black-box testing in the runtime environment
IAST & RASP
- IAST: Code instrumentation for hybrid analysis
- RASP: Runtime Application Self-Protection - detection in production
- Contrast Security, Sqreen: IAST/RASP platforms
SCA (Software Composition Analysis)
- Snyk, WhiteSource, Mend: Dependency vulnerability scanning
- OWASP Dependency-Check: Open-source SCA
- Detects vulnerabilities in third-party libraries
Secure Coding Practices
- [OK] Input validation: whitelist over blacklist
- [OK] Output encoding: context-aware (HTML, JS, URL, CSS)
- [OK] Parameterized queries: always use prepared statements
- [OK] Least privilege: applications running with the minimum necessary
- [OK] Defense in depth: multiple layers of protection
- [OK] Fail securely: errors must not reveal sensitive information
- [OK] Security by design: consider security from the architecture onward
- [OK] Keep it simple: complexity increases risks
Web Application Firewall (WAF)
- ModSecurity: Open-source WAF engine
- Cloudflare WAF: Cloud-based protection
- AWS WAF, Azure WAF: Cloud-native options
- Imperva, F5: Enterprise WAF appliances
- Protection against OWASP Top 10, bot management, rate limiting
- Virtual patching for critical vulnerabilities
Integration into the SDLC
Shift-Left Security: Integrate security as early as possible in the cycle
- Design Phase: Threat modeling, secure architecture review
- Development: IDE plugins (Snyk Code, SonarLint), secure coding training
- CI/CD: SAST, SCA, container scanning, pre-commit hooks
- Testing: DAST, penetration testing, security regression tests
- Deployment: IAST, infrastructure scanning, compliance checks
- Production: RASP, WAF, monitoring, incident response
