Application Security (AppSec) and OWASP Top 10

What is Application Security?

Application Security (AppSec) encompasses all measures to make applications more secure against threats. It ranges from secure design, development with secure coding practices, security testing, all the way to deployment and continuous maintenance.

OWASP Top 10 (2021)

A01 - Broken Access Control

Risk: Users access unauthorized resources

Examples: IDOR, privilege escalation, forced browsing

Mitigation: Implement access control at every layer, deny by default

A02 - Cryptographic Failures

Risk: Exposure of sensitive data due to inadequate cryptography

Examples: Plain text passwords, weak algorithms, HTTP without TLS

Mitigation: TLS everywhere, bcrypt/Argon2 for passwords, AES-256 for data

A03 - Injection

Risk: SQL, NoSQL, OS command injection, LDAP, XPath

Examples: ' OR '1'='1, shell command injection

Mitigation: Prepared statements, ORMs, input validation, WAF

A04 - Insecure Design

Risk: Architectural and threat modeling flaws

Examples: Lack of rate limiting, no threat modeling

Mitigation: Secure by design, threat modeling, secure design patterns

A05 - Security Misconfiguration

Risk: Insecure or default configurations

Examples: Default credentials, exposed stack traces, CORS misconfiguration

Mitigation: Hardening guides, automated configuration scanning

A06 - Vulnerable and Outdated Components

Risk: Use of libraries with known vulnerabilities

Examples: Log4Shell (CVE-2021-44228), Struts2 RCE

Mitigation: Dependabot, Snyk, OWASP Dependency-Check, SCA tools

A07 - Identification and Authentication Failures

Risk: Authentication and session flaws

Examples: Credential stuffing, session fixation, weak passwords

Mitigation: MFA, rate limiting, secure session management, breach detection

A08 - Software and Data Integrity Failures

Risk: CI/CD without integrity verification, insecure deserialization

Examples: Unsigned updates, insecure deserialization (Java, .NET)

Mitigation: Code signing, integrity checks, secure serialization libraries

A09 - Security Logging and Monitoring Failures

Risk: Lack of visibility into attacks and breaches

Examples: Insufficient logs, no alerts, unprotected logs

Mitigation: Centralized logging, SIEM integration, real-time alerting

A10 - Server-Side Request Forgery (SSRF)

Risk: Server makes malicious requests to internal resources

Examples: Cloud metadata API access, internal port scanning

Mitigation: URL whitelisting, network segmentation, disable unnecessary protocols

AppSec Tools

SAST (Static Application Security Testing)

  • SonarQube: Code quality and security vulnerabilities
  • Checkmarx: Enterprise SAST platform
  • Semgrep: Lightweight static analysis, customizable rules
  • Bandit (Python), Brakeman (Ruby): Language-specific scanners

DAST (Dynamic Application Security Testing)

  • OWASP ZAP: Open-source web app scanner
  • Burp Suite: Manual + automated testing
  • Acunetix, Netsparker: Enterprise DAST solutions
  • Black-box testing in the runtime environment

IAST & RASP

  • IAST: Code instrumentation for hybrid analysis
  • RASP: Runtime Application Self-Protection - detection in production
  • Contrast Security, Sqreen: IAST/RASP platforms

SCA (Software Composition Analysis)

  • Snyk, WhiteSource, Mend: Dependency vulnerability scanning
  • OWASP Dependency-Check: Open-source SCA
  • Detects vulnerabilities in third-party libraries

Secure Coding Practices

  • [OK] Input validation: whitelist over blacklist
  • [OK] Output encoding: context-aware (HTML, JS, URL, CSS)
  • [OK] Parameterized queries: always use prepared statements
  • [OK] Least privilege: applications running with the minimum necessary
  • [OK] Defense in depth: multiple layers of protection
  • [OK] Fail securely: errors must not reveal sensitive information
  • [OK] Security by design: consider security from the architecture onward
  • [OK] Keep it simple: complexity increases risks

Web Application Firewall (WAF)

  • ModSecurity: Open-source WAF engine
  • Cloudflare WAF: Cloud-based protection
  • AWS WAF, Azure WAF: Cloud-native options
  • Imperva, F5: Enterprise WAF appliances
  • Protection against OWASP Top 10, bot management, rate limiting
  • Virtual patching for critical vulnerabilities

Integration into the SDLC

Shift-Left Security: Integrate security as early as possible in the cycle

  • Design Phase: Threat modeling, secure architecture review
  • Development: IDE plugins (Snyk Code, SonarLint), secure coding training
  • CI/CD: SAST, SCA, container scanning, pre-commit hooks
  • Testing: DAST, penetration testing, security regression tests
  • Deployment: IAST, infrastructure scanning, compliance checks
  • Production: RASP, WAF, monitoring, incident response