Application Security
Securing applications throughout the software development lifecycle: from threat modeling and secure coding to SAST/DAST testing, WAFs, and runtime protection. Most breaches start with an application-layer weakness, which makes AppSec a foundation of modern cybersecurity.
Overview
Application Security (AppSec) encompasses the measures taken to improve the security of applications by finding, fixing, and preventing security vulnerabilities. It spans the entire SDLC, from requirements and design through coding, testing, deployment, and maintenance. Modern AppSec combines automated tools (SAST, DAST, SCA, IAST) with manual processes (code review, penetration testing, threat modeling) to create defense in depth for software systems; no single tool class covers the whole attack surface, so the value comes from layering them.
Key Concepts
Secure SDLC
Integrating security at every phase: requirements, design, implementation, testing, deployment, and operations. Shift-left security finds defects when they are cheapest to fix, before code ships rather than after an incident.
Threat Modeling
Systematic identification of threats against a system model (data flows, trust boundaries, assets) using methodologies such as STRIDE or PASTA, with a rating scheme such as DREAD to prioritize what was found. Produces actionable mitigations before code is written.
SAST (Static Analysis)
Analyzes source code, bytecode, or binaries without executing the application. Finds vulnerabilities like SQL injection, XSS, and buffer overflows early in development. Because it never runs the code, it has no runtime context and reports patterns that may be unreachable or already mitigated, so findings need triage and rule tuning to keep false positives manageable.
DAST (Dynamic Analysis)
Tests a running application by sending crafted requests and observing responses, the way an attacker would. Discovers runtime vulnerabilities, misconfigurations, and authentication flaws from the outside, but only in the parts of the application it can reach, so coverage depends on authentication, crawling and API definitions being set up correctly.
SCA (Software Composition Analysis)
Identifies vulnerabilities in open-source and third-party components by inventorying direct and transitive dependencies and mapping them to known CVEs and license risks. Only as accurate as the inventory it works from, which is why a current SBOM matters.
WAF (Web Application Firewall)
Layer 7 defense that filters, monitors, and blocks HTTP/S traffic to and from web applications using signatures and rules. Mitigates common attack patterns from the OWASP Top 10 such as injection and XSS, but it is a compensating control, not a fix: rule-based filtering can be bypassed with encoding and payload variations, and it does nothing for logic flaws such as broken access control or insecure design.
Secure SDLC Architecture
[Figure: Secure Software Development Lifecycle. Security is integrated at every phase, not bolted on at the end.]
OWASP Top 10 (2021)
| Rank | Category | Typical Impact | Description |
|---|---|---|---|
| A01 | Broken Access Control | Critical | Users can act outside their intended permissions (IDOR, privilege escalation, missing function-level checks) |
| A02 | Cryptographic Failures | Critical | Weak, misused, or missing cryptography for data at rest and in transit |
| A03 | Injection | Critical | SQL, NoSQL, OS command, and LDAP injection, plus XSS, via untrusted data reaching an interpreter |
| A04 | Insecure Design | High | Missing or ineffective security controls decided (or never considered) at design time |
| A05 | Security Misconfiguration | High | Default credentials and configs, open cloud storage, verbose error messages, unnecessary features enabled |
| A06 | Vulnerable and Outdated Components | High | Libraries, frameworks, and runtimes with known vulnerabilities or no longer maintained |
| A07 | Identification and Authentication Failures | High | Credential stuffing, weak passwords, broken session management |
| A08 | Software and Data Integrity Failures | Medium | Unverified CI/CD pipelines and plugins, unsigned updates, insecure deserialization |
| A09 | Security Logging and Monitoring Failures | Medium | Insufficient logging and alerting, so breaches go undetected |
| A10 | Server-Side Request Forgery (SSRF) | Medium | The server fetches an attacker-supplied URL without validating the destination, reaching internal services or cloud metadata endpoints |
OWASP orders the list by how often each category appears in contributed testing data and a community survey, not by severity; the impact column is this page's own rating, and actual severity depends on the application.
Remediation & Best Practices
Input Validation & Output Encoding
Validate all inputs server-side, preferring allow-lists (expected type, length, format) over block-lists of bad characters. Use parameterized queries so untrusted data is bound as a value and never becomes part of the query text, and apply context-aware output encoding: HTML body, HTML attribute, JavaScript, and URL contexts each need their own encoder, and a single generic escape function does not cover them all.
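The following is an added example, not code from the page: a lookup that concatenates input into SQL next to its parameterized counterpart, run against a constructed in-memory SQLite table, plus a renderer that applies a different encoder to the HTML body context and the URL query-string context. The table contents, the user names, and the `render_greeting` function are all assumptions made for the demo.

```python
"""Injection vs parameterized queries, and context-aware output encoding.
Added example: the users table and its rows are constructed for the demo."""
import html
import sqlite3
from urllib.parse import quote


def make_db() -> sqlite3.Connection:
    # Constructed sample data: three users in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    # VULNERABLE: untrusted input becomes part of the SQL text, so a quote in the
    # input changes the statement's structure instead of being treated as data.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str):
    # SAFE: the statement text is fixed; the value is bound by the driver and can
    # never be interpreted as SQL syntax, whatever characters it contains.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting(username: str) -> str:
    # Context-aware output encoding (hypothetical helper for the demo):
    # the HTML body context gets entity encoding; the URL query-string context gets
    # percent-encoding with no characters left unescaped. Neither encoder is safe
    # for the other context.
    body = html.escape(username, quote=True)
    url_param = quote(username, safe="")
    return f'<p>Hello, {body}</p><a href="/profile?user={url_param}">profile</a>'
```

Run `find_user_vulnerable` with the classic `' OR '1'='1` input and every row comes back; the parameterized version returns nothing because it searched for a user literally named `' OR '1'='1`.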
Strong Authentication & Session Management
Implement MFA, random high-entropy session tokens generated server-side, and password hashing with a memory-hard or deliberately slow algorithm (argon2id preferred, bcrypt acceptable) using a per-user salt. Rate-limit authentication attempts and apply temporary account lockout with care, since a permanent lockout lets an attacker deny service to legitimate users by guessing their passwords.
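An added example of these controls working together, not code from the page: salted password hashing with a constant-time verify, opaque session tokens from the OS CSPRNG, and a time-limited lockout after repeated failures. It uses `hashlib.scrypt` from the standard library in place of bcrypt/argon2 so it runs with no extra packages (in production use argon2id via a maintained library); the `AuthService` class, the thresholds, and the injectable clock are assumptions made for the demo.

```python
"""Password storage, session tokens and lockout. Added example, not from the page.
scrypt stands in for bcrypt/argon2 so the demo runs with the standard library only."""
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5          # assumed: lock after 5 consecutive failed logins
LOCKOUT_SECONDS = 900     # assumed: lockout lasts 15 minutes
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed cost parameters (about 16 MiB)


def hash_password(password: str) -> str:
    """Salted scrypt hash; parameters are stored with the hash so they can be raised later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Compared against when the username is unknown, so a missing user costs the same time.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


class AuthService:
    """Hypothetical in-memory auth service for the demo."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the demo can advance time
        self._users = {}         # username -> stored password hash
        self._failures = {}      # username -> (consecutive failures, time of last failure)
        self._sessions = {}      # session token -> username

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        count, last = self._failures.get(username, (0, 0.0))
        return count >= MAX_FAILURES and self._now() - last < LOCKOUT_SECONDS

    def login(self, username: str, password: str):
        """Return an opaque session token on success, None on failure or lockout."""
        if self.is_locked(username):
            return None
        stored = self._users.get(username, _DUMMY_HASH)
        ok = verify_password(password, stored) and username in self._users
        if not ok:
            count, last = self._failures.get(username, (0, 0.0))
            if self._now() - last >= LOCKOUT_SECONDS:
                count = 0        # an expired lockout starts a fresh count
            self._failures[username] = (count + 1, self._now())
            return None
        self._failures.pop(username, None)
        # 256 bits from the OS CSPRNG; never derive session tokens from user data or time.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def session_user(self, token: str):
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```

The lockout is temporary and per-account; pairing it with per-IP rate limiting covers the case where an attacker spreads guesses across many accounts.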
Dependency Management
Use SCA tools to scan direct and transitive dependencies in CI. Maintain an SBOM, update regularly, pin versions with a lockfile so builds are reproducible, and monitor for new CVEs against the components you actually ship rather than only at build time.
Security Headers & CSP
Set Content-Security-Policy (ideally without 'unsafe-inline' for scripts), Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff, Referrer-Policy, and X-Frame-Options (superseded by the CSP frame-ancestors directive, but still worth setting for older browsers).
Interview Preparation
What is the difference between SAST and DAST?
SAST (Static Application Security Testing) analyzes source code without executing it; it is white-box testing done early in the SDLC. DAST (Dynamic Application Security Testing) tests the running application from the outside; it is black-box testing done later, against a deployed build. SAST finds issues like SQL injection patterns in code but cannot tell whether they are reachable; DAST finds runtime issues like authentication bypasses but only in what it can reach. Ideally, both are used together (shift-left + shift-right).
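To make the SAST side of that answer concrete, here is an added example (not from the page) of the simplest possible static check: walk a Python file's AST and flag calls to DB-API `execute`-style methods whose first argument is built from an f-string, concatenation, `%` formatting or `.format()`. The sink names, the sample source and the finding format are assumptions for the demo. It also shows the classic SAST limitation: the final `cur.execute(query)` in the sample is just as injectable, but a syntactic rule without data-flow tracking misses it.

```python
"""A toy pattern-based SAST rule for SQL injection. Added example, not from the page."""
import ast

# Assumed sink names: the DB-API methods that hand a string to the SQL interpreter.
SINK_NAMES = {"execute", "executemany", "executescript"}


def _taint_reason(node: ast.AST):
    """Why the first argument looks like dynamically built SQL, or None if it does not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format()"
    return None


def scan_source(source: str):
    """Return sorted (line, sink, reason) findings for SQL built inline at a sink call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINK_NAMES or not node.args:
            continue
        reason = _taint_reason(node.args[0])
        if reason:
            findings.append((node.lineno, node.func.attr, reason))
    return sorted(findings)


# Constructed sample source to scan; line 7 is a false negative for this rule because
# the tainted string reaches the sink through a variable, which needs data-flow analysis.
SAMPLE = '''\
def lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cur.execute(query)
'''

if __name__ == "__main__":
    for line, sink, reason in scan_source(SAMPLE):
        print(f"line {line}: {sink}() called with SQL built via {reason}")
```

Real SAST engines add exactly what this rule lacks: taint tracking from sources (request parameters) through assignments and calls to sinks, which is what turns "this string was formatted" into "attacker-controlled data reaches SQL".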
How would you implement a Secure SDLC in an organization?
Start with threat modeling during design, integrate SAST and SCA into CI/CD pipelines so every change is scanned, conduct peer code reviews with security checklists, run DAST scans in staging, use WAF/RASP in production as compensating controls, and establish an incident response process. Train developers on secure coding (OWASP Top 10) and give them a security champion to escalate to. Measure with metrics: vulnerability density, mean time to remediate, and the share of code and services covered by each control.
Explain the OWASP Top 10 A01:2021 - Broken Access Control
Broken Access Control occurs when users can act outside their intended permissions. Examples include IDOR (accessing /api/user/123 when you're user 456), vertical privilege escalation, CORS misconfigurations that let arbitrary origins read authenticated responses, and missing function-level access control (admin actions reachable by any logged-in user). Mitigations: deny by default, enforce access control server-side in one central place rather than in each handler, implement RBAC/ABAC, use indirect object references so internal ids are not exposed, rate-limit API access, and log access control failures so attempts are detectable.
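An added example (not from the page) of the /api/user/123 case: a handler that authenticates but never authorizes, next to one that routes every decision through a deny-by-default policy, logs denials, and checks authorization before the database lookup so a denied caller cannot enumerate which ids exist. The `Principal` type, the in-memory `USERS` store, the `authorize` policy and the `IndirectRefs` helper are all assumptions made for the demo.

```python
"""IDOR and missing function-level checks: vulnerable handler beside a deny-by-default one.
Added example, not from the page; users, roles and the store are constructed."""
import logging
import secrets
from dataclasses import dataclass

log = logging.getLogger("authz")


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by the session layer."""
    user_id: int
    roles: frozenset


# Constructed sample data: the records behind /api/user/<id>.
USERS = {
    123: {"id": 123, "email": "user123@example.com"},
    456: {"id": 456, "email": "user456@example.com"},
}


def get_user_vulnerable(principal: Principal, target_id: int):
    """Requires a logged-in caller but never asks whether that caller may read
    target_id: user 456 reads /api/user/123 just by changing the number (IDOR)."""
    record = USERS.get(target_id)
    return (200, record) if record else (404, None)


def authorize(principal: Principal, action: str, owner_id: int) -> bool:
    """Central policy. Admins may do anything; a user may read or update their own record.
    Everything not explicitly allowed falls through to the final deny."""
    if "admin" in principal.roles:
        return True
    if action in ("read", "update") and principal.user_id == owner_id:
        return True
    return False


def get_user_secure(principal: Principal, target_id: int):
    # Decide on the requested id before touching the store, so an unauthorized caller
    # gets 403 whether or not the record exists (no enumeration through 403 vs 404).
    if not authorize(principal, "read", target_id):
        log.warning("access denied user=%s action=read target=%s", principal.user_id, target_id)
        return 403, None
    record = USERS.get(target_id)
    return (200, record) if record else (404, None)


def delete_user_secure(principal: Principal, target_id: int):
    # Function-level control: delete is not in the owner's allowed actions, so only
    # an admin gets past the policy even for their own record.
    if not authorize(principal, "delete", target_id):
        log.warning("access denied user=%s action=delete target=%s", principal.user_id, target_id)
        return 403, None
    USERS.pop(target_id, None)
    return 204, None


class IndirectRefs:
    """Per-session map from opaque handles to internal ids, so URLs carry a random
    handle the caller was issued rather than a guessable primary key."""

    def __init__(self):
        self._handles = {}

    def handle_for(self, real_id: int) -> str:
        handle = secrets.token_urlsafe(8)
        self._handles[handle] = real_id
        return handle

    def resolve(self, handle: str):
        return self._handles.get(handle)  # None for a handle this session never issued
```

Indirect references reduce exposure but do not replace the policy check: the handler must still call `authorize` on the resolved id, because handles can leak or be shared.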
Framework Mapping
| Framework | Relevant Controls / Sections |
|---|---|
| OWASP | Top 10, ASVS, SAMM, Testing Guide, Secure Coding Practices |
| NIST | SP 800-53 SA-11 (Developer Testing), SI-10 (Input Validation), SA-15 (Dev Process) |
| MITRE ATT&CK | T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1203 (Exploitation for Client Execution) |
| ISO | 27001:2013 Annex A.14.2 (Security in Development and Support Processes), A.14.1 (Security Requirements of Information Systems), A.12.6 (Technical Vulnerability Management); renumbered in 27001:2022 under 8.8 and 8.25 to 8.29 |