AppSec Expectations
Shift Left
Security testing must start early in the SDLC. SAST (static application security testing) must run on every pull request, and DAST (dynamic application security testing) must run against a staging environment before each release.
Dependency Management
All third-party libraries must be scanned for known vulnerabilities with software composition analysis (SCA). Critical and High severity findings must be remediated within 30 days of discovery.
Secure by Design
Threat modeling is mandatory for new features that touch PII, payments, or authentication. Security Architects must sign off on major architectural changes.
AppSec Guidance
OWASP Top 10 Prevention
- A01 Broken Access Control: Enforce least privilege. Verify permissions on every request, not just at login, and check that the caller is authorised for the specific object being requested, not merely for the endpoint.
- A03 Injection: Use parameterized queries (prepared statements) for all SQL, so that user input is always bound as data and never concatenated into the statement text. Avoid `eval()` and any other construct that interprets user-supplied strings as code.
- A07 Identification & Authentication Failures: Implement MFA, strong password policies, and rate limiting on login endpoints.
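The A01 and A03 rules above shown side by side, as an added Python example that is not part of this guidance page: the invoice lookup, its sqlite3 table and the function names are constructed for illustration and are not from any real service. The vulnerable function is kept deliberately broken so the two failures can be compared with the hardened version.

```python
import sqlite3


def make_db():
    """Constructed in-memory invoice table standing in for a real store (example data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 120), (2, "bob", 999), (3, "alice", 40)],
    )
    conn.commit()
    return conn


def get_invoice_vulnerable(conn, user, invoice_id):
    """Both findings at once (left broken on purpose for comparison).

    A03: invoice_id is spliced into the SQL text, so a value such as "1 OR 1=1"
    rewrites the WHERE clause instead of being compared as data.
    A01: `user` is never consulted; any logged-in caller can read any invoice by id.
    """
    query = f"SELECT id, owner, amount FROM invoices WHERE id = {invoice_id}"
    return conn.execute(query).fetchall()


def get_invoice(conn, user, invoice_id):
    """Hardened version of the same lookup.

    A03: `?` placeholders pass the values to the driver separately from the statement,
    so the input can never change the query's structure; the payload is compared as a
    plain string and matches nothing.
    A01: the row is bound to the calling user inside the query, so authorization is
    re-checked on this request rather than assumed from an earlier login. Missing and
    foreign rows both come back as None so ids cannot be enumerated from the response.
    """
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(get_invoice_vulnerable(db, "alice", "1 OR 1=1"))  # every row leaks
    print(get_invoice_vulnerable(db, "alice", 2))           # bob's invoice, no check
    print(get_invoice(db, "alice", "1 OR 1=1"))             # None: payload bound as data
    print(get_invoice(db, "alice", 2))                      # None: not alice's row
    print(get_invoice(db, "alice", 1))                      # (1, 'alice', 120)
```

In a real handler, server-side type validation of `invoice_id` (an integer, not a free-form string) belongs in front of this query as defence in depth; the parameterized query is what makes the lookup safe even when that check is missing.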
Golden Rules
Input Validation
Never trust client-side data; browser-side checks are a usability aid, not a control. Validate type, length, and format on the server, preferably against an allow-list of what the field is expected to contain.
Output Encoding
Context-aware encoding is crucial to prevent XSS: the encoder must match where the value lands (HTML text, attribute, URL, JavaScript). Use framework template engines (React, Vue, Jinja2) that auto-escape HTML output, and treat their escape hatches (dangerouslySetInnerHTML, v-html, Jinja2's |safe filter) as findings. Note that standalone Jinja2 does not autoescape unless the Environment is configured to; Flask enables it only for templates with .html-style extensions.
Secrets Management
Never commit API keys or credentials to Git, even in private repositories. Inject them at runtime from environment variables or a secrets manager (HashiCorp Vault, AWS Secrets Manager).
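The input-validation and output-encoding rules above, as an added Python example that is not part of this guidance page and uses only the standard library. The username rule, the payloads and the function names are assumptions made for illustration. It goes one step beyond the rule text to show the contexts a template engine's HTML autoescaping does not cover: URL parameters, inline JavaScript, and a user-supplied href, where encoding alone is not enough and the scheme has to be allow-listed.

```python
import html
import json
import re
from urllib.parse import quote, urlsplit

# Constructed attacker-controlled inputs (example data, not from the original page).
XSS_PAYLOAD = '"><script>alert(1)</script>'
JS_URL = "javascript:alert(1)"

# --- Input validation: allow-list type, length and format on the server ---
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def is_valid_username(value):
    """True only for a str of 3-32 characters drawn from [A-Za-z0-9_.-]."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


# --- Output encoding: pick the encoder for the context the value lands in ---
def render_html_text(value):
    """Element text and quoted attribute values: HTML entity encoding."""
    return f"<p>Hello, {html.escape(value, quote=True)}</p>"


def render_url_param(value):
    """Value inside a URL query string: percent-encode everything except unreserved chars."""
    return f'<a href="/search?q={quote(value, safe="")}">search</a>'


def render_js_literal(value):
    """Value inside an inline <script>: JSON-encode, then escape < and > so a literal
    '</script>' inside the data cannot close the script element early."""
    encoded = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var who = {encoded};</script>"


def safe_href(value):
    """Whole user-supplied URL in an href: encoding is not enough, because
    'javascript:alert(1)' contains nothing for html.escape to change.
    Allow-list the scheme first (absolute http/https only), then HTML-encode
    the value for the attribute context."""
    if urlsplit(value).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(is_valid_username("alice_01"), is_valid_username(XSS_PAYLOAD))
    print(render_html_text(XSS_PAYLOAD))
    print(render_url_param(XSS_PAYLOAD))
    print(render_js_literal(XSS_PAYLOAD))
    print(safe_href(JS_URL), safe_href("https://example.com/?a=1&b=2"))
```

The four render functions take the same string and produce four different encodings; using the HTML encoder in the URL or script context (or vice versa) is the classic way autoescaping templates still end up with XSS.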
Application Vulnerabilities
| Application | Finding Type | Severity | Time Open | Status |
|---|---|---|---|---|
| Billing-Service-API | Log4Shell (CVE-2021-44228) | CRITICAL | 2 Days | In Progress |
| Customer-Portal-UI | Cross-Site Scripting (Reflected) | HIGH | 15 Days | Assigned |
| Inventory-DB | Unencrypted Database Connection | MEDIUM | 45 Days | Risk Accepted |