- Skills Directory
- Application Security
Application Security
Application security is the practice of protecting your applications from malicious attacks by detecting and fixing security weaknesses in your applications’ code. It includes all activities that introduce a secure software development process to the development teams.
This competency area includes the understanding of OWASP top – 10, Hands-on standard security tools, Attacker Mindset, Cloud Security, Technologies used in application development, Enumeration.
Key Competencies:
-
OWASP Top 10: Knowledge of OWASP Top 10 & threat modeling
-
SDLC: In-depth understanding of secure SDLC and secure SDLC models. Capturing security requirements of an application in development. Defining, maintaining, and enforcing application security best practices. Driving the development of a holistic application security program.
-
Secure coding: Following secure coding standards that are based on industry-accepted best practices such as OWASP Guide, or CERT Secure Coding to address common coding vulnerabilities. Creating a software source code review process that is a part of the development cycles (SDLC, Agile, CI/CD).
-
Tooling: Hands-on with tooling like using OS meant for security tasks (Kali Linux) and Application security scanning technologies such as AppScan, Fortify, WebInspect, static application security testing (SAST), dynamic application security testing (DAST), Interactive application security testing (IAST), single sign-on, and encryption
-
Attacker Mindset: Ability to think like an attacker & find vulnerabilities internally to counteract themselves
-
Cloud Security: A basic understanding of cloud infrastructure tools like Firebase, Azure & AWS. Security management best practices designed to prevent unauthorized access are required to keep data and applications in the cloud secure from current and emerging cybersecurity threats.
-
Enumeration: Hands-on with Enumeration. It is a part of security testing, as it defines the asset and is used to exploit the target. This includes directory enumeration, credentials enumeration, hunting for critical information, asset versions, and implemented technology in the infrastructure.