Competencies: Security > Application Security

Application Security

Body of Knowledge

Columns: Topic | Description | Relevance | Career Tracks

OWASP Top 10
  Description: Critical web application security risks. The 2017 list: injection, broken authentication, sensitive data exposure, XXE, broken access control, security misconfiguration, XSS, insecure deserialization, vulnerable components, insufficient logging and monitoring. The 2021 revision regroups these (XXE into security misconfiguration, XSS into injection, sensitive data exposure renamed cryptographic failures, insecure deserialization into software and data integrity failures) and adds insecure design and SSRF.
  Relevance: Critical
  Career Tracks: Application Security Engineer, Software Developer

Secure Coding Practices
  Description: Input validation, output encoding, parameterized queries, secure auth patterns, session management, error handling, least privilege.
  Relevance: Critical
  Career Tracks: Application Security Engineer, Software Developer, DevSecOps
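Two of the practices above in working code, as an added example that is not code from domus-api or any project on this page: a string-built SQL lookup beside the parameterized query that replaces it, and a path-traversal check that judges a requested path by where it actually resolves. The user table and the temporary file tree are constructed inside the script; only the standard library is used.

```python
"""Added example, not code from domus-api or any project on this page.
Shows two of the listed practices with the standard library only:
a parameterized query beside the string-built query it replaces, and a
path-traversal check that judges paths by where they resolve."""
import sqlite3
import tempfile
from pathlib import Path


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a three-row in-memory user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: `name` is spliced into the SQL text, so a
    # value such as  x' OR '1'='1  rewrites the WHERE clause.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized: the driver binds `name` as a value; it can never
    # change the statement's structure, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def resolve_under(base: Path, requested: str) -> Path:
    """Return the real path of `requested` inside `base`; raise ValueError
    if it lands outside (via ../, an absolute path, or a symlink)."""
    base_real = base.resolve()
    # Path("/srv/files") / "/etc/passwd" is "/etc/passwd": an absolute input
    # replaces the base, so containment is checked on the resolved result.
    candidate = (base_real / requested).resolve()
    if base_real not in candidate.parents:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def traversal_demo() -> dict:
    """Build a temporary directory with one file and report which
    constructed requests resolve_under() accepts (True) or rejects (False)."""
    base = Path(tempfile.mkdtemp())
    (base / "notes.txt").write_text("ok")
    requests = ["notes.txt", "../../etc/passwd", "/etc/passwd", "sub/../notes.txt"]
    results = {}
    for r in requests:
        try:
            resolve_under(base, r)
            results[r] = True
        except ValueError:
            results[r] = False
    return results


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # returns all three rows
    print("parameterized:", find_user_safe(db, payload))      # returns []
    print("traversal:", traversal_demo())
```

The traversal check compares resolved paths rather than inspecting the input for "..", so an absolute path, a symlink planted inside the base directory, or an encoded dot segment that a framework decodes before the check are all caught by the same comparison.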

SAST (Static Analysis)
  Description: Source code scanning, SonarQube, Semgrep, CodeQL, IDE integration, false positive management, CI/CD integration.
  Relevance: High
  Career Tracks: Application Security Engineer, DevSecOps, Developer

DAST (Dynamic Analysis)
  Description: Runtime testing, OWASP ZAP, Burp Suite, authenticated scanning, API scanning, crawling, CI/CD integration.
  Relevance: High
  Career Tracks: Application Security Engineer, Penetration Tester

SCA (Software Composition Analysis)
  Description: Dependency scanning, CVE identification, Snyk, Dependabot, SBOM generation, license compliance, remediation guidance.
  Relevance: High
  Career Tracks: DevSecOps, Application Security Engineer

Threat Modeling
  Description: STRIDE, PASTA, Attack Trees, data flow diagrams, trust boundaries, threat enumeration, risk prioritization.
  Relevance: High
  Career Tracks: Security Architect, Application Security Engineer

API Security
  Description: OWASP API Top 10, authentication (OAuth, API keys), rate limiting, input validation, OpenAPI security, GraphQL security.
  Relevance: High
  Career Tracks: Application Security Engineer, Backend Developer

Container Security
  Description: Image scanning, Trivy, base image selection, runtime security, secrets management, vulnerability remediation.
  Relevance: High
  Career Tracks: DevSecOps, Container Security Engineer

Secrets Management in Code
  Description: Hardcoded secrets detection, gitleaks, truffleHog, git-secrets, pre-commit hooks, secrets rotation.
  Relevance: Critical
  Career Tracks: DevSecOps, Application Security Engineer
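A minimal pre-commit style secrets scanner, as an added example that is not code from gitleaks, truffleHog, git-secrets or any project on this page. It combines pattern rules for documented credential formats (the AWS access key ID and GitHub token prefixes) with a Shannon-entropy rule for opaque tokens, runs over constructed file contents, and returns the exit status a hook would use. The entropy threshold and the generic password-assignment pattern are assumptions chosen for the example; real scanners ship far more rules.

```python
"""Added example, not code from gitleaks, truffleHog, git-secrets or any
project on this page. A minimal pre-commit style scanner: pattern rules for
well-known credential formats plus a Shannon-entropy rule for opaque tokens,
run over constructed file contents."""
import math
import re
from collections import Counter

# Pattern rules: (rule id, compiled regex). AWS key IDs and GitHub PATs have
# documented public formats; the private-key and assignment rules are generic.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("password-assignment",
     re.compile(r"(?i)\b(?:password|passwd|secret)\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumption chosen for this example


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list:
    """Return (path, line number, rule id, matched text) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_spans = []
        for rule_id, rx in PATTERN_RULES:
            for m in rx.finditer(line):
                findings.append((path, lineno, rule_id, m.group(0)))
                matched_spans.append(m.span())
        for m in TOKEN_RE.finditer(line):
            # Skip tokens already reported by a pattern rule.
            if any(a <= m.start() and m.end() <= b for a, b in matched_spans):
                continue
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high-entropy-token", m.group(0)))
    return findings


def precommit_gate(files: dict) -> int:
    """Exit status for a pre-commit hook: 1 if any staged file has a finding."""
    total = []
    for path, text in files.items():
        total.extend(scan_text(path, text))
    for f in total:
        print(f"{f[0]}:{f[1]}: {f[2]}: {f[3]}")
    return 1 if total else 0


# Constructed staged files. AKIAIOSFODNN7EXAMPLE is the placeholder key ID
# used in AWS documentation; the API token is a made-up 32-character string.
SAMPLE_FILES = {
    "config.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "API_TOKEN = 'Zq7xR2mN9bK4wP8vL3sT6yH1cJ5dF0gA'\n"
        "PLACEHOLDER = 'aaaaaaaaaaaaaaaaaaaaaaaa'\n"
    ),
    "deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n",
    "README.md": "Install with pip and run the internationalization tests.\n",
}

if __name__ == "__main__":
    raise SystemExit(precommit_gate(SAMPLE_FILES))
```

The entropy rule is what catches tokens with no recognizable prefix, and it is also the main source of false positives (hashes, minified assets, base64 fixtures), which is why real tools pair it with allowlists and per-path ignores; line 4 of the constructed file shows a long but low-entropy placeholder passing through.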

Security Headers
  Description: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, CORS (Access-Control-* headers), Referrer-Policy, cookie security attributes (Secure, HttpOnly, SameSite).
  Relevance: High
  Career Tracks: Application Security Engineer, Web Developer
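A baseline checker for the headers listed above, as an added example that is not code from any scanner or project on this page. It takes a response's header map (as a framework or HTTP client would hand it over) and reports each baseline it misses: HSTS below one year or without includeSubDomains, missing CSP or a script policy allowing 'unsafe-inline', missing nosniff, no framing protection, no Referrer-Policy, a wildcard CORS origin combined with credentials, and cookies lacking Secure, HttpOnly or SameSite. The weak and hardened header sets are constructed; the baseline values are common recommendations chosen for the example.

```python
"""Added example, not code from any scanner or project on this page.
Checks a response's headers against a baseline for CSP, HSTS,
X-Frame-Options, X-Content-Type-Options, CORS, Referrer-Policy and cookie
attributes. Baseline values are assumptions chosen here."""
import re

ONE_YEAR = 31536000  # HSTS max-age baseline, in seconds


def lower_keys(headers: dict) -> dict:
    # Header names are case-insensitive; Set-Cookie may appear several times,
    # so it is normalized to a list.
    out = {}
    for k, v in headers.items():
        key = k.lower()
        if key == "set-cookie":
            out.setdefault(key, []).extend(v if isinstance(v, list) else [v])
        else:
            out[key] = v
    return out


def check_headers(headers: dict) -> list:
    """Return (check id, message) for every baseline the response misses."""
    h = lower_keys(headers)
    findings = []

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append(("hsts-missing", "no Strict-Transport-Security header"))
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(("hsts-short", f"HSTS max-age {m.group(1)} is below one year"))
    elif "includesubdomains" not in hsts.lower():
        findings.append(("hsts-subdomains", "HSTS lacks includeSubDomains"))

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("csp-missing", "no Content-Security-Policy header"))
    else:
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        # script-src falls back to default-src when absent.
        script = directives.get("script-src") or directives.get("default-src", "")
        if "'unsafe-inline'" in script:
            findings.append(("csp-unsafe-inline", "script policy allows 'unsafe-inline'"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("nosniff-missing", "X-Content-Type-Options is not 'nosniff'"))

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append(("clickjacking", "neither X-Frame-Options nor CSP frame-ancestors set"))

    if "referrer-policy" not in h:
        findings.append(("referrer-policy-missing", "no Referrer-Policy header"))

    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append(("cors-wildcard-credentials", "wildcard origin combined with credentials"))

    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for needed in ("secure", "httponly", "samesite"):
            if needed not in attrs:
                findings.append((f"cookie-{needed}", f"cookie {name!r} lacks {needed}"))
    return findings


# Constructed header sets: a typical default response and a hardened one.
WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": "session=abc123; Path=/",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_headers(hdrs))
```

Browsers already refuse to expose a response that pairs a wildcard origin with credentials, so the CORS check is really a canary for the pattern behind it: a server that reflects the request's Origin header while allowing credentials, which the browser does accept.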

Authentication Security
  Description: Password storage (bcrypt, Argon2), session management, JWT security (algorithm pinning, signature and expiry verification), OAuth implementation, MFA integration.
  Relevance: Critical
  Career Tracks: Application Security Engineer, Backend Developer
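The JWT verification rules made explicit in code, as an added example that is not code from any library or project on this page. The HS256 issuer and verifier below are hand-written only so that each check is visible: the server pins the algorithm instead of reading it from the token (which is what makes a forged "alg": "none" token fail), compares the signature in constant time, and requires an unexpired exp claim. The key and payloads are constructed; in production use a maintained JWT library and still pass it a fixed algorithm list.

```python
"""Added example, not code from any library or project on this page.
A minimal HS256 JWT issuer and verifier, written to make the verification
rules explicit: pinned algorithm, constant-time signature comparison,
mandatory unexpired exp. Use a maintained library in production."""
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a token. alg="none" exists only to build the attacker's forgery
    for the demo; a real issuer never emits it."""
    signing_input = f"{json_segment({'alg': alg, 'typ': 'JWT'})}.{json_segment(payload)}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Return the payload of a valid token; raise InvalidToken otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:
        raise InvalidToken("bad encoding")
    # The algorithm is a server-side constant. Trusting header["alg"] is what
    # enables alg=none and HS256/RS256 key-confusion attacks.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"disallowed alg: {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # compare_digest also returns False for a missing (empty) signature.
    if not hmac.compare_digest(expected, sig):
        raise InvalidToken("bad signature")
    try:
        payload = json.loads(b64url_decode(p))
    except ValueError:
        raise InvalidToken("bad encoding")
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise InvalidToken("missing or expired exp")
    return payload


def verdict(token: str, key: bytes, now=None) -> str:
    """'ok' or the rejection reason, for callers that prefer a value to an exception."""
    try:
        verify_token(token, key, now)
        return "ok"
    except InvalidToken as e:
        return str(e)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key is random and 32+ bytes
    good = make_token({"sub": "alice", "exp": int(time.time()) + 3600}, key)
    forged = make_token({"sub": "admin", "exp": int(time.time()) + 3600}, key, alg="none")
    print("good:", verdict(good, key))
    print("forged alg=none:", verdict(forged, key))
    print("wrong key:", verdict(good, b"other-key"))
```

The order of the checks matters: the algorithm is validated before any cryptography runs, and the signature before the payload is parsed, so an unauthenticated token never reaches claim-handling code.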

Personal Status

Columns: Topic | Level | Evidence | Active Projects | Gaps

Secure Coding Practices
  Level: Intermediate
  Evidence: Input validation via Pydantic, no SQL injection surface (no database), path traversal prevention in domus-api; CISSP secure SDLC knowledge
  Active Projects: domus-api, CISSP Study Guide
  Gaps: No OWASP Top 10 systematic remediation, no threat modeling methodology

OWASP Top 10
  Level: Awareness
  Evidence: Conceptual understanding from CISSP study; aware of common vulnerability classes
  Active Projects: CISSP Study Guide
  Gaps: No systematic OWASP assessment or remediation experience

Threat Modeling
  Level: —
  Evidence: —
  Active Projects: —
  Gaps: No STRIDE/PASTA/Attack Tree methodology applied

Security Testing (SAST/DAST/IAST)
  Level: —
  Evidence: —
  Active Projects: —
  Gaps: No SAST/DAST tooling implementation