Most applications ship to production with serious security vulnerabilities, such as SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and other OWASP Top 10 risks. Design flaws such as broken authentication are often overlooked as well. The content under the following three sections will help you upgrade your application security knowledge, including best practices for vulnerability assessment, application protection, and adding security automation to your SDLC.
Learn the various approaches used by organizations as they attempt to find and eliminate vulnerabilities in their software.
Learn how to detect, block, and mitigate attacks as they happen, protecting applications while they run.
Learn how to integrate security directly into development processes and build secure applications at speed.
Application Security Testing, also known as Vulnerability Assessment, is a broad category of software tools that find security vulnerabilities in applications: by analyzing source code (SAST), by probing the running application from the outside (DAST), or by instrumenting the application and observing it as it executes (IAST). This Knowledge Center section will cover established tools such as SAST code analyzers and DAST web scanners, as well as newer Vulnerability Assessment approaches such as IAST (Interactive Application Security Testing).
Application Protection is about stopping malicious attacks on production applications. In this collection of articles, we will review WAF (Web Application Firewall) technology, which is the mainstream application protection approach. This section will review the RASP (Runtime Application Self-Protection) approach as well: WAF technology is mature, but it sits outside the application and matches requests against signatures without knowing how the application will use the data, and the security industry is increasingly moving toward protection that runs inside the application.
As software development teams increasingly adopt DevOps methodologies to accelerate deployments and scale their pipelines, the classic security approach of a separate review gate at the end of the release cycle no longer works. In this section of the application security Knowledge Center, we will review those limitations and provide a blueprint for adding security to every phase of your DevOps pipeline, an approach known as DevSecOps.