- The most commonly occurring classes of vulns are lack of security headers, XSS and SSRF.
- Write a blog post outlining the new best practices for security headers.
- I should focus on the Network+ cert next.
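Since missing or weak security headers top the list above, here is a small audit helper for that class. This is an added example, not something from the original notes: the set of headers it checks and the thresholds it applies (one-year HSTS `max-age`, a CSP with `default-src` and no `'unsafe-inline'` in `script-src`, etc.) are my own baseline, and the two response header sets are constructed for illustration.

```python
"""Audit an HTTP response's security headers.

Added example, not part of the original notes. The header list and the
"good value" rules are an assumed baseline; WEAK_RESPONSE and
HARDENED_RESPONSE are constructed sample inputs.
"""
from typing import Callable, Dict, List


def _hsts_ok(value: str) -> bool:
    # Require max-age of at least one year (31536000 s) and includeSubDomains.
    parts = [p.strip().lower() for p in value.split(";")]
    max_age = 0
    for part in parts:
        if part.startswith("max-age="):
            try:
                max_age = int(part.split("=", 1)[1])
            except ValueError:
                return False
    return max_age >= 31536000 and "includesubdomains" in parts


def _csp_ok(value: str) -> bool:
    # Require a default-src directive; reject 'unsafe-inline' in the
    # effective script-src (script-src falls back to default-src).
    directives: Dict[str, str] = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition(" ")
        directives[name.lower()] = val.lower()
    if "default-src" not in directives:
        return False
    script_src = directives.get("script-src", directives["default-src"])
    return "'unsafe-inline'" not in script_src


# Header name (lower-cased) -> predicate that says whether its value is acceptable.
CHECKS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower()
    in ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: bool(v.strip()),
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, check in CHECKS.items():
        if name not in lowered:
            findings.append(f"missing: {name}")
        elif not check(lowered[name]):
            findings.append(f"weak: {name}: {lowered[name]!r}")
    return findings


# Constructed sample: a response with a short HSTS lifetime, a CSP that allows
# inline scripts, an obsolete X-Frame-Options value, and several headers absent.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}

# Constructed sample: the same response with the baseline headers in place.
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
    "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(hdrs) or "OK")
```

Feeding the weak sample through `audit_headers` yields six findings (two missing-header and four weak-value entries); the hardened sample yields none. Header matching is case-insensitive because HTTP header names are, and the HSTS parser tolerates the `preload` token and arbitrary whitespace around `;`.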
- An application security program is composed of:
  - Asset inventory.
  - Education and awareness.
  - Penetration testing and vulnerability assessments.
  - DAST (dynamic application security testing).
  - SAST (static application security testing) & SCA (software composition analysis, i.e. known vulns in third-party libraries).
  - WAF & RASP (web application firewall, runtime application self-protection).
  - IAST (interactive application security testing).
  - Threat modeling.
  - Centralized vulnerability management (?)
  - Low-level fuzzing.
  - Appsec pipeline.
  - Continuous / real-time testing.