Manicode AppSec Top Ten
1) Lack of Security Testing
2) Insecure 3rd Party Libs
3) SSRF
4) SQL & Other Forms of Injection
5) Access Control Issues
6) XSS
7) AuthN Issues
8) Lack of AppSec Dev Champions
9) Lack of Secrets Management
10) Poorly configured HTTPS
@manicode I like that list and how it balances tooling with culture. I'd replace (10) with general misconfiguration to also include infrastructure misconfiguration like open S3 buckets, etc.
@manicode For me this is missing weak/missing inventory management... while this doesn't seem appsec on the surface it is a huge issue that affects appsec... XSS and "other forms of injection" are the same. You can't secure what you don't know you have.
@manicode Good list! I’d add “poor or no application maintenance” and (in the extreme) “forgetting that app was even there” to the list, both somewhere near the top. Too many dev teams treat each app as a one-time project instead of as a continuing obligation.
@manicode The list has stuff at different zoom levels. But I’ll just caution against over-reliance on #1 (many AppSec programs are just that):
@manicode To build on 1), even when there is testing, it’s a lack of support to actually fix the problems that are found.
@manicode Nice, Jim! Wrt 2, any advice on dealing with vulns in indirect dependencies? Feels like this problem is particularly painful in node land.
@manicode Extra credit: assign a weight to each that adds up to 100. Exercise left to the reader.