application-security
Application Security — VP Application Security
Role
VP Application Security owns the end-to-end security of all software applications: from secure design through development, testing, deployment, and runtime defense. This skill integrates security into every phase of the SDLC and coordinates the vulnerability management and penetration testing programs.
Phase 1 — Secure SDLC Integration
Security Gates by SDLC Phase:
Requirements → Threat modeling; security user stories; compliance requirements
Design → Architecture review; data flow diagram; trust boundary analysis
Development → IDE security plugins; pre-commit hooks; secrets detection
Build/CI → SAST (code); SCA (dependencies); IaC scan; container scan
Test → DAST (running app); API fuzzing; integration security tests
Staging → Pen test (quarterly+); DAST full scan; security regression suite
Production → WAF; RASP; runtime monitoring; patch management
Post-Release → Vulnerability triage; bug bounty; CVE monitoring; patch cadence
Threat Modeling (mandatory for all new features):
STRIDE methodology:
| Threat | Description | Mitigation |
|---|---|---|
| Spoofing | Identity impersonation | Authentication, MFA, certificate pinning |
| Tampering | Data modification | Integrity checks, digital signatures, HMAC |
| Repudiation | Deny actions | Audit logging, non-repudiation controls |
| Information Disclosure | Unauthorized data access | Encryption, least privilege, DLP |
| Denial of Service | Resource exhaustion | Rate limiting, WAF, DDoS protection |
| Elevation of Privilege | Unauthorized access escalation | RBAC, authorization checks, input validation |
Threat model minimum requirements:
- Data flow diagram with trust boundaries
- All external inputs identified and threat-cataloged
- Top 5 risks per feature with mitigations
- Security stories added to sprint backlog
Phase 2 — Toolchain Standards
SAST (Static Application Security Testing):
Languages → Tools:
Python: Bandit + Semgrep + SonarQube
Java: SpotBugs + Checkmarx + Semgrep
JavaScript: ESLint-security + Semgrep + SonarQube
Go: gosec + Semgrep
Ruby: Brakeman + Semgrep
C/C++: Coverity + Flawfinder + Semgrep
IaC: Checkov + tfsec + Snyk IaC
Thresholds (block merge on):
- Critical severity: 0 tolerance (block)
- High severity: 0 new findings (block)
- Medium: tracked, must close within sprint
- Low: backlog with 30-day SLA
SCA (Software Composition Analysis):
Tools: Snyk Open Source, OWASP Dependency-Check, GitHub Dependabot
Scope: All direct and transitive dependencies
Policy:
- Critical CVE in dependency → block merge, immediate remediation
- High CVE → remediate within 7 days or apply compensating control
- SBOM (Software Bill of Materials) generated for every release
- License compliance: GPL/AGPL flagged; legal review required
- No dependencies with EOL/unmaintained status in production
DAST (Dynamic Application Security Testing):
Tools: OWASP ZAP, Burp Suite Enterprise, Nuclei
Frequency:
- Every PR (baseline scan, fast mode): <10 min
- Nightly (full authenticated scan): complete coverage
- Pre-release (full + authenticated + API): mandatory gate
- Quarterly (manual + automated): coordinated with pen-tester
Container Security:
Image scanning: Trivy, Grype, Snyk Container
Policy:
- No base images with critical CVEs (scan at build + runtime)
- Minimal base images (distroless preferred)
- Non-root user in all containers
- Read-only filesystem where possible
- No privileged containers in production (exception requires CISO)
- Image signing: Cosign/Notary for supply chain integrity
- SBOM attached to every image
Phase 3 — OWASP Top 10 Controls
Mandatory controls for every application:
| OWASP Risk | Control |
|---|---|
| A01: Broken Access Control | RBAC/ABAC enforced; server-side authorization checks; directory traversal prevention |
| A02: Cryptographic Failures | TLS 1.2+ only; AES-256 at rest; no MD5/SHA1; secrets in vault |
| A03: Injection | Parameterized queries; ORM; input validation; output encoding; WAF |
| A04: Insecure Design | Threat modeling; security requirements; fail-safe defaults |
| A05: Security Misconfiguration | Hardened defaults; CSP headers; HSTS; error handling (no stack traces) |
| A06: Vulnerable Components | SCA in pipeline; dependency pinning; SBOM; license compliance |
| A07: Auth Failures | MFA; account lockout; brute-force protection; secure session mgmt |
| A08: Software Integrity Failures | Code signing; dependency pinning; CI/CD pipeline integrity |
| A09: Logging Failures | Centralized logging; security events logged; alerts on anomalies |
| A10: SSRF | URL allowlisting; network egress controls; metadata endpoint blocking |
Phase 4 — API Security
API security requirements (enforce on all APIs):
Authentication:
- OAuth 2.0 + OIDC for user-delegated access
- API keys for service-to-service (rotated, scoped, stored in vault)
- mTLS for internal service mesh
- No API keys in URLs, logs, or error messages
Authorization:
- Resource-level authorization checks (not just endpoint-level)
- RBAC/ABAC for API endpoints
- Scope-based access tokens (claim validation on every request)
- No "admin=true" patterns; always check permissions server-side
Input Validation:
- Schema validation on all inputs (OpenAPI spec enforced)
- Max payload size enforced (prevent DoS via large payloads)
- Content-type validation; reject unexpected types
- Rate limiting: per-user, per-IP, per-endpoint
API Inventory:
- All APIs documented in API gateway catalog
- Undocumented/shadow APIs identified via traffic analysis
- Deprecated APIs decommissioned within 90 days of replacement
- API versioning policy: support N-1 versions; communicate deprecation 180 days in advance
Phase 5 — Vulnerability Management
Vulnerability lifecycle:
Discovery → Triage → Prioritization → Remediation → Verification → Closure
Prioritization model (CVSS + asset criticality + exploitability):
| Severity | CVSS Range | Remediation SLA |
|---|---|---|
| Critical | 9.0–10.0 | 24 hours (production); 72h (staging) |
| High | 7.0–8.9 | 7 days |
| Medium | 4.0–6.9 | 30 days |
| Low | 0.1–3.9 | 90 days |
| Informational | N/A | Best effort |
EPSS (Exploit Prediction Scoring System) integration:
- CVSS High with EPSS >0.7 → treat as Critical (upgrade SLA)
- CISA KEV (Known Exploited Vulnerabilities) → emergency patch within 24h regardless of CVSS
Vulnerability tracking requirements:
- All findings tracked in centralized vulnerability management platform
- Owner assigned within 24h of triage
- Weekly vulnerability burn-down report to CISO
- No vulnerability exceeds SLA without documented risk acceptance (CISO sign-off)
Delegate pen test execution to penetration-tester.
Phase 6 — Penetration Testing Program
Pen test types and cadence:
| Type | Frequency | Scope | Provider |
|---|---|---|---|
| External network | Annual minimum | Internet-facing perimeter | Third-party |
| Web application | Annual + post major release | All production web apps | Third-party or internal |
| API security | Annual + post major release | All public/partner APIs | Third-party or internal |
| Internal network | Annual | Internal segments, AD | Third-party |
| Social engineering | Annual | Phishing, vishing, physical | Third-party |
| Cloud configuration | Semi-annual | Cloud environments | Third-party or CSPM |
| Red team | Bi-annual (mature orgs) | Full kill chain simulation | Specialized third-party |
Pen test rules of engagement (non-negotiable):
- Written scope document signed before testing begins
- Emergency contact chain: CISO + security-operations on standby
- No production data exfiltration (use canary tokens, synthetic data)
- Daily status check-in from tester
- All critical findings reported same-day (no waiting for final report)
- Final report within 10 business days of engagement close
- Retest within 30 days of remediation for critical/high findings
Phase 7 — Security Code Review
Code review security checklist:
Authentication & Authorization:
□ All endpoints have authorization checks
□ No hardcoded credentials or secrets
□ Session management follows security standards
□ Password storage uses bcrypt/Argon2 (no MD5/SHA1)
Input Handling:
□ All inputs validated against allowlist
□ SQL queries use parameterized statements/ORM
□ Output encoded for context (HTML, JS, URL, SQL)
□ File uploads: type validation, size limits, malware scan
Error Handling:
□ No stack traces or internal paths in error responses
□ Generic error messages to users; details logged internally
□ All exceptions caught and logged
Cryptography:
□ No custom cryptography implementations
□ Approved algorithms only (AES-256, RSA-2048+, ECDSA P-256+)
□ Secrets loaded from vault, not config files
Logging:
□ Security events logged (auth, access denied, data export)
□ No PII/secrets in logs
□ Structured logging format for SIEM ingestion
Non-Negotiable AppSec Rules
- Security is a merge gate — SAST critical findings block merge; no bypass without CISO sign-off
- No secrets in code — enforced via pre-commit hooks, SAST, and periodic repo scanning
- Every release has a security sign-off — checklist completed and signed by AppSec
- SBOM generated for every production release — supply chain visibility mandatory
- All critical vulnerabilities patched within SLA — no exceptions without risk acceptance
- Pen tests are mandatory — not optional; finding-free is the goal, not the reality
- Security training before code commit — developers must complete secure coding training annually
More from aviskaar/open-org
cfo-finance
Use this skill when a CFO, VP Finance, Controller, or Head of Finance needs to orchestrate the full financial operations of a company — from strategic financial planning and investor reporting to day-to-day control of accounts payable, accounts receivable, payroll, tax compliance, and revenue operations. This is the top-level financial orchestrator that commissions all finance sub-skills, maintains the single source of truth for all company numbers, drives budget allocation, manages cash flow, ensures regulatory compliance, and produces board-ready financial reports. Trigger this skill when anyone needs a comprehensive view of company finances, a board pack, a fundraising data room, or needs to coordinate across invoicing, payroll, commissions, procurement, taxes, and expenses simultaneously.
47payroll-compensation
Use this skill when a VP Payroll, Head of People Operations, or Payroll Manager needs to manage all employee and contractor compensation flows — including payroll runs, salary administration, statutory deductions, benefits administration, equity grants and vesting, variable pay bonuses, contractor invoice processing, and full payroll compliance across jurisdictions. This skill orchestrates the salary management sub-skill. Trigger when running payroll, onboarding employees with compensation packages, processing salary changes, calculating bonuses, managing equity schedules, processing contractor payments, handling payroll tax filings, or producing total compensation reports for People and Finance leadership.
25accounts-payable
Use this skill when a VP Accounts Payable, AP Manager, Controller, or Finance Operations Manager needs to manage all outgoing payment flows — including vendor invoice processing, purchase order generation and three-way matching, vendor onboarding and management, employee expense reimbursements, and payment scheduling. This skill orchestrates purchase order management and expense management sub-skills. Trigger when processing vendor bills, approving purchase orders, managing vendor master data, running payment batches, processing employee reimbursements, or producing AP aging and cash disbursement reports.
5tax-compliance
Use this skill when a VP Tax, Tax Manager, Controller, or Finance Director needs to manage all tax obligations of a company — including corporate income tax, GST/VAT/Sales Tax, payroll taxes, transfer pricing, R&D tax credits, and multi-jurisdictional tax compliance. Trigger when computing tax provisions, preparing tax filings, responding to tax authority notices, evaluating tax implications of business decisions (new geographies, M&A, restructuring), managing indirect taxes on invoices, or producing the tax compliance calendar with all deadlines for the CFO and board.
4invoice-management
Use this skill when an AR specialist, billing analyst, revenue operations manager, or finance team member needs to generate, dispatch, track, and collect on customer invoices. Covers the full invoice lifecycle: creation from contract/PO/delivery data, formatting and dispatch, payment tracking, AR aging management, collections follow-up, credit notes, and invoice reconciliation. Trigger when creating a new invoice, checking payment status, managing overdue accounts, issuing credit memos, or producing AR aging reports.
4account-intelligence
Use this skill when a product firm, consulting firm, system integrator, or federal contractor needs to research a target company or government agency and produce an executive-grade Account Intelligence Report as a formatted .docx file. Handles any industry vertical — Life Sciences, Financial Services, Healthcare, Manufacturing, Energy, Retail, Technology, Federal/Government, and more. Fully automates the pursuit research and document generation process. Includes AI Agentic Solutions vision, IP and Research Opportunity mapping, and high-definition charts and visual dashboards.
3