# Application Security

![Application Security](/files/ptKl0N0YUoWW2T8EDQv7)

## Application Security

> **Section focus:** Application Security.\
> **Best use:** start with the section map below, then move into the deeper pages that match your role or stack.\
> **Design note:** this index was refreshed to act as a cleaner GitBook landing page instead of a plain directory listing.

### Start with these pages

| Page                                                                                                                                                                                                                                       | Why open it first                                                                                             |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------- |
| [SAST Noise Reduction](/application-security-and-secure-sdlc/index-1/sast-noise-reduction.md)                                                                                                                                              | High-value page inside **Application Security**.                                                              |
| [🥋 DefectDojo and ASPM Platforms](/application-security-and-secure-sdlc/index-1/defectdojo-and-aspm-platforms.md)                                                                                                                         | High-value page inside **Application Security**.                                                              |
| [🧭 ASOC and ASPM Orchestration Platforms](/application-security-and-secure-sdlc/index-1/asoc-and-aspm-orchestration-platforms.md)                                                                                                         | High-value page inside **Application Security**.                                                              |
| [🔐 Repository Secret Scanning](/application-security-and-secure-sdlc/index-1/repository-secret-scanning.md)                                                                                                                               | High-value page inside **Application Security**.                                                              |
| [🔎 TruffleHog and Gitleaks Deep Dive](/application-security-and-secure-sdlc/index-1/trufflehog-and-gitleaks.md)                                                                                                                           | High-value page inside **Application Security**.                                                              |
| [GitHub and GitLab Native Secret Scanning Comparison](/application-security-and-secure-sdlc/index-1/github-and-gitlab-native-secret-scanning-comparison.md)                                                                                | High-value page inside **Application Security**.                                                              |
| [📱 Mobile Application Security Testing](/application-security-and-secure-sdlc/index-1/mobile-application-security-testing.md)                                                                                                             | High-value page inside **Application Security**.                                                              |
| [🧱 Secure by Design for AppSec and SDLC](/application-security-and-secure-sdlc/index-1/secure-by-design-for-appsec-and-sdlc.md)                                                                                                           | High-value page inside **Application Security**.                                                              |
| [🏗️ Web Application Security Architecture — Practical Intro](/application-security-and-secure-sdlc/index-1/web-application-security-architecture-intro-and-reference-model.md)                                                            | Architecture-first onboarding page for reviewers who need the component map before the bug list.              |
| [🧠 Business Logic Vulnerabilities and Verification](/application-security-and-secure-sdlc/index-1/business-logic-vulnerabilities-and-verification.md)                                                                                     | Explains application-level workflow flaws, how to verify them, and how to connect them to real product abuse. |
| [🔊 SonarQube Modern Practical Guide — Quality Gates, Security Hotspots, PR Analysis, and Review Workflows](/application-security-and-secure-sdlc/index-1/sonarqube-modern-practical-guide-quality-gates-hotspots-and-review-workflows.md) | Modernizes the 2014 SonarQube mental model into a 2026 AppSec operating guide.                                |
| [🧭 Burp Suite vs OWASP ZAP — Practical Positioning](/application-security-and-secure-sdlc/index-1/burp-suite-vs-owasp-zap-practical-positioning.md)                                                                                       | Helps teams choose between analyst-first Burp workflows and automation-first ZAP workflows.                   |
| [🧪 Mobile Report Analysis and Finding Walkthrough](/application-security-and-secure-sdlc/index-1/mobile-report-analysis-and-finding-walkthrough.md)                                                                                       | High-value page inside **Application Security**.                                                              |

### Related sections

* [Threat Modeling](/application-security-and-secure-sdlc/index.md)
* [API Security](/architecture-api-crypto-and-identity/index.md)

***

> **Intro:** This section stays close to product-facing security work: scanner signal quality, findings management, secret scanning, mobile security testing, and the orchestration layer that helps teams make release decisions without drowning in tool output.
>
> **What this page includes**
>
> * vulnerability orchestration and posture tooling
> * modern SonarQube positioning for SAST, hotspots, and review workflows
> * practical Burp versus ZAP decision guidance
> * architecture-first onboarding for modern web applications
> * scanner signal quality and secret detection
> * mobile application security testing
> * cross-links into CI/CD quality gates and newer architecture, abuse, and secure-engineering sections

### 🧪 Core pages in this section

* [SAST Noise Reduction](/application-security-and-secure-sdlc/index-1/sast-noise-reduction.md)
* [🥋 DefectDojo and ASPM Platforms](/application-security-and-secure-sdlc/index-1/defectdojo-and-aspm-platforms.md)
* [🧭 ASOC and ASPM Orchestration Platforms](/application-security-and-secure-sdlc/index-1/asoc-and-aspm-orchestration-platforms.md)
* [🔐 Repository Secret Scanning](/application-security-and-secure-sdlc/index-1/repository-secret-scanning.md)
* [🔎 TruffleHog and Gitleaks Deep Dive](/application-security-and-secure-sdlc/index-1/trufflehog-and-gitleaks.md)
* [GitHub and GitLab Native Secret Scanning Comparison](/application-security-and-secure-sdlc/index-1/github-and-gitlab-native-secret-scanning-comparison.md)
* [📱 Mobile Application Security Testing](/application-security-and-secure-sdlc/index-1/mobile-application-security-testing.md)
* [🧪 Mobile Report Analysis and Finding Walkthrough](/application-security-and-secure-sdlc/index-1/mobile-report-analysis-and-finding-walkthrough.md)
* [🧠 Catch It Before Commit: IDE Security Linters and Pre-Commit SAST](/application-security-and-secure-sdlc/index-1/ide-security-linters-and-pre-commit-sast.md)
* [🌐 Web Application Security Testing and Gate Patterns](/application-security-and-secure-sdlc/index-1/webapp-security-testing-and-gate-patterns.md)
* [🏗️ Web Application Security Architecture — Practical Intro](/application-security-and-secure-sdlc/index-1/web-application-security-architecture-intro-and-reference-model.md)
* [🧠 Business Logic Vulnerabilities and Verification](/application-security-and-secure-sdlc/index-1/business-logic-vulnerabilities-and-verification.md)
* [🌐 Web Application Security Review and Architecture Playbook](/application-security-and-secure-sdlc/index-1/web-application-security-review-and-architecture-playbook.md)
* [🌐 SSRF, File Fetch, and Parser Abuse Review Guide](/application-security-and-secure-sdlc/index-1/ssrf-file-fetch-and-parser-abuse.md)
* [🧱 Secure by Design for AppSec and SDLC](/application-security-and-secure-sdlc/index-1/secure-by-design-for-appsec-and-sdlc.md)
* [🔊 SonarQube Modern Practical Guide — Quality Gates, Security Hotspots, PR Analysis, and Review Workflows](/application-security-and-secure-sdlc/index-1/sonarqube-modern-practical-guide-quality-gates-hotspots-and-review-workflows.md)
* [🧭 Burp Suite vs OWASP ZAP — Practical Positioning](/application-security-and-secure-sdlc/index-1/burp-suite-vs-owasp-zap-practical-positioning.md)
* [🔎 Semgrep / CodeQL / SonarQube Positioning](/application-security-and-secure-sdlc/index-1/semgrep-codeql-sonarqube-positioning.md)

### Cross-links

* [🚦 Secret Scanning in Quality Gates](/devsecops-cicd-and-supply-chain/index-1/secret-scanning-quality-gates.md)
* [📱 Mobile Testing Quality Gates and DefectDojo Integration](/devsecops-cicd-and-supply-chain/index-1/mobile-testing-quality-gates-and-defectdojo.md)
* [API Security](/architecture-api-crypto-and-identity/index.md)
* [🎭 Business Logic Abuse and Product Abuse](/application-security-and-secure-sdlc/index-3.md)
* [🧰 Stack-Specific Secure Engineering](/application-security-and-secure-sdlc/index-4.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
