Application Security Pipeline
In Development. Application Security
An end-to-end Application Security workflow built around a sample web app. Covers threat modeling, automated security scanning (SAST, DAST, SCA) integrated into CI/CD, hands-on vulnerability remediation, and a documented secure code review process that developers can actually follow.
What This Project Is About
AppSec Engineers work directly with developers to make sure the code they ship is secure. This isn't about running a scanner and handing over a report. It's about understanding the application, identifying what could go wrong, and helping the team fix it before it reaches production.
The project starts with threat modeling a sample web application. Threat modeling is a structured way of asking "what could an attacker do to this app?", mapping out the data flows, identifying trust boundaries, and listing potential threats using a framework like STRIDE. This is one of the most valuable skills in AppSec because it requires understanding the application's architecture, not just its code.
Next comes the automated security pipeline built with GitHub Actions. Semgrep handles SAST (Static Application Security Testing), scanning the source code for patterns that indicate vulnerabilities like SQL injection, XSS, or insecure deserialization. Trivy runs SCA (Software Composition Analysis), checking every dependency for known CVEs. OWASP ZAP performs DAST (Dynamic Application Security Testing), attacking the running application from the outside to find issues that only appear at runtime.
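The scanners only produce findings; the pipeline still needs a step that decides whether a given finding should fail the build. The script below is an added example (not code from this project) of such a gate for Semgrep's `--json` output: it reads the `results` list, suppresses findings in paths that never ship, honours a hypothetical ledger of accepted risks, and blocks only on ERROR-severity findings in production code. The sample findings, the path prefixes, the `ACCEPTED_RISKS` entries and the rule ids are constructed for illustration.

```python
"""CI triage gate over Semgrep JSON output (added example, not the project's code).

Assumes the JSON Semgrep writes with `--json`: only `results[].check_id`,
`path`, `start.line`, `extra.severity` and `extra.message` are read.
The policy (suppress/accept/block/report) is a hypothetical one.
"""
import json
import sys

# Constructed sample of Semgrep --json output; not output of a real scan.
SAMPLE_SEMGREP_JSON = json.dumps({
    "results": [
        {   # a real problem in production code
            "check_id": "python.lang.security.audit.formatted-sql-query",
            "path": "app/db.py",
            "start": {"line": 42, "col": 5},
            "extra": {"severity": "ERROR",
                      "message": "Detected possible formatted SQL query."},
        },
        {   # same rule, but in a test fixture that is never deployed
            "check_id": "python.lang.security.audit.formatted-sql-query",
            "path": "tests/fixtures/seed.py",
            "start": {"line": 7, "col": 1},
            "extra": {"severity": "ERROR",
                      "message": "Detected possible formatted SQL query."},
        },
        {   # lower severity, previously reviewed and accepted with a reason
            "check_id": "python.flask.security.audit.debug-enabled",
            "path": "app/main.py",
            "start": {"line": 3, "col": 1},
            "extra": {"severity": "WARNING",
                      "message": "Flask app.run(debug=True) detected."},
        },
    ]
})

# Paths whose contents are not shipped; findings there are noise for the gate.
NON_PRODUCTION_PREFIXES = ("tests/", "docs/", "scripts/")

# Hypothetical triage ledger: (rule id, path) -> why a human accepted the risk.
ACCEPTED_RISKS = {
    ("python.flask.security.audit.debug-enabled", "app/main.py"):
        "debug flag is forced off by the production config; tracked in TICKET-PLACEHOLDER",
}


def triage(semgrep_json: str) -> list:
    """Attach a verdict and reason to every Semgrep finding."""
    findings = json.loads(semgrep_json).get("results", [])
    decisions = []
    for f in findings:
        path = f["path"]
        severity = f["extra"]["severity"]
        key = (f["check_id"], path)
        if path.startswith(NON_PRODUCTION_PREFIXES):
            verdict, reason = "suppressed", "not shipped to production"
        elif key in ACCEPTED_RISKS:
            verdict, reason = "accepted", ACCEPTED_RISKS[key]
        elif severity == "ERROR":
            verdict, reason = "block", "high-confidence finding in production code"
        else:
            verdict, reason = "report", "lower severity; fix through the normal backlog"
        decisions.append({
            "check_id": f["check_id"],
            "location": f"{path}:{f['start']['line']}",
            "severity": severity,
            "verdict": verdict,
            "reason": reason,
            "message": f["extra"]["message"],
        })
    return decisions


def gate(decisions: list) -> int:
    """Exit code for the CI step: 1 blocks the merge, 0 lets it through."""
    return 1 if any(d["verdict"] == "block" for d in decisions) else 0


if __name__ == "__main__":
    # In CI this would read the real report, e.g. `semgrep scan --json -o semgrep.json`.
    decisions = triage(SAMPLE_SEMGREP_JSON)
    for d in decisions:
        print(f"{d['verdict']:<10} {d['severity']:<8} {d['location']}  {d['reason']}")
    sys.exit(gate(decisions))
```

Keeping the accepted-risk list in version control means every "accepted" verdict carries a reason and an owner that the next reviewer can see, instead of a silent scanner suppression.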
The most important part is what happens after the scanners find something. Each finding is triaged: is it a real vulnerability or a false positive? What's the actual risk? Then the vulnerability is fixed in the code, with a clear explanation of why the original code was insecure and why the fix works. This demonstrates the human judgment that makes AppSec hard to automate.
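As an added example of that remediation step (not code from this project's sample app), here is a SQL injection fix of the kind a formatted-query SAST finding leads to: the original function splices user input into the SQL text, the fixed one binds it as a parameter, and a small regression check records, for the pull request, how each version behaves on the same inputs. The table, rows and inputs are constructed.

```python
"""Before/after for a SQL injection finding (added example, not the project's code).

Uses an in-memory SQLite database with a constructed `users` table.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_insecure(conn: sqlite3.Connection, username: str) -> list:
    # BEFORE: the value is interpolated into the SQL string, so the database
    # cannot tell where the query ends and the data begins. Any quote in the
    # input changes the query's structure instead of being compared as text.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> list:
    # AFTER: the SQL text is constant and the value travels as a bound
    # parameter. Quotes or keywords in the input are just characters that the
    # database compares against the username column.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def regression_check() -> dict:
    """Evidence for the pull request: same inputs run through both versions."""
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed input containing SQL metacharacters
    benign = "O'Brien"       # a legitimate value that the old code also mishandled
    result = {
        "before_rows": len(find_user_insecure(conn, probe)),  # every row leaks
        "after_rows": len(find_user(conn, probe)),            # no such user
        "after_benign_ok": find_user(conn, benign) == [],
    }
    try:
        find_user_insecure(conn, benign)
        result["before_benign_ok"] = True
    except sqlite3.OperationalError:
        # The apostrophe breaks the SQL: the old code was also a plain correctness bug.
        result["before_benign_ok"] = False
    return result


if __name__ == "__main__":
    for name, value in regression_check().items():
        print(f"{name}: {value}")
```

Putting the regression check into the test suite is what keeps the finding closed: if someone later reintroduces string formatting into the query, the test fails before the scanner even runs.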
Finally, the project includes a documented secure code review checklist, a practical guide for reviewing pull requests with security in mind. This is what AppSec Engineers create for development teams: not just "here's what's broken" but "here's how to build it right."
What I'll Learn
How to threat model an application using STRIDE or similar frameworks. How SAST, DAST, and SCA tools work and how to integrate them into CI/CD. How to triage scanner findings, distinguishing real vulnerabilities from false positives. How to fix common web vulnerabilities (OWASP Top 10) in actual code. How to create secure code review processes that help developers ship safer code.
Why This Role Matters
AppSec Engineers sit at the intersection of security and development. AI can run scanners, but it can't understand why a business chose a particular architecture, whether a "vulnerability" actually matters in context, or how to convince a development team to change their workflow. This role requires deep code understanding, human communication, and contextual judgment, which is why it has strong long-term stability and good work-life balance compared to operations-heavy security roles.
Technologies
GitHub Actions • Semgrep • OWASP ZAP • Trivy • Gitleaks • Docker • STRIDE • OWASP Top 10