How to Use This Application Security Resource
Application Security Authority is a structured reference directory serving security professionals, software engineers, compliance officers, and procurement specialists operating within the application security sector. This page describes how the directory is organized, what categories of content are available, what falls outside its scope, and how to locate specific topics efficiently. The directory spans topic areas covering tools, standards, frameworks, vulnerability classes, regulatory requirements, and practitioner roles across the application security discipline.
What to look for first
The directory is built around service and topic categories that reflect the operational structure of the application security sector — not a beginner's curriculum. Professionals entering the directory with a specific need should orient first by regulatory or compliance context, then by technical domain.
Three primary reference anchors cover most entry points:
- Regulatory context — Whether a project falls under PCI DSS Requirement 6.2.4 (cardholder data environments), NIST SP 800-53 Control SA-11 (federal systems and FedRAMP-authorized platforms per NIST SP 800-53 Rev. 5), or OWASP ASVS verification levels determines which testing and assessment categories apply. The directory surfaces these distinctions within topic pages rather than requiring independent cross-referencing.
- Service category — Application security services divide into two structural branches: assurance services (penetration testing, code review, vulnerability assessment) and program services (SDLC integration, toolchain governance, AppSec program architecture). These branches carry different qualification standards, procurement considerations, and regulatory touch points, and the directory maintains that distinction throughout.
- Practitioner qualification standards — Credential frameworks including the Offensive Security Web Expert (OSWE), GIAC Web Application Penetration Tester (GWAPT), and Certified Secure Software Lifecycle Professional (CSSLP) from (ISC)² mark real qualification thresholds within the sector. Directory content reflects those standards as reference points for assessing provider qualifications, not as endorsements.
For the broadest orientation to what this directory covers and how it was scoped, the Application Security Directory Purpose and Scope page establishes the structural rationale.
How information is organized
Content is organized into discrete topic pages, each scoped to a functional domain within application security. The taxonomy follows terminology used by NIST, the Open Web Application Security Project (OWASP), and the SANS Institute — standards bodies whose frameworks professionals already use operationally.
The directory's topic architecture follows four functional groupings:
- Foundational frameworks — Pages addressing the Secure Software Development Lifecycle (SSDLC), threat modeling methodologies (STRIDE, PASTA), and application security program structure. These establish baseline reference points for program maturity assessments.
- Testing and assurance methodologies — Discrete pages cover static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), and manual penetration testing. SAST and DAST represent the most common contrast point in the directory: SAST operates on source code without execution, while DAST tests running applications from an external perspective. Both are addressed under separate topic pages with distinct tooling and regulatory applicability.
- Vulnerability classifications — Pages aligned to the OWASP Top 10, CWE/SANS Top 25, and category-specific vulnerability classes (injection, broken access control, business logic flaws). These pages reference the CVE/NVD numbering system maintained by NIST for specific vulnerability instances.
- Sector and deployment context — Pages covering application security in CI/CD pipelines, cloud-native environments, API security, and mobile application security. These cross-reference applicable standards such as NIST SP 800-218 (Secure Software Development Framework) and relevant industry guidance.
All application security listings maintain consistent topic structure: regulatory applicability, technical scope, practitioner qualification standards, and relevant standards body references appear in defined positions within each page.
Limitations and scope
The directory covers the application security sector as it operates within the United States national market, with cross-reference to international standards (ISO/IEC 27034, OWASP SAMM) where those standards govern US-based compliance programs.
The following fall outside the directory's scope:
- Network security and infrastructure security as independent disciplines, except where they intersect with application-layer controls
- Incident response and forensics beyond the application security perimeter
- Legal or compliance advice — regulatory citations throughout the directory are reference anchors, not legal interpretations
- Vendor-specific product documentation — tooling references describe functional categories, not proprietary implementations
The directory does not adjudicate disputes between competing frameworks. Where OWASP ASVS, NIST SP 800-53, and PCI DSS Requirement 6 overlap on a control category, the directory describes each framework's requirement independently. Practitioners working under multiple regulatory mandates must reconcile those requirements through their own compliance and legal functions.
Content reflects the published versions of named standards at time of page authorship. NIST, OWASP, and PCI SSC publish updates on independent cycles; the current authoritative version of any standard always supersedes directory content.
How to find specific topics
The Application Security Listings index provides the fastest path to specific topic pages. That index organizes all directory content by functional grouping, allowing direct navigation without search.
For professionals working from a specific regulatory requirement, cross-referencing by standard produces the most direct path:
- PCI DSS Requirement 6 covers secure development requirements for cardholder data environments — directory pages on SAST, DAST, and penetration testing address these thresholds directly.
- NIST SP 800-53 SA-family controls (SA-11, SA-15, SA-17) address developer security testing, development process controls, and security architecture — directory pages in the foundational frameworks and testing methodology groupings align to these controls.
- OWASP ASVS Levels 1 through 3 define verification requirements at increasing depth — the directory's testing methodology pages map to these levels where OWASP documentation establishes the correspondence.
For topic areas not immediately located through the listings index, the directory's taxonomy follows OWASP and NIST terminology precisely. Search terms drawn from OWASP's Web Security Testing Guide (WSTG) category codes or NIST SP 800-115 testing phase descriptions will match directory topic page titles and headings.