concept#Security#Architecture#Software Engineering

Web Security

Core concept for protecting web applications, APIs and infrastructure against attacks, data loss and misuse.

Web security covers measures to protect web applications, APIs and underlying infrastructure from attacks, misuse and data breaches.
Established
High

Classification

  • High
  • Technical
  • Architectural
  • Intermediate

Technical context

  • Identity provider (OAuth2/OpenID Connect)
  • Web Application Firewall (WAF)
  • CI/CD toolchain (security scanning)

Principles & goals

  • Least Privilege: Grant access only as needed.
  • Defense in Depth: Build multiple independent layers of protection.
  • Secure by Design: Consider security early in design and development.
Build
Enterprise, Domain, Team

Use cases & scenarios

Compromises

  • Misprioritization may leave critical gaps open.
  • Excessive complexity can introduce errors.
  • Insufficient monitoring delays incident detection.

  • Use parameterized queries and vetted libraries.
  • Run regular automated security scans.
  • Segment networks and minimize privileges.

I/O & resources

  • Existing source code and architecture diagrams
  • Threat model and privacy requirements
  • CI/CD access and monitoring streams
  • Security requirements and hardening measures
  • Incident response playbooks
  • Monitoring and alerting configurations

Description

Web security covers measures to protect web applications, APIs and underlying infrastructure from attacks, misuse and data breaches. It includes authentication, authorization, network protections, secure development practices and monitoring. Effective web security reduces risk, protects users and preserves business continuity. Organizations must embed security across the development lifecycle.

  • Reduction of security incidents and data loss.
  • Increased trust from customers and partners.
  • Meeting regulatory requirements and compliance.

  • Absolute security is unattainable; residual risk remains.
  • Increased effort and ongoing maintenance required.
  • Legacy systems may hinder hardening efforts.

  • Number of discovered vulnerabilities

    Count of identified security vulnerabilities per period.

  • Time to Patch

    Time between discovery of a vulnerability and successful deployment of the fix.

  • Share of HTTPS-protected endpoints

    Proportion of production endpoints correctly using TLS.

OWASP Top Ten as evaluation baseline

The organization uses the OWASP Top Ten to prioritize vulnerabilities and adapt the SDLC.

HTTPS migration of an e-commerce platform

Staged TLS rollout, monitoring and CORS policy adjustments to secure customer connections.

API protection with OAuth2

Introduction of OAuth2 for service-to-service authentication and fine-grained authorization.

  1. Conduct threat modeling for all critical paths.
  2. Prioritize vulnerabilities based on risk and impact.
  3. Automate security scans in the CI/CD pipeline.
  4. Roll out hardening measures incrementally and measure effects.
  5. Implement monitoring, alerting and incident playbooks.
  6. Train teams in secure coding and response procedures.

⚠️ Technical debt & bottlenecks

  • Unpatched libraries with known vulnerabilities.
  • Monolithic components without clear security boundaries.
  • Missing automation for security tests in CI/CD.

  • Legacy infrastructure
  • Lack of security specialists
  • Incomplete telemetry

  • Only periodic manual tests instead of continuous assurance.
  • Omitting security tests in the release pipeline for performance reasons.
  • Uncoordinated patching without regression tests in production.
  • Focusing on compliance rather than real threat reduction.
  • Ignoring misconfigurations in favor of feature release goals.
  • Lack of metrics to assess security impact.

  • Secure coding and input validation
  • Threat modeling and risk analysis
  • Incident response and basic forensics

  • Confidentiality of sensitive data
  • Integrity of transactions and APIs
  • Availability of critical services

  • Limited budget for security tools
  • Compliance requirements and deadlines
  • Dependencies on third-party providers