Application Security: Binary & API Fortification
AppSec work digs into SonarQube AST walks, for example flagging eval($_GET['x']) as tainted (A03:2021). OWASP ZAP injects document.location=evil.com to test for DOM XSS, and WAF rules (SecRule ARGS "@rx <script" drop) block it. JWT HMAC-SHA512 handling is audited, for example confirming that alg: none is rejected via JOSE libraries. Trivy scans OCI images so that log4j-core-2.14.1.jar (CVE-2021-44228) is purged. The consultation flags OWASP Top 10 issues; paid operations enforce ASVS 4.0, hardening CI/CD with Snyk vulnerability diffs.
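
The alg: none audit mentioned above, as an added example that is not from the original page or from any JOSE library: a minimal HS512 verifier that pins the algorithm on the verifier side instead of trusting the token header. DEMO_KEY, the function names and the sample tokens are constructed for illustration.

```python
import base64, hashlib, hmac, json

ALLOWED_ALG = "HS512"      # pinned by the verifier, never read from the token
DEMO_KEY = b"K" * 64       # constructed demo key; real keys come from a secret store

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs512(claims: dict, key: bytes) -> str:
    signing_input = encode_part({"alg": "HS512", "typ": "JWT"}) + "." + encode_part(claims)
    tag = hmac.new(key, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(tag)

def verify_hs512(token: str, key: bytes) -> dict:
    """Return the claims, or raise ValueError naming the reason for rejection."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Check the header against the pinned algorithm before any crypto runs.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))

def audit(token: str, key: bytes = DEMO_KEY) -> str:
    """Audit verdict for one token: 'accepted' or the rejection reason."""
    try:
        verify_hs512(token, key)
        return "accepted"
    except ValueError as exc:
        return str(exc)

def constructed_samples() -> dict:
    """Constructed test tokens covering the cases an audit should exercise."""
    good = sign_hs512({"sub": "alice"}, DEMO_KEY)
    _, body, sig = good.split(".")
    return {"valid": good,
            "alg_none": encode_part({"alg": "none", "typ": "JWT"}) + "." + body + ".",
            "alg_downgrade": encode_part({"alg": "HS256", "typ": "JWT"}) + "." + body + "." + sig,
            "wrong_key": sign_hs512({"sub": "alice"}, b"X" * 64)}
```

Running audit() over each entry of constructed_samples() gives the regression cases a CI job can keep asserting on after a JOSE library upgrade.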

