What can we help you with?
AppSec Engineer — IAM Security Specialist
AppSec Engineer — IAM Security Specialist
Role Overview
This engineer owns the security of who can do what in every application and service. They prevent authentication bypasses, authorization flaws, and identity federation attacks that are responsible for the majority of high-severity breaches.
① SHARED CORE COMPETENCIES (1/3)
These competencies are identical across all five AppSec engineer roles.
1.1 Threat Modeling (STRIDE / PASTA)
- Facilitate threat modeling sessions against architecture diagrams and data-flow diagrams
- Map assets → trust boundaries → threats using STRIDE categories:
- Spoofing · Tampering · Repudiation · Information Disclosure · DoS · Elevation
- Produce threat model artifacts: DFD, threat register, mitigations table
- PASTA for risk-quantified models
- Output: ranked threat list with likelihood × impact scores
1.2 Secure Code Review
- Review PRs for OWASP Top 10 and CWE Top 25 violations
- Identify: injection flaws, insecure deserialization, broken auth, sensitive data exposure
- Provide remediation guidance with corrected code snippets
- Distinguish false positives from true findings; assign severity (Critical/High/Med/Low)
- Tools: manual review + semgrep rules, CodeQL queries
1.3 Vulnerability Assessment & CVSS Scoring
- Triage CVEs from scanner output; calculate CVSS v3.1 Base + Environmental scores
- Prioritize using EPSS alongside CVSS
- Map findings to business risk; generate executive-ready vuln summary reports
- Track remediation SLAs: Critical ≤24h, High ≤7d, Medium ≤30d, Low ≤90d
② SPECIALIST DOMAIN — IAM Security (2/3)
2.1 OAuth 2.0 & OIDC Security
- Review OAuth flows for: open redirect, CSRF on callback, token leakage in referrer/logs
- Enforce: PKCE for all public clients, state parameter validation, nonce binding
- Detect: authorization code interception, token substitution, mix-up attacks
- OIDC hardening: validate iss/aud/exp claims, require HTTPS, pin JWKS endpoint
- Common attack patterns:
• Missing state → CSRF on authorization endpoint
• Missing PKCE → authorization code interception on mobile
• Implicit flow → token in fragment/URL history (deprecated, block usage)
• Lax redirect_uri matching → open redirect to attacker domain
• JWT none algorithm → signature bypass
2.2 JWT Security
- Validate: algorithm confusion (RS256→HS256 with public key), none algorithm, alg:none
- Check: proper signature verification library usage; reject unsigned tokens
- Assess: claim validation completeness (exp, nbf, iss, aud, sub all checked)
- Token storage security: httpOnly cookie > localStorage (XSS risk)
- Short-lived access tokens (≤15 min) + refresh token rotation with family invalidation
2.3 Authorization Model Design & Review
- RBAC: role explosion prevention, role inheritance review, least-privilege audit
- ABAC: policy engine selection (OPA/Casbin), policy-as-code review, attribute trust
- ReBAC (Zanzibar-style): relationship graph integrity, indirect permission paths
- Enforce: server-side authorization checks (never client-side only)
- Detect: IDOR (Insecure Direct Object Reference), mass assignment, forced browsing
- Authorization matrix: produce subject × object × action grids for review
2.4 Privilege Escalation Analysis
- Map all privilege elevation paths in an application (sudo patterns, role assignment APIs)
- Identify: user-controlled role parameters, missing ownership checks, API admin endpoints
- Service account review: identify over-privileged service identities
- Lateral movement paths: shared secrets, token forwarding, SSRF-to-metadata-service
2.5 SSO Federation Security
- SAML: XML signature wrapping, entity ID confusion, assertion replay, XXE in SAML parsers
- OIDC federation: client_secret exposure, jwks_uri poisoning, RP-initiated logout
- Just-in-time provisioning risks: account takeover via email claim manipulation
- IdP-initiated SSO risks: missing RelayState validation
2.6 Session Management & MFA
- Session fixation, session riding (CSRF), concurrent session controls
- Cookie hardening: Secure + HttpOnly + SameSite=Lax/Strict + __Host- prefix
- MFA enforcement: bypass via account recovery flows, “remember device” abuse
- Phishing-resistant MFA: WebAuthn/FIDO2 preferred over TOTP for high-value flows
- Step-up authentication triggers: transaction signing, privilege escalation
③ TEST SUITES
Unit Tests
Isolated checks on auth logic and token handling functions.
unit_tests:
- id: UT-IAM-001
name: "JWT Algorithm Confusion — HS256 with Public Key Rejected"
description: >
A token signed with HS256 using the RS256 public key as HMAC secret must be
rejected by the token validation function.
input:
token_type: "algorithm_confusion"
algorithm_used: "HS256"
key_material: "rsa_public_key_pem"
assertions:
- validation_result: "rejected"
- error_type: "AlgorithmMismatch"
- no_claims_returned: true
- id: UT-IAM-002
name: "PKCE Code Verifier / Challenge Binding"
description: >
Exchange an authorization code with a mismatched code_verifier;
assert token endpoint returns error=invalid_grant.
input:
code_challenge_method: "S256"
correct_verifier: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
submitted_verifier: "tampered_verifier_string_xyz"
assertions:
- token_issued: false
- error_response: "invalid_grant"
- http_status: 400
- id: UT-IAM-003
name: "IDOR — User Cannot Access Another User's Resource"
description: >
Authenticated as user_A, attempt to fetch /api/orders/{order_id_owned_by_user_B};
assert 403 or 404 returned, not the resource.
input:
authenticated_user: "user_A"
target_resource_owner: "user_B"
endpoint: "/api/orders/9f3a1b2c"
assertions:
- http_status_in: [403, 404]
- response_body_excludes: ["user_B", "order_id"]
- id: UT-IAM-004
name: "Expired Token Rejected"
description: >
Present a JWT with exp claim set 60 seconds in the past; assert rejection.
input:
exp_offset_seconds: -60
valid_signature: true
assertions:
- validation_result: "rejected"
- error_type: "TokenExpired"
Integration Tests
Cross-system auth flow verification.
integration_tests:
- id: IT-IAM-001
name: "Full OAuth PKCE Flow End-to-End"
description: >
Complete browser-based OAuth flow with PKCE against test IdP; assert
access token received, refresh token stored in httpOnly cookie,
and no tokens appear in browser history or localStorage.
steps:
- initiate_auth_request: {response_type: "code", code_challenge: true}
- authenticate_at_idp: "test_user_credentials"
- handle_callback: true
- assert_token_storage: "httpOnly-cookie-only"
- assert_localStorage_empty_of_tokens: true
- assert_access_token_lifetime_lte: 900 # seconds
environment: "oauth-integration-sandbox"
- id: IT-IAM-002
name: "SAML XML Signature Wrapping Attack Blocked"
description: >
Submit a manipulated SAML assertion with valid signature on a wrapper element
but malicious content in the assertion body; assert SP rejects and logs the attempt.
steps:
- craft_xsw_payload: "XSW-1-variant"
- submit_to_sp_acs_endpoint: true
assertions:
- authentication_succeeds: false
- security_event_logged: true
- log_contains: ["signature_wrapping", "invalid_assertion"]
- id: IT-IAM-003
name: "Privilege Escalation via Role Assignment API Blocked"
description: >
As a standard user, call PUT /api/users/{self}/roles with body {"role":"admin"};
assert server rejects the self-promotion.
steps:
- authenticate_as: "standard_user"
- call_endpoint: "PUT /api/users/self/roles"
- request_body: '{"role": "admin"}'
assertions:
- http_status: 403
- role_unchanged: true
- audit_log_entry: true
- id: IT-IAM-004
name: "MFA Bypass via Account Recovery Blocked"
description: >
Initiate password reset for MFA-enrolled account; assert that after reset,
MFA is still required on next login (not silently disabled).
steps:
- trigger_password_reset: "mfa_enrolled_user@test.com"
- complete_password_reset: true
- attempt_login_without_mfa: true
assertions:
- login_succeeds_without_mfa: false
- mfa_prompt_shown: true
Smoke Tests
Fast verification that auth controls are live in each environment.
smoke_tests:
- id: ST-IAM-001
name: "JWKS Endpoint Returns Valid Keys"
description: "/.well-known/jwks.json returns 200 with at least one RSA key."
command: >
curl -sf https://${AUTH_DOMAIN}/.well-known/jwks.json |
jq '.keys | length > 0'
expected_output: "true"
timeout_seconds: 10
- id: ST-IAM-002
name: "Unauthenticated Request to Protected Route Returns 401"
description: "API gateway returns 401 (not 200/403/500) for missing auth header."
command: >
curl -o /dev/null -sw "%{http_code}" https://${API_BASE}/api/protected
expected_output: "401"
timeout_seconds: 10
- id: ST-IAM-003
name: "Session Cookie Has Secure Flags"
description: "Login response Set-Cookie header includes Secure, HttpOnly, SameSite."
command: >
curl -sI -X POST https://${APP_BASE}/login -d 'user=smoke&pass=smoke' |
grep -i set-cookie | grep -qi "secure.*httponly.*samesite"
expected_exit_code: 0
timeout_seconds: 10
- id: ST-IAM-004
name: "None Algorithm Token Rejected"
description: "A JWT with alg:none submitted to the token introspection endpoint is rejected."
command: >
TOKEN=$(python3 -c "import base64,json; h=base64.urlsafe_b64encode(json.dumps({'alg':'none','typ':'JWT'}).encode()).rstrip(b'=').decode(); p=base64.urlsafe_b64encode(json.dumps({'sub':'attacker'}).encode()).rstrip(b'=').decode(); print(f'{h}.{p}.')"); \
STATUS=$(curl -o /dev/null -sw "%{http_code}" -H "Authorization: Bearer $TOKEN" https://${API_BASE}/api/protected); \
[ "$STATUS" = "401" ]
expected_exit_code: 0
timeout_seconds: 15
