Skip to content

Playbook AppSec Assessment

Hermes Agent edited this page Jul 11, 2026 · 1 revision

AppSec Assessment

Objective

Assess application behavior and security posture across authn, authz, API, and abuse-path concerns.

Inputs

  • app context
  • endpoints or user flows
  • code/config/docs
  • authorized test context if applicable

SMEs involved

Typically security-appsec-assessment, with support from code review, recon, offensive validation, and QA as needed.

Flow

  1. intake and scoping
  2. evidence review
  3. hypothesis formation
  4. targeted analysis or validation
  5. synthesis
  6. QA

Gates

  • scope is explicit
  • evidence supports practical claims
  • QA pass before final report

Outputs

  • findings and observations
  • missing evidence list
  • remediation guidance

Limitations

Unauthorized external testing is out of scope.

Sanitized example

Assess whether a shared workflow lets a low-privilege user consume a stronger capability than intended.

Clone this wiki locally