AN

Andrew-Hardiman/appsec-lab

AppSec engineering portfolio: OWASP Top 10 case studies in PHP & Python (repro → fix → tests) plus Secure SDLC & AWS security notes.

application-sec broken-access-control devsecops idor owasp-top-10 php python secure-by-design security-misconfiguration security-testing slim-framework

AppSec Engineering Portfolio — Andrew

Backend engineer (PHP/PYTHON/AWS) with a focus on application security and secure-by-design engineering.

This is a proof-of-work hub: small, reproducible case studies that show
threat → repro → impact → fix → prevention (tests + SDLC controls).

How to use this repo

main contains the remediated implementation and regression tests.
Vulnerable baselines are preserved on vuln/<case> branches for safe, local reproduction.

OWASP Top 10 case studies

OWASP mapping: Numbering follows OWASP Top 10 (2025).

PHP

A01 Broken Access Control
- php/A01-broken-access-control/idor-rest-api-slim/ — IDOR in a REST API (authz model + tests)
A02 Security Misconfiguration
- php/A02-security-misconfiguration/exposed-diagnostics-slim/ — Exposed diagnostics endpoints (/debug/phpinfo, /debug/routes)

Python

(planned)

Secure SDLC & AWS notes (practical)

IAM least privilege review + example policies
Logging/alerting checklist (CloudWatch + app logs)
CI security gates (secret scanning + dependency scanning + SAST)

Standards

Minimal demos, no proprietary code
Each case study includes: threat → repro → impact → fix → prevention
Code is intentionally small and readable

On this page

Languages

PHP100.0%

Contributors

Created February 14, 2026

Updated March 21, 2026