Web Security
Web security is the governance and operation of controls that protect public-facing applications, APIs, endpoints, identity flows, cloud edge services, and exposed infrastructure. In CloudSignals+RiskOps, web security is approached through asset context, exposure findings, control requirements, evidence, risk treatment, and remediation workflows — not limited to application vulnerability testing.
- Application security analysts
- Cloud security analysts
- Web platform owners
- DevSecOps engineers
- RiskOps teams
- Compliance managers
- Basic understanding of web applications, APIs, and internet exposure
- Familiarity with security findings and remediation workflows
- Access to Surface, Findings, RiskOps, and Governance & Assurance views
What you will be able to do
- Explain web security as an asset, control, and risk governance discipline — not just application vulnerability testing.
- Identify public exposure and web-facing assets using Surface and Cloud Resources views.
- Prioritize web findings using risk context including business function, data sensitivity, and owner accountability.
- Map web security gaps to UCB controls and evidence expectations.
- Route web security remediation through RiskOps projects with owner, SLA, and verification criteria.
- Use Vision to draft web risk narratives — with required human review and attestation.
Web Security Governance
15 min • Control Library • Explain web controls, governance scope, and why they exist
Web security governance is broader than application vulnerability testing
Web security is not limited to finding SQL injection or XSS vulnerabilities in application code. It includes governance over: public endpoints (authentication, API access controls, exposed management interfaces), authorization and session handling (token validity, session timeout, privilege escalation paths), TLS and transport security (protocol versions, cipher suites, certificate validity), DNS governance (subdomain takeover exposure, DNSSEC configuration), WAF and edge controls (web application firewall configuration, DDoS protection, rate limiting), API exposure (authentication, CORS, authorization checks, rate limiting), secrets handling (API keys, credentials, certificates not stored in code or public storage), logging and monitoring (access logs, anomaly detection, audit trails for sensitive operations), and secure change governance (change review for web-facing components).
CloudSignals+RiskOps helps learners connect these web security risks to assets, findings, controls, evidence, and remediation — creating a governance chain from exposure detection through to verified closure.
Web-Facing Asset Discovery
20 min • Assets, Cloud Resources • Build a complete web exposure inventory
Ten categories of web-facing assets
Web-facing assets are those that are directly reachable from the public internet or indirectly exposed through integrations with internet-facing systems. A complete web exposure inventory covers ten asset categories:
Direct internet-accessible services with open ports or public IP addresses
Internet-facing ingress points routing to backend services
HTTP/HTTPS services serving user-facing interfaces
REST, GraphQL, or SOAP endpoints with external access
Buckets or blob containers accessible without authentication
Edge caches that may expose origin URLs or sensitive content
Subdomains and records that may expose internal services or be taken over
Login pages, SSO redirects, OAuth flows accessible to users
Compute instances with public IPs and open management or service ports
Third-party platforms with OAuth tokens or API access to your systems
For each web-facing asset, governance requires determining: ownership, business function, data sensitivity, and exposure scope (intentional vs. accidental public access). Unintentional public exposure is your highest-priority finding — an asset that should not be public but is creates direct exploitation opportunity with no exploitation barrier.
Web Findings & Exposure
25 min • Findings • Analyze web-related findings and prioritize by business context
Nine common web security finding categories
CloudSignals+RiskOps surfaces web security findings from cloud resource configurations — these are configuration-state findings, not runtime application vulnerability findings. Configuration-state findings are persistently present, continuously monitorable, and scanner-verifiable after remediation — which makes them more governable than runtime findings that require manual testing to detect and verify. The nine most common web security finding categories are:
| Finding category | What it indicates | Typical severity |
|---|---|---|
| Public exposure | Storage, endpoints, or services accessible to anyone without authentication | Critical |
| Weak TLS / insecure transport | TLS 1.0/1.1 in use, expired certificates, or HTTP accepted on sensitive services | High |
| Missing logging | Access logs, audit trails, or activity monitoring disabled on web-facing services | Medium–High |
| Overly permissive network access | Security groups or NSGs allowing broad inbound access on web or management ports | High |
| Weak identity controls | MFA not enforced on admin consoles, excessive session token validity | High |
| Misconfigured storage | Public read/write enabled on buckets containing application or customer data | Critical |
| Exposed management ports | SSH, RDP, or database ports open to the internet on production systems | Critical |
| Missing WAF / edge protections | No WAF configured on internet-facing applications or APIs | Medium |
| Unreviewed third-party integrations | OAuth tokens, API connections, or webhooks to external systems without access review | Medium |
Evidence & Controls
20 min • Evidence Fabric, Control Library • Define proof for web security governance
Web security evidence types
Web security evidence must prove that controls are configured, operate as intended, and have been reviewed by a named person with knowledge of the system. Scanner results alone satisfy the "configured" dimension — they do not satisfy "operates as intended" or "reviewed." A complete web security evidence package includes multiple artifact types linked to specific UCB controls and Assessment Objectives in the Evidence Fabric:
- Secure architecture diagrams: showing web traffic flow, trust boundaries, authentication checkpoints, and WAF/CDN topology — linked to network and identity controls
- Web configuration exports: TLS version and cipher configuration, storage access policies, security header settings from cloud console exports
- TLS configuration reports: scan output confirming TLS 1.2+ enforced, valid certificates, no deprecated protocols
- WAF policy screenshots or exports: confirming rule sets, rate limiting, and OWASP protection coverage
- Penetration test reports: testing runtime application behavior (injection, authentication bypass, authorization flaws) that CSPM cannot detect
- Secure code review records: documented review sign-offs for web-facing components with security findings and resolution tracking
- CI/CD security gate results: SAST, DAST, or dependency scan results from pipeline runs before production deployment
- Access review records: periodic confirmation that web-facing service accounts and admin access is scoped to authorized users only
- Incident response records: any security event on a web-facing asset and the response taken — governance evidence of the control's ability to detect and respond
RiskOps Remediation
25 min • Projects, Risk Treatments • Coordinate accountable web security remediation
Web security remediation often spans multiple teams
Web security remediation often spans engineering (application code), cloud operations (infrastructure configuration), identity teams (authentication and session controls), and vendor owners (third-party WAF, CDN, or SaaS platform configurations). RiskOps helps coordinate accountable work across these stakeholders — setting SLA expectations, tracking evidence requirements, and providing executive visibility without requiring manual status collection from each team.
The key governance difference between a Jira ticket and a RiskOps treatment: a RiskOps treatment has a UCB control linkage, an evidence requirement, a defined verification step, and an SLA policy timer that escalates if the finding ages past the threshold. When all four are present, web security remediation is tracked from detection to verified closure with full governance accountability.
Reporting & Vision
15 min • Reports, Vision • Produce governance-ready web risk summaries
Executive reporting: exposure, impact, status, residual risk
Web security reporting should avoid raw technical detail overload. Executive summaries should explain four things in business language: exposure (which internet-facing assets have open security gaps), business impact (what a successful exploitation would mean for the organization — customer data, regulatory liability, operational disruption), remediation status (what is being done, by whom, by when), and residual risk (what risk remains after compensating controls are in place and what the timeline to full remediation is). Vision can accelerate the drafting of this narrative from platform data — but requires human review before distribution.
Certification: AiVRIC Web Security Practitioner
Completing all six modules makes you eligible for the Web Security Practitioner certification exam.
| Exam domain | Weight |
|---|---|
| Web security governance | 20% |
| Web-facing asset discovery | 20% |
| Findings and exposure analysis | 25% |
| Evidence and controls | 20% |
| Remediation and reporting | 15% |
Capstone practical scenario
A tenant has several public endpoints, one exposed storage service containing customer data, missing logging on a web workload, and unclear ownership for an API gateway. Your task:
- Identify web-facing assets across all ten asset categories present in the tenant environment.
- Prioritize findings using business context — explain why the priority order differs from severity-only ranking.
- Map the top three findings to UCB controls and define the required evidence for each.
- Recommend RiskOps remediation for the highest-priority finding — including compensating controls where full remediation is deferred.
- Draft an executive web risk summary using Vision, validate it, and attest it — including AI disclaimer and organizational context.