D2 · Threats

What is web application security?

Web application security protects web apps from attacks. Layers: secure development (SAST, secure coding), testing (DAST, pen testing), runtime protection (WAF, RASP), and monitoring (logging, anomaly detection).
Web app vulns cause more breaches than network vulns. OWASP Top 10 is the baseline. Defense in depth: secure code + WAF + DLP + monitoring. No single layer is sufficient. Start security in the SDLC, not just at deployment.