When starting a career in cybersecurity, the sheer breadth of resources available can quickly become overwhelming. Which organizations are reputable? Which resources will have a tangible impact on my skills? These were some of the questions I encountered as I began my career in application security, so I thought others on the same journey would benefit from a roundup of the most helpful resources in AppSec.

These resources are focused on becoming a blue team/defensive application security (AppSec) engineer, not a web penetration tester/bug bounty hunter. Whenever people ask me how to get into application security, or I’m mentoring junior AppSec engineers, or developers want to be more security-minded, I provide these resources to them as a strong starting point. 

These AppSec resources cover the following areas: 

Security Fundamentals before Starting in AppSec

It is important to have general security concepts down before focusing on the application domain. Security fundamentals are the foundation on which AppSec is built; they provide the framework for describing AppSec vulnerabilities. Knowing these terms and patterns also helps when communicating with other AppSec and security professionals, and keeps your message consistent in general.

This knowledge will also help when evaluating new features and scenarios in applications, and help judge how effective a fix is (or isn’t). This will lead to better conversations with both developers and leadership when you can explain why something is a vulnerability or why a particular fix did not fully remove the risk to the business. 

Microsoft put together a free course on foundational security knowledge. It is a good place to start if you are thinking of beginning a career in cybersecurity.

Cybersecurity for Beginners – a curriculum
https://github.com/microsoft/Security-101

Web Application Fundamentals

AppSec involves working primarily with developers in the development lifecycle. While you do not need to come from a development background, it is important to know how to code so you’re speaking the same language as the developers and engineers you’ll work with. 

Coding 

A lot of the foundational concepts, vulnerabilities, and recommendations are going to be at the code, design, and architectural levels. It is also important to know the impact of what is being asked of the developers. 

I suggest knowing one compiled language and one scripting language. 

Suggested languages:

  • Compiled – Java or C# 
  • Scripted – Python or Go

If you are going to be working with web applications (as most AppSec positions do) then you will want to know HTML, CSS, and JavaScript. 

The compiled language will help you when working with most development shops. The scripting language will help when you want to work with results from tools or script out tooling pipelines, and it generally comes in handy around a tech shop.

Tip: When trying to understand a vulnerability, I have found it invaluable to create an application that has the vulnerability, exploit it myself, then code the fix and confirm that it worked. This has given me a better understanding of each vulnerability and lets me reason better about how effective proposed fixes will be.
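As an added illustration of that build-exploit-fix loop (this is constructed example code, not from the original post), the same lookup is written first with a SQL injection flaw and then with a bound parameter, plus a check that proves the fix removed the flaw. It uses only Python's standard-library sqlite3 module and a constructed in-memory table.

```python
"""Build it, break it, fix it, prove the fix: a minimal SQL injection walkthrough.
Constructed example; the table, users and probe value are all made up."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_role_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    # Step 1, the bug: untrusted input is spliced into the SQL text, so the
    # input can change the *structure* of the query, not just its data
    # (OWASP Top 10 "Injection").
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_role_fixed(conn: sqlite3.Connection, username: str) -> list[str]:
    # Step 3, the fix: a bound parameter is always treated as a value, never
    # parsed as SQL, so the query structure is fixed at author time.
    sql = "SELECT role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def fix_is_effective(conn: sqlite3.Connection) -> bool:
    # Steps 2 and 4, prove it: the classic tautology input makes the
    # vulnerable query return every row, while the fixed query treats the
    # same text as a literal username and matches nothing.
    probe = "x' OR '1'='1"
    leaked = find_role_vulnerable(conn, probe)   # every role in the table
    after_fix = find_role_fixed(conn, probe)     # no user has that name
    return len(leaked) == 2 and after_fix == []


if __name__ == "__main__":
    db = make_db()
    print("fix effective:", fix_is_effective(db))
```

Turning the proof into a unit test, as done here, is what lets you say a fix "worked" rather than merely believe it did.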

You do not need to be an expert in these languages, but you do need to know how to read them: understanding the different framework workflows, coding paradigms (and their idiosyncrasies), and effective ways of looking up documentation.

Top Resources when Starting an AppSec Engineer Career 

This section contains the core foundational materials for building your knowledge, which also serve as valuable references when doing security reviews.

OWASP Top 10 

https://owasp.org/www-project-top-ten
One of the most well-known lists in AppSec, this top 10 list describes how to identify and remediate each vulnerability category. It is a good starting point, but it is important not to focus on this list alone. While it covers the most common vulnerabilities in general, there are other vulnerabilities that need to be fixed as well, and a specific company's list might look different because of the architectural, design, and coding standards in its organization.

OWASP Application Security Verification Standard (ASVS) 

https://owasp.org/www-project-application-security-verification-standard
This document lists the controls that should be present in an application, which is useful when discussing its design and architecture and when setting design requirements for developers. It is also a good checklist to use when reviewing code to see if any of these controls are missing or incomplete.

OWASP Proactive Controls 

https://owasp.org/www-project-proactive-controls
This project provides areas of focus when looking at preventative controls that can help reduce or eliminate potential unknown future risks. It provides a helpful framework for creating best practices and secure coding guidelines for your organization. 

IEEE Avoiding the Top 10 Software Security Design Flaws 

https://cybersecurity.ieee.org/blog/2015/11/13/avoiding-the-top-10-security-flaws/ 
While there are a lot of resources covering code-level mistakes, this one focuses specifically on the design/architecture level, making it especially useful for identifying common design flaws so software architects have a place to learn from others' mistakes.

Honorable Mention: OWASP Cheat Sheet Series 

https://owasp.org/www-project-cheat-sheets
This is a great resource for refreshing on a topic for yourself, or having a reference on hand to give to developers. 

Web Information 

Unless you already have specific domain knowledge of, or an active interest in, a different application type (e.g., embedded programming, thick clients, etc.), it is best to understand how the web works. This is the focus of most AppSec jobs today.

Mozilla has a good overview guide to HTTP: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP 

Hands-On Activities to Help You Advance as an AppSec Engineer 

The following projects provide training platforms where source code is presented, vulnerabilities identified, and remediations implemented. 

OWASP Secure Coding Dojo

The OWASP Secure Coding Dojo is an educational platform designed to teach secure coding practices to developers. It is a project that can be stood up locally, and it ships with training material that examines vulnerabilities from the code perspective.

SecDim

https://secdim.com
SecDim is a platform offering "Dev-Native Attack & Defence Wargames" to test and improve the security of software code in a controlled environment. You are given code/configuration files and need to identify the vulnerabilities and fix them. Your changes are then run against unit tests to see if they meet the acceptance criteria (both security and functional tests).

Continuing Education in AppSec 

Here are some interesting newsletters and podcasts to keep up with the latest security news and trends for both AppSec and general computer security topics. 

Newsletters 

AppSec Specific 

tl;dr sec
https://tldrsec.com
This is a great curated list of articles, tools, and presentations on application security-related topics. 

General Computer Security 

This section contains some additional newsletters with broader security topics than just AppSec. These focus on general (computer) security problems as well as company policy, national policy, and geopolitical-level conversations. They become valuable once you are comfortable with the AppSec-specific material.

Risky Business Newsletter
https://news.risky.biz
A newsletter published three times a week that curates computer security news and analyzes the security events of the last several days. (There is also a podcast feed that highlights the newsletter's content.)

CRYPTO-GRAM
https://www.schneier.com/crypto-gram/
A monthly newsletter that focuses on general security/computer security topics. 

Podcasts 

AppSec Specific 

Absolute AppSec
https://absoluteappsec.com
Two friends chat about AppSec news and occasionally interview guests. They talk specifically about application security and some of the day-to-day problems they run into. At its core, this is two friends who get together and talk about AppSec because they love it.

Application Security Podcast
https://appsec.buzzsprout.com
Another valuable resource covering application security: practitioners share what has worked for them (and lessons learned) while working in and on application security programs.

The Secure Developer
https://www.heavybit.com/library/podcasts/the-secure-developer
A developer-focused podcast on the intersection between development and security. 

Generic Computer Security 

These are podcasts that focus on either general computer security knowledge and/or companywide policies/leadership perspectives on topics. 

Risky Business
https://risky.biz
A great weekly rundown of the week's security news with good commentary. Even the sponsored segments are worth listening to: the hosts have the sponsor discuss a particular security area and only pitch their product right at the end. It is done really well, and I do not skip those sections.

Defense in Depth
https://cisoseries.com/subscribe-podcast
This takes a particular IT topic from a CISO (Chief Information Security Officer) perspective.

Professional Organizations 

It is a good idea to get involved in the AppSec community: you stay up to date on the latest techniques for securing applications and on new vulnerabilities and how to detect and defend against them, and you grow your professional network. This is a small field, so building a network of other AppSec practitioners helps when you want to learn a particular area or need advice on a problem you are facing. The podcasts above have Discord servers you can join. There is also the OWASP Discord server, as well as local chapters:

Local Chapters: https://owasp.org/chapters/ 

Final Thoughts 

I consider this information foundational; it is the kind of knowledge I look for and expect from an AppSec engineer at any level. It will help with the diverse activities inside an AppSec team: manual code review, automated code review, handling bug bounty submissions, and everything else.

Keep learning by reading NetSPI’s Checklist for Application Security Program Maturity