A list of key resources for learning about Application Security (AppSec). Each section should not be treated as a comprehensive list, but rather as a jumping-off point for you to explore.
The vulnerability classes covered by the various OWASP Top 10 lists that pertain to your role should be a fundamental pillar of your knowledge. They are also a good place to start when you are expanding into a new area.
- OWASP Top 10
- OWASP Top 10 API
- OWASP Top 10 Mobile
- OWASP Top 10 CI/CD
- OWASP Top 10 LLM
- etc. There are other Top 10 lists, and surely more will be produced.
Learn offensive security in a safe/legal environment.
- PortSwigger Web Security Academy
- PortSwigger, the company behind the popular penetration testing tool Burp Suite, offers over 250 free labs in its Web Security Academy. They regularly publish bleeding-edge research, and their researchers often speak at conferences such as DEF CON.
- Open-source intentionally vulnerable projects
- Damn Vulnerable Web Application (DVWA)
- OWASP Juice Shop
- Vulnerable Adversely Programmed Interface (vAPI)
- Damn Vulnerable API (DVAPI)
- etc. There are other intentionally vulnerable applications, some of which are no longer maintained but may still be relevant.
- CloudFoxable
- Hack The Box, TryHackMe, etc.
These resources are key for implementing automation and processes into your software development lifecycle (SDLC).
- OWASP DevSecOps Guideline
- A great place to start when learning about DevSecOps. Start at the left, learn about a particular step, what its goals are, some common tools to accomplish it, and try them out yourself.
- Ex. for secret scanning: learn what it is and how software developers should manage secrets, then pick a tool such as TruffleHog and scan some repositories.
- OWASP SAMM
- OWASP DSOMM
- Video: Strategic use of OWASP SAMM and OWASP DSOMM
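To make the secret-scanning step above concrete, here is an added example of what a scanner does at its core; it is not from the OWASP DevSecOps Guideline or from TruffleHog. It combines fixed-format detectors (an AWS access key ID, a GitHub token, a PEM private key header) with a generic "secret-looking variable assigned a random-looking value" check gated by Shannon entropy, and honours an inline allowlist comment for reviewed false positives. The regexes, the 3.5-bit threshold, the `# pragma: allowlist secret` marker (modelled loosely on detect-secrets, not TruffleHog's syntax) and the sample file contents are all assumptions constructed for this example; the AWS key in the sample is the placeholder value from AWS's own documentation.

```python
import math
import re
from dataclasses import dataclass

# Fixed-format detectors. Constructed for this example; real scanners such as
# TruffleHog ship hundreds of detectors and verify each hit against the issuer.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}

# Generic detector: a quoted value assigned to a secret-looking name, reported
# only if the value looks random (high Shannon entropy) rather than a placeholder.
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)

# Inline suppression marker. The comment syntax is an assumption of this
# example (detect-secrets uses a similar pragma); it is not TruffleHog's.
ALLOWLIST_MARKER = "# pragma: allowlist secret"


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value`; 0.0 for the empty string."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    detector: str
    match: str


def scan_lines(lines, entropy_threshold: float = 3.5) -> list[Finding]:
    """Scan text lines and return one Finding per detector hit, in file order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if ALLOWLIST_MARKER in line:
            continue  # reviewed and accepted as a false positive
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, name, m.group(0)))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append(Finding(line_no, "high_entropy_assignment", m.group(2)))
    return findings


# Constructed sample file contents. The AWS key is the placeholder value from
# AWS's own documentation; nothing here is a live credential.
SAMPLE = """\
# config.py (constructed sample)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_PASSWORD = "changeme"
API_TOKEN = "c8f0b4a2e19d7f3a6b5c2d1e0f9a8b7c"
ssh_key = "-----BEGIN RSA PRIVATE KEY-----"
password = "hunter2"
TEST_TOKEN = "0123456789abcdef0123456789abcdef"  # pragma: allowlist secret
""".splitlines()


if __name__ == "__main__":
    for f in scan_lines(SAMPLE):
        print(f"line {f.line_no}: {f.detector}: {f.match}")
```

Running it against the sample reports the AWS key on line 2, the hex API token on line 4 and the private key header on line 5, and nothing else. The gaps are as instructive as the hits: `"changeme"` and `"hunter2"` are real weak passwords but pass the entropy gate and the minimum length, which is why production scanners pair heuristics with live credential verification, and why the allowlist marker must be treated as a reviewed decision rather than a way to silence noise. Wire a tool like this into a pre-commit hook and the CI pipeline so a leaked secret is caught before it reaches the default branch.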
Reputable conferences and meetups. It's worth noting that conference talks are often recorded and can frequently be found on YouTube.
- Local OWASP Chapter meetups
- BSides conferences
- OWASP conferences (LASCON, OWASP Global AppSec, etc)
- DEF CON
- fwd:cloudsec
- Find other conferences and meetups:
- Practical DevSecOps
- DevSecOps and AppSec related certifications
- CloudBreach
- Offensive security certifications for cloud
- Burp Suite Certified Practitioner
- APISec University
- TCM Security
- A variety of offensive security certifications including some related to mobile and web
- Cloud vendor-specific (ex. AWS Certified Security - Specialty)
- Other offensive security (GIAC, OffSec, etc)
- The Boring AppSec Podcast
- Absolute AppSec
- 404 Security Not Found
- Application Paranoia
- Where Warlocks Stay Up Late
- Cloud Security Podcast
- Darknet Diaries
COMING SOON
There are many regional and global online communities (Slack, Discord, etc) for various frameworks, programming languages, cybersecurity focuses, etc. These can be good places to network, talk shop, learn new ideas, and so on.
- OWASP
- Cloud Security Forum
- OWASP chapters
- BSides communities
- etc
- "Awesome" repositories on GitHub are curated lists of resources pertaining to a specific topic. When learning about a new topic it is often useful to find an awesome repository on the subject. Example: search "awesome cloud security" or "awesome mobile security" on GitHub.
- Ultimate DevSecOps library
- Alice and Bob Learn Application Security
- Misc cybersecurity books that I have enjoyed:
- The Code Book by Simon Singh
- The Cuckoo's Egg by Clifford Stoll
- Becoming an Ethical Hacker by Gary Rivlin