Application Security Resources
This page distills the highlights. For the full, continuously updated list, see jassics/awesome-appsec-learning-resources and awesome-api-security-learning-resources on GitHub.
Use this page as the "go deeper" reference for the whole Application Security section - organized so you can jump straight to standards, papers, tools, or hands-on practice depending on what you need right now.
Standards & Verification Frameworks
| Framework | What It Covers |
|---|---|
| OWASP Top 10 (2025) | The canonical web application risk taxonomy - see OWASP Top 10 for the full deep dive |
| OWASP API Security Top 10 | API-specific risk taxonomy - see API Security |
| OWASP ASVS (Application Security Verification Standard) | Verifiable security requirements by risk level (L1/L2/L3) - see Secure Application Architecture |
| OWASP SAMM (Software Assurance Maturity Model) | Organization-level AppSec program maturity assessment, the counterpart to ASVS's per-system focus |
| OWASP Proactive Controls | Top defensive techniques for developers, ordered by importance |
| CWE Top 25 Most Dangerous Software Weaknesses | MITRE's data-driven ranking of the most impactful weakness classes |
| NIST SP 800-204 series | Microservices and API security guidance |
Books
| Book | Notes |
|---|---|
| Agile Application Security | Highly recommended - practical AppSec program building |
| The Web Application Hacker's Handbook | The classic reference for web exploitation |
| Threat Modeling: Designing for Security - Adam Shostack | The foundational threat modeling text - see Threat Modeling |
| Hacking APIs - Corey J. Ball | Widely regarded as the best starter book for API pentesting |
| API Security in Action - Neil Madden | Defensive, developer-focused: OAuth2, JWT, mTLS, gateways, rate limiting - see Authentication Security |
| Advanced API Security: OAuth 2.0 and Beyond - Prabath Siriwardena | Deep dive into OAuth2/OIDC/SCIM |
| The Tangled Web | Browser security model deep dive - see XSS & Client-Side Security |
| Application Security Program Handbook | For engineers/leads building a program, not just writing code |
Videos & Talks
- OWASP Global AppSec conference talks
- LocoMoco Security Conference - AppSec deep dives
- LiveOverflow - web/binary exploitation
- PwnFunction - web vulnerability concepts, including JWT attacks explained
- IppSec - HackTheBox walkthroughs
- OWASP API Security Top 10 - official walkthrough
- GraphQL Security - PortSwigger Research
- Scaling AppSec with Semgrep's taint mode - see SAST
Courses & Certifications
| Course / Cert | Provider |
|---|---|
| PortSwigger Web Security Academy | Free - the gold standard for structured, hands-on web vuln labs |
| APIsec University | Free - full curriculum including API Security Fundamentals and Pentesting |
| OWASP Juice Shop Companion Guide | Free walkthrough for OWASP's flagship vulnerable app |
| SANS SEC522: Defending Web Applications Security Essentials | Paid |
| SANS SEC540 / SEC542 / SEC642 | Paid, offensive-operations focused |
| Practical DevSecOps - Certified Application Security Practitioner | Paid, practitioner-level |
| AppSec Engineer - We Hack Purple / Tanya Janca | Paid |
| CASA - Certified API Security Analyst | Offensive, API-specific |
| CSSLP, ISSAP, CISSP | ISC2 - broader security architecture/lifecycle certs |
Tools
Deep dives on SAST and SCA tooling already live on this site - see SAST and SCA. Highlights and adjacent categories below.
Secrets Scanning
| Tool | Notes |
|---|---|
| gitleaks | Fast, widely used, easy CI integration |
| TruffleHog | Verifies many secret types live against the provider API |
| detect-secrets (Yelp) | Baseline-driven, good for large existing repos |
| git-secrets (AWS) | AWS-focused pattern set |
| GitGuardian | Commercial, org-wide scanning |
Threat Modeling Tools
See Threat Modeling for the methodology - these are the tools that operationalize it:
- OWASP Threat Dragon - free, DFD-based
- PyTM - threat modeling as code (Python)
- STRIDE GPT - LLM-assisted STRIDE generation
- Microsoft Threat Modeling Tool
API-Specific Tools
| Tool | Purpose |
|---|---|
| Kiterunner | Content discovery built specifically for API endpoints |
| Postman | The most-used tool for API exploration and scripted testing |
| Burp Suite + extensions | Pair with JWT Editor, Autorize (BOLA/BFLA detection), InQL (GraphQL), Param Miner |
| Schemathesis | Property-based fuzzing of OpenAPI/GraphQL schemas |
| RESTler (Microsoft) | Stateful REST API fuzzer |
| OWASP ZAP | Free, scriptable, with OpenAPI/GraphQL add-ons |
| Open Policy Agent (OPA) | Fine-grained authorization for APIs/microservices - see Authorization Security |
Hands-On Labs & CTFs
See AppSec Red Teaming & Practice Labs for methodology - here's the full practice-target list:
| Lab / CTF | Focus |
|---|---|
| PortSwigger Web Security Academy | Free, browser-based, comprehensive - start here |
| OWASP Juice Shop | Most popular intentionally vulnerable web app |
| WebGoat | OWASP's legacy but still useful Java learning app |
| DVWA - Damn Vulnerable Web App | Classic, configurable difficulty levels |
| Google Gruyere | Small, guided, good for absolute beginners |
| OWASP Security Shepherd | Mobile + web CTF platform |
| PentesterLab | Hands-on exercises, free and paid tiers |
| crAPI | Intentionally vulnerable API covering the full OWASP API Top 10 |
| VAmPI | Flask-based vulnerable REST API with vulnerable/secure modes |
| DVGA - Damn Vulnerable GraphQL Application | Essential for GraphQL-specific attacks |
| vAPI | Self-hosted API lab mapped to OWASP API Top 10 |
| HackTheBox: Intro to API Pentesting | Paid academy path |
Blogs, Newsletters & Communities
- OWASP Cheat Sheet Series - the single best ongoing reference for "how do I actually implement this control"
- tl;dr sec newsletter - Clint Gibler's weekly AppSec digest
- We Hack Purple - Tanya Janca's AppSec community and podcast
- APISecurity.io newsletter - weekly API security digest by 42Crunch
- PortSwigger Research - the source of most modern web cache deception, request smuggling, and API attack research
- BOLA - why it's the #1 API vulnerability
- 31 Days of API Security Tips (Inon Shkedy)
- API Security Checklist (Shieldfy) - a classic, widely cited checklist (some entries have aged, but the framework holds up)
This Site's Own AppSec Toolkit
jassics/awesome-claude-security is a Claude Code plugin marketplace with dedicated AppSec plugins you can install directly into a Claude Code session:
- web-app-security - OWASP Web Top 10, access control, injection testing
- api-security - OWASP API Top 10, BOLA/BFLA-focused review
- sast-sca - static analysis + dependency/SBOM review
- threat-modeling - STRIDE/PASTA-driven design review
Install with `/plugin marketplace add jassics/awesome-claude-security` inside a Claude Code session, then `/plugin install web-app-security@awesome-claude-security` (or any plugin above).
Where to Go Next on This Site
- Start from zero: AppSec Preliminary Concepts
- Core coding practice: Secure Coding, Secure Code Review, Cryptography
- Deep dives: Authentication Security, Authorization Security, Injection Security, XSS & Client-Side Security, Business Logic Security
- Architecture & design: Secure Application Architecture, Threat Modeling
- Tooling: API Security, SAST, SCA
- Practice: AppSec Red Teaming & Practice Labs
- Learn from the past: AppSec Real-World Incidents
Credits/References
- jassics/awesome-appsec-learning-resources - the full, continuously updated source this page distills
- jassics/awesome-api-security-learning-resources
- jassics/awesome-claude-security - Claude Code plugin marketplace for security work
- OWASP Foundation