Application Security Resources

This page distills the highlights.

For the full, continuously updated list, see jassics/awesome-appsec-learning-resources and awesome-api-security-learning-resources on GitHub.

Use this page as the "go deeper" reference for the whole Application Security section - organized so you can jump straight to standards, papers, tools, or hands-on practice depending on what you need right now.

Standards & Verification Frameworks

| Framework | What It Covers |
|---|---|
| OWASP Top 10 (2025) | The canonical web application risk taxonomy - see OWASP Top 10 for the full deep dive |
| OWASP API Security Top 10 | API-specific risk taxonomy - see API Security |
| OWASP ASVS (Application Security Verification Standard) | Verifiable security requirements by risk level (L1/L2/L3) - see Secure Application Architecture |
| OWASP SAMM (Software Assurance Maturity Model) | Organization-level AppSec program maturity assessment, the counterpart to ASVS's per-system focus |
| OWASP Proactive Controls | Top defensive techniques for developers, ordered by importance |
| CWE Top 25 Most Dangerous Software Weaknesses | MITRE's data-driven ranking of the most impactful weakness classes |
| NIST SP 800-204 series | Microservices and API security guidance |

Books

| Book | Notes |
|---|---|
| Agile Application Security | Highly recommended - practical AppSec program building |
| The Web Application Hacker's Handbook | The classic reference for web exploitation |
| Threat Modeling: Designing for Security - Adam Shostack | The foundational threat modeling text - see Threat Modeling |
| Hacking APIs - Corey J. Ball | Widely regarded as the best starter book for API pentesting |
| API Security in Action - Neil Madden | Defensive, developer-focused: OAuth2, JWT, mTLS, gateways, rate limiting - see Authentication Security |
| Advanced API Security: OAuth 2.0 and Beyond - Prabath Siriwardena | Deep dive into OAuth2/OIDC/SCIM |
| The Tangled Web | Browser security model deep dive - see XSS & Client-Side Security |
| Application Security Program Handbook | For engineers/leads building a program, not just writing code |

Videos & Talks

Courses & Certifications

| Course / Cert | Provider |
|---|---|
| PortSwigger Web Security Academy | Free - the gold standard for structured, hands-on web vuln labs |
| APIsec University | Free - full curriculum including API Security Fundamentals and Pentesting |
| OWASP Juice Shop Companion Guide | Free walkthrough for OWASP's flagship vulnerable app |
| SANS SEC522: Defending Web Applications Security Essentials | Paid |
| SANS SEC540 / SEC542 / SEC642 | Paid, offensive-operations focused |
| Practical DevSecOps - Certified Application Security Practitioner | Paid, practitioner-level |
| AppSec Engineer - We Hack Purple / Tanya Janca | Paid |
| CASA - Certified API Security Analyst | Offensive, API-specific |
| CSSLP, ISSAP, CISSP | ISC2 - broader security architecture/lifecycle certs |

Tools

Deep dives on SAST and SCA tooling already live on this site - see SAST and SCA. Highlights and adjacent categories below.

Secrets Scanning

| Tool | Notes |
|---|---|
| gitleaks | Fast, widely used, easy CI integration |
| TruffleHog | Verifies many secret types live against the provider API |
| detect-secrets (Yelp) | Baseline-driven, good for large existing repos |
| git-secrets (AWS) | AWS-focused pattern set |
| GitGuardian | Commercial, org-wide scanning |

Threat Modeling Tools

See Threat Modeling for the methodology - these are the tools that operationalize it:

API-Specific Tools

| Tool | Purpose |
|---|---|
| Kiterunner | Content discovery built specifically for API endpoints |
| Postman | The most-used tool for API exploration and scripted testing |
| Burp Suite + extensions | Pair with JWT Editor, Autorize (BOLA/BFLA detection), InQL (GraphQL), Param Miner |
| Schemathesis | Property-based fuzzing of OpenAPI/GraphQL schemas |
| RESTler (Microsoft) | Stateful REST API fuzzer |
| OWASP ZAP | Free, scriptable, with OpenAPI/GraphQL add-ons |
| Open Policy Agent (OPA) | Fine-grained authorization for APIs/microservices - see Authorization Security |

Hands-On Labs & CTFs

See AppSec Red Teaming & Practice Labs for methodology - here's the full practice-target list:

| Lab / CTF | Focus |
|---|---|
| PortSwigger Web Security Academy | Free, browser-based, comprehensive - start here |
| OWASP Juice Shop | Most popular intentionally vulnerable web app |
| WebGoat | OWASP's legacy but still useful Java learning app |
| DVWA - Damn Vulnerable Web App | Classic, configurable difficulty levels |
| Google Gruyere | Small, guided, good for absolute beginners |
| OWASP Security Shepherd | Mobile + web CTF platform |
| PentesterLab | Hands-on exercises, free and paid tiers |
| crAPI | Intentionally vulnerable API covering the full OWASP API Top 10 |
| VAmPI | Flask-based vulnerable REST API with vulnerable/secure modes |
| DVGA - Damn Vulnerable GraphQL Application | Essential for GraphQL-specific attacks |
| vAPI | Self-hosted API lab mapped to OWASP API Top 10 |
| HackTheBox: Intro to API Pentesting | Paid academy path |

Blogs, Newsletters & Communities

This Site's Own AppSec Toolkit

jassics/awesome-claude-security is a Claude Code plugin marketplace with dedicated AppSec plugins you can install directly into a Claude Code session:

  • web-app-security - OWASP Web Top 10, access control, injection testing
  • api-security - OWASP API Top 10, BOLA/BFLA-focused review
  • sast-sca - static analysis + dependency/SBOM review
  • threat-modeling - STRIDE/PASTA-driven design review

Install with /plugin marketplace add jassics/awesome-claude-security inside a Claude Code session, then /plugin install web-app-security@awesome-claude-security (or any plugin above).

Where to Go Next on This Site

Credits/References

  1. jassics/awesome-appsec-learning-resources - the full, continuously updated source this page distills
  2. jassics/awesome-api-security-learning-resources
  3. jassics/awesome-claude-security - Claude Code plugin marketplace for security work
  4. OWASP Foundation