Application Security Study Plan

This page is updated based on jassics/security-study-plan/application-security-study-plan

This study plan is based on milestones. Check how much you can cover within the timeline - the more topics you cover, the better a candidate you are for the job role. Also, I assume you have already checked and are comfortable with the Common Security Skills study plan.

Application Security is different from Web Security, and different from what most people think of as offensive security or pentesting. Though it needs some pentester-aligned concepts, it's a different skill set altogether.

It leans more toward shift-left security - Threat Modeling, Secure Code Review, Secure Code Design, training developers, owning the overall SDL process, and of course the OWASP Top 10 for Web and API security. There's a separate "API Security Study Plan" because that skill needs dedicated time too.

In Short

  1. AppSec is not Pentesting or Web Security Testing (people often use the terms interchangeably).
  2. Think more "combination of developer and attacker" than pure attacker.
  3. Talking to developers, training them, or reading their code should not scare you.
  4. Arguably tougher than pentesting (a topic of debate for another day).
  5. You should be comfortable writing code for a PoC, exploit, or demo.
  6. API security should be an area of interest - see the API Security guide on this site.
  7. A good understanding of Identity and Access Management (IAM) helps with auth-related design and reviews.

It usually takes 6-12 months of consistent study to be job-ready at the entry level.

ToC

  1. Web Application Concepts - 6 weeks
  2. Threat Modeling - 2-3 weeks
  3. Secure Code Review - 6-8 weeks
  4. Cryptography - 3 weeks
  5. Security Development Lifecycle (SDL) - 4 weeks
  6. Books
  7. Videos
  8. Courses - complete at least 1-2 courses (1-2 months)
  9. Certifications - optional, based on your goals
  10. Interview Questions
  11. AppSec Tools
  12. Whom to Follow on Twitter

Web Application Concepts

Duration: 6 weeks

This overlaps with pentesting concepts, but think more like a defender than an attacker. Go at your own pace, but make sure you deeply understand HTTP security response headers, brute force, CSRF, injection, JWT, cryptography, hashing, and encoding.

Week 1-2: Basics

  1. Understand various HTTP methods - PUT vs POST, UPDATE vs PATCH, leveraging OPTIONS
  2. Understand response status codes:
     - What does a 200 mean when you tried something malicious?
     - What can you infer from a 403?
     - What does a 500 reveal, and why?
     - Understand every status code a pentester would love to see.
  3. Understand HTTP headers well, especially response headers
  4. TCP three-way handshake
  5. How SSL/TLS works
  6. Basics of security terminology
  7. Essential security concepts

Week 3-4: Security Concepts

Most of these concepts are covered at the OWASP Cheat Sheet Series. For each one, understand what it is, how it can be vulnerable, and how to exploit or mitigate it.

  1. How proper AuthN/AuthZ implementation contributes to robust security, what an attacker can exploit, and how to mitigate it
  2. How sessions and cookies work, and how they can be vulnerable, bypassed, or exploited
  3. Session management hardening
  4. In-depth XSS - both exploitation and mitigation
  5. REST concepts like CRUD
  6. Injection types, especially SQLi, RFI, LFI, RCE
  7. Mass assignment
  8. Rate limiting, brute force, replay attacks, MITM, session fixation, session hijacking, credential stuffing
  9. CORS
  10. SSRF prevention
  11. JWTs in depth
  12. Encoding, decoding, hashing basics
  13. Cryptography and its implementation in applications - see this site's Cryptography guide
  14. SAST vs SCA

Week 5-6: Advanced Application Security Skills

  1. Master OWASP Top 10 for Web (2021) and OWASP API Security Top 10
  2. Work through the OWASP Code Review Guide - what to verify and how
  3. Master OWASP ASVS - it's your job to make developers aware of it and use it during development
  4. Go through OWASP SAMM if you're aiming for a security architect role
  5. Understand what causes BOLA and BFLA, and get good at testing for them
  6. Weak cipher suites - how to test, and how to make developers aware
  7. Authentication and Authorization cheat sheets
  8. Advanced SQL injection
  9. XML injection, JSON injection
  10. SAML and LDAP injection
  11. NoSQL injection
  12. GraphQL injection
  13. XXE attacks
  14. Server-side template injection
  15. Deserialization
  16. Content Security Policy (CSP)

Threat Modeling

Read this site's Threat Modeling guide, or the deeper Threat Modeling Study Plan.

Secure Code Review

Read this site's Secure Code Review guide, or the Secure Code Review Study Plan.

Cryptography

Read this site's Cryptography guide, or the Cryptography Study Plan.

Security Development Lifecycle (SDL)

Read the Secure Software Development Lifecycle Study Plan.

Mobile Application Security

If you work with mobile apps (Android/iOS), also check the Mobile Application Security Study Plan.

Books

  1. Agile Application Security
  2. Application Security Program Handbook
  3. Writing Secure Code
  4. The Tangled Web: A Guide to Securing Modern Web Applications
  5. Alice and Bob Learn Application Security
  6. OWASP Code Review Guide

Videos

  1. Introduction to Application Security
  2. Scaling your AppSec Program with Semgrep
  3. Building an AppSec Program from the Ground Up by Snyk
  4. Application Security - Understanding, Exploiting and Defending Against Top Web Vulnerabilities by Cerner
  5. Securing Web Applications
  6. Web Application Security: 10 Things Developers Need to Know
  7. Application Security from SANS Institute

Courses

  1. Software Security on Coursera
  2. Cloud Application Security
  3. Application Security Guide - Udemy
  4. SEC522: Application Security - Securing Web Apps, APIs, and Microservices (SANS) - excellent but costly
  5. Free OWASP Top 10 practice from Kontra Security

Certifications

  1. CSSLP: Certified Secure Software Lifecycle Professional - Recommended
  2. CASE: Certified Application Security Engineer - Java and .NET tracks
  3. GWEB: GIAC Certified Web Application Defender

Interview Questions

Application Security interview questions are also maintained on GitHub as security-interview-questions, kept aligned with the wider cybersecurity-roadmap.

AppSec Tools

  1. Checkmarx or HCL AppScan (previously IBM AppScan) for SAST
  2. Snyk Code (SAST) and Snyk Open Source (SCA)
  3. git-secrets, gitleaks, or trufflehog for secret scanning
  4. Chef InSpec
  5. OWASP Dependency-Check for SCA
  6. Bandit for Python code
  7. SonarQube for SAST, with plugins like FindSecBugs
  8. RetireJS for JS libraries
  9. Contrast for IAST
  10. Coverity from Synopsys
  11. Burp Suite Pro - a must
  12. Veracode
  13. InsightAppSec from Rapid7

Whom to Follow on Twitter

Security professionals are very active on Twitter/X, sharing great content often:

  1. Jim Manico
  2. Gyan Chawdhary
  3. Abhay Bhargav
  4. Inon Shkedy
  5. Chris Romeo
  6. Tanya Janca
  7. Anant Shrivastava
  8. Sanjeev Jaiswal
  9. Defcon
  10. Nullcon
  11. OWASP

Practice next: jassics/security-study-plan for the latest updates to this plan, and jassics/security-interview-questions to test yourself before an interview.