Application Security Study Plan
This page is updated based on jassics/security-study-plan/application-security-study-plan
This study plan is based on milestones. Check how much you can cover within the timeline - the more topics you cover, the better a candidate you are for the job role. Also, I assume you have already checked and are comfortable with the Common Security Skills study plan.
Application Security is different from Web Security, and different from what most people think of as offensive security or pentesting. Though it needs some pentester-aligned concepts, it's a different skill set altogether.
It leans more toward shift-left security - Threat Modeling, Secure Code Review, Secure Code Design, training developers, owning the overall SDL process, and of course the OWASP Top 10 for Web and API security. There's a separate "API Security Study Plan" because that skill needs dedicated time too.
In Short
- AppSec is not Pentesting or Web Security Testing (people often use the terms interchangeably).
- Think more "combination of developer and attacker" than pure attacker.
- Talking to developers, training them, or reading their code should not scare you.
- Arguably tougher than pentesting (a topic of debate for another day).
- You should be comfortable writing code for a PoC, exploit, or demo.
- API security should be an area of interest - see the API Security guide on this site.
- A good understanding of Identity and Access Management (IAM) helps with auth-related design and reviews.
It usually takes 6-12 months of consistent study to be job-ready at the entry level.
ToC
- Web Application Concepts - 6 weeks
- Threat Modeling - 2-3 weeks
- Secure Code Review - 6-8 weeks
- Cryptography - 3 weeks
- Security Development Lifecycle (SDL) - 4 weeks
- Books
- Videos
- Courses - complete at least 1-2 courses (1-2 months)
- Certifications - optional, based on your goals
- Interview Questions
- AppSec Tools
- Whom to Follow on Twitter
Web Application Concepts
Duration: 6 weeks
This overlaps with pentesting concepts, but think more like a defender than an attacker. Go at your own pace, but make sure you deeply understand HTTP security response headers, brute force, CSRF, injection, JWT, cryptography, hashing, and encoding.
Week 1-2: Basics
- Understand the various HTTP methods - PUT vs POST, PUT vs PATCH, leveraging OPTIONS
- Understand response status codes:
  - What does a 200 mean when you tried something malicious?
  - What can you infer from a 403?
  - What does a 500 reveal, and why?
  - Understand every status code a pentester would love to see.
- Understand HTTP headers well, especially response headers
- TCP three-way handshake
- How SSL/TLS works
- Basics of security terminology
- Essential security concepts
Week 3-4: Security Concepts
Most of these concepts are covered at the OWASP Cheat Sheet Series. For each one, understand what it is, how it can be vulnerable, and how to exploit or mitigate it.
- How proper AuthN/AuthZ implementation contributes to robust security, what an attacker can exploit, and how to mitigate it
- How sessions and cookies work, and how they can be vulnerable, bypassed, or exploited
- Session management hardening
- In-depth XSS - both exploitation and mitigation
- REST concepts like CRUD
- Injection types, especially SQLi, RFI, LFI, RCE
- Mass assignment
- Rate limiting, brute force, replay attacks, MITM, session fixation, session hijacking, credential stuffing
- CORS
- SSRF prevention
- JSON Web Tokens (JWT) in depth
- Encoding, decoding, hashing basics
- Cryptography and its implementation in applications - see this site's Cryptography guide
- SAST vs SCA
Week 5-6: Advanced Application Security Skills
- Master OWASP Top 10 for Web (2021) and OWASP API Security Top 10
- Work through the OWASP Code Review Guide - what to verify and how
- Master OWASP ASVS - it's your job to make developers aware of it and use it during development
- Go through OWASP SAMM if you're aiming for a security architect role
- Understand what causes BOLA and BFLA, and get good at testing for them
- Weak cipher suites - how to test, and how to make developers aware
- Authentication and Authorization cheat sheets
- Advanced SQL injection
- XML injection, JSON injection
- SAML and LDAP injection
- NoSQL injection
- GraphQL injection
- XXE attacks
- Server-side template injection
- Deserialization
- Content Security Policy (CSP)
Threat Modeling
Read this site's Threat Modeling guide, or the deeper Threat Modeling Study Plan.
Secure Code Review
Read this site's Secure Code Review guide, or the Secure Code Review Study Plan.
Cryptography
Read this site's Cryptography guide, or the Cryptography Study Plan.
Security Development Lifecycle (SDL)
Read the Secure Software Development Lifecycle Study Plan.
Mobile Application Security
If you work with mobile apps (Android/iOS), also check the Mobile Application Security Study Plan.
Books
- Agile Application Security
- Application Security Program Handbook
- Writing Secure Code
- The Tangled Web: A Guide to Securing Modern Web Applications
- Alice and Bob Learn Application Security
- OWASP Code Review Guide
Videos
- Introduction to Application Security
- Scaling your AppSec Program with Semgrep
- Building an AppSec Program from the Ground Up by Snyk
- Application Security - Understanding, Exploiting and Defending Against Top Web Vulnerabilities by Cerner
- Securing Web Applications
- Web Application Security: 10 Things Developers Need to Know
- Application Security from SANS Institute
Courses
- Software Security on Coursera
- Cloud Application Security
- Application Security Guide - Udemy
- SEC522: Application Security - Securing Web Apps, APIs, and Microservices (SANS) - excellent but costly
- Free OWASP Top 10 practice from Kontra Security
Certifications
- CSSLP: Certified Secure Software Lifecycle Professional - Recommended
- CASE: Certified Application Security Engineer - Java and .NET tracks
- GWEB: GIAC Certified Web Application Defender
Interview Questions
Application Security interview questions are also maintained on GitHub as security-interview-questions, kept aligned with the wider cybersecurity-roadmap.
AppSec Tools
- Checkmarx or HCL AppScan (previously IBM AppScan) for SAST
- Snyk Code (SAST) and Snyk Open Source (SCA)
- git-secrets, gitleaks, or trufflehog for secret scanning
- Chef InSpec
- OWASP Dependency-Check for SCA
- Bandit for Python code
- SonarQube for SAST, with plugins like FindSecBugs
- RetireJS for JS libraries
- Contrast for IAST
- Coverity from Synopsys
- Burp Suite Pro - a must
- Veracode
- InsightAppSec from Rapid7
Whom to Follow on Twitter
Security professionals are very active on Twitter/X, sharing great content often:
- Jim Manico
- Gyan Chawdhary
- Abhay Bhargav
- Inon Shkedy
- Chris Romeo
- Tanya Janca
- Anant Shrivastava
- Sanjeev Jaiswal
- Defcon
- Nullcon
- OWASP
Practice next: jassics/security-study-plan for the latest updates to this plan, and jassics/security-interview-questions to test yourself before an interview.