Awesome AppSec Learning Resources

AppSec is the discipline of protecting an application against adversaries, using practices such as SAST, SCA, secure code review and security architecture. Attacking an application falls under web or application pentesting.

ToC

  1. Books
  2. Videos
  3. Free/Paid Courses
  4. Free/Paid Labs
  5. Security Tools
  6. Certifications
  7. Blogs/Articles

Books

  1. Agile Application Security - Highly Recommended
  2. The Web Application Hacker's Handbook
  3. Threat Modeling: Designing for Security
  4. Threat Modeling: A Practical Guide for Development Teams (an alternative to 3)
  5. The Tangled Web
  6. Web Security for Developers: Real Threats, Practical Defense
  7. Web Application Security: Exploitation and Countermeasures for Modern Web Applications
  8. Application Security Program Handbook: A Guide for Software Engineers and Team Leaders
  9. Enterprise Security Architect

Videos

  1. YouTube video on Semgrep's taint mode

Free/Paid Courses

  1. PortSwigger Web Security Academy

Free/Paid Labs

  1. https://application.security/ - free gamified challenges on API, web, cloud and front-end security
  2. Secure Code Warrior
  3. HackEDU
  4. OWASP Juice Shop
  5. Pentester Lab
  6. GitHub Security Lab
  7. Google Gruyere
  8. Django.nv
  9. DVWA

Security Tools

This section covers tools for SAST, SCA, OAST, threat modeling, secure code review, secrets detection and management, and similar tasks, grouped by category.

SAST

Open source

  1. Sonarqube
  2. Bandit
  3. Brakeman
  4. FindSecBugs
  5. Semgrep
  6. CodeQL

Paid

  7. Checkmarx
  8. Veracode
  9. Snyk
  10. Coverity

SCA

  1. OWASP Dependency Check
  2. Retire.js
  3. CycloneDX (SBOM standard and tooling, used as input to SCA)
  4. Snyk
  5. Checkmarx CxSCA
  6. JFrog Xray

Secrets

  1. GitLeaks
  2. TruffleHog
  3. Talisman
  4. Shhgit
  5. Repo-supervisor
  6. HashiCorp Vault (a secrets manager rather than a scanner)
  7. CyberArk Conjur (a secrets manager rather than a scanner)
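The scanners in this list (GitLeaks, TruffleHog, Talisman, Shhgit, Repo-supervisor) combine two detection techniques: fixed patterns for credentials with a known format, and Shannon entropy to catch generic random-looking literals assigned to secret-sounding names. As an added example, not code from any of those tools, the following Python implements both on a constructed sample file. The two rules, the 3.5-bit entropy threshold, the variable-name keywords and the sample configuration are assumptions for illustration; the AWS-style value is the example key used in AWS's own documentation, not a live credential.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Detection rules, as assumptions for this example (real scanners ship hundreds).
# 1. Fixed-format credential: AWS access key IDs begin with "AKIA" plus 16 characters.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# 2. Generic: a secret-looking variable assigned a quoted literal of 16+ characters.
GENERIC_ASSIGNMENT = re.compile(
    r"""\w*(password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*["']([^"']{16,})["']""",
    re.IGNORECASE,
)
# Bits per character; random hex is close to 4, random base64 close to 6 (assumed cut-off).
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character; 0 for empty or single-symbol strings."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be located without re-exposing the secret."""
    return value[:4] + "****"


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule_id, redacted_value) for every suspected secret in `text`.

    Fixed-format rules fire on the pattern alone; the generic rule additionally
    requires the literal to look random, which keeps placeholders such as
    "changeme" or "${DB_PASSWORD}" out of the report.
    """
    findings: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((line_no, "aws-access-key-id", redact(match.group(0))))
        for match in GENERIC_ASSIGNMENT.finditer(line):
            value = match.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "generic-high-entropy", redact(value)))
    return findings


# Constructed sample (not a real configuration). The AWS-style value is the
# example key from AWS's documentation, not a live credential.
SAMPLE_CONFIG = """\
# settings.py
DEBUG = False
db_password = "changeme"
API_TOKEN = "9f3a7c1e4b8d2f6a0c5e1b7d3a9f2c4e"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = "${DB_PASSWORD}"
"""

if __name__ == "__main__":
    for line_no, rule, shown in scan_text(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule}: {shown}")
```

On the sample this flags line 4 (a 32-character hex token at about 3.9 bits per character) and line 5 (the AKIA pattern), while the two placeholder passwords pass. The production tools differ from this sketch in two ways that matter operationally: they walk git history rather than only the working tree, because a secret removed in a later commit is still in the repository, and they support allowlists and baselines, since without them an entropy rule will flag hashes, UUIDs and test fixtures.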

Threat Modeling

  1. OWASP Threat Dragon
  2. SDElements
  3. IriusRisk
  4. Threagile
  5. ThreatModeler
  6. Microsoft Threat Modeling Tool
  7. STRIDE GPT
  8. ThreatSpec
  9. PyTM

Certifications

  1. CISSP - Certified Information Systems Security Professional
  2. CSSLP - Certified Secure Software Lifecycle Professional
  3. ISSAP - Information Systems Security Architecture Professional
  4. CASE - Certified Application Security Engineer (Java or .NET)
  5. CompTIA CASP+ - CompTIA Advanced Security Practitioner

Blogs/Articles

  1. Scaling your AppSec program with Semgrep
  2. Top 10 things to know about security as a software architect
  3. System design for security
  4. Top 25 software security errors
  5. Security prioritization
  6. CWE Top 25 (2023) list
  7. Open Policy Agent (OPA) documentation
  8. Semgrep documentation
  9. MITRE ATT&CK Defender (MAD) program
  10. A dive into web application authentication
  11. Taint analysis (taint checking)
  12. Log4j vulnerability walkthrough
  13. Zero-day exploitation of Confluence
  14. Cryptography module in Python
  15. Secure coding with Python
  16. Security concerns in modules and functions (OWASP, on GitHub)
  17. Hacking Python applications
  18. Secure design principles