Regularly people ask me how to get into application security. That's why I though it would be a good idea to write down an overview of resources where I can refer interested people to in the future.
How I rolled into application security
I have a development background. I started with developing desktop applications, in my early professional career C++, then made the switch to C# development (Winforms and WPF applications) and later web development (ASP.NET MVC, ASP.NET web API,…).
With the shift to web applications the need for security increased and it was one of the things that really interested me. But the real trigger to make the switch to application security was the Hack Yourself First workshop from Troy Hunt that I followed several years ago. Not only the content of the course but also the knowledge and passion of Troy really inspired me. From then on it has been Appsec all the way :)
If you’re active in the application security domain, I really advice you to not limit yourself to reading and learning about Appsec. I know Information Security is very broad, but at least try to have a good overview of what’s going on in other domains, certainly the ones that touch Appsec.
That said, here are some things that work for me:
- Twitter is often my starting point (follow me there), because it’s the medium where in my opinion the most Infosec people are sharing a lot of knowledge, best practices and resources. Don’t limit yourself by following Infosec people only, it will narrow your view. Follow people that help you become better at AppSec. As an example, consider following some UX experts and learn about what good user experience is about. The next time you have to take security measures you can do so with usability best practices in the back of your mind. I recently also created a Mastodon account. Not very active on it yet, but seems promising. It’s a free, open source, decentralized micro-blogging network, comparable with Twitter but without all the ads and more privacy friendly in general. Check it out!
- Read security news. This often starts with clicking links on twitter. But I have several online security news sites I look at in the morning and at night and read what’s interesting me.
- Read blogs. Blogs are a great way to learn. While there certainly are news articles that give good insights, blogs are mostly more detailed. See appendix A for blogs that I often read. I plan to update the appendices with resources regularly.
- Write blogs: It doesn’t matter in which stage of your career you are. When you researched or implemented something, or just have particular insights about a certain topic, write about it. By doing so, you’ll notice that you’ll give more thought about the topic you’re covering, because you want to get your facts right. You’ll also expose yourself to feedback, people will tell you when you got something wrong. As far as I experienced, most people are constructive and their comments helped me to improve. So no need to fear. The first click on the ‘publish’ button is the hardest, afterwards it becomes natural.
- Chime in to posts from other people, not to show others “how good” you are at something, but give honest and constructive feedback. And again by doing so you’ll get discussions and feedback you’d otherwise wouldn’t get.
- Go to conferences, user groups, events,… Not only beneficial for the technical knowledge but certainly to get in touch with people in the same (and possibly other) domain(s). They can give you very valuable insights and often face the same challenges as you. Keep in mind that strong connections bring you a lot further in your career. If you don’t have enough money for the bigger conferences, local events like Bsides conferences or OWASP meetups are ideal because they’re inexpensive (or even free). See Appendix E.
- Watch conference talks online. On the sites of security conferences or on youtube you find heaps of good conference videos. See appendix F
- Watch screencasts, online training. See appendix B
- Exercise: To be a good defender you must know the weaknesses that can exist in applications and how to exploit them. There are sites specially developed for this. One I regularly use is Hack Yourself First, but there are many others (see appendix C).
- Listen to podcasts. See appendix D.
- Subscribe to security newsletters. See appendix G.
- Join online communities like The Many Hats Club or the OWASP slack channel.
Appendix A: List of blogs
Troy Hunt: https://www.troyhunt.com
Graham Cluley: https://www.grahamcluley.com
Tanya Janca: https://medium.com/@shehackspurple. Certainly check this one about Appsec resources
Scott Helme: https://scotthelme.co.uk
Sean Wright: https://blog.sean-wright.com
Mike Thompson: https://appsecbloke.com
Kevin Beaumont: https://doublepulsar.com and https://medium.com/@GossiTheDog
Lesley Carhart: https://tisiphone.net
Bruce Schneier: https://www.schneier.com
Robert Baptiste aka Elliot Alderson: https://medium.com/@fs0c131y
Bram Patelski: https://github.com/brampat/security
Francesco Cipollone: https://medium.com/@FrankSEC42
Audrey Bentley: https://www.bentleybiosec.com
Zoë Rose: https://www.rosesec.com/blog
Alyssa Miller: https://alyssasec.com
Daniel Miessler: https://danielmiessler.com
Michal Spacek: https://www.michalspacek.com
Xavier Mertens: https://blog.rootshell.be
Troy Mursch: https://badpackets.net
Chad Calease: https://chad.ch
Gary Williams: https://www.gdwnet.com
Random Robbie: https://medium.com/@Random_Robbie
The AntiSocial Engineer: https://theantisocialengineer.com/blog
Infosec Sherpa: https://medium.com/@InfoSecSherpa
Lisa Forte: https://red-goat.com/news
F-Secure blog: https://blog.f-secure.com
Read resources from trusted organizations like OWASP, NIST, NCSC UK
Appendix B: Online training
Pluralsight: www.pluralsight.com. Note: if you have a MSDN subscription you might be eligible for some free months Pluralsight access. Check it here.
Youtube: contains a lot of good Appsec training material.
Philippe Deryck’s website: you can find a lot of really good training material there. He often updates with slides from the web application security training he gives and videos of his talks.
PortSwigger offers a lot of free web application security training content on its Web Security Academy.
Hopper's Roppers offers free security training on their website.
Appendix C: Train your hacking skills
Hack Yourself First by Troy Hunt
Here you can find an overview of sites where you can legally practice your hacking skills.
Appendix D: Podcasts
The Unsupervised Learning Podcast by Daniel Miessler
Smashing Security Podcast by Graham Cluley and Carole Theriault
Weekly overview by Troy Hunt (both available as podcast or in video)
Sans Daily Stormcast: daily overview of Infosec actuality, max 10 minutes
Risky Business by Patrick Gray
Reply All Podcast by PJ Vogt and Alex Goldman
Defensive Security Podcast by Jerry Bell
Darknet Diaries by Jack Rhysider
The Human Factor Podcast by Jenny Radcliffe
Purple Squad Security by John Svazic
A collection of security podcasts on InfoCon hacking conference audio and video archive
Appendix E: conferences
Hack In The Box 2018: Review day 1 and day 2
Summary of 44 Owasp Appsec Cali 2019 talks by Clint Gibler
Appendix F: conference videos
https://administraitor.video by Ministraitor
https://www.irongeek.com by Irongeek
https://infocon.org/cons hacking conference audio and video archive.
Appendix G: Security newsletters
My own weekly newsletter: John's security newsletter
Pentester Land: The 5 Hacking NewsLetter
Unsupervised learning by Daniel Miessler
InfoSecSherpa's newsletter by InfoSecSherpa
This week in security by Zack Whittaker
tl;dr sec Newsletter by Clint Gibler