Some useful application security resources

Regularly people ask me how to get into application security. That's why I though it would be a good idea to write down an overview of resources where I can refer interested people to in the future.

How I rolled into application security

I have a development background. I started with developing desktop applications, in my early professional career C++, then made the switch to C# development (Winforms and WPF applications) and later web development (ASP.NET MVC, ASP.NET web API,…).

With the shift to web applications the need for security increased and it was one of the things that really interested me. But the real trigger to make the switch to application security was the Hack Yourself First workshop from Troy Hunt that I followed several years ago. Not only the content of the course but also the knowledge and passion of Troy really inspired me. From then on it has been Appsec all the way :)


If you’re active in the application security domain, I really advice you to not limit yourself to reading and learning about Appsec. I know Information Security is very broad, but at least try to have a good overview of what’s going on in other domains, certainly the ones that touch Appsec.

That said, here are some things that work for me:

  • Twitter is often my starting point (follow me there), because it’s the medium where in my opinion the most Infosec people are sharing a lot of knowledge, best practices and resources. Don’t limit yourself by following Infosec people only, it will narrow your view. Follow people that help you become better at AppSec. As an example, consider following some UX experts and learn about what good user experience is about. The next time you have to take security measures you can do so with usability best practices in the back of your mind. I recently also created a Mastodon account. Not very active on it yet, but seems promising. It’s a free, open source, decentralized micro-blogging network, comparable with Twitter but without all the ads and more privacy friendly in general. Check it out!
  • Read security news. This often starts with clicking links on twitter. But I have several online security news sites I look at in the morning and at night and read what’s interesting me.
  • Read blogs. Blogs are a great way to learn. While there certainly are news articles that give good insights, blogs are mostly more detailed. See appendix A for blogs that I often read. I plan to update the appendices with resources regularly.
  • Write blogs: It doesn’t matter in which stage of your career you are. When you researched or implemented something, or just have particular insights about a certain topic, write about it. By doing so, you’ll notice that you’ll give more thought about the topic you’re covering, because you want to get your facts right. You’ll also expose yourself to feedback, people will tell you when you got something wrong. As far as I experienced, most people are constructive and their comments helped me to improve. So no need to fear. The first click on the ‘publish’ button is the hardest, afterwards it becomes natural.
  • Chime in to posts from other people, not to show others “how good” you are at something, but give honest and constructive feedback. And again by doing so you’ll get discussions and feedback you’d otherwise wouldn’t get.
  • Go to conferences, user groups, events,… Not only beneficial for the technical knowledge but certainly to get in touch with people in the same (and possibly other) domain(s). They can give you very valuable insights and often face the same challenges as you. Keep in mind that strong connections bring you a lot further in your career. If you don’t have enough money for the bigger conferences, local events like Bsides conferences or OWASP meetups are ideal because they’re inexpensive (or even free). See Appendix E.
  • Watch conference talks online. On the sites of security conferences or on youtube you find heaps of good conference videos. See appendix F
  • Watch screencasts, online training. See appendix B
  • Exercise: To be a good defender you must know the weaknesses that can exist in applications and how to exploit them. There are sites specially developed for this. One I regularly use is Hack Yourself First, but there are many others (see appendix C).
  • Listen to podcasts. See appendix D.
  • Subscribe to security newsletters. See appendix G.
  • Join online communities like The Many Hats Club or the OWASP slack channel.

Appendix A: List of blogs

Troy Hunt:

Graham Cluley:

Tanya Janca: Certainly check this one about Appsec resources

Scott Helme:

Sean Wright:

Mike Thompson:

Kevin Beaumont: and

Lesley Carhart:

Bruce Schneier:

Robert Baptiste aka Elliot Alderson:

Bram Patelski:

Francesco Cipollone:

Audrey Bentley:

Zoë Rose:

Alyssa Miller:

Daniel Miessler:

Michal Spacek:

Xavier Mertens:

Troy Mursch:

Chad Calease:

Gary Williams:

Random Robbie:

The AntiSocial Engineer:

Infosec Sherpa:

Lisa Forte:

F-Secure blog:


Read resources from trusted organizations like OWASP, NIST, NCSC UK

Appendix B: Online training

Pluralsight: Note: if you have a MSDN subscription you might be eligible for some free months Pluralsight access. Check it here.

Youtube: contains a lot of good Appsec training material.

Philippe Deryck’s website: you can find a lot of really good training material there. He often updates with slides from the web application security training he gives and videos of his talks.

PortSwigger offers a lot of free web application security training content on its Web Security Academy.

Hopper's Roppers offers free security training on their website.

Appendix C: Train your hacking skills

Hack Yourself First by Troy Hunt

Here you can find an overview of sites where you can legally practice your hacking skills.

Appendix D: Podcasts

The Unsupervised Learning Podcast by Daniel Miessler

Smashing Security Podcast by Graham Cluley and Carole Theriault

Weekly overview by Troy Hunt (both available as podcast or in video)

Sans Daily Stormcast: daily overview of Infosec actuality, max 10 minutes

Risky Business by Patrick Gray

Reply All Podcast by PJ Vogt and Alex Goldman

Defensive Security Podcast by Jerry Bell

Darknet Diaries by Jack Rhysider

The Many Hats Club Podcast

The Human Factor Podcast by Jenny Radcliffe

Purple Squad Security by John Svazic

A collection of security podcasts on InfoCon hacking conference audio and video archive

Appendix E: conferences

Bsides Manchester 2019

Bsides London 2019

SecAppdev 2019

Hack In The Box 2018: Review day 1 and day 2

Summary of 44 Owasp Appsec Cali 2019 talks by Clint Gibler

Appendix F: conference videos by Ministraitor by Irongeek hacking conference audio and video archive.

Appendix G: Security newsletters

My own weekly newsletter: John's security newsletter

Pentester Land: The 5 Hacking NewsLetter

Unsupervised learning by Daniel Miessler

InfoSecSherpa's newsletter by InfoSecSherpa

This week in security by Zack Whittaker

tl;dr sec Newsletter by Clint Gibler

Tanya Janca's Nerdy Mailing List by Tanya Janca

John Opdenakker

John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life