Regularly people ask me how to get into application security. That's why I though it would be a good idea to write down an overview of resources where I can refer interested people to in the future.
How I rolled into Appsec
I have a development background. I started with developing desktop applications, in my early professional career C++, then made the switch to C# development (Winforms and WPF applications) and later web development (ASP.NET MVC, ASP.NET web API,…).
With the shift to web applications the need for security increased and it was one of the things that really interested me. But the real trigger to make the switch to application security was the Hack Yourself First workshop from Troy Hunt that I followed several years ago. Not only the content of the course but also the knowledge and passion of Troy really inspired me. From then on it has been Appsec all the way :)
If you’re active in the application security domain, I really advice you to not limit yourself to reading and learning about Appsec. I know Information Security is very broad, but at least try to have a good overview of what’s going on in other domains, certainly the ones that touch Appsec.
That said, here are some things that work for me:
- Twitter is often my starting point (follow me there), because it’s the medium where in my opinion the most Infosec people are sharing a lot of knowledge, best practices and resources. Don’t limit yourself by following Infosec people only, it will narrow your view. Follow people that help you become better at AppSec. As an example, consider following some UX experts and learn about what good user experience is about. The next time you have to take security measures you can do so with usability best practices in the back of your mind. I recently also created a Mastodon account. Not very active on it yet, but seems promising. It’s a free, open source, decentralized micro-blogging network, comparable with Twitter but without all the ads and more privacy friendly in general. Check it out!
- Read security news. This often starts with clicking links on twitter. But I have several online security news sites I look at in the morning and at night and read what’s interesting me.
- Read blogs. Blogs are a great way to learn. While there certainly are news articles that give good insights, blogs are mostly more detailed. See appendix A for blogs that I often read. I plan to update the appendices with resources regularly.
- Write blogs: It doesn’t matter in which stage of your career you are. When you researched or implemented something, or just have particular insights about a certain topic, write about it. By doing so, you’ll notice that you’ll give more thought about the topic you’re covering, because you want to get your facts right. You’ll also expose yourself to feedback, people will tell you when you got something wrong. As far as I experienced, most people are constructive and their comments helped me to improve. So no need to fear. The first click on the ‘publish’ button is the hardest, afterwards it becomes natural.
I have still some blogs on Medium - that are not yet migrated to my website - and you can find some articles on Peerlyst as well.
- Chime in to posts from other people, not to show others “how good” you are at something, but give honest and constructive feedback. And again by doing so you’ll get discussions and feedback you’d otherwise wouldn’t get.
- Go to conferences, user groups, events,… Not only beneficial for the technical knowledge but certainly to get in touch with people in the same (and possibly other) domain(s). They can give you very valuable insights and often face the same challenges as you. Keep in mind that strong connections bring you a lot further in your career. If you don’t have enough money for the bigger conferences, local events like Bsides conferences or OWASP meetups are ideal because they’re inexpensive (or even free). See Appendix E.
- Watch conference talks online. On the sites of security conferences or on youtube you find heaps of good conference videos. See appendix F
- Watch screencasts, online training. See appendix B
- Exercise: To be a good defender you must know the weaknesses that can exist in applications and how to exploit them. There are sites specially developed for this. One I regularly use is Hack Yourself First, but there are many others (see appendix C).
- Listen to podcasts (see appendix D)
- Join online communities like Peerlyst or The Many Hats Club or the OWASP slack channel.
Appendix A: List of blogs
Troy Hunt: https://www.troyhunt.com
Graham Cluley: https://www.grahamcluley.com/
Scott Helme: https://scotthelme.co.uk/
Sean Wright: https://blog.sean-wright.com/
Mike Thompson: https://appsecbloke.com/
Lesley Carhart: https://tisiphone.net/
Bruce Schneier: https://www.schneier.com/
Bram Patelski: https://github.com/brampat/security
Francesco Cipollone: https://medium.com/@FrankSEC42
Audrey Bentley: https://www.bentleybiosec.com/
Daniel Miessler: https://danielmiessler.com (Also subscribe for his free newsletter “unsupervised learning” it’s really good)
Michal Spacek: https://www.michalspacek.com/
Xavier Mertens: https://blog.rootshell.be/
Troy Mursch: https://badpackets.net/
Chad Calease: https://chad.ch
Andy Gill: https://blog.zsec.uk/
Gary Williams: https://www.gdwnet.com/
Kim Crawley: Writes for different Infosec related sites. https://twitter.com/kim_crawley
Random Robbie: https://medium.com/@Random_Robbie
The AntiSocial Engineer: https://theantisocialengineer.com/blog/
Infosec Sherpa: https://medium.com/@InfoSecSherpa
Lisa Forte: https://red-goat.com/news/
F-Secure blog: https://blog.f-secure.com/
Appendix B: Online training
Youtube: contains a lot of good Appsec training material.
Philippe Deryck’s site: you can find a lot of really good training material there. He often updates with slides from the web application security training he gives and videos of his talks.
Appendix C: Train your hacking skills
Here you can find an overview of sites where you can legally practice your hacking skills.
Appendix D: Podcasts
Sans Daily Stormcast: daily overview of Infosec actuality, max 10 minutes
Appendix E: conferences
SecAppdev: Review 2019