Edition 4: Application Security Study Plan

This study plan is based on milestones. So, check how much you can cover within the timeline. The more you cover the topics, the better candidate you are for the job role. Also, I assume you have already checked and are comfortable with?Common Security Skills study plan.

Just to make sure that everyone understands what you need to learn to be an Application Security Engineer. Application Security is different from Web Security or commonly people think of it as offensive security or pentesting. Though it needs some concepts aligned with pentester it's altogether a totally different skill set.

It is more towards shift left security including Threat Modeling, Secure Code Review, Secure Code Design, Training Developers, taking care of the overall SDL process, and of course OWASP Top 10 web and API security. I have another page specifically for?"API Security Study Plan"?because that skill also needs a good time to learn.

In short:

1. AppSec is not Pentesting (Penetration Testing) or Web Security (people use it generically).
2. Think more of a combination of developer and attacker
3. Talking to developers, giving training to them, or going through the code should not scare you.
4. Tougher than Pentesting (Topic of debate for another day)
5. Can write code for PoC, Exploit, or demo with comfort
6. API security should be your area of interest.

Usually, it will take you 6-12 months to be good at the Application Security fundamentals to get a job at entry level.

ToC:

1. Web Application Concepts?- 6 weeks
2. Threat Modeling?- 2-3 weeks
3. Secure Code Review?- 6-8 weeks
4. Cryptography?- 3 weeks
5. Security Development Lifecycle (SDL)?- 4 weeks
6. Books
7. Videos
8. Courses?- Try to complete at least 1-2 courses (1-2 months)
9. Certifications?- on your bandwidth and wish
10. Interview Questions
11. Networking Matters
12. Whom to follow on Twitter

Web Application Concepts

This topic will overlap with the concepts required for Pentesting, but you have to now think more of a defender than an offender. Go with your pace, but make sure you understand the basic web security concepts very well like HTTP Security Response headers, Bruteforce, CSRF, Injection, JWT, Cryptography, Hashing, Encoding, etc.

Basics

1. Understanding of?various HTTP methods, PUT vs POST, UPDATE vs PATCH, leverage OPTIONS method
2. Ability to?understand response status codes.
3. what if you got 200 when you tried something malicious
4. what can we do if we get 403
5. let's try to get a 500 status code, and why so? What will it reveal?
6. Try to understand each status code which as a pentester you would love to see.
7. Understand?HTTP headers very well, especially response headers. You would need it more often while doing pentest.
8. TCP 3-way handshake
9. How SSL works
10. Basics of security terminologies
11. Essentials Security Concepts

Security Concepts

You can find the majority of the security concepts at?OWASP Cheatsheet

Understand the fundamental concepts of what it is, how it can be vulnerable, and how you can either exploit it or mitigate it.

1. Understanding how proper implementation of AuthN and AuthZ contribute to robust security. What can an attacker do to exploit it and how to mitigate/defend it
2. How sessions and cookies work and how they can be vulnerable, bypassed, or even exploited
3. Understand how?session management?can be more secured
4. In-depth understanding of XSS from both perspectives exploit and mitigation
5. REST concepts like CRUD.
6. Different types of injections specially SQLi, RFI, LFI, RCE
7. Mass Assignment
8. Concepts like rate limit, brute force, replay attack, MITM, session fixation, session hijack, credential stuffing
9. CORS concepts
10. How can you prevent SSRF attacks
11. JWT Tokens in depth
12. Basic encoding, decoding, hashing
13. Good understanding of Cryptography and its implementation in an application
14. SAST vs SCA

Advance Level of application security skill sets

1. Very good at?OWASP Top 10 for Web 2021?and?OWASP Top 10 for API: 2019
2. Go through?OWASP Secure Code Review Guide, understand what to verify, and how to use this guide.
3. Very good at?OWASP ASVS?(Application Security Verification Standard), it's your job to make every developer aware of it and must use it while development.
4. Go through?OWASP Software Assurance Maturity Model?(OSAMM), if you aim for a security architect role.
5. Understand what causes?BOLA?and?BFLA?and try to be good at testing these vulnerabilities.
6. Various weak cipher suites, how to test, how to make developers aware of it
7. Authentication?and?Authorization
8. Advanced SQL Injection
9. XML Injection, JSON Injection
10. Understand?SAML?and LDAP Injection
11. NoSQL Injection
12. GraphQL Injection
13. XXE Attacks
14. Server-side Template Injection
15. Deserialization
16. CSP: Content Security Policy

Books

1. Agile Application Security
2. Application Security Program Handbook
3. Writing Secure Code
4. The Tangled Web: A Guide to Securing Modern Web Applications
5. Alice and Bob Learn Application Security
6. OWASP Code Review Guide

Videos

1. Introduction to Application Security
2. Scaling your AppSec Program with semgrep
3. Building an AppSec Program from the ground up by Snyk
4. Application Security - Understanding, Exploiting and Defending against Top Web Vulnerabilities by Cerner
5. Securing Web Application
6. Web Application Security: 10 things developers need to know
7. Application Security from SANS Institute

Courses

1. Software Security on Coursera
2. Cloud Application Security
3. Application Security Guide - Udemy
4. Sec522: Application Security: Securing Web Apps, APIs, and Microservices from SANS?Really nice one but costly.
5. Free OWASP Top 10 practice from Kontra Security

Certifications

1. CSSLP: Certified Secure Software Lifecycle Professional?Recommended
2. CASE: Certified Application Security Engineer?for Java and .NET professionals
3. GWEB: GIAC Certified Web Application Defender

Interview Questions

Possible Application Security interview questions?are shared at different GitHub repo to keep it aligned with?the career roadmap guide.

AppSec Tools

1. Checkmarx for SAST or HCL AppScan (Previously it was IBM AppScan)
2. Snyk Code for SAST and Snyk Open Source for SCA
3. git-secrets?or?gitleaks?or?trufflehog?to find out secrets
4. Chef Inspec
5. OWASP Dependency Check?is for SCA
6. Bandit for python code
7. Sonarqube for SAST?with a few plugins like?findsecbugs
8. RetireJS for JS libraries
9. Contrast for IAST solution
10. Coverity from Snyopsys
11. You must not ignore?Burp Suite Pro
12. Veracode
13. InSight from Rapid7

Networking matters

Once you are on track and now understand the heat, it's time to:

1. Make some good LinkedIn contacts from the application security domain.
2. Find a mentor or follow someone who shares blogs, tutorials, and talks on these topics.
3. Make connections through various security conferences online/offline
4. Publish some good appsec articles, which may be basic concepts, but you must publish them. Choose medium.com or something of your choice.
5. Join webinars, conferences, and newsletters.
6. Help someone who is still a beginner or struggling to understand appsec concepts. You will even learn better while guiding/helping others.

By the time you cover all these checklists, you will be already on your way to having a good start in the web security job role. All the best!

Whom to follow on Twitter

Why Twitter? Because you will see lots of security professionals very active here and sharing cool stuff often.

1. Jim Manico
2. Gyan Chawdhary
3. Abhay Bhargav
4. Inon Shkedy
5. Chris Romeo
6. Tanya Janca
7. Anant Shrivastava
8. Sanjeev Jaiswal
9. Defcon
10. Nullcon
11. OWASP

Follow me on LinkedIn Sanjeev Kumar Jaiswal and more details on the security study plan are listed on GitHub