Edition 4: Application Security Study Plan
Sanjeev Kumar Jaiswal
+9k | Security Architecture | Application Security | Threat Modeling | Secure Coding | Secure Design
This study plan is based on milestones, so check how much you can cover within each timeline. The more of these topics you cover, the stronger a candidate you become for the job role. I also assume you have already gone through, and are comfortable with, the Common Security Skills study plan.
Just to make sure everyone understands what you need to learn to be an Application Security Engineer: Application Security is different from Web Security, and from what people commonly think of as offensive security or pentesting. Although it shares some concepts with pentesting, it is altogether a different skill set.
It leans more towards shift-left security: Threat Modeling, Secure Code Review, Secure Design, training developers, owning the overall SDL process, and of course the OWASP Top 10 for web and API security. I have a separate page specifically for the "API Security Study Plan", because that skill also takes a good amount of time to learn.
In short:
- AppSec is not Pentesting (Penetration Testing) or Web Security (people use the terms generically).
- Think of it more as a combination of developer and attacker.
- Talking to developers, training them, or going through their code should not scare you.
- Tougher than Pentesting (a topic of debate for another day).
- You can write code for a PoC, exploit, or demo with comfort.
- API security should be your area of interest.
Usually it takes 6-12 months to get good at the Application Security fundamentals needed for an entry-level job.
ToC:
- Web Application Concepts - 6 weeks
- Threat Modeling - 2-3 weeks
- Secure Code Review - 6-8 weeks
- Cryptography - 3 weeks
- Security Development Lifecycle (SDL) - 4 weeks
- Books
- Videos
- Courses - Try to complete at least 1-2 courses (1-2 months)
- Certifications - depending on your bandwidth and wish
- Interview Questions
- Networking Matters
- Whom to follow on Twitter
Web Application Concepts
This topic overlaps with the concepts required for Pentesting, but you now have to think more as a defender than as an attacker. Go at your own pace, but make sure you understand the basic web security concepts very well: HTTP security response headers, brute force, CSRF, injection, JWT, cryptography, hashing, encoding, etc.
Basics
- Understanding of the various HTTP methods: PUT vs POST, UPDATE vs PATCH, and how to leverage the OPTIONS method
- Ability to understand response status codes:
  - What if you get 200 when you try something malicious?
  - What can we do if we get 403?
  - Let's try to get a 500 status code: why does it happen, and what will it reveal?
  - Try to understand each status code that, as a pentester, you would love to see.
- Understand HTTP headers very well, especially response headers. You will need them often while doing a pentest.
- TCP 3-way handshake
- How SSL/TLS works
- Basics of security terminology
- Essential Security Concepts
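To turn the header and status-code items above into something you can actually run, here is an added example (my code, not from the article) that parses a raw HTTP response and flags missing or weak security response headers and cookie attributes. The sample response is constructed; the set of expected headers and the value checks are my choice, following the commonly recommended hardening headers, not anything the article prescribes.

```python
"""Audit the security-relevant response headers of a raw HTTP response.

Added example, not from the original article. SAMPLE_RESPONSE is constructed;
the EXPECTED header set is a common hardening baseline, not an exhaustive list.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample: a response from an app that has not hardened its headers yet.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers a defender expects on an HTML response, each with a value check.
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status_code, [(header_name_lower, value), ...]) for a raw response."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_headers(raw: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    _status, headers = parse_response(raw)
    present: Dict[str, str] = {}
    cookies: List[str] = []
    for name, value in headers:
        if name == "set-cookie":
            cookies.append(value)   # Set-Cookie may repeat, so collect separately
        else:
            present[name] = value

    findings: List[str] = []
    for name, is_ok in EXPECTED.items():
        if name not in present:
            findings.append(f"missing header: {name}")
        elif not is_ok(present[name]):
            findings.append(f"weak value for {name}: {present[name]!r}")

    # A Server banner with a version number is information disclosure.
    if "server" in present and any(ch.isdigit() for ch in present["server"]):
        findings.append(f"server header exposes version: {present['server']!r}")

    # Every cookie should carry Secure, HttpOnly and SameSite.
    for cookie in cookies:
        cname = cookie.split("=", 1)[0]
        attrs = {a.strip().lower().split("=")[0] for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {cname!r} lacks {flag}")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print(finding)
```

Run it against a saved response (for example one exported from Burp) by replacing SAMPLE_RESPONSE; the point of the exercise is to know, for each finding, which header fixes it and what the developer has to change.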
Security Concepts
You can find the majority of the security concepts in the OWASP Cheat Sheet Series.
Understand the fundamental concepts of what each item is, how it can be vulnerable, and how you can either exploit it or mitigate it.
- Understand how proper implementation of AuthN and AuthZ contributes to robust security: what an attacker can do to exploit weaknesses, and how to mitigate/defend them
- How sessions and cookies work, and how they can be vulnerable, bypassed, or even exploited
- Understand how session management can be made more secure
- In-depth understanding of XSS from both perspectives: exploitation and mitigation
- REST concepts like CRUD
- Different types of injection, especially SQLi, RFI, LFI, RCE
- Mass Assignment
- Concepts like rate limiting, brute force, replay attacks, MITM, session fixation, session hijacking, credential stuffing
- CORS concepts
- How you can prevent SSRF attacks
- JWT tokens in depth
- Basic encoding, decoding, hashing
- Good understanding of cryptography and its implementation in an application
- SAST vs SCA
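Mass Assignment from the list above is easiest to understand with the vulnerable and the hardened handler side by side. The following is an added example (not from the article): the User model, the PROFILE_FIELDS allow-list and the request payloads are constructed for illustration.

```python
"""Mass assignment: binding request fields onto a model without an allow-list.

Added example, not from the original article. User, PROFILE_FIELDS and the
payloads used below are constructed for illustration.
"""
from dataclasses import dataclass, fields
from typing import Any, Dict


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False   # privileged field that a profile update must never touch


# Fields a user may change on their own profile. Everything else is rejected.
PROFILE_FIELDS = frozenset({"email", "display_name"})


def update_profile_vulnerable(user: User, payload: Dict[str, Any]) -> User:
    """Before: copies every model field present in the request body onto the model.

    The framework-style convenience ("bind whatever matches") is exactly the bug:
    a client that adds "is_admin": true to the JSON body promotes itself.
    """
    known = {f.name for f in fields(User)}
    for key, value in payload.items():
        if key in known:
            setattr(user, key, value)
    return user


def update_profile_hardened(user: User, payload: Dict[str, Any]) -> User:
    """After: only allow-listed fields are bound; unexpected keys are rejected outright.

    Rejecting (rather than silently dropping) unknown keys also gives you a log
    event worth alerting on, since legitimate clients never send them.
    """
    extra = set(payload) - PROFILE_FIELDS
    if extra:
        raise ValueError(f"unexpected fields in profile update: {sorted(extra)}")
    for key in PROFILE_FIELDS & set(payload):
        setattr(user, key, payload[key])
    return user


if __name__ == "__main__":
    # Constructed request body: a normal field plus a privileged one.
    body = {"display_name": "bob", "is_admin": True}

    victim = User(id=1, email="alice@example.com", display_name="alice")
    update_profile_vulnerable(victim, body)
    print("vulnerable handler -> is_admin =", victim.is_admin)   # True

    user = User(id=2, email="bea@example.com", display_name="bea")
    try:
        update_profile_hardened(user, body)
    except ValueError as err:
        print("hardened handler ->", err)
    print("hardened handler -> is_admin =", user.is_admin)       # False
```

The same pattern applies to ORM helpers that accept a dict of attributes: define the allow-list per endpoint (a profile update and an admin user-edit screen have different lists), never derive it from the model's own field names.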
Advanced application security skill sets
- Very good at OWASP Top 10 for Web 2021 and OWASP Top 10 for API 2019
- Go through the OWASP Secure Code Review Guide; understand what to verify and how to use the guide.
- Very good at OWASP ASVS (Application Security Verification Standard); it's your job to make every developer aware of it and ensure they use it during development.
- Go through the OWASP Software Assurance Maturity Model (OWASP SAMM) if you aim for a security architect role.
- Understand what causes BOLA and BFLA, and try to be good at testing for these vulnerabilities.
- Various weak cipher suites: how to test for them, and how to make developers aware of them
- Authentication and Authorization
- Advanced SQL Injection
- XML Injection, JSON Injection
- Understand SAML and LDAP Injection
- NoSQL Injection
- GraphQL Injection
- XXE Attacks
- Server-side Template Injection
- Deserialization
- CSP: Content Security Policy
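For the CSP item above, the following added example (not from the article) parses a Content-Security-Policy header and flags the directives that undermine it, which is what you will be doing when reviewing a team's policy. Both sample policies are constructed, and the set of checks is my selection of common CSP pitfalls rather than anything the article specifies.

```python
"""Parse a Content-Security-Policy header and flag the directives that weaken it.

Added example, not from the original article. WEAK_POLICY and STRONG_POLICY are
constructed; the checks cover common pitfalls (inline script, wildcard sources,
missing fallback, plugin content, base-uri) and are not a complete CSP audit.
"""
from typing import Dict, List

# Constructed: looks protective, but effectively permits inline and remote script.
WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' https:; object-src *"

# Constructed: nonce-based policy with a restrictive fallback.
STRONG_POLICY = (
    "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
    "style-src 'self'; img-src 'self' data:; base-uri 'none'; frame-ancestors 'none'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    If a directive is repeated, browsers keep the first occurrence and ignore
    the rest, so setdefault() mirrors that behaviour.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def review_csp(header: str) -> List[str]:
    """Return human-readable findings for a policy; empty list means no issue found."""
    policy = parse_csp(header)
    findings: List[str] = []

    fallback = policy.get("default-src")
    if fallback is None:
        findings.append("no default-src: fetch directives you did not set have no restriction")
    elif "*" in fallback:
        findings.append("default-src allows any origin (*)")

    # Directives not set explicitly fall back to default-src.
    script = policy.get("script-src", fallback or [])
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script)
    # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
    # so it is only a finding when nothing overrides it.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows inline script without a nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows eval() and friends")
    for risky in ("*", "https:", "http:", "data:"):
        if risky in script:
            findings.append(f"script-src allows overly broad source {risky}")

    obj = policy.get("object-src", fallback or [])
    if obj != ["'none'"]:
        findings.append("object-src is not 'none' (plugin content permitted)")

    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(f"{label}: {review_csp(policy) or 'no findings'}")
```

When you hand these findings to developers, pair each one with the fix (move inline scripts to nonced blocks, replace scheme-wide sources with explicit hosts, add object-src 'none' and base-uri 'none'); a report that only lists problems is the pentester's job, not the AppSec engineer's.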
Books
Videos
- Introduction to Application Security
- Scaling your AppSec Program with semgrep
- Building an AppSec Program from the ground up by Snyk
- Application Security - Understanding, Exploiting and Defending against Top Web Vulnerabilities by Cerner
- Securing Web Application
- Web Application Security: 10 things developers need to know
- Application Security from SANS Institute
Courses
Certifications
- CSSLP: Certified Secure Software Lifecycle Professional (Recommended)
- CASE: Certified Application Security Engineer, for Java and .NET professionals
- GWEB: GIAC Certified Web Application Defender
Interview Questions
Possible Application Security interview questions are shared in a separate GitHub repo to keep them aligned with the career roadmap guide.
AppSec Tools
- Checkmarx for SAST, or HCL AppScan (previously IBM AppScan)
- Snyk Code for SAST and Snyk Open Source for SCA
- git-secrets, gitleaks, or trufflehog to find leaked secrets
- Chef InSpec
- OWASP Dependency-Check for SCA
- Bandit for Python code
- SonarQube for SAST, with a few plugins like FindSecBugs
- RetireJS for JS libraries
- Contrast as an IAST solution
- Coverity from Synopsys
- You must not ignore Burp Suite Pro
- Veracode
- InSight from Rapid7
Networking matters
Once you are on track and can feel the heat, it's time to:
- Make some good LinkedIn contacts from the application security domain.
- Find a mentor, or follow someone who shares blogs, tutorials, and talks on these topics.
- Make connections through various security conferences, online and offline.
- Publish some good AppSec articles. They may cover basic concepts, but you must publish them. Choose medium.com or a platform of your choice.
- Join webinars, conferences, and newsletters.
- Help someone who is still a beginner or struggling to understand AppSec concepts. You will learn even better while guiding/helping others.
By the time you cover all of these checklists, you will already be well on your way to a good start in the web security job role. All the best!
Whom to follow on Twitter
Why Twitter? Because you will see lots of security professionals very active here and sharing cool stuff often.
Follow me on LinkedIn (Sanjeev Kumar Jaiswal); more details on the security study plan are listed on GitHub.
Comments
Security Manager I at McKinsey & Company (9 months ago): This is epic, a very nice and well-structured approach to learn AppSec. Thank you Sanjeev Kumar Jaiswal! I have a plan to start AppSec and you gave me the complete path to start with.
Working towards an enjoyable career/job (1 year ago): Michael Thai
Simplifying AWS IAM, Founder k9security.io, Author: Effective IAM for AWS, Docker in Action, AWS Community Builder (1 year ago): Sanjeev - thanks for this introduction to AppSec. Where does developing secure IaC libraries for use by development teams fall? Asking because I saw lots of vulnerability identification tasks and tools, but much less on the 'solution' side.
Security Engineer at Confluent | Ex-PingSafe (SentinelOne) | Detection Engineering (1 year ago): This is epic, well structured.