Skip to content

Latest commit

 

History

History
161 lines (137 loc) · 11.6 KB

application-security-study-plan.md

File metadata and controls

161 lines (137 loc) · 11.6 KB
Raw

Application Security Study Plan

This study plan is based on milestones. So, check how much you can cover within the timeline. The more you cover the topics, the better candidate you are for the job role. Also, I assume you have already checked and are comfortable with Common Security Skills study plan.

Just to make sure that everyone understands what you need to learn to be an Application Security Engineer. Application Security is different from Web Security or commonly people think it as offensive security or pentesting. Though it needs some concepts aligned with pentester, it's altogether a totally different skill set.

It is more towards shift left security including Threat Modeling, Secure Code Review, Secure Code Design, Training Developers, taking care of overall SDL process, and of course OWASP Top 10 web and API security. I have another page specifically for "API Security Study Plan" because that skill also needs good time to learn.

In short:

  1. AppSec is not Pentesting (Penetration Testing) or Web Security (people use it generically).
  2. Think more of a combination of developer and attacker
  3. Talking to developers, giving training to them or going through the code should not scare you.
  4. Tougher than Pentesting (Topic of debate for another day)
  5. Can write code for PoC, Exploit or demo with comfort
  6. API security should be your area of interest.

Usually it will take you 6-12 months to be good at the Application Security fundamentals to get a job at entry level.

ToC:

  1. Web Application Concepts - 6 weeks
  2. Threat Modeling - 2-3 weeks
  3. Secure Code Review - 6-8 weeks
  4. Cryptography - 3 weeks
  5. Security Development Lifecycle (SDL) - 4 weeks
  6. Books
  7. Videos
  8. Courses - Try to complete at least 1-2 courses (1-2 months)
  9. Certifications - on your bandwidth and wish
  10. Interview Questions
  11. Application Security Tools
  12. Whom to follow on Twitter

Web Application Concepts

This topic will have an overlap with the concepts required for Pentesting, but you have to now think more of a defender than offender. Go with your pace, but make sure you understand the basic web security concepts very well like HTTP Security Response headers, Bruteforce, CSRF, Injection, JWT, Cryptography, Hashing, Encoding etc.

Basics

  1. Understanding of various HTTP methods, PUT vs POST, UPDATE vs PATCH, leverage OPTIONS method
  2. Ability to understand response status codes.
  3. what if you got 200, when you tried something malicious
  4. what can we do if we get 403
  5. let's try to get 500 status code, and why so? What will it reveal?
  6. Try to understand each status code which as a pentester you would love to see.
  7. Understand HTTP headers very well, especially response headers. You would need it more often while doing pentest.
  8. TCP 3 way handshake
  9. How SSL works
  10. Basics of security terminologies
  11. Essentials Security Concepts

Security Concepts

You can find the majority of the security concepts at OWASP Cheatsheet

Understand the fundamental concepts on what it is, how it can be vulnerable and how you can either exploit it or mitigate it.

  1. Understanding how proper implementation of AuthN and AuthZ contribute to robust security. What can an attacker do to exploit it and how to mitigate/defend it
  2. How session and cookies work and how it can be vulnerable, bypassed or even exploited
  3. Understand how session management can be more secured
  4. In-depth understanding of XSS from both perspective exploit and mitigation
  5. REST concepts like CRUD.
  6. Different types of injections specially SQLi, RFI,LFI, RCE
  7. Mass Assignment
  8. Concepts like rate limit, bruteforce, replay attack, MITM, session fixation, session hijack, credential stuffing
  9. CORS concepts
  10. How can you prevent SSRF attacks
  11. JWT Tokens in depth
  12. Basic of encoding, decoding, hashing
  13. Good understand of Cryptography and its implementation in application
  14. SAST vs SCA

Advance Level of application security skill sets

  1. Very good at OWASP Top 10 for Web 2021 and OWASP Top 10 for API: 2019
  2. Go through OWASP Secure Code Review Guide, understand what to verify and how to use this guide.
  3. Very good at OWASP ASVS (Application Security Verification Standard), it's your job to make every developer aware about it and must use while development.
  4. Go through OWASP Software Assurance maturity Model (OSAMM), if you aim for a security architect role.
  5. Understand what causes BOLA and BFLA and try to be good at testing these vulnerabilities.
  6. Various weak cipher suites, how to test, how to make developers aware about it
  7. Authentication and Authorization
  8. Advanced SQL Injection
  9. XML Injection, JSON Injection
  10. Understand SAML and LDAP Injection
  11. NoSQL Injection
  12. GraphQL Injection
  13. XXE Attacks
  14. Server-side Template Injection
  15. Deserialization
  16. CSP: Content Security Policy

Threat Modeling

Read Threat Modeling Study Plan

Secure Code Review

Read Secure Code Review

Cryptography

Read Cryptography

Security Development Lifecycle (SDL)

Read Security Development Lifecycle

Books

  1. Agile Application Security
  2. Application Security Program Handbook
  3. Writing Secure Code
  4. The Tangled Web: A Guide to Securing Modern Web Applications
  5. Alice and Bob Learn Application Security
  6. OWASP Code Review Guide

Videos

  1. Introduction to Application Security
  2. Scaling your AppSec Program with semgrep
  3. Building an AppSec Program from the ground up by Snyk
  4. Application Security - Understanding, Exploiting and Defending against Top Web Vulnerabilities by Cerner
  5. Securing Web Application
  6. Web Application Security: 10 things developers need to know
  7. Application Security from SANS Institute

Courses

  1. Software Security on Coursera
  2. Cloud Application Security
  3. Application Security Guide - Udemy
  4. Sec522: Application Security: Securing Web Apps, APIs, and Microservices from SANS Really nice one but costly.
  5. Free OWASP Top 10 practice from Kontra Security

Certifications

  1. CSSLP: Certified Secure Software Lifecycle Professional Recommended
  2. CASE: Certified Application Security Engineer for Java and .NET professionals
  3. GWEB: GIAC Certified Web Application Defender

Interview Questions

Possible Application Security interview questions is shared at different github repo to keep it aligned with career roadmap guide.

AppSec Tools

  1. Checkmarx for SAST or HCL AppSCan (Previously it was IBM AppScan)
  2. Snyk Code for SAST and Snyk Open Source for SCA
  3. git-secrets or gitleaks or trufflehog to find out secrets
  4. Chef Inspec
  5. OWASP Dependency Check is for SCA
  6. Bandit for python code
  7. Sonarqube for SAST with few plugins like findsecbugs
  8. RetireJS for JS libraries
  9. Contrast for IAST solution
  10. Coverity from Snyopsys
  11. You must not ignore Burp Suite Pro
  12. Veracode
  13. InSight from Rapid7

Whom to follow on twitter

Why twitter? Because you will see lots of security professionals very active here and sharing cool stuff often.

  1. Jim Manico
  2. Gyan Chawdhary
  3. Abhay Bhargav)
  4. Inon Shkedy
  5. Chris Romeo
  6. Tanya Janca
  7. Anant Shrivastava
  8. Defcon
  9. Nullcon
  10. OWASP