Application security

Application Security Study Plan

A milestone-based AppSec roadmap for shift-left security, threat modeling, secure code review, secure design, developer enablement, SDL, OWASP Web, and API security.

Use this after Common Security Skills. AppSec is not just pentesting: it blends developer thinking, attacker mindset, design review, code review, and security program work.

Expected pace

6-12 months

Entry-level fundamentals.

AppSec mindset

AppSec is not pentesting or generic web security.

Think like both developer and attacker.

Talking to developers, training them, and reading code should feel normal.

AppSec can be tougher than pentesting depending on scope.

Write code for PoCs, exploits, or demos with comfort.

API security should be a core area of interest.

IAM knowledge helps with auth-related design and reviews.

Web Security Study Plan API Security Study Plan IAM Security Study Plan Mobile Application Security

Web Application Concepts Threat Modeling Secure Code Review Cryptography Security Development Lifecycle Books Videos Courses Certifications Interview Questions Application Security Tools Whom to Follow on Twitter

Section 1

Web Application Concepts

6 weeks

Learn web security fundamentals from a defender's lens: HTTP, headers, CSRF, injection, JWT, crypto, hashing, encoding, SAST, SCA, and mitigation patterns.

Week 1-2: Basics

HTTP methods, PUT vs POST, UPDATE vs PATCH, and OPTIONS method HTTP response status codes

Analyze what 200 means after malicious input.

Understand what to do after 403.

Trigger and understand 500 responses and what they reveal.

Learn status codes pentesters and defenders should care about.

HTTP headers, especially response headers

TCP 3-way handshake.

How SSL works.

Cybersecurity terminologies Essential security concepts

Week 3-4: Security Concepts

Use OWASP Cheat Sheet Series to learn what each issue is, how exploitation works, and how mitigation works.

OWASP Cheat Sheet Series

Authentication and authorization implementation, exploitation, mitigation, and defense.

Sessions and cookies: behavior, vulnerabilities, bypasses, and exploitation.

Session Management Cheat Sheet

XSS from exploit and mitigation perspectives.

REST concepts like CRUD.

SQLi, RFI, LFI, and RCE injection classes.

Mass assignment.

Rate limit, bruteforce, replay attack, MITM, session fixation, session hijack, and credential stuffing.

CORS concepts.

SSRF prevention.

JWT tokens in depth.

Encoding, decoding, and hashing basics.

Cryptography and application implementation.

SAST vs SCA.

Week 5-6: Advanced Application Security Skill Sets

OWASP Top 10 for Web 2021 OWASP Top 10 for API 2019 OWASP Secure Code Review Guide OWASP ASVS OWASP SAMMUseful for architect path BOLA causes and testing BFLA causes and testing

Weak cipher suites: test and educate developers.

Authentication Cheat Sheet Authorization Cheat Sheet

Advanced SQL injection.

XML Security Cheat Sheet

JSON injection.

SAML Security Cheat Sheet

LDAP injection.

NoSQL injection.

GraphQL Cheat Sheet XXE Prevention Cheat Sheet Server-side template injection Deserialization Cheat Sheet Content Security Policy Cheat Sheet

Section 2

Threat Modeling

2-3 weeks

Threat modeling is core AppSec work for finding design risks before implementation.

Threat Modeling Study Plan

Section 3

Secure Code Review

6-8 weeks

Secure code review helps AppSec engineers find security flaws directly in source code.

Secure Code Review Study Plan

Section 4

Cryptography

3 weeks

Cryptography knowledge helps with implementation reviews, storage, transport, secrets, and auth design.

Cryptography Study Plan

Section 5

Security Development Lifecycle

4 weeks

SDL ties AppSec work into planning, design, development, testing, release, and training.

Secure SDLC Study Plan

Section 6

Books

Use these books and guides to build AppSec program, secure design, and code review judgment.

Agile Application Security Application Security Program Handbook Writing Secure Code The Tangled Web Alice and Bob Learn Application Security OWASP Code Review Guide

Section 7

Videos

Use videos to reinforce AppSec program thinking, developer education, and web vulnerability defense.

Introduction to Application Security Scaling your AppSec Program with Semgrep Building an AppSec Program from the Ground Up by Snyk Application Security by Cerner Securing Web Application Web Application Security: 10 Things Developers Need to Know Application Security from SANS Institute

Section 8

Courses

1-2 months

Complete at least 1-2 courses. Prefer lab-backed and developer-focused AppSec training.

Software Security on Coursera Cloud Application Security Application Security Guide - Udemy SEC522 from SANSStrong but costly Free OWASP Top 10 practice from Kontra

Section 9

Certifications

Certifications can help with HR screening. AppSec skill still comes from practice and code comfort.

Section 10

Interview Questions

Prepare AppSec interview answers and align them with career roadmap expectations.

Application Security Interview Questions Security Skills Career Roadmap

Section 11

Application Security Tools

Know where each tool fits: SAST, SCA, secret scanning, IAST, DAST, code quality, and platform security.

Checkmarx for SAST or HCL AppScan.

Snyk Code for SAST and Snyk Open Source for SCA.

git-secrets gitleaks trufflehog Chef InSpec OWASP Dependency Check Bandit for Python SonarQube find-sec-bugs RetireJS Contrast IAST Coverity from Synopsys Burp Suite ProDo not ignore Veracode Insight from Rapid7

Section 12

Whom to Follow on Twitter

Follow AppSec and security professionals who share practical guidance and security content.

Jim Manico Gyan Chawdhary Abhay Bhargav Inon Shkedy Chris Romeo Tanya Janca Anant Shrivastava Sanjeev Jaiswal Defcon Nullcon OWASP