This is a continuation of my resource series of posts. Application security is the field I found a lot of interest in. This despite coming from the operations side of IT not development. Using the resources below I was able to get a job in application security.
I first realized I had an interest in appsec after reading a Troy Hunt post. Not only were things explained well, but I was also paying attention to every word in his blog posts. He has since branched out to more breach related content as the creator and maintainer of Have I Been Pwned. Still he has a lot of good appsec content. He has several courses on Pluralsight for beginners plus. He also does a weekly podcast that’s worth checking out.
The Open Web Application Security Project (OWASP) is the go to resource for AppSec. It’s a massive non-profit organization that has tons of projects, knowledge bases, cheat sheets, and more. There might even be a local OWASP chapter. There’s annual conferences to attend (I’ve never been). It’s the resource I recommend for people starting out.
Application Security Podcast
James Jardine puts on the DevelopSec podcast. The podcast is targeted at developers. It’s also consumable by security people. This podcast doesn’t release on a regular schedule. The Application Security podcast is also targeted at developers. It releases in seasons.
The first bit of AppSec training I got was the SANS SEC542 Web Application Penetration Testing and Ethical Hacking. It’s a lot of AppSec information, concluding with a Capture The Flag (CTF) exercise. I’d try to get your organization to pay for this as it’s several thousand dollars.
The Practical Web Application Penetration Testing course is a Tim Tomes course. He’s a former SANS instructor who puts on this training several times throughout the year in public and for organizations. It’s a great affordable course that Tim tries to keep up to date with relevant information.