17 Resources You Can’t Miss When Starting Your Career in Application Security
When starting a career in cybersecurity, the broad resources available can quickly become overwhelming. Which organizations are reputable? What resources will have a tangible impact on my skills? These were some of the questions I encountered as I began my career in application security, so I thought others who are on the same journey would benefit from a roundup of the most helpful resources in AppSec.
These resources are focused on becoming a blue team/defensive application security (AppSec) engineer, not a web penetration tester/bug bounty hunter. Whenever people ask me how to get into application security, or I’m mentoring junior AppSec engineers, or developers want to be more security-minded, I provide these resources to them as a strong starting point.
These AppSec resources cover the following areas:
- Security fundamentals
- Web application fundamentals
- Top AppSec resources
- Hand-on activity
- Continuing education
- Professional organizations
Security Fundamentals before Starting in AppSec
It is important to have general security concepts down before we focus on the application domain. Security fundamentals are the foundation which AppSec is based on; this is the framework for describing AppSec vulnerabilities. Knowing these terms and patterns also helps when communicating with other AppSec and security professionals and having a consistent message in general.
This knowledge will also help when evaluating new features and scenarios in applications, and help judge how effective a fix is (or isn’t). This will lead to better conversations with both developers and leadership when you can explain why something is a vulnerability or why a particular fix did not fully remove the risk to the business.
Microsoft put together a free course on the basic foundational knowledge of security. It is a good place to start if you are thinking of starting a career in cybersecurity.
Cybersecurity for Beginners – a curriculum
https://github.com/microsoft/Security-101
Web Application Fundamentals
AppSec involves working primarily with developers in the development lifecycle. While you do not need to come from a development background, it is important to know how to code so you’re speaking the same language as the developers and engineers you’ll work with.
Coding
A lot of the foundational concepts, vulnerabilities, and recommendations are going to be at the code, design, and architectural levels. It is also important to know the impact of what is being asked of the developers.
I suggest knowing one compiled language and one scripting language.
Suggested languages:
- Compiled – Java or C#
- Scripted – Python or Go
If you are going to be working with web applications (as most AppSec positions do) then you will want to know HTML, CSS, and JavaScript.
The compiled language will help you when working with most development shops. The scripting language will help when you want to work with results from tools, script out tooling pipelines, and comes in handy around a tech shop.
Tip: I have found it invaluable when trying to understand some vulnerabilities to create an application that has the vulnerability, exploit it myself, then code the fix and know it worked. This has allowed me to get a better understanding of the vulnerability and better reason on how effective proposed fixes will be.
For these languages you do not need to be an expert in them, but you do need to know how to read them — understanding the different framework workflows, coding paradigms (idiosyncrasies), and effective ways of looking up documentation.
Top Resources when Starting an AppSec Engineer Career
This section contains the core foundational materials that will be used to build your knowledge and valuable resources when doing security reviews.
OWASP Top 10
https://owasp.org/www-project-top-ten
One of the most well-known lists in AppSec, this top 10 vulnerability list contains information on how to identify and remediate these categories. This list is a good starting point, but it’s important to know not to just focus on this list. While this list contains the most common vulnerabilities (in general), there are other vulnerabilities that need to be fixed as well. And for a specific company, their list might look different because of the different architectural, design, and coding standards they have in their organization.
OWASP Application Security Verification Standard (ASVS)
https://owasp.org/www-project-application-security-verification-standard
This document contains different controls that should be in an application, which is useful when talking about the design and architecture of an application and design requirements for developers. This is also a good list to use when reviewing code to see if any of these controls are missing or incomplete.
OWASP Proactive Controls
https://owasp.org/www-project-proactive-controls
This project provides areas of focus when looking at preventative controls that can help reduce or eliminate potential unknown future risks. It provides a helpful framework for creating best practices and secure coding guidelines for your organization.
IEEE Avoiding the Top 10 Software Security Design Flaws
https://cybersecurity.ieee.org/blog/2015/11/13/avoiding-the-top-10-security-flaws/
While there are a lot of resources out there when there is a code level mistake, this is specifically at the design/architecture level, making it especially useful for identifying common design flaws so software architects have a place to learn from others’ mistakes.
Honorable Mention: OWASP Cheat Sheet Series
https://owasp.org/www-project-cheat-sheets
This is a great resource for refreshing on a topic for yourself, or having a reference on hand to give to developers.
Web Information
Unless you already have a specific domain knowledge or an active interest in a different application type (e.g., embedded programming, thick client, etc.) it would be best to understand how the web works. This is the focus of most AppSec jobs today.
Mozilla has a good overview guide to HTTP: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP
Hands-On Activities to Help You Advance as an AppSec Engineer
The following projects provide training platforms where source code is presented, vulnerabilities identified, and remediations implemented.
OWASP Secure Code Dojo
The OWASP Secure Coding Dojo is an educational platform designed to teach secure coding practices to developers. This is a project that can be stood up locally. It comes with material already in it looking at vulnerabilities from the code perspective.
- Project: https://owasp.org/www-project-secure-coding-dojo/
- Demo/Live: https://securecodingdojo.owasp.org/public/index.html
SecDim
SecDim is a platform offering “Dev-Native Attack & Defence Wargames” to test and improve the security of software code in a controlled environment. You are provided with code/configuration files and need to identify the vulnerabilities and fix them. They are then run against unit tests to see if they meet the acceptance (security and non-security/functional tests).
https://secdim.com
Continuing Education in AppSec
Here are some interesting newsletters and podcasts to keep up with the latest security news and trends for both AppSec and general computer security topics.
Newsletters
AppSec Specific
tl;dr sec
https://tldrsec.com
This is a great curated list of articles, tools, and presentations on application security-related topics.
General Computer Security
This section contains some additional newsletters that have broader security topics than just AppSec. These focus on general (computer) security problems and company/nation policy and geopolitical level conversations. These would be valuable after you are comfortable with AppSec specific information.
Risky Business Newsletter
https://news.risky.biz
Three times a week newsletter that curates computer security news and does analysis on security events for the last several days. (There is also a podcast feed that provides a highlight of this newsletter.)
CRYPTO-GRAM
https://www.schneier.com/crypto-gram/
A monthly newsletter that focuses on general security/computer security topics.
Podcasts
AppSec Specific
Absolute Security
https://absoluteappsec.com
Two friends chatting about AppSec news and occasionally interview guests. They talk about application security specifically, some of the daily problems they have. At its core these are two friends that get together and talk about AppSec because they love it.
Application Security Podcast
https://appsec.buzzsprout.com
Another valuable resource that covers application security comes from people who have done a successful job (or lessons learned) when working in and on application security programs.
The Secure Developer
https://www.heavybit.com/library/podcasts/the-secure-developer
A developer-focused podcast on the intersection between development and security.
Generic Computer Security
These are podcasts that focus on either general computer security knowledge and/or companywide policies/leadership perspectives on topics.
Risky Business
https://risky.biz
Great weekly rundown of the week’s security news. Good commentary. The sponsored parts of the episodes are worth listening to. The hosts have them talk on a particular security area and let them pitch their product right at the end, it is really done well, and I do not skip those sections.
Defense in Depth
https://cisoseries.com/subscribe-podcast
This takes a particular IT topic from a CISO (Chief Information Security Officer) perspective.
Professional Organizations
It is a good idea to get involved in the AppSec community because you can stay up-to-date on the latest techniques for securing applications, new vulnerabilities and how to detect and defend against them, and increase your professional network. This is a small field, so getting your network of other AppSec individuals can help out when you want to learn a particular area or need advice on a problem you are facing. The above podcasts have Discord servers that you can join. There is also the OWASP Discord server and local chapters:
Local Chapters: https://owasp.org/chapters/
Final Thoughts
I consider this information to be foundational as the type of information I look for and expect of any level of AppSec engineer. This will help when doing the diverse activities inside of an AppSec team: manual code review, automated code review, handling bug bounty submissions, and all the other activities.
Keep learning by reading NetSPI’s Checklist for Application Security Program Maturity
Explore more blog posts
Q&A with Jonathan Armstrong: An Inside Look at CREST Accreditation
Explore the role of CREST accreditation in cybersecurity, its link to DORA, and insights from Jonathan Armstrong on its future in the security industry.
2025 Cybersecurity Trends That Redefine Resilience, Innovation, and Trust
Explore how 2025’s biggest cybersecurity trends—AI-driven attacks, deepfakes, and platformization—are reshaping the security landscape.
The Attack Surface is Changing – So Should Your Approach
Discover the pitfalls of DIY attack surface management and why NetSPI's solutions offer superior security and efficiency.