Application Security Knowledgebase
A space to curate resources, blogs, and articles on application security, engineering and automation. Feel free to recommend me more resources, as I plan to keep this space updated.
General Articles & Career
Security Principles & Fundamentals
Building AppSec Programs
- How to start an AppSec Program with the OWASP Top 10
- How to build a successful application security program
- Building an Application Security Team
- Building An AppSec Program - People To Know
- Application Security Review Process – A Case Study
- Appsec Development: Keeping it all together at scale
- The future of AppSec and why I joined r2c
- Four levels of maturity that bridge the AppSec/engineering divide
- Part 1 — Defensive Application Security in a Modern Era
- Part 2 — Building an Application Security Programme
- CISO’s Guide to a Modern AppSec Program
- Boosting Security Excellence: How OKRs Drive Results in Application Security and DevSecOps
Product Security
Secure SDLC & DevSecOps
Developer Relations & Engineering Culture
- Why developers dislike security - and what you can do about it
- AppSec, We Have a Problem: Not Everyone Knows How to Code
- AppSec Should Focus on Providing Clarity for Engineers
- Shifting Engineering Right: What security engineers can learn from DevSecOps
- “Earn influence, don’t mandate it” – a conversation with Figma’s Devdatta Akhawe
- How to be a security person that engineers don’t hate
- Developer Experience Is Security
- Secure Development Is Dead, Long Live Secure Development
- DevEx: What Actually Drives Productivity
Security Culture & Teams
Security Champions
- Adobe’s 2020 Security Champions Summit
- How to Scale Application Security and Build Security Champions
- Is your champions program running out of steam?
- Security Champions: Why Do We Need Them and What Role Do They Play?
- Part 3 — Tackling Security Culture and Awareness
- Part 4 — Delivering an Application Security Training Course
Bug Bounty Programs
- One Year With a Private Bug Bounty Program at FINN.no
- How we run our bug bounty program at Segment
- Reflecting on the five years of Bug Bounty at Grab
- Running a Successful Bug Bounty Program
- Seven years of the GitHub Security Bug Bounty program
- Twilio’s Bug Bounty Program: Where we are and where we’re going
- Bug Bounty 5 years in
- Setting up bug bounties for success
- Where is your responsible disclosure page?
- Part 5 — A Comprehensive Guide to Running a Bug Bounty Program
Security Testing & Tooling
- Why Don’t Software Developers Use Static Analysis Tools to Find Bugs?
- Modern Static Analysis: how the best tools empower creativity
- Application Security Testing Belongs in the CI Pipeline
- Dynamic Application Security Testing(DAST): Overview and Tooling Guide
- Changing Security Tool Requirements in the New DevSecOps World
- Software Security at Rocketship Pace
- A Guide On Implementing An Effective SAST Workflow
- Building a SAST program at Razorpay’s scale
- Modernizing LinkedIn’s Static Application Security Testing Capabilities to protect our members
- Unpacking Application Security: A Comprehensive Threat Modeling Guide
- 10 Types of Application Security Testing Tools: When and How to Use Them
- SAST, DAST, IAST and Feedback-Based Fuzzing
- How we threat model - GitHub
- Threat Modeling: 12 Available Methods
Leadership & Strategy
Case Studies & Real-World Examples
- The More Things Change: 18 Years of AppSec in the Trenches
- What I Learned Watching All 44 AppSec Cali 2019 Talks
- How Flipkart Reacts to Security Vulnerabilities
- Log4Shell: Redefining Painful Disclosure
- The Gift of It’s Your Problem Now
- Discoveries as a Result of the Log4j Debacle
- LOG4J / LOG4SHELL (PART 1): MISCONCEPTIONS
- Log4j: It’s worse than you think
- Reddit Discussion on the pain about Log4j
Newsletters
Blogs/Websites
- tl;dr sec
- BoringAppSec
- Better AppSec
- r2c blog
- Phil Venables’ Website
- CloudSecDocs
- Scott Contini’s Blog
- Adam Shostack’s personal homepage
- Appsecco Blog
- Madhu Akula’s website
- securing.dev
- Abhay Bhargav’s website
- we45 blog
- NotSoSecure Blog
- anantshri’s website
- Rohit Salecha’s website
- Abhisek Datta’s website
- Leif Dreizlers’ Blog
- Brook Schoenfield’s Website
- Security - Dropbox Tech Blog
- Security – Netflix Tech Blog
- Security - Slack Engineering Blog
- Gitlab’s information security team’s handbook
- Security @ Adobe
- RIPS Technologies Blog
- Cloud Security Reading List
- APIsecurity.io
- Bug Bounty Community of Interest
- Collin Greene’s Website
- Julian Berton’s Website
- Patrick Debois’s Blog
- Keith Hoodlet’s Blogs
- Anshuman Bhartiya’s Website
- The AppSec and Startup focused blog by Chris Romeo
- Rethink Security
- Crash Override
- Brian Vermeer’s blog
- Jacob Kaplan-Moss’s website
- GitHub Engineering - Platform security
Resources & Guides
- OWASP Cheat Sheet Series
- Resources for Application Security
- Some Useful AppSec Resources
- Managing a DevSecOps Pipeline with Secure Development and Operations by Priyam Singh
- Cloud Native DevSecOps by Priyam Singh
- DevSecOps University(DevSecOps learning resources)
- How to turn developers into security champions
- Security Code Review 101
- Securec0ding
- Security Champions Playbook
- Twitter thread: How committed secrets can be monitored in a self-hosted GitLab instance in real-time
- Appsecco Github
- hysnsec GitHub
- Madhu Akula’s GitHub
- Veracode Resources
- DevSecOps Notes
- How to systematically secure anything: a repository about security engineering
- GitLab Engg Handbook - Security
- Security Knowledge framework
- Veeral Patel’s Knowledge Base
- Okta Security Technical Whitepaper
- Awesome Threat Modeling
- Software Supply Chain resource
- Threat modeling manifesto
- Security Champion Success Guide
- Building a Culture of Security - Whitepaper by Adobe
- How do you get to Staff level in security?
- unity-ssdlc
- Equinor AppSec Site
Videos/Playlists
- Playbook On How To Be The First Security Engineer At A Company
- Implementing security from day one at a fintech startup
- An Opinionated Guide to Scaling Your Company’s Security
- BSidesSF 2020 - How to 10X Your Company’s Security (Without a Series D)
- From Rogue One to Rebel Alliance: Building Developers into Security Champions
- SDL at Scale: Growing Security Champions
- AppSecCali 2019 - Lessons Learned from the DevSecOps Trenches (Panel)
- Detecting secrets in code committed to Gitlab (in real time)
- Loco Moco Security Conference on slideslive
- LocoMocoSec: Hawaii Product Security Conference on YouTube
- SAFECode Forum Training
- DevSecOps Live - Online Meetup
- Abhay Bhargav
- we45 Webinars
- we45 Live Code Sessions
- AppSecEngineer by we45
- Netflix Security
- Practical Approach to Automate the Discovery & Eradication of Open-Source Software Vulnerabilities
- 10,000 Dependencies Under The Sea - DEF CON 28SM AppSec Village
- Static Analysis Security Testing for Dummies… and You
- The (Application) Patching Manifesto
- Integrating Security in DevOps
- DevSecOps : What, Why and How
- Hella Secure
- AppSec California
- Software Security at Rocketship Pace
- Building effective security OKRs
- OWASP Global AppSec Virtual 2020
- Global AppSec US 2021 Virtual
- Security Engineering by Ross Anderson and Sam Ainsworth
- Making security usable: product engineer perspective
- BSidesSF 2020 - Secure by Design: Usable Security Tooling
- The Dept of Know_
- When Dependabot Is Worse Than Nothing: Log4J As A Sub-Dependency
- Scaling Security - Appsec
- Implementing SAST IRL
- How to do AppSec without a security team
- Don’t Run With Scissors How to Standardize the Way Your Developers Use Dangerous Aspects of Your Fra
- Eradicating Vulnerability Classes by Shelving SAST and Embracing Secure Defaults and Invariants
- AppSecCon 2022
Podcasts
- Product Security Insights with Rinki Sethi
- Being a Cybersecurity Influencer and Finding Security Champions with Ashish Rajan
- The Changing Landscape of Security with Dev Akhawe
- A Conversation With Leif Dreizler About Security Engineering at Segment
- Humans of InfoSec Episode #40: Where Engineering Meets Security
- Absolute AppSec
- The Purple Book Podcast
- Relating to DevSecOps
- Future of Application Security
- The Security Podcast of Silicon Valley
- Software Security Gurus
- The Security Table
- br3akp0int Security Podcast
- The Boring AppSec Podcast
Slides/Presentations
- An Opinionated Guide to Scaling Your Company’s Security
- How to 10X Your Security (Without the Series D)
- Security Champions 2.0
- Security Champions: How to Build an Alliance with Developers
- Detecting secrets in code committed to Gitlab (in real-time)
- Practical Approach to Automate the Discovery and Eradication of OpenSource Software Vulnerabilities at Scale
- Introduction to Software Composition Analysis
- Static Analysis Security Testing for Dummies… and You
Development/DevOps
- r/devops - Monthly ‘Getting into DevOps’ thread - Jan 2022
- 10+ Deploys Per Day: Dev and Ops Cooperation at Flickr
- 10+ Deploys Per Day: Dev and Ops Cooperation at Flickr
- Introduction to Software Architecture (Monolithic vs. Layered vs. Microservices)
- Practical DevOps - The Lab
- [Article] What is an Artifact Repository?
- [Video] Artifactory - Sharing Binaries the Smart Way!
- [Webinar] Introduction to JFrog Artifactory
- JFrog Academy
- [Blog Series] Understanding Apache Maven
- Introduction to the Dependency Mechanism in Maven
- An Introduction to Containers using Docker and using it for Security Automation
- [Webinar] Kubernetes 101
- The Kubernetes Handbook
- DevOps Resources
- DevOps Exercises
People to Follow
- Parisa Tabriz
- Clint Gibler
- Ross Anderson
- Gary McGraw
- Steve Springett
- Jeremy Long
- Adam Shostack
- Devdatta Akhawe
- Mohammed A. Imran
- Michal Zalewski
- Jim Manico
- Andrew van der Stock
- Anant Shrivastava
- Dinis Cruz
- Leif Dreizler
- John Melton
- Simon Bennetts
- Chandrapal Badshah
- Guy Podjarny
- Omer Levi Hevroni
- Liran Tal
- Riyaz Walikar
- Akash Mahajan
- Madhu Akula
- Abhisek Datta
- Avinash Jain
- Chris Cornutt
- Lavakumar Kuppan
- Abhay Bhargav
- Dino A. Dai Zovi
- Erlend Oftedal
- Rory McCune
- Scott Arciszewski
- Ray LeBlanc
- Hella Secure
- Dominique Righetto
- Josh Grossman
- Tanya Janca
- Vandana Verma
- Evan J
- Mark Manning
- Marco Lancini
- Frederick Fernando
- Michal Špaček
- Stu Hirst
- Christian Frichot
- Lewis Ardern
- Dafydd Stuttard
- Philippe De Ryck
- chetan conikee
- Chris Shiflett
- Scott Helme
- Justin Collins
- Petko D. Petkov
- Christian Folini
- Connor Gilbert
- Jerry Gamblin
- Neelu Tripathy
- Arkadiy Tetelman
- Narendra Shinde
- Marcin Hoppe
- Thunder Son
- Chris Eng
- Daniel Cuthbert
- Roberto Clapis
- Mathew Payne
- mackowski
- Ron Perris
- John Opdenakker
- Chris Romeo
- Rohit Salecha
- Ashish Rajan
- Rinki Sethi
- Phil Venables
- James Chiappetta
- Collin Greene
- Julian Berton
- Brook Schoenfield
- Julius Musseau
- John Viega