How to Get Into AppSec#
Section A — New to Tech (start here)#
Productivity basics
- Spreadsheets: formulas, pivot tables, charts
- Free: Google Sheets Training, Microsoft Excel Training
Git basics
- clone, commit, branch, merge, pull requests; read the diff before you commit it
Programming intro (Python recommended)
- CS50’s Introduction to Programming with Python
- Core topics: variables, loops, functions, lists/dicts, exceptions, reading stack traces
Web fluency
- HTTP request/response, status codes, headers
- Cookies, sessions, JSON, DOM basics
- Free: MDN Web Docs (start with HTTP, web security, and JavaScript basics)
SQL basics
- FreeCodeCamp: SQL Tutorial – Full Database Course for Beginners
Small project
- Build a simple CRUD app (Python + SQLite or Node + SQLite)
Section B — Already Write Software (or after Section A)#
Engineering literacy
- Frontend vs backend vs APIs
- Production vs dev vs staging (deployment basics)
- CI/CD concepts
Security mindset
- CIA triad (confidentiality, integrity, availability)
Section C — Threat Modeling (core AppSec skill)#
What to learn
- Threat Modeling Manifesto
- Threat Modeling: Designing for Security (Adam Shostack)
- OWASP Threat Modeling Cheat Sheet
- Tools: OWASP Threat Dragon, Microsoft Threat Modeling Tool
How to do it
- Diagram system (DFD: processes, data stores, arrows)
- Identify assets (user data, money, secrets)
- Enumerate threats (STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege)
- Prioritize (likelihood + impact)
- Mitigate (auth, validation, rate limits, monitoring)
- Review yourself (did you miss obvious paths?)
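The six steps above, carried through on the Section A CRUD app as an added example written for this guide (not code from Threat Dragon, the Microsoft tool or Shostack's book). It uses the STRIDE-per-element scheme from Shostack's book to turn a DFD into a threat list, then ranks by a crude likelihood x impact score; the DFD, impact scores and mitigation hints are constructed assumptions for the example.

```python
# Added example for this guide: STRIDE-per-element over a small DFD.
# Not code from any threat-modeling tool; the CRUD-app DFD, impact scores and
# mitigation hints are constructed for the example.
from dataclasses import dataclass

# STRIDE-per-element: which categories apply to each kind of DFD element
# (the scheme from Shostack's book).
STRIDE_PER_ELEMENT = {
    "external": "SR",     # external entity: can be impersonated, can deny acting
    "process": "STRIDE",  # processes are exposed to every category
    "flow": "TID",        # data in transit: altered, read, or blocked
    "store": "TRID",      # data at rest: altered, logs erased, read, filled/locked
}

STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# First mitigation to reach for per category (matches the "Mitigate" step above).
DEFAULT_MITIGATION = {
    "S": "authentication", "T": "input validation / integrity checks",
    "R": "audit logging and monitoring", "I": "access control and encryption",
    "D": "rate limits and quotas", "E": "authorization checks, least privilege",
}


@dataclass
class Element:
    name: str
    kind: str                             # key of STRIDE_PER_ELEMENT
    impact: int = 1                       # 1-3: what is lost if this element is compromised
    crosses_trust_boundary: bool = False  # reachable by an untrusted party


def enumerate_threats(elements):
    """One candidate threat per (element, applicable STRIDE category)."""
    threats = []
    for el in elements:
        likelihood = 2 if el.crosses_trust_boundary else 1
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            threats.append({
                "element": el.name,
                "category": STRIDE_NAMES[letter],
                "score": likelihood * el.impact,   # crude likelihood x impact
                "mitigation": DEFAULT_MITIGATION[letter],
            })
    return threats


def prioritize(threats):
    """Highest score first; sorted() is stable, so ties keep DFD order."""
    return sorted(threats, key=lambda t: t["score"], reverse=True)


def crud_app_dfd():
    """Constructed DFD for the Section A CRUD app: browser -> web app -> SQLite."""
    return [
        Element("Browser user", "external"),
        Element("HTTP request browser->app", "flow", impact=2, crosses_trust_boundary=True),
        Element("Web app", "process", impact=3),
        Element("SQL query app->db", "flow", impact=2),
        Element("SQLite database", "store", impact=3),
    ]


if __name__ == "__main__":
    for t in prioritize(enumerate_threats(crud_app_dfd())):
        print(f'{t["score"]}  {t["element"]:<28} {t["category"]:<24} -> {t["mitigation"]}')
```

Five elements yield 18 candidate threats, and the one flow that crosses the trust boundary (the HTTP request) ranks first. The "review yourself" step is the part no script does: check whether the DFD is missing an element (a cache, a backup job, an admin path) before trusting the list.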
Practice
- Threat model your CRUD app
- Pick a public app → sketch flows + threats
- Map threats to OWASP Top 10 categories
Portfolio deliverable
- Diagram + list of threats (mapped to STRIDE) + mitigations + short README
Section D — Core AppSec Syllabus#
OWASP Top 10 (2021 edition) — learn each vuln as WHAT / HOW / DEFEND
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
API Security
- Study the OWASP API Security Top 10
- Common flaws: broken object level authorization (BOLA), broken authentication, excessive data exposure and mass assignment (the 2023 list folds the last two into broken object property level authorization)
Secure Coding Essentials
- Validate inputs (allowlists over denylists; validate on the server, not only in the browser)
- Store passwords with a slow, salted password hash (argon2id or bcrypt), never a plain MD5/SHA-256 digest
- Don’t roll your own crypto (use vetted libraries)
- Handle errors safely (no sensitive info in stack traces)
- Apply principle of least privilege
Secrets & Key Management
- Never hardcode secrets in code
- Use vaults: HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager
- Rotate and expire API keys/tokens regularly
- Scan repos with Gitleaks or git-secrets
Tools
- Browser DevTools (network tab, storage, console)
- Burp Suite Community Edition
- OWASP ZAP
- GitHub/GitLab PR review workflow
Section E — Labs (breaking focus)#
Goal: understand how vulnerabilities work by exploiting them.
- PortSwigger Web Security Academy
- OWASP Juice Shop
- Google Gruyere
- WebGoat
- DVWA
- Mutillidae
- Cryptopals (crypto challenges)
- PentesterLab free exercises
- TryHackMe free rooms — “Pre Security” + “Web Fundamentals”
- HackTheBox free tier
- PicoCTF
Section F — Code Review & Open Source Tools (defending focus)#
Goal: learn how to spot and prevent flaws in code before they ship.
Static analysis / SAST
- Semgrep
- CodeQL
- Bandit (Python)
- FindSecBugs (Java)
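To see what a SAST rule actually is, here is a miniature one written for this guide with the standard-library ast module: it flags execute() calls whose SQL is assembled from strings, the same class of finding Bandit's B608 check and a Semgrep pattern rule report. It is an added example, not code from Bandit, Semgrep or CodeQL, and the source it scans is a constructed sample.

```python
# Added example for this guide: a miniature SAST check built on the stdlib ast module.
# Not code from Bandit, Semgrep or CodeQL; SAMPLE_SOURCE is constructed.
import ast

# Constructed sample: five ways of passing SQL to execute(), one of them safe.
SAMPLE_SOURCE = '''
import sqlite3

def lookup(db, username, user_id):
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    cur.execute("SELECT * FROM users WHERE id = {}".format(user_id))
    cur.execute(f"SELECT * FROM users WHERE id = {user_id}")
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    q = "SELECT * FROM users WHERE name = '" + username + "'"
    cur.execute(q)
    return cur.fetchall()
'''

# DB-API methods that take SQL text as their first argument.
SINKS = {"execute", "executemany", "executescript"}


def describe_builder(node):
    """Name how a string expression is assembled, or None for a plain literal/name."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return None


def find_sql_built_from_strings(source):
    """Return (line, how-built) for every sink call whose SQL is built at the call site."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINKS and node.args):
            how = describe_builder(node.args[0])
            if how:
                findings.append((node.lineno, how))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, how in find_sql_built_from_strings(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL built by {how}; use a parameterized query")
```

Lines 6 to 9 of the sample are reported and the parameterized query on line 10 is not. Line 12 is missed: the query is built into `q` one statement earlier, and this check only looks at the call site. That gap is why Semgrep's taint mode and CodeQL track data flow from source to sink rather than matching a single expression.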
Dependency / SCA
- Trivy, OWASP Dependency-Check, Dependabot
Secrets detection
- Gitleaks, git-secrets (the same tools as in Section D, run in CI as well as locally)
Workflow
- Pre-commit hooks, Dependabot, GitHub Actions + CodeQL scan
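Secret scanners such as Gitleaks combine two strategies: regexes for credentials with a known format, and keyword or entropy heuristics for everything else. The following is an added example for this guide (covering both the Section D "never hardcode secrets" rule and the secrets-detection tooling above), not code from Gitleaks or git-secrets. The settings file it scans is constructed; AKIAIOSFODNN7EXAMPLE is the placeholder key from the AWS documentation, not a live credential, and the entropy threshold of 4.0 bits per character is an assumption chosen for the example.

```python
# Added example for this guide: the two detection strategies secret scanners combine.
# Not code from Gitleaks or git-secrets; SAMPLE_FILE is constructed and the AWS key
# is the documentation placeholder, not a real credential.
import math
import re
from collections import Counter

# (1) Credentials with a fixed format: distinctive prefix and length.
KNOWN_FORMATS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# (2a) A credential-looking variable assigned a quoted literal of 8+ characters.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?i)(secret|password|passwd|token|api[_-]?key)\w*\s*[=:]\s*['"]([^'"]{8,})['"]""")

# (2b) Any long quoted literal, judged by its character entropy. Random
# alphanumeric tokens score well above the threshold; words and identifiers below it.
QUOTED_LITERAL = re.compile(r"""['"]([^'"\s]{20,})['"]""")
ENTROPY_THRESHOLD = 4.0   # bits per character (assumed for the example)


def shannon_entropy(s):
    """Bits per character of the empirical character distribution of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text):
    """Return (line number, reason) for every suspicious line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in KNOWN_FORMATS.items():
            if pattern.search(line):
                findings.append((lineno, name))
        if CREDENTIAL_ASSIGNMENT.search(line):
            findings.append((lineno, "hardcoded credential assignment"))
        for literal in QUOTED_LITERAL.findall(line):
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy string"))
    return findings


# Constructed sample settings file.
SAMPLE_FILE = '''\
# settings.py (constructed sample)
DEBUG = False
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "changeme"
API_TOKEN = "x9Qz7Lp2Vk4Rn8Tb1Mw6Yh3Jc5Fd0Sg"
password = os.environ["DB_PASSWORD"]
SSH_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
'''

if __name__ == "__main__":
    for lineno, reason in scan(SAMPLE_FILE):
        print(f"line {lineno}: {reason}")
```

Line 6, which reads the password from the environment, is not flagged; that is the pattern to replace the literals with. Note what each strategy misses: the AWS key on line 3 has an entropy of about 3.7 bits per character, below the threshold, so only the format regex catches it, and "changeme" on line 4 is caught only because of the variable name. A scanner needs both, and a rotation is still required once a secret has been committed, because removing it from HEAD does not remove it from history.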
Section G — Build & Break (combined)#
Goal: learn both sides by building vulnerable features, breaking them, then fixing them.
- Build a small app with: auth + sessions + DB + REST API + frontend
- Intentionally add: SQLi, XSS, auth bypass
- Exploit → document impact → fix
- Add secure patterns: parameterized queries, CSRF tokens, input validation, secure session cookies
- Write up steps → publish on GitHub/blog
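The SQL-injection round of that loop, as an added example written for this guide against the standard-library sqlite3 module (not code from any project the page names): the deliberately vulnerable login, the payload that bypasses it, and the fixed version using a parameterized query plus password hashing verified in application code. The users, passwords and payload are constructed; stdlib scrypt stands in for the bcrypt/argon2 the guide recommends because it needs no extra package.

```python
# Added example for this guide: build -> break -> fix for SQL injection in a login.
# Uses only the standard library; users, passwords and payload are constructed.
import hashlib
import hmac
import os
import sqlite3

# ---- build: the vulnerable feature -------------------------------------------
def make_vulnerable_db():
    """Plaintext passwords checked inside the SQL statement: two flaws at once."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "hunter2"), ("alice", "correct horse")])
    return db


def vulnerable_login(db, username, password):
    # BUG (intentional): user input is spliced into the statement, so the caller
    # controls the query's structure, not just its values.
    query = (f"SELECT name FROM users WHERE name = '{username}' "
             f"AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


# ---- break: the payload --------------------------------------------------------
# The quote closes the string literal and '--' comments out the password check:
#   SELECT name FROM users WHERE name = 'admin'--' AND password = 'anything'
INJECTION = "admin'--"


# ---- fix: parameters plus hashing verified in code ----------------------------
def hash_password(password, salt):
    """Slow, salted hash; stdlib scrypt stands in for bcrypt/argon2 here."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def make_fixed_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in [("admin", "hunter2"), ("alice", "correct horse")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (name, salt, hash_password(pw, salt)))
    return db


def fixed_login(db, username, password):
    # Parameterized query: the driver passes username as data, never as SQL text.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    salt, stored = row
    # Compare hashes in application code, in constant time.
    return username if hmac.compare_digest(hash_password(password, salt), stored) else None


if __name__ == "__main__":
    v, f = make_vulnerable_db(), make_fixed_db()
    print("vulnerable, wrong password:", vulnerable_login(v, "admin", "wrong"))
    print("vulnerable, injection:     ", vulnerable_login(v, INJECTION, "wrong"))
    print("fixed, injection:          ", fixed_login(f, INJECTION, "wrong"))
    print("fixed, real credentials:   ", fixed_login(f, "alice", "correct horse"))
```

For the write-up, the impact statement is the part that matters: with the vulnerable version, anyone who can reach the login form authenticates as any known username without a password. The fix removes the injection by construction rather than by filtering quotes, which is why escaping input is not an acceptable alternative.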
Section H — AppSec in the SDLC (where to apply each skill)#
Design phase → Threat modeling
Coding phase → Secure coding practices, linting, pre-commit hooks
Code review → SAST (Semgrep, CodeQL), manual secure code checklist
CI/CD → Dependency scanning (Trivy, Dependency-Check), secret scanning, automated tests
Deployment → Secure configs, hardened defaults, TLS everywhere
Maintenance → Patch dependencies, rotate secrets, monitor logs
Reference: OWASP SAMM — maturity model for building AppSec into organizations
Section I — Practice & Portfolio#
- Publish 3+ lab reports (PortSwigger / Juice Shop / PentesterLab)
- GitHub repo: CRUD app, threat model, security tool configs
- Optional: responsible disclosure write-up
Section J — Next Steps#
- Optional certs: Security+ early, OSWE/OSCP later
- Target roles: AppSec engineer, secure code reviewer, security-minded developer
- Continuous learning: follow OWASP, AppSec blogs, r/AskNetsec, conferences
Section K — How AI Can Help You#
- Debugging: explain stack traces, error messages
- Study mode: turn notes into flashcards, generate practice quizzes
- Summaries: OWASP pages, RFCs, docs
- Mentor mode: ask “what am I missing?” during labs
- Use AI to check your thinking, not to hand you answers