If you’re new to the world of security, in whatever capacity, gaining a good understanding of AppSec can seem daunting and distant – but don’t fear. Becoming more application security aware doesn’t have to be hard or time-consuming. It can be as easy as taking a few minutes out of every day to advance your application security knowledge to a higher level – no matter where it stands today.
To help, we’ve gathered ten AppSec areas, and dedicated resources for each, that you can read in your own time to help take your application security knowledge up a few notches.
Build your application security knowledge with the basics – the vulnerabilities that threaten our code.
The basic idea of application security is protecting your applications from being attacked through undetected vulnerabilities, with a high degree of confidence. One of the basic learning steps is to truly understand the vulnerabilities themselves and the best ways to keep them out of our apps in the first place. The Vulnerability Knowledgebase is a great starting point, especially for developers.
Understand the fundamentals of the SDLC – and how security fits into the big picture
Learning the ins and outs of the development lifecycle and where security is best integrated is another crucial step in your AppSec education. How it will work in your organization will differ from others, but knowing where it can be integrated in structures from waterfall to DevOps will help guide your own implementation. To get started, read our Beginner’s Guide to Security Testing in the SDLC.
Do some deep digging on Mobile Application Security
Lots is still left to learn when it comes to mobile application security, as we found in our recent State of Mobile Application Security survey. Applications built for iOS, Android, Windows, as well as hybrid applications continue to be riddled with vulnerabilities, leaving mobile devices, increasingly the center of our lives, open to attack. Catch up on mobile AppSec with these articles:
- Webinar: Meet the Experts: State of Mobile Application Security
- Mobile Application Security: 15 Best Practices for App Developers
- 40 Tips You Must Know About Secure iOS App Development
Learn how to engage your developers (or get engaged) with security
Getting developers engaged – and for developers, getting engaged – with security can pose a challenge. Developers already have a lot on their plates, and some can see security as a burden. It’s not. Being able to code securely is not going to just look good on a resume – in the very near future, it will be an absolute requirement. But approaching the subject in fun and interesting ways is important to getting the point across.
Here are some ‘quick wins’ to making security interesting – and easy to learn – for developers:
- Treat them to a Game of Hacks
- Get them to try their hand at hacking with 13 Sites to Legally Practice Hacking Skills + Part 2
- Download and print our 31 Security Tips for Developers poster to post somewhere visible
Understand the importance of fixing vulnerabilities early in the SDLC
Once you’ve understood where security testing fits in the SDLC, the next step in increasing your application security knowledge is to learn why fixing vulnerabilities as early in the SDLC as possible is both a business and security imperative. We suggest our Software Security & Early Prevention of Vulnerable Code webinar with Troy Hunt (@troyhunt) and Checkmarx Product Evangelist Amit Ashbel (@aashbel), in which they discuss how and why to remediate vulnerabilities early in the SDLC to save time and money later.
Not sure about agile or DevOps environments? Start here:
- Learn how application security testing in the SDLC can actually fit in fast-paced environments in The AppSec How-To: Application Security in Continuous Integration and the 5 Benefits of Automated Security in Agile Software Development
- Read the AppSec How-To: Achieving Security in DevOps
- Get started with integrating security and DevOps with our guide
- Listen to what other DevOps and Security Experts have to say in these talks and other resources, as well as these DevSecOps best practices used by the pros.
Get an understanding of the evolving AppSec landscape
The Internet of Things is changing the way we embed application security in our organizations. IoT allows for incredible innovation, but it demands very close attention to security. In hospitals, cars, airplanes, and more, the Internet of Things poses both major advantages and challenges that need to be dealt with. Learn more about the challenges and how to address them in our IoT series:
- IoT: Hack My Smart City
- IoT: Hack My Hospital
- IoT: Hack My Home
- IoT: Hack My Ride
- OWASP Top 10 for the Internet of Things, Explained
Learn the differences between tools and which ones fit your environment and needs
Specific development and organizational needs will be the main factors in choosing your AppSec toolbox, the solutions used to defend and protect your applications. Learning how security tools from DAST to WAF to SAST (oh my!) work will help guide your decisions. Remove at least some of the confusion with these articles to help you choose the best application security technologies for the job:
- The AppSec How-To: The Defender’s Toolbox
- Static Analysis Tools: The AppSec Checklist
- SAST vs. WAF
- SAST vs. DAST
- SAST vs. IAST
Learn how to get involved in the AppSec community, locally or digitally
One of the easiest ways of learning – or at least the most social – is by getting involved in local or online security groups. Whether it’s joining local OWASP meetups, attending BSides conferences, or just subscribing to the hundreds of mailing lists available, just by surrounding yourself with other security people you’ll be helping yourself. Start by getting familiar with AppSec organizations, and recruit other security professionals or developers at your company to get involved with you.
Listen in on application security rockstars’ conversations
Our last easy way to keep up to date with AppSec news and trending topics is to take to the Twitterverse. Twitter has some of the best minds in the industry constantly sharing their thoughts and the content they’re enjoying or learning from, so why not take advantage? Here are thought-leaders in various AppSec areas of expertise to get you started:
- 21 AppSec & Security Experts You Should Follow on Twitter
- 16 CISOs You Should Follow on Twitter
- 15 DevOps & Security Experts You Should Be Following on Twitter
What are some other easy wins to add to the list? Share below!