Getting Lost in the Weeds of AppSec?

Oops, I did it again! This is going to be another lengthy one–and no, that was not a reference to the Britney Spears song. I wanted to dive right into a blog post about appsec labs, CTFs, and all the other fun hands-on training and practice out there, but then I realized that isn’t how this journey went. There was, what I consider, a crucial step that first took place–establishing foundational knowledge.
The "Weeds" of Appsec
Application security is vast. It touches several aspects of tech, from networking to databases to software development, and beyond. I’ll stop there because the purpose of this post is to actually help mitigate the overwhelm, not exacerbate it. The point I was trying to make is that I think it can be particularly easy to get lost in the weeds when learning appsec. That’s where foundational knowledge comes in.
I didn’t start learning appsec by diving right into TryHackMe labs or CTFs, and I’m thankful for that. If I had, I wouldn’t have known what the day-to-day of an appsec engineer might look like–so how could I possibly know if I wanted to pursue a career as one? Without a detailed overview of appsec, I wouldn’t have been able to see the end goal–so how could I possibly reach it? If I didn’t know what I was working toward, if I didn’t know how to get there, getting lost in the weeds becomes a much more likely scenario.
First Step
In my first blog post, I mentioned a book called, “Alice and Bob Learn Application Security,” by Tanya Janca. I consider this book to be the “call to adventure,” of my “hero’s journey” into appsec. I was fortunate enough to come across this recommendation and, looking back on everything I have since learned, I am extraordinarily grateful I started with this book. “Alice and Bob Learn Application Security,” did an excellent job explaining application security overall, covering both basic and complex topics with ease, all while not getting too far into–you guessed it! The weeds. This book covers the core topics of appsec in a very digestible manner and provides a solid foundation to build on. It gave me the big picture and made appsec feel attainable. Not only is this book where my passion for appsec started, but I finished reading thinking, “I can definitely do this.”
The “I can definitely do this,” part is important. I used to tutor math back in high school. During these sessions, I often found myself coaching students to stop saying, “I can’t.” I would usually make a joke, “well not with that attitude,” but I would then explain, in all seriousness, how powerful beliefs and spoken words about yourself can be. I felt they weren’t going to learn if they already decided they couldn’t, or, at the very least, it would make it that much more difficult. So, we would pause the session and not move forward until we talked through and put a stop to the “I can’ts.” I’d like to preface this next statement by saying I promise this is not to brag, this is just to illustrate the power behind self-talk – I never failed to teach what they needed to learn, and, to their surprise, they never failed to learn it. Nurture and maintain positive self-talk, and have the confidence to say, “I can,”–it’s important.
Second Step
After reading “Alice and Bob Learn Application Security,” I felt like I had a solid foundation and I was excited. The next step I took further solidified that. In the back of the book, there was a list of recommended next steps—one of which was to join OWASP. So I did. I joined OWASP and immediately explored the resources my new membership had to offer. I found a link to WeHackPurple’s Application Security Foundations Level 1 OWASP Edition course. (Sidebar for some great news: this course, and the following 2 levels, are now offered for free!) By the end of the course, I had written an appsec program which I then presented to my manager, who approved it on the spot. It was remarkably exciting and a great confidence boost to already start applying this newly acquired knowledge at my workplace and see a real benefit. The course was engaging, it was encouraging, and it was, again, tackling a complex field with ease.
Third Ste—Oh No! Weeds!
So, why that book? Why that course? Why write a whole blog post about them? Well, there are times when I’m in the weeds on a CTF or a lab, really trying to understand a vulnerability, how it’s exploited, the damage it can cause, and how to protect against it, and I look up and think, “this is just one vulnerability!” There are times when I research appsec engineers, the varied skills and conceptual understandings they should have, and I think, “I have so much more to learn!” These brief moments of overwhelm are quickly quieted when I allow that already established foundation to support the weight. Without these resources to reflect on and the ability gained from these resources to take a step back and see the big picture, I could very well have already gotten lost in the weeds.
Weed Killer Ingredients
I’m not claiming this to be the only way or the best way – or EVEN the second-best way, to begin a journey into appsec, but it has proven to be incredibly valuable for me, especially during those times I feel I’m getting a bit lost in the weeds. Okay, with that disclaimer out of the way, these are the ingredients I used to free myself of those pesky weeds!
- Read “Alice and Bob Learn Application Security.” As I said before, this book lays the foundation in a direct and easily digestible way. It allowed me to get the big picture first (hint: this helped with the “I can”). A passion for appsec emerged, a goal was set, and I’ve held onto that.
- Complete WHP’s Application Security Foundations Level 1. This course solidified everything I gained from reading “Alice & Bob Learn Application Security,” and I even got some on-the-job experience while I was at it!
Instructions for Use
If not applied properly–or not applied at all–those ingredients would have been useless. Every time I feel the need to do a little weed killing, these are the instructions for application I follow:
- Disregard the naysayers and, more importantly, do not become a naysayer! Think, speak, and breathe in “I can.”–actually, I’m not sure how to breathe in “I can,” so maybe just stick to the thinking and speaking part.
- Remember the foundation. When I think back on the book and the course, I am reminded of the confidence I gained from both, the strong belief and determination that I can do this, and the excitement I had to get there. Then I think, “well none of that has changed, so all that’s left to do is to just keep pushing.”