
Recipe for AppSec

Photo by David Calavera

The cake is done! And by that, I mean I completed my quest into application security. This one will be short but sweet (get it?) with a link to reference. The point of this blog was essentially to document whatever recipe I concocted to enter the application security field, and the point of this post is to finally share it. Because I’m a “jump to recipe” kind of girl, I’ve written a TLDR for this one. With that being said, you are also entirely welcome to stick around as I continue prattling about. So, without further ado, more prattling!

And So a Blog was Born

I started this blog after five or so months of trying to infiltrate—I mean join—the appsec world from a non-developer background. I felt the majority of advice out there was rather discouraging for someone with my background (see first blog post). Given my experience, I suspected other non-dev appsec-enthusiasts could likely find themselves in a similar position. And so, a blog was born. I created this blog to be a voice of encouragement among other not-so-encouraging voices. I hoped to document my “quest” so that others could use it for a bit of direction where I felt there was little out there—besides switching careers to become a dev for a few years and then entering back into the security world via appsec—a big thanks to my mentor for nipping any of that talk in the bud.

Alas, that documentation fell off. Why? Because last September, an incredibly helpful recruiter contacted me, which ultimately led to landing my first job in appsec that October. Since then, I’ve been exhausting my brain, learning a new position and new technologies, not to mention taking up what seemed to be a never-ending backyard remodel project in my spare time. Ask me in a couple of years, and I’m sure the remodel will definitely, probably, maybe have been worth it.

Now that I’m feeling settled in my new position and the backyard remodel from hell is behind me, the inspiration to write has struck again. Unfortunately, I’ve built quite a backlog of to-write blog posts. I’ve found myself torn between writing for the initial purpose of this blog and writing about what comes after. I created this ”recipe” blog post to hopefully satisfy the former so I can do the latter guilt-free. So, the prattling ends here, mostly, and the recipe begins.

The Recipe

Before AppSec Quest, or BASQ

Got ya! In true recipe blog fashion, I’ve decided not to actually start the recipe here. Instead, this is the part of the recipe where we hear about how this dish single-handedly mended a broken family by using the secret ingredient to healthy family communication: fresh curly parsley harvested from your backyard organic herb garden—don’t even think about using that store-bought flat-leaf parsley. The blogger then attempts to convince us how this absolutely is necessary and relevant to the recipe except, in this case, this actually is relevant. I think—I hope. Well, regardless, I’m leaving it here, and in rough chronological order, no less.

Before AppSec Quest, or BASQ—just kidding, we don’t need any more acronyms in this industry, do we? This is a rough overview of my three years in the tech industry before discovering my love for application security. 

  • MTA Networking Fundamentals
  • ITIL Foundation Level
  • CIW Site Development Associate
  • EC-Council Certified Encryption Specialist
  • CompTIA A+
  • CompTIA Network+
  • CompTIA Security+
  • CIW Web Security Specialist
  • Udemy Java Course (Not complete)
  • FreeCodeCamp JavaScript (Not complete)
  • ISC2 SSCP Systems Security Certified Practitioner
  • CompTIA CySA+
  • B.S. Cybersecurity & Information Assurance
  • 3 years of tech industry experience, 1½ of which specialized in security
    • Small code contributions to production apps
      • Java
    • Data integration between apps & third-party software
      • Working with REST APIs, JSON, JavaScript
    • UI/UX design
    • Security recommendations for new and existing apps
    • QA testing
    • Project Coordination

Ingredients

The ingredients. Also known as everything I studied, practiced, and did from when my interest in appsec was first piqued right up to getting my first job specializing in the industry. 

Prep Time: About 7 months
Servings: 1 career in appsec

  • Read Alice and Bob Learn Application Security
  • Joined OWASP
  • Completed WeHackPurple’s Application Security Fundamentals 1
  • Attended various related webinars and OWASP meetups
  • Found a mentor on Twitter using #cybermentormonday
    • Met weekly
  • Completed TryHackMe’s Web Fundamentals
  • Completed PortSwigger Academy courses
    • (79) Labs
      • 35 Apprentice Level
      • 38 Practitioner Level
      • 5 Expert Level
    • Across (8) Topics:
      • Access Control
      • Authentication
      • Business Logic
      • Information Disclosure
      • JWT
      • Path Traversal
      • SQL
      • XSS
  • Read chapters from The Web Application Hacker's Handbook
    • Read chapters associated with PortSwigger Academy courses
  • Completed PicoCTF ctfs
    • (16) Labs
      • Cookies
      • Dont-use-client-side
      • GET aHEAD
      • Includes
      • Insp3ct0r
      • Inspect HTML
      • Local Authority
      • Login
      • Logon
      • Most Cookies
      • picobrowser
      • Scavenger Hunt
      • Search Source
      • Some Assembly Required 1
      • Where are the robots
      • Who are you?
  • Created and presented an appsec program, accepted
  • Implemented SAST, performed validations, provided recommended remediations
  • Studied SCA tools and SBOMs in preparation for next step in appsec program
  • MOOC Java I & II
    • Java I - Parts 1-7
    • Java II - Part 8
  • MOOC Python
    • Introduction to Programming - Parts 1-7
    • Advanced Course in Programming - Part 8
  • YouTube Spring Boot Tutorials
    • Spring Boot Quick Start by Java Brains
    • Spring Boot Tutorial | Full In-depth Course by Daily Code Buffer
  • NowSecure Security Analyst Courses

Directions

Just listing ingredients and hoping readers can bake a cake out of them would probably result in countless soupy, burnt, or potentially hazardous cakes. So, like any good recipe, I thought I should provide a few directions on how to use and combine these ingredients. Keep in mind, there’s more than one way to bake a cake.

  1. For any hands-on training like labs or coding exercises, I cannot stress enough: don’t give in to the temptation to look up those often easily accessible answers. Remember, you’re only cheating yourself!
  2. I always preferred to study two topics at a time, where one topic was appsec-specific and the other was code-specific. Everyone’s brain is wired differently, but this method seemed to be effective for me when it came to avoiding burnout or spinning my wheels. If I was stuck on a CTF for too long, I could switch to a coding exercise and vice versa. More often than not, when I returned to the former, I’d have my aha moment shortly after.
  3. When completing labs or CTFs, read the associated Web Application Hacker’s Handbook chapter, consider how the vulnerability could be prevented or remediated, and consult references like the OWASP Cheat Sheet Series. See Operation XSS for more details on my lab approach.
  4. When working through coding exercises, remember to practice, practice, practice. After enough practice, try to write a little something of your own. Also, the classic programming question many people have—which language should I learn? I saw a lot of advice about how it doesn’t matter because once you know one, the rest come easy, and they’re probably right, but I will say I started with Java, and I don’t regret that decision.
  5. Apply what you learned wherever you can in your existing job/situation. Take on any project that will get you closer to code and closer to appsec. Present appsec-related ideas your studies have brought about and, if accepted, be the one to implement them. Keep an eye out for any possible way you can get that hands-on experience and, not only that, create those opportunities for yourself. If budget is a concern for tooling, learn about the open-source options available—there are plenty.

Reviews

“I used a dark-colored metal pan instead, and it baked in 4 months instead of 7.
4 Stars.”
“I decided to omit the spinach because why was there spinach in a cake?
3 Stars.”
“I made a completely different recipe, and it was the best cake I’ve ever had.
5 Stars.”

Okay, I think you get the point. This “recipe” is not the only way, and I’m sure there are better recipes out there, but I wanted to contribute to the community the one that worked for me—so, with that being said, bon appétit!


TL;DR

Wow. Rude.
Okay, fine, here is your TLDR.

I made it into the appsec world before I had time to blog all the steps I took in my quest—I know, I know, world’s smallest violin—so I created a page outlining this quest so that I can provide the help I hoped to give and begin blogging about what comes after.

The Quest into AppSec