The Quest into AppSec

In a world plagued by relentless cyber threats, chaos reigns as vulnerabilities in critical applications expose nations to the brink of disaster. The elders of the realm have issued a call to action, summoning all who dare to take up the mantle of Application Security Engineer. Should you choose to embark on this quest, you must seek ancient tomes—but not too ancient—and wise mentors to hone your skills and gain the wisdom needed to safeguard the digital realm from impending doom.

Alright, now that the stage has been appropriately set, I've written a brief overview of my "quest" into application security to serve as a reference. The background is everything I did prior to "choosing to embark on this quest," and the quest, well, I think that one is self-explanatory. The only question left now is: do you accept this quest?

The Background

  • MTA Networking Fundamentals
  • ITIL Foundation Level
  • CIW Site Development Associate
  • EC2 Certified Encryption Specialist
  • CompTIA A+
  • CompTIA Network+
  • CompTIA Security+
  • CIW Web Security Specialist
  • Udemy Java Course (Not complete)
  • FreeCodeCamp JavaScript (Not complete)
  • ISC2 SSCP Systems Security Certified Practitioner
  • CompTIA CySA+
  • B.S. Cybersecurity & Information Assurance
  • 3 years of tech industry experience, 1½ of which specialized in security
    • Small code contributions to production apps
      • Java
    • Data integration between apps & third-party software
      • Working with REST APIs, JSON, JavaScript
    • UI/UX design
    • Security recommendations for new and existing apps
    • QA testing
    • Project Coordination

The Quest

  • Read Alice and Bob Learn Application Security
  • Joined OWASP
  • Completed WeHackPurple’s Application Security Fundamentals 1
  • Attended various related webinars and OWASP meetups
  • Found a mentor on Twitter using #cybermentormonday
    • Met weekly
  • Completed TryHackMe’s Web Fundamentals
  • Completed PortSwigger Academy courses
    • (79) Labs
      • 35 Apprentice Level
      • 38 Practitioner Level
      • 5 Expert Level
    • Across (8) Topics:
      • Access Control
      • Authentication
      • Business Logic
      • Information Disclosure
      • JWT
      • Path Traversal
      • SQL
      • XSS
  • Read chapters from The Web Hacker's Handbook
    • Read chapters associated with PortSwigger Academy courses
  • Completed picoCTF challenges
    • (16) Labs
      • Cookies
      • Dont-use-client-side
      • GET aHEAD
      • Includes
      • Insp3ct0r
      • Inspect HTML
      • Local Authority
      • Login
      • Logon
      • Most Cookies
      • picobrowser
      • Scavenger Hunt
      • Search Source
      • Some Assembly Required 1
      • Where are the robots
      • Who are you?
  • Created and presented an appsec program, which was accepted
  • Implemented SAST, performed validations, provided recommended remediations
  • Studied SCA tools and SBOMs in preparation for next step in appsec program
  • MOOC Java I & II
    • Java I - Parts 1-7
    • Java II - Part 8
  • MOOC Python
    • Introduction to Programming - Parts 1-7
    • Advanced Course in Programming - Part 8
  • YouTube Spring Boot Tutorials
    • Spring Boot Quick Start by Java Brains
    • Spring Boot Tutorial | Full In-depth Course by Daily Code Buffer
  • NowSecure Security Analyst Courses