Some Useful AppSec Resources

While no doubt OWASP has earned the prestige of being the #1 AppSec resource, there are many other good information sources across the web that I have collected over the years; they have been very helpful to me and to the people I have shared them with. I especially enjoy a blog that explains things simply and clearly while at the same time being technically correct. Below is a list of my favourite such resources. I would greatly appreciate it if others could reciprocate with their own lists.

Blogs / General AppSec

Certificate Pinning

Cookie Security

CORS

Cross Site Scripting

Cryptography

Deserialization

DevSecOps

HTTP Security Headers

Input Validation

  • Validating Input – This is old, but is a classic.  For more recent guidance, see the Martin Fowler website blog on The Basics of Web Application Security (linked above)

JWTs

Logging

Mobile Security

OAuth

  • An Illustrated Guide to OAuth and OpenID Connect – Most people want to dive into the technical details of OAuth before they really understand its purpose. Slow down, read this first, and you will have a better insight into this complex protocol.

Passwords

PHP

Race Conditions

Server Side Request Forgery

SSL/TLS

SQL Injection