appsec resources

appSec_study_resources

S-SDLC


  • https://blog.convisoappsec.com/o-que-voce-precisa-saber-sobre-o-s-sdlc/
  • https://github.com/wh0isdxk/DesenvolvimentoSeguro/blob/main/Conceitos/Fundamentos.md#quais-os-pilares-do-desenvolvimento-seguro
  • https://blog.convisoappsec.com/implementando-um-programa-de-seguranca-de-aplicacoes-baseado-no-owasp-samm/
  • https://owasp.org/www-project-integration-standards/writeups/owasp_in_sdlc/
  • https://owaspsamm.org/guidance/quick-start-guide/
  • intro to SDLC https://tryhackme.com/room/sdlc

Requirements (security requirements)


  • https://blog.convisoappsec.com/design-segundo-samm-requisitos-de-seguranca-em-seguranca-de-aplicacoes/
  • https://github.com/wh0isdxk/DesenvolvimentoSeguro/blob/main/1-Planejamento.md#requisitos-de-seguran%C3%A7a
  • https://www.synopsys.com/blogs/software-security/software-security-requirements/
  • https://www.researchgate.net/publication/276284984_Security_Requirements_Engineering_Analysis_and_Prioritization
  • Security Quality Requirements Engineering (SQUARE) https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=484884

Abuse Cases

  • https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html
  • https://www.synopsys.com/blogs/software-security/abuse-cases/
  • https://www.synopsys.com/blogs/software-security/abuse-cases-can-drive-security-requirements/

Threat Modeling


  • https://owasp.org/www-community/Threat_Modeling
  • https://www.threatmodelingmanifesto.org/
  • https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
  • https://blog.convisoappsec.com/design-segundo-samm-modelagem-de-ameacas-em-seguranca-de-aplicacoes/
  • https://blog.convisoappsec.com/modelagem-de-ameacas-o-que-e-e-por-que-desenvolvedores-devem-ficar-atentos-a-isso/
  • https://github.com/jassics/security-study-plan/blob/main/threat-modeling-study-plan.md
  • https://threatmodeler.com/data-flow-diagrams-process-flow-diagrams/

Secure Code Review


  1. Code Review = a development activity, owned by developers (correctness, readability, maintainability)
  2. Secure Code Review = a security activity, owned by security/AppSec (how the code can be abused)
  • https://parad0x-0xff.github.io/blog/2020/10/10/What-is-Code-Review.html
  • https://parad0x-0xff.github.io/dropdown/2020-10-17-Methods-Code-Review.html
  • https://snyk.io/blog/secure-code-review/
  • https://owasp.org/www-project-code-review-guide/
  • https://github.com/wh0isdxk/DesenvolvimentoSeguro/blob/main/3-Desenvolvimento.md#desenvolvimento
  • https://blog.convisoappsec.com/code-review-versus-secure-code-review/
  • https://blog.convisoappsec.com/diferenca-entre-code-review-e-sast/
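The distinction in items 1 and 2 above is easiest to see on a concrete snippet. The following is an added example, not code from any of the linked resources: a lookup function that would pass an ordinary code review (it is short, readable and returns the right rows for every legitimate name) but that a secure code review flags, because user input is spliced into the SQL string. The hardened version beside it binds the value as a parameter. It uses Python's built-in `sqlite3` with an in-memory database and constructed sample rows, so it runs offline.

```python
import sqlite3

# Constructed sample data for the example; not taken from any real system.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def find_user_unsafe(conn, name):
    # Passes a functional code review: works for every legitimate name.
    # Fails a secure code review: `name` is interpolated into the query text,
    # so attacker-controlled input becomes part of the SQL (SQL injection).
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, name):
    # Parameter binding keeps data and code separate: the driver never
    # interprets `name` as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed attacker input
    # Both versions agree on legitimate input, which is all a normal review checks.
    print(find_user_unsafe(conn, "alice"))
    print(find_user_safe(conn, "alice"))
    # Only the secure review asks what happens on hostile input:
    print(find_user_unsafe(conn, payload))  # every row in the table
    print(find_user_safe(conn, payload))    # []
```

The point for the reviewer is the question being asked, not the tooling: a code reviewer asks "does this return the right user?", a secure code reviewer asks "what else can a caller make this query do?".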

Testing


  • https://owasp.org/www-project-web-security-testing-guide/latest/
  • https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/0-The_Web_Security_Testing_Framework#A-Typical-SDLC-Testing-Workflow
  • https://brightsec.com/blog/application-security-testing/
  • https://www.zup.com.br/blog/ferramentas-ssdlc
  • https://blog.convisoappsec.com/verificacao-segundo-samm-testes-de-seguranca-em-seguranca-de-aplicacoes/
  • https://blog.convisoappsec.com/verificacao-segundo-samm-testes-orientados-a-requisitos-em-seguranca-de-aplicacoes/
  • https://owaspsamm.org/model/verification/security-testing/stream-a/
  • https://owaspsamm.org/model/verification/security-testing/stream-b/

Testing Tools

  • https://owasp.org/www-project-web-security-testing-guide/latest/6-Appendix/A-Testing_Tools_Resource
  • https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools
  • https://owasp.org/www-community/Source_Code_Analysis_Tools
  • https://owasp.org/www-community/Vulnerability_Scanning_Tools
  • https://owasp.org/www-community/api_security_tools

Deployment


  • https://blog.convisoappsec.com/implementacao-segundo-samm-deploy-seguro-em-seguranca-de-aplicacoes/
  • https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/README
  • https://owaspsamm.org/model/implementation/secure-deployment/stream-a/
  • https://owaspsamm.org/model/implementation/secure-deployment/stream-b/
  • intro to pipeline https://tryhackme.com/room/introtopipelineautomation

Other


  • Appsec Interview Prep => https://gist.github.com/themoonofendor/da6eb90f7b2a3f4db2ad42ecfb81977e
  • Awesome AppSec => https://github.com/paragonie/awesome-appsec
  • Trend Micro OWASP Top 10 (2021) => https://www.trendmicro.com/pt_br/devops/21/k/overview-owasp-top-10-2021.html
  • Microsoft STRIDE => https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool
  • articles => https://www.appsecguy.se/tag/appsec/
  • talks, articles && more => https://www.appsecvillage.com/
  • articles => https://snyk.io/learn/topic/application-security/
  • intro to appsec => https://www.linkedin.com/posts/joas-antonio-dos-santos_application-security-introduction-overview-activity-6859172257219063808-Ll8G?utm_source=share&utm_medium=member_desktop