What is Application Security?
CIA Triad (Confidentiality, Integrity, Availability)
Security vs Privacy
Common Threats (XSS, CSRF, SQL Injection, etc.)
OWASP Top 10 Overview
Secure Development Lifecycle (SDL)
Understanding risks is the first step in defending against them.
Input Validation & Output Encoding
HTTPS, TLS and SSL
Authentication (Sessions, JWT, OAuth)
Authorization (RBAC, ABAC)
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
SQL/NoSQL Injection
File Upload Security
Tools: OWASP ZAP, Postman, Burp Suite (Community Edition)
Password Hashing (bcrypt, PBKDF2, Argon2)
Multi-Factor Authentication (MFA)
OAuth 2.0 / OpenID Connect
SSO (Single Sign-On)
Session Management Best Practices
Never store passwords in plain text — use strong, salted hashes.
Securing REST APIs (Tokens, Scopes)
Rate Limiting & Throttling
API Keys vs OAuth
Preventing Replay Attacks
CORS Configuration
Input Sanitization
Schema Validation (e.g., Joi, Zod)
Principle of Least Privilege
Error & Exception Handling
Avoiding Hardcoded Secrets
Using Secure Defaults
Handling Sensitive Data (e.g., GDPR compliance)
Secure Deserialization
Code securely by default — don't rely on external protection alone.
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Software Composition Analysis (SCA)
Secret Scanning Tools (e.g., GitGuardian, TruffleHog)
Tools: SonarQube, Snyk, Checkmarx, Bandit (Python), ESLint Security Plugins
Keeping Dependencies Updated
Using Package Lock Files (npm, pip, etc.)
Verifying Package Authenticity
Detecting Vulnerabilities with SCA Tools
Avoiding Malicious Packages
CI/CD Security (secrets, permission scoping)
Secrets Management (Vault, AWS Secrets Manager)
Container Security (Docker best practices, image scanning)
Kubernetes Security (RBAC, Network Policies)
Infrastructure as Code (IaC) Security
Least Privilege IAM Configuration
Web Application Firewalls (WAF)
IDS/IPS (Snort, Suricata)
Logging & Audit Trails
Rate Limiting & DoS Protection
Secure Headers (CSP, HSTS, X-Content-Type-Options)
Zero Trust Architecture Principles
What is Penetration Testing?
Reconnaissance & Enumeration
Manual Testing with Burp Suite
Using Kali Linux Tools (nmap, sqlmap, etc.)
Reporting Vulnerabilities
Legal & Ethical Considerations
Pentesting is about thinking like an attacker — responsibly.
OWASP Top 10 Scenarios
Secure Design Questions
Threat Modeling Basics
Incident Response Questions
Explain OAuth vs JWT
Scenario: Secure a file upload endpoint
OWASP.org Projects
HackerOne / Bugcrowd Writeups
Awesome Security Lists (GitHub)
Cybersecurity Subreddits & Discords
YouTube Channels (LiveOverflow, STÖK, NetworkChuck)