Further Reading: Application Security

Curated, annotated resources to deepen this chapter. Each entry notes the learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order; you do not need to read everything before Chapter 13.

Suggested order

  1. Read the OWASP Top 10 itself, front to back — it is short, and it is the map for §12.2.
  2. Bookmark the OWASP Cheat Sheet Series for input validation, output encoding, and SQL injection prevention; these are the practical "how" behind §12.3.
  3. Skim NIST SP 800-218 (SSDF) to see how the SSDLC (§12.1) is framed as a formal, mappable practice.
  4. Read a clear retrospective on Log4Shell to ground the chapter's anchor in the real event.
  5. Keep OWASP ASVS nearby as the testable standard you reach for when "awareness" is not enough.

Standards & primary documents (Tier 1)

  • OWASP, Top 10 Web Application Security Risks (owasp.org/Top10). 🏗️📜📋 The canonical category map this chapter is built around; each category page explains the risk, examples, and prevention. Read it whole — it is deliberately concise. Note the version/date you read; the list is periodically revised as data changes (e.g., the elevation of Insecure Design and SSRF in the 2021 edition).
  • OWASP, Application Security Verification Standard (ASVS). 🏗️📜 The testable counterpart to the Top 10: a long list of concrete, leveled requirements you verify against. This is where §12.6's "security requirements" come from at scale.
  • OWASP, Cheat Sheet Series (cheatsheetseries.owasp.org). 🏗️ The practitioner's how-to: the Input Validation, Cross-Site Scripting Prevention, SQL Injection Prevention, and Secrets Management cheat sheets are the operational detail behind §12.3–12.4. Your most-used reference as a builder.
  • NIST SP 800-218, Secure Software Development Framework (SSDF). 📋🏗️ NIST's framing of secure-development practices (prepare the organization, protect the software, produce well-secured software, respond to vulnerabilities) — the formal, auditable version of §12.1's SSDLC, and a touchstone for supply-chain governance (Chapters 29, 31).
  • MITRE, Common Weakness Enumeration (CWE) (cwe.mitre.org), incl. the CWE Top 25 Most Dangerous Software Weaknesses. 🏗️📜 The catalog of specific weakness types that scanner findings cite; the Top 25 is a complementary, weakness-level view to OWASP's category-level Top 10.
  • NIST National Vulnerability Database (NVD) and CISA Known Exploited Vulnerabilities (KEV) Catalog. 🛡️🏗️ Where SCA tools (and you) check whether a component you run is vulnerable and whether it is being exploited in the wild — the data behind A06 and Chapter 23's prioritization.
  • The Log4Shell advisory (CVE-2021-44228) and the CISA guidance issued in response. 🛡️📋 Read the primary advisory and a reputable engineering retrospective together; the chapter's anchor is best understood from the real timeline and the real (later) fixes and bypasses.

Books (Tier 1)

  • Shostack, A., Threat Modeling: Designing for Security. 🏗️ The definitive practitioner treatment of threat modeling and STRIDE (§12.6); the four-question framing in this chapter is Shostack's. Read it when threat modeling becomes part of your job.
  • Seacord, R., Secure Coding in C and C++ / CERT secure-coding standards. 🏗️ For the language-level detail of how memory- and input-handling bugs arise and are prevented; complements the higher-level patterns of §12.3.
  • Chapple, M., & Seidl, D., CompTIA Security+ Study Guide (Software Development Security material). 📜 Exam-aligned coverage of the OWASP categories, secure coding, and the SDLC at an approachable depth.
  • Harris, S., & Maymí, F., CISSP All-in-One Exam Guide (Software Development Security domain). 📜📋 The deeper, management-oriented treatment of secure development and the SDLC for CISSP candidates.
  • Bird, J. et al. / DevSecOps and secure-pipeline literature. 🏗️ Bridges this chapter to Chapter 31: how the SAST/DAST/SCA gates of §12.5 are automated into CI/CD without destroying delivery speed.

Free online & talks (Tier 1 / Tier 2)

  • OWASP WebGoat / Juice Shop (deliberately vulnerable training apps). 🏗️📜 The authorized, intended-for-learning way to see the OWASP categories live — run them only in your own lab. The single best hands-on complement to §12.2–12.3. (Tier 1 project; use ethically and locally.)
  • OWASP Dependency-Track / Dependency-Check (open-source SCA). 🏗️ Free tools that implement the §12.4–12.5 idea — inventory dependencies and flag known-vulnerable ones — and let you reproduce appsec.py's job at real scale, including SBOM ingestion.
  • The SLSA framework (slsa.dev) for supply-chain integrity. 🏗️📋 Previews Chapters 29 and 31 — a graded model for how much you can trust a build artifact's provenance; the structural answer to A08.
  • Conference talks on the Log4Shell response (major security conferences, 2022). 🛡️📋 First-hand accounts of the discovery-vs-patching problem from teams who lived it. (Tier 2: pick well-sourced, reputable talks; details and timelines vary by retelling.)

Tools to explore (in your own lab only)

  • A SAST linter for your language (many are free/open-source). 🏗️ Run it on your own toy project and read every finding critically — practice telling a true positive from the false positives §12.5 warns about.
  • A secret-scanning tool on a practice repo. 🏗️🛡️ Commit a fake credential to a private test repo and watch the scanner catch it — then internalize that the real-world fix is rotation, not deletion (Chapter 20).
  • A personal threat-model worksheet (STRIDE). 🏗️📋 Take one feature of any app you use and run the four-question method on paper. The best first threat-modeling lab needs no software, only the discipline of §12.6.

⚖️ Authorization & Ethics reminder: Vulnerable-by-design training apps (WebGoat, Juice Shop) and SAST/SCA tools are powerful and meant for learning. Run them only against systems you own or are explicitly authorized to test, and study attack techniques solely to build the defenses in this chapter and Chapter 13. The skill that secures an application can, misapplied, be a crime (Chapter 39).