Software Security
A comprehensive overview of controls

Last updated 2 years ago

1. Application Security Verification Standard

During this course, we have covered some very important topics in web application security. Keep in mind, however, that this course is by no means an exhaustive summary of all possible attacks. Therefore, before you release a real-life application, you should first validate it against the Application Security Verification Standard (ASVS). This standard provides a basis for designing, building, and testing technical application security controls, including architectural concerns, the secure development lifecycle, threat modelling, agile security including continuous integration / deployment, serverless, and configuration concerns.

Certain parts of this standard are part of the required study material (see Digitap for an overview of these parts). In any case, read through the whole standard to get a comprehensive overview of all the controls that you should include in your web application. The latest version of the standard can be downloaded from the OWASP ASVS repository on GitHub (linked at the end of this page).

2. Top resources to use in a devsecops environment

This list provides you with some resources that I have found to be very useful. I will regularly update this list.

  • https://infosec.mozilla.org/guidelines/web_securit

  • https://github.com/microsoft/attacksurfaceanalyzer

  • https://www.sans.org/security-resources/posters/secure-devops-toolchain-swat-checklist/60/download

  • https://github.com/toniblyx/my-arsenal-of-aws-security-tools

  • https://bettercrypto.org/

  • https://www.owasp-risk-rating.com/

Latest released version of the ASVS: https://github.com/OWASP/ASVS#latest-released-version