This repository was created with the intention of spreading the word of DevSecOps to educate and direct aspiring security professionals to a place that is different from the famous choice between the blue team and the red team, that place being the wonderful (and challenging) world of Application Security: a relatively new area, but one that is constantly expanding, with its own unique peculiarities. It's also a way I've found to repay what the community has done for me, because I didn't get to where I am on my own and many people have guided and directed me so that I can be a little better every day.
Any AppSec professional is welcome to contribute and add insights!
You may already have the answer in your head, but there are those who may be undecided: the AppSec area (at least in Brazil, in my view) encompasses those professionals who don't want to make a living solely from pentesting. Of course, the idea of Red Team is fantastic and attracts a lot of people to the area (the Mr. Robot series probably brought more people to the area than any other professional or course in existence), but it's a very common opinion in AppSec circles that it's difficult to find companies that take the Red Team concept literally. In addition, those who have learned programming or have even worked as devs will have an easier transition and will use that knowledge much more within AppSec. This is not to say that in other areas we don't need to program, not at all, but anyone who likes coding or has already become a professional through it and has an interest in security will feel at home in AppSec (obviously, everyone will have a different experience of this).
💡 TL;DR - If you don't want to be on a Red Team but still want to do pentests, or if you've been a dev but want to move into security, AppSec is for you! In many companies, AppSecs also do pentests :D
It's understood that if you've reached this repo, in most cases it's because you already know that AppSec is a niche and you already know the basics of InfoSec, perhaps with the exception of programming. Don't know? Not sure? Go back a few steps and study the beginner content of this roadmap. It's essential, because a lot of the content here will only make sense if you already have the basics down.
💡 Click on the desired section to delve deeper into the topic. All the course/content suggestions below are free, except those marked with 💰
🔗 OWASP
🔗 Cloud
🔗 Mobile
- Tayna from She Hacks Purple
- The Cyber Mentor's channel
- Tib3rius
- Ben Sadeghipour AKA NahamSec
With that, you should be well equipped to start your career and try your luck at the vacancies! Don't be fooled into thinking that it's an easy path that ends with just the content recommended here. It's not; there's a lot more content you'll need. But it's a rewarding journey, from day 1 (:
I'm deeply grateful for the people who pushed to do this repo: Sabrina from Menina de CyberSec and Helena AKA MolocoHorror.
Also, the first contributors to the Brazilian version of this repo:
If you have any questions, feel free to send me a message (I also speak Portuguese and Spanish :D). I wish you all the success in the world on your journey o/