A working reference for application security and secure SDLC: secure coding, threat modeling, DevSecOps pipelines, framework mappings, architecture patterns, tooling evaluation methodology, and finding writeups.
This repository focuses on the defensive side of AppSec. Offensive cheatsheets, payloads, and pentest tooling live in a separate repository: https://github.com/maverick-hackz/Workstation
| Section | Purpose |
|---|---|
| Secure coding | Language-specific guidelines with insecure-to-secure code examples |
| Threat modeling | STRIDE, PASTA, and attack-tree methodology, templates, worked examples |
| Secure SDLC | Security requirements, code review, security gates, VDP (vulnerability disclosure program) templates |
| DevSecOps | CI/CD security templates, pre-commit hooks, custom Semgrep rules, Kubernetes policies |
| Frameworks | ASVS, SAMM, NIST SSDF, OWASP Top 10 (Web/API/LLM/CI-CD), CWE Top 25 |
| Architecture | Zero Trust, OAuth2/OIDC/SAML/mTLS, crypto, secrets management |
| Tooling evaluation | SAST/SCA/DAST/MAST/ASPM evaluation methodology |
| Writeups | Sanitized finding writeups, each structured as Finding -> Impact (CVSS 3.1) -> Repro -> Fix |
| References | Reading list, standards, conferences, glossary |
Intended audience:

- AppSec engineers building or reviewing secure SDLC programs
- Developers integrating security into CI/CD
- Security architects working on auth, crypto, API security
- Hiring managers evaluating AppSec engineering depth

Related repository:

- Offensive cheatsheets, payloads, and pentest tooling: Workstation (https://github.com/maverick-hackz/Workstation)
