Application Security Study Plan

Who this is for: Engineers preparing for AppSec interviews, security practitioners leveling up, or developers who want to understand security the way attackers and experienced AppSec engineers do.

How to use this plan: Follow phases in order. Do not rush. Master the mental model before tools. Every phase maps directly to real interview expectations.

Phase 1 — Foundations (How Applications Really Work)

Goal: Understand how modern applications are built, communicate, and fail.

HTTP request/response lifecycle
State management (cookies, sessions, tokens)
Client vs server trust boundaries
What the browser enforces vs what the server must enforce

Study:

Interview focus: “Explain how a web application works end-to-end and where security controls belong.”

Phase 2 — Core Web Vulnerabilities (Depth > Breadth)

Goal: Stop memorizing OWASP. Start understanding exploit mechanics.

Injection as a class (SQLi, NoSQLi, OS, LDAP, XPath)
Contextual output encoding
Server-side vs client-side validation

Study (deeply):

Hands-on mindset: Always ask: What is the sink? What controls the input? Why does the fix work?

Interview focus: “Explain SQLi/XSS from request to database/DOM with a real example.”

Phase 3 — Authentication & Identity (High-Impact Area)

Goal: Understand how identities break — not just how they authenticate.

What I see in reviews: consistency beats intensity. Ten focused minutes per day on one boundary/bug class will outperform random deep dives.

Password storage & reset flows
MFA logic flaws
JWT internals (claims, signing, verification)
OAuth & SSO trust boundaries

Study:

Interview focus: “Explain JWT validation. What goes wrong in real systems?”

Phase 4 — Authorization & Business Logic (experienced-Level Skill)

Goal: Catch bugs scanners will never find.

Authorization vs authentication
IDOR / BOLA / BFLA
Workflow abuse
State manipulation

Study:

Interview focus: “How do you find business logic bugs?”

Phase 5 — API, Mobile & Cloud Expansion

Goal: Apply the same mental models beyond classic web apps.

API object-level authorization
Token misuse
Mobile trust assumptions
Cloud shared responsibility

Study:

Interview focus: “How is API security different from web security?”

Phase 6 — experienced AppSec Skills

Goal: Think like a security owner, not just a tester.

Threat modeling (STRIDE)
Secure SDLC integration
Risk-based prioritization
Writing high-quality reports

Study:

Interview focus: “How do you influence engineering teams and leadership?”

Final advice: If you can explain every topic here clearly, with examples and fixes, you are operating at a experienced AppSec level.