Resources

AppSec resources for engineers

Practical application security knowledge — blog articles, downloadable checklists, and curated links to the best external resources in the field.

Latest from the Blog

AppSec Strategy

Why Shift Left Fails (And What to Do Instead)

The "shift left" mantra has dominated AppSec for a decade. Here's why it's not delivering results for most teams — and a more practical approach.

Threat Modeling

Threat Modeling Without Security Expertise

You don't need a CISSP to run a useful threat modeling session. Here's how any engineering team can do it in 90 minutes.

Code Review

The Secure Code Review Checklist

A practical, technology-agnostic checklist for spotting security vulnerabilities during code review — covering injection, auth, access control, and more.

Downloadable Resources

Free checklists for your team

Practitioner-built checklists you can adapt to your own team's workflow.

Secure Code Review Checklist

Technology-agnostic checklist for security-aware code review. Covers OWASP Top 10 categories, dependency review, and auth patterns.

Threat Modeling Session Guide

Step-by-step facilitation guide for running a 90-minute threat modeling session. Includes STRIDE prompts and an output template.

SDLC Security Gate Checklist

What to check at each stage of your development pipeline — commit, build, deploy. Policy-as-code templates for GitHub Actions and GitLab CI.

External Resources

Curated AppSec references

The best external references in application security — curated and described for practitioners, not vendors.

Put this knowledge into practice

SafeStack helps your team apply this knowledge in the workflow you already use — not in a separate training portal.