As security professionals, we spend a lot of time searching through resources, documentation, and references while working on projects or investigating vulnerabilities. I got tired of hunting for the same links over and over, so I built AppSec.fyi — a curated collection of application security resources that serves as the go-to reference I always wanted.
What is AppSec.fyi?
AppSec.fyi is a centralized hub that organizes security knowledge across multiple domains, making it easy to find authoritative sources and reference materials for common vulnerabilities and security topics. I describe it as “a somewhat curated list of links to various topics in appsec” — though that undersells it a bit at this point.
The approach is simple but effective: each major vulnerability class or topic gets its own dedicated page with curated links to high-quality resources, primarily from OWASP but also including other authoritative sources like Wikipedia, vendor documentation, and security tools.
Coverage and Organization
I’ve organized the site as a clean landing page with links to detailed topic pages. The main categories include:
Core Vulnerability Classes
- Insecure Direct Object Reference (IDOR) — Links to OWASP prevention cheat sheets
- Cross-Site Scripting (XSS) — References to OWASP attack documentation
- SQL Injection — Coverage of database injection vulnerabilities
- XML External Entity Processing (XXE) — Details on XML-based attacks
- Server-Side Request Forgery (SSRF) — Resources on server-side abuse
- Cross-Site Request Forgery (CSRF) — State-changing attack vectors
- Remote Code Execution (RCE) — Arbitrary code execution references
Security Domains and Practices
- AI Security — Protecting AI systems from threats like data poisoning and model inversion
- Open-Source Intelligence (OSINT) — Publicly available intelligence gathering
- Bug Bounty Related — Resources for bug bounty programs and researchers
- Reconnaissance — Information gathering techniques
- Fuzzing — Automated testing methodologies
Tools and Technologies
- Burp Suite — The leading web application testing platform from PortSwigger
- Python — Programming resources (I’m a Python convert, so this one’s personal)
- GraphQL — API query language security considerations
Additional Resources
- Talks — A dedicated page cataloging security presentations and talks with dates, links, and excerpts from sources like Speaker Deck, covering topics from OWASP projects to security scaling guides
What Makes It Valuable
A few things I focused on when building the site:
Quality Over Quantity: Rather than overwhelming visitors with hundreds of links, I focus on curating high-quality, authoritative resources. Most entries link directly to OWASP documentation, which is widely recognized as the gold standard for web application security guidance.
Practical Organization: I organized topics the way security professionals actually work. Whether you’re investigating a potential SSRF vulnerability or need to refresh your knowledge on XSS variants, you can quickly navigate to the relevant section.
Easy Navigation: The simple, clean design makes it easy to scan topics and find what you need. The landing page provides brief descriptions of each topic, while dedicated pages offer more detailed resource collections.
Actively Maintained: I regularly add new resources and update existing links. The talks section shows dates for when content was added, and I’m continuously expanding the collection as new quality resources emerge.
Use Cases
I’ve designed AppSec.fyi to serve several practical purposes:
Learning Path: For those new to application security, the site provides a structured way to explore different vulnerability classes, starting with authoritative resources rather than random blog posts or outdated documentation.
Quick Reference: During security assessments or code reviews, having quick access to OWASP cheat sheets and attack documentation is invaluable for confirming attack vectors or mitigation strategies. This is honestly the use case I built it for — I needed it myself.
Training Resource: Security teams can use the site as a baseline reading list for new team members or for ongoing security education programs.
Research Starting Point: When investigating a new vulnerability class or attack technique, the curated links provide a solid foundation before diving into more specialized resources.
Why I Built It
I built AppSec.fyi because I wanted a single place to find the resources I use most in my day-to-day work as an application security engineer. What sets it apart from automated link aggregators is that every resource is hand-picked based on actual use. I choose resources that are genuinely useful rather than just highly ranked in search results. The inclusion of categories like “Talks” with hand-picked presentations reflects the kind of knowledge you build from being engaged with the security community over time.
Final Thoughts
In an era of information overload, having a trusted, curated collection of security resources is increasingly valuable. I built AppSec.fyi to fill this niche — a focused collection of high-quality links across the major application security domains. Whether you’re a seasoned security professional looking for quick references or someone building their security knowledge, I hope it provides a practical, well-organized starting point.
Sometimes the most useful tools are the simplest ones — a well-curated list of links, maintained by someone who knows what security professionals actually need.
Visit: https://appsec.fyi