Back in January I wrote about the launch of AppSec.fyi, the curated application security resource library I built and maintain. Three months later, I’ve added enough to warrant an update. What started as a clean list of links organized by vulnerability class has turned into something closer to a full reference platform.

By the Numbers

The library now holds 2,241 resources spread across 24 distinct categories. That’s a significant jump from the handful of core vulnerability classes I launched with. The original categories — XSS, SQLi, SSRF, IDOR, XXE, RCE, CSRF — are still there, but I’ve expanded into areas that reflect where application security is actually headed.

New categories include:

  • AI Security — prompt injection, model poisoning, LLM-specific attack surfaces
  • Supply Chain Security — dependency confusion, typosquatting, build pipeline attacks
  • API Security — broken authentication, excessive data exposure, rate limiting bypasses
  • GraphQL — introspection abuse, batching attacks, authorization flaws
  • Mobile Security — platform-specific vulnerabilities across iOS and Android
  • Deserialization — insecure deserialization across Java, PHP, Python, and .NET

Each category page isn’t just a dump of links. I organize resources with enough context that you can tell what you’re clicking into before you click.

Resource Health Indicators

This is one of the additions I’m most pleased with. Every topic now shows a health badge — active, stable, or stale — reflecting how recently I’ve reviewed and updated the resources on that page.

Link rot is the silent killer of curated resource lists. A page full of 404s is worse than no page at all. The health indicators give you a quick signal about whether you’re looking at a maintained section or one that might have drifted. It’s a small thing, but it keeps me accountable and lets visitors know what’s fresh.

Weekly AppSec Digest

I now publish a weekly newsletter — the AppSec Digest — delivered on Mondays. Rather than another firehose of security news, it follows the same curation philosophy as the site itself: a filtered selection of what’s worth reading that week.

If you’ve tried to keep up with the volume of security advisories, blog posts, conference talks, and tool releases that hit the wire every week, you know how noisy it gets. The digest is my attempt to cut through that. You can subscribe directly from the site.

Glossary

I added a glossary section that defines application security terminology in plain language. This might seem basic, but terminology in security is a real barrier to entry. The difference between authentication and authorization trips up experienced developers. The distinction between stored and reflected XSS matters when you’re writing a bug report. Having consistent, accessible definitions in one place is more useful than it sounds.
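To make the authentication-versus-authorization point concrete, here is a small added example of my own (it is not code from AppSec.fyi and the users, tokens and invoice records are constructed sample data). Both handlers authenticate the caller; only the second one also checks that the caller is allowed to see the record it asked for. The first is the classic IDOR shape: a valid session is treated as permission.

```python
# Added illustration: authentication answers "who is calling?",
# authorization answers "may this caller do this?". Conflating the two
# is how an authenticated-but-unauthorized read (IDOR) slips in.

# Constructed sample data (not from any real system)
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}   # session token -> user
INVOICES = {
    101: {"owner": "alice", "total": 42},
    202: {"owner": "bob", "total": 7},
}


def authenticate(token):
    """Authentication only: map a session token to a username, or None."""
    return SESSIONS.get(token)


def get_invoice_vulnerable(token, invoice_id):
    """Checks that the caller is logged in, then returns ANY invoice.

    Returns (http_status, body). Bob can read Alice's invoice 101
    because the handler never asks whether it belongs to him.
    """
    user = authenticate(token)
    if user is None:
        return 401, None                      # not authenticated
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice                       # missing authorization check


def get_invoice_fixed(token, invoice_id):
    """Authenticates, then authorizes: the record must belong to the caller.

    A foreign invoice gets the same 404 as a missing one so the endpoint
    does not leak which IDs exist.
    """
    user = authenticate(token)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        return 404, None                      # not yours (or not there)
    return 200, invoice


if __name__ == "__main__":
    # Bob, fully authenticated, asks for Alice's invoice.
    print("vulnerable:", get_invoice_vulnerable("token-bob", 101))  # 200, leaks
    print("fixed:     ", get_invoice_fixed("token-bob", 101))       # 404
    print("owner:     ", get_invoice_fixed("token-alice", 101))     # 200
```

The bug report for the first handler is an authorization finding, not an authentication one: the login works exactly as designed. Saying which of the two failed is what the glossary is for.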

Comparisons

The site now includes a comparisons section for evaluating security tools and approaches side by side. When you’re choosing between SAST tools, or trying to understand the difference between DAST and IAST, a structured comparison from a practitioner’s perspective is more valuable than reading five vendor marketing pages. I’ve been building these out based on tools I’ve actually used in my own work.

Full-Text Search

Full-text search now spans the entire resource library. With the collection past 2,200 items, this was no longer a nice-to-have — it was essential. If you know you’re looking for resources on JWT attacks or OAuth misconfiguration, you can get there directly rather than browsing through categories.

Community Submissions

I added a portal for submitting resources. This is how I plan to scale curation without losing quality — I still review and approve every submission, but the community can surface resources that I might miss on my own. Open intake, curated output.

What’s Next

I built AppSec.fyi because the application security space has a discoverability problem. There are excellent resources scattered across OWASP, PortSwigger’s Web Security Academy, individual researcher blogs, GitHub repos, and conference archives. Finding the right resource at the right time — when you’re in the middle of a code review and need to confirm whether a particular SSRF bypass works against cloud metadata endpoints — that’s where curation earns its value.

I’m going to keep growing the library, adding new categories as the threat landscape shifts, and improving the tooling around it. If you work in application security and haven’t visited recently, come take a look.

Visit: https://appsec.fyi
