Do you think it is a good start/reference or is there something better suited that has a focus on web application security?
@solhuebner wrote: Do you think it is a good start/reference or is there something better suited that has a focus on web application security?
Sascha,
OWASP has a long, well established record of strong technologists addressing web application security. That is definitely the best place to start learning about the topic. However, in order to really understand the world that the CSSLP covers, I recommend you also incorporate work from the Building Security In Maturity Model (BSIMM) effort, which allows you to think in terms of the complete System Life Cycle (SLC) as described by INCOSE in both the Systems Engineering Body of Knowledge and the Systems Engineering Handbook.
It is important to address the full SLC as differentiated from the Software Development Life Cycle (SDLC) because too many programmers (coders) think the SDLC starts when someone else gives them the system requirements and ends with delivery of the code to meet those requirements. The complete SLC starts with the process to develop those requirements and continues through the operations, maintenance, and retirement stages of the system's life. Especially in the world of security, paying attention to the security at retirement (e.g. disposal, destruction, data preservation, etc.) is a crucial part of our jobs.
Good luck, and congratulations on deciding to dive into a most important part of our profession.