@gsuberland @munin (Very specific to AppSec, from someone who’s been doing it as a consultant for 10+ years.)
Check out the OWASP application security testing guide and the application verification standard. Know how to identify all the issues pointed out by these guides. Join bug bounties and practice. Many of these items are straightforward: this control is present or not. Others are harder and require more exploration (XSS, SQLi, etc.). Focus on business use cases and assumptions (how does this registration/checkout/forgot-password flow actually work?). Much of this is boring, but it’s the practice necessary. It can all be accomplished with basic tools (which I’d suggest doing with the bare minimum).
I would also suggest that anyone learn Python. A lot of AppSec code is written in Python. Build some utilities, CLI apps, web, just enough to help learn the basics of HTTP.
The other OWASP top 10 projects are also good to learn from.
Also, focus on really understanding and communicating the underlying issue and remediation. Many have a really hard time doing this, but it’s crucial for success.
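The kind of small Python HTTP utility the post recommends building, and one of the "control present or not" checks it describes, as an added example that is not code from the original poster or from any OWASP project. It parses a raw HTTP/1.1 response (a constructed sample is embedded so it runs offline), then reports missing hardening headers and missing cookie flags. The list of expected headers and the cookie attributes it looks for are assumptions taken from common hardening guidance, not a transcription of any ASVS requirement; the `fetch_headers` helper is only there so the same checks can be pointed at a live URL.

```python
"""Minimal AppSec response checker.

Added example, not the original poster's code. Demonstrates the
"is this control present or not" style of check using nothing but the
standard library, which is the kind of throwaway HTTP tool the post
suggests writing to learn the protocol.
"""
import sys
import urllib.request

# Assumption: a hardened HTTPS response should carry these headers.
# A value of None means "any value counts as present"; a string means
# that substring must appear (case-insensitively) in the header value.
EXPECTED_HEADERS = {
    "strict-transport-security": "max-age=",
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
}

# Constructed sample response for offline use (not captured from a real site).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"\r\n"
    b"<html>...</html>"
)


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers).

    headers maps lower-cased names to a list of values, because headers
    such as Set-Cookie legitimately appear more than once.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def fetch_headers(url):
    """Fetch a live URL and return (status, headers) in the same shape.

    Note: urlopen raises HTTPError for 4xx/5xx responses; catch it if you
    want to audit error pages too.
    """
    with urllib.request.urlopen(url) as resp:
        headers = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
        return resp.status, headers


def check_headers(headers):
    """Report each expected hardening header that is missing or malformed."""
    findings = []
    for name, needle in EXPECTED_HEADERS.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"missing {name}")
        elif needle and needle not in values[0].lower():
            findings.append(f"{name} present but lacks '{needle}': {values[0]}")
    return findings


def check_cookies(headers):
    """Report Set-Cookie headers lacking Secure, HttpOnly or SameSite."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {name} lacks SameSite")
    return findings


def audit(headers):
    """Combine both checks into one list of findings."""
    return check_headers(headers) + check_cookies(headers)


if __name__ == "__main__":
    # Usage: python checker.py [https://example.test/]  (no URL = sample data)
    if len(sys.argv) > 1:
        status, hdrs = fetch_headers(sys.argv[1])
    else:
        status, hdrs = parse_raw_response(SAMPLE_RESPONSE)
    print(f"status {status}")
    for finding in audit(hdrs) or ["no findings"]:
        print(f"- {finding}")
```

On the sample data the checker flags two missing headers and two missing cookie flags; the point of keeping the parser, the fetcher and the checks as separate functions is that the same checks can be run against a captured response from a proxy, a live fetch, or a unit test without changing the logic.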