Security Engineer Learning Path
A structured 12-week journey through the Knowledge Vault for security engineers, AppSec specialists, and any developer serious about building secure systems. This path covers the OWASP Top 10, deep authentication (12 pages), real-world exploits (12 pages), authorization models, zero trust architecture, compliance frameworks, supply chain security, API security, encryption, secrets management, and DevSecOps.
Who This Is For
- Developers transitioning into AppSec or security engineering
- Junior security engineers building towards mid-level
- Backend engineers who want to build secure systems by default
- Anyone preparing for security-focused roles or certifications
Prerequisites
- Backend development experience (familiar with APIs, databases, deployments)
- Basic understanding of HTTP, TLS, and web architecture
- Some familiarity with Linux command line
- No prior security specialization required
Total estimated time: ~55 hours across 12 weeks
Learning Progression
Week 1-2: OWASP Top 10
Estimated reading time: 4.5 hours
The OWASP Top 10 is the baseline for web application security. Every security engineer must know these vulnerabilities.
- [ ] Required -- OWASP Overview (15 min)
- [ ] Required -- A01: Broken Access Control (25 min)
- [ ] Required -- A02: Cryptographic Failures (25 min)
- [ ] Required -- A03: Injection (25 min)
- [ ] Required -- A04: Insecure Design (25 min)
- [ ] Required -- A05: Security Misconfiguration (25 min)
- [ ] Required -- A06: Vulnerable Components (20 min)
- [ ] Required -- A07: Authentication Failures (25 min)
- [ ] Required -- A08: Data Integrity Failures (20 min)
- [ ] Required -- A09: Logging & Monitoring Failures (20 min)
- [ ] Required -- A10: SSRF (20 min)
- [ ] Optional -- 2017 to 2021 Mapping (15 min)
- [ ] Optional -- Secure Coding (25 min)
Checkpoint
After this section you should be able to: identify all 10 OWASP vulnerability categories, explain real-world exploitation scenarios, and implement preventive controls.
Week 2-3: Deep Authentication (Part 1)
Estimated reading time: 5 hours
Authentication is the front door of your application. This section covers the first half of the 12 deep auth pages.
- [ ] Required -- Authentication Overview (15 min)
- [ ] Required -- Auth Architecture (30 min)
- [ ] Required -- OAuth2 & OIDC (30 min)
- [ ] Required -- OAuth2 Flows (25 min)
- [ ] Required -- JWT Deep Dive (30 min)
- [ ] Required -- Session Deep Dive (25 min)
- [ ] Required -- Session Management (25 min)
- [ ] Required -- Token Strategies (25 min)
Checkpoint
After this section you should be able to: implement OAuth2 authorization code flow with PKCE, validate JWTs correctly, design secure session management, and choose between session and token strategies.
Week 3-4: Deep Authentication (Part 2)
Estimated reading time: 4.5 hours
Advanced auth patterns: MFA, passkeys, biometrics, enterprise SSO, device trust, and attack defense.
- [ ] Required -- MFA Deep Dive (25 min)
- [ ] Required -- MFA Implementation (25 min)
- [ ] Required -- Passkeys & WebAuthn (25 min)
- [ ] Required -- Passwordless Authentication (20 min)
- [ ] Required -- Auth Attack & Defense (30 min)
- [ ] Required -- API Key Design (20 min)
- [ ] Optional -- Biometric Authentication (20 min)
- [ ] Optional -- Enterprise SSO (25 min)
- [ ] Optional -- Device Trust (20 min)
- [ ] Optional -- Account Sharing Prevention (20 min)
- [ ] Optional -- Auth Providers (20 min)
Production reference:
- [ ] Optional -- Auth Service Blueprint (15 min)
- [ ] Optional -- Auth Service Architecture (25 min)
- [ ] Optional -- Auth Service Database Schema (20 min)
Checkpoint
After this section you should be able to: implement MFA with TOTP/WebAuthn, design passwordless auth flows, defend against credential stuffing and brute force, and plan an enterprise SSO rollout.
Week 4-5: Authorization
Estimated reading time: 3 hours
Authorization decides what authenticated users can do. Master RBAC, ABAC, ReBAC, and policy engines.
- [ ] Required -- Authorization Overview (15 min)
- [ ] Required -- RBAC, ABAC, ReBAC (30 min)
- [ ] Required -- Zanzibar (30 min)
- [ ] Required -- Policy Engines (25 min)
Checkpoint
After this section you should be able to: choose between RBAC, ABAC, and ReBAC for different access control needs, understand Google Zanzibar-style authorization, and evaluate policy engines (OPA, Cedar, Casbin).
Week 5-6: Real-World Exploits (Part 1)
Estimated reading time: 4 hours
Study real exploits to understand how vulnerabilities manifest and how to prevent them.
- [ ] Required -- Exploits Overview (15 min)
- [ ] Required -- XSS Advanced (25 min)
- [ ] Required -- Injection Advanced (25 min)
- [ ] Required -- Heartbleed (25 min)
- [ ] Required -- Log4Shell (25 min)
- [ ] Required -- Dirty Pipe (25 min)
- [ ] Required -- SolarWinds (25 min)
Checkpoint
After this section you should be able to: explain the technical details of each exploit, identify similar patterns in your own codebase, and implement defenses against each attack class.
Week 6-7: Real-World Exploits (Part 2)
Estimated reading time: 4 hours
More exploits covering crypto attacks, container escapes, cloud misconfigurations, and supply chain compromises.
- [ ] Required -- Crypto Attacks (25 min)
- [ ] Required -- Container Escapes (25 min)
- [ ] Required -- Cloud Misconfigurations (25 min)
- [ ] Required -- Spectre & Meltdown (25 min)
- [ ] Required -- XZ Backdoor 2024 (25 min)
Checkpoint
After this section you should be able to: detect cryptographic implementation flaws, prevent container escapes, audit cloud configurations for security holes, and understand hardware-level vulnerabilities.
Week 7-8: Encryption & Cryptography
Estimated reading time: 3.5 hours
Encryption protects data at rest and in transit. Understand the primitives so you can use them correctly.
- [ ] Required -- Encryption Overview (15 min)
- [ ] Required -- Symmetric vs Asymmetric (25 min)
- [ ] Required -- Cryptography for Engineers (30 min)
- [ ] Required -- Encryption at Rest (25 min)
- [ ] Required -- Encryption in Transit (25 min)
- [ ] Required -- Hashing Algorithms (25 min)
- [ ] Required -- Key Management (25 min)
- [ ] Optional -- Envelope Encryption (20 min)
- [ ] Optional -- TLS Handshake (20 min)
Secrets management:
- [ ] Required -- Secrets Management Overview (15 min)
- [ ] Required -- HashiCorp Vault (30 min)
- [ ] Required -- Rotation Automation (25 min)
- [ ] Optional -- AWS Secrets Manager (25 min)
- [ ] Optional -- Secrets in CI/CD (25 min)
Checkpoint
After this section you should be able to: choose between AES-256-GCM and ChaCha20-Poly1305, implement envelope encryption, hash passwords with bcrypt/argon2, manage secrets with Vault, and automate secret rotation.
Week 8-9: Zero Trust Architecture
Estimated reading time: 3 hours
The perimeter is dead. Zero trust assumes every request is potentially hostile.
- [ ] Required -- Zero Trust Overview (10 min)
- [ ] Required -- Zero Trust Principles (25 min)
- [ ] Required -- Identity Verification (25 min)
- [ ] Required -- Least Privilege (25 min)
- [ ] Required -- Network Segmentation (25 min)
- [ ] Required -- Continuous Verification (25 min)
- [ ] Optional -- K8s RBAC (25 min)
- [ ] Optional -- K8s Network Policies (20 min)
- [ ] Optional -- AWS IAM Deep Dive (25 min)
Checkpoint
After this section you should be able to: articulate zero trust principles, implement identity-based access, design least-privilege policies, and implement micro-segmentation.
Week 9-10: Compliance & Governance
Estimated reading time: 3.5 hours
Security without compliance is incomplete. Understand the major regulatory frameworks and how to implement them.
- [ ] Required -- Compliance Overview (15 min)
- [ ] Required -- GDPR Engineering (30 min)
- [ ] Required -- SOC 2 (25 min)
- [ ] Required -- PCI-DSS (25 min)
- [ ] Required -- Audit Logging (25 min)
- [ ] Optional -- Audit Log Blueprint (25 min)
Checkpoint
After this section you should be able to: implement GDPR data handling requirements, prepare for SOC 2 audits, design PCI-compliant payment flows, and build comprehensive audit logging.
Week 10-11: Supply Chain Security
Estimated reading time: 2.5 hours
Your code is only as secure as your dependencies. Understand supply chain attacks and how to defend against them.
- [ ] Required -- Supply Chain Security Overview (25 min)
- [ ] Required -- XZ Backdoor 2024 (25 min -- revisit with a supply chain lens)
- [ ] Required -- SolarWinds (25 min -- revisit)
- [ ] Required -- A06: Vulnerable Components (20 min -- revisit)
- [ ] Required -- Security Scanning in CI/CD (25 min)
Checkpoint
After this section you should be able to: assess supply chain risk in your dependency tree, implement SBOM generation and dependency scanning, and design secure CI/CD pipelines that catch compromised packages.
Week 11: API Security
Estimated reading time: 3 hours
APIs are the primary attack surface. Every endpoint is a potential vulnerability.
- [ ] Required -- API Security Overview (15 min)
- [ ] Required -- Input Validation (25 min)
- [ ] Required -- CORS Deep Dive (25 min)
- [ ] Required -- CSP Headers (25 min)
- [ ] Required -- Rate Limiting (20 min)
- [ ] Required -- Advanced Rate Limiting (20 min)
- [ ] Required -- API Abuse Prevention (25 min)
- [ ] Optional -- Request Signing (20 min)
Checkpoint
After this section you should be able to: validate and sanitize all inputs, configure CORS and CSP correctly, implement multi-level rate limiting, and prevent API abuse.
Week 12: DevSecOps & Production Security
Estimated reading time: 4 hours
Shift security left by integrating it into your development and CI/CD workflows.
- [ ] Required -- Security Scanning in CI/CD (25 min)
- [ ] Required -- Docker Security Hardening (25 min)
- [ ] Required -- Terraform Security Hardening (25 min)
- [ ] Required -- Structured Logging (20 min)
- [ ] Required -- Sensitive Data Redaction (20 min)
- [ ] Required -- Alert Design (20 min)
Cybersecurity integration:
- [ ] Optional -- API Security Testing (25 min)
- [ ] Optional -- Container Security (25 min)
- [ ] Optional -- Cryptography Practical (25 min)
Checkpoint
After this section you should be able to: integrate SAST, DAST, and SCA into pipelines, scan containers for vulnerabilities, audit IaC for misconfigurations, and set up security alerting.
What You Will Be Able to Do After This Path
- Identify and remediate all OWASP Top 10 vulnerabilities
- Design and implement production-grade authentication systems (OAuth2, JWT, MFA, passkeys)
- Analyze real-world exploits and defend against each attack class
- Implement authorization with RBAC/ABAC/ReBAC and policy engines
- Design zero trust architectures with continuous verification
- Achieve compliance with GDPR, SOC 2, and PCI-DSS
- Secure the software supply chain from dependency to deployment
- Build DevSecOps pipelines with automated security scanning
Cross-References to Related Paths
- Cybersecurity Engineer Path -- Offensive security, pentesting, and OSCP prep
- Backend Engineer Path -- Understand the systems you are securing
- DevOps Engineer Path -- Infrastructure security and incident response
- Platform Engineer Path -- Secrets management and network segmentation at scale
- System Design Interview Path -- Design secure systems in interviews
Total Progress
This path contains approximately 100 pages. At a pace of 5 pages per day, you can complete it in about 3 weeks. Weeks 1-4 (OWASP + auth) are the critical foundation -- start there.