Three-Month Product Security Self-Study Plan
Intro: This plan is designed for someone who wants to become useful fast without pretending they can master all of Product Security in twelve weeks. The right goal is not "finish everything." The right goal is to build a repeatable study rhythm around reading, lab work, note taking, and retelling what you learned.
Study rules
- Spend 5 to 7 focused hours per week.
- Split each week into reading, hands-on practice, and retrospective notes.
- Keep a notebook with three sections:
  - what I learned,
  - what broke,
  - what I would change in a real product.
- Every second week, explain what you learned to another engineer or to yourself in writing.
The 12-week path
| Week | Focus | Book / reading | Lab / environment | Outcome |
|---|---|---|---|---|
| 1 | Build the foundation | Alice and Bob Learn Application Security, by Tanya Janca | OWASP Juice Shop or OWASP Security Shepherd | establish baseline vocabulary: authn/authz, input validation, abuse cases, common web flaws |
| 2 | Threat modeling and secure design | Threat Modeling: Designing for Security, by Adam Shostack | draw data-flow diagrams (DFDs) with trust boundaries for Juice Shop or a small internal service design | practice STRIDE and design-review questions instead of only bug-hunting |
| 3 | Secure coding mindset | Writing Secure Code, by Howard and LeBlanc | language-specific secure coding review labs from this KB | learn to recognize bug classes before scanners do |
| 4 | API security | API Security in Action, by Neil Madden | API Definition Conformance Lab + Juice Shop API endpoints | focus on tokens, authorization, API contracts, and misuse cases |
| 5 | Business logic and abuse | Alice and Bob Learn Application Security (selected chapters) + internal KB business-logic pages | Worked Example Business Logic Abuse Lab | shift from purely technical bugs to product abuse and workflow risk |
| 6 | DevSecOps and CI/CD trust | Agile Application Security or Learning DevSecOps | CI/CD Goat + local GitHub/GitLab demo repos | learn commit-to-deploy trust boundaries, approvals, provenance, and runner risk |
| 7 | Supply chain security | Building Secure and Reliable Systems (selected chapters) + KB supply-chain pages | Sigstore/Cosign or SLSA-oriented toy pipeline | understand attestations, signed artifacts, and dependency trust |
| 8 | Cloud security basics | AWS-focused security book or cloud-native security reading pack | CloudGoat or flAWS / flAWS2 | practice IAM, storage, networking, logging, and blast-radius reasoning |
| 9 | Kubernetes and containers | Container Security, by Liz Rice + Hacking Kubernetes / Learn Kubernetes Security | Kubernetes Goat or EKS Goat | learn workload isolation, admission, RBAC, and runtime detection fundamentals |
| 10 | Crypto, secrets, and key management | Real-World Cryptography, by David Wong | small lab with KMS envelope encryption or HashiCorp Vault / step-ca | build intuition for key hierarchy, signing, rotation, and common crypto failure modes |
| 11 | Detection and incident response | Building Secure and Reliable Systems + Product Security incident pages in this KB | runtime investigation playbook lab or Falco/Tetragon sandbox | connect telemetry, containment, and product-facing incident response |
| 12 | Leadership, reporting, and synthesis | How to Measure Anything in Cybersecurity Risk + The Manager's Path | write a short quarterly Product Security review based on the labs you ran | turn technical observations into priorities, metrics, and an action plan |
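The Week 10 lab above asks for a small envelope-encryption exercise. As an added example, written for this page rather than taken from any KB lab, book, or vendor code, the Go program below shows the pattern end to end: a fresh data-encryption key (DEK) per object, wrapped under a named key-encryption key (KEK), with rotation that re-wraps only the DEK. It assumes an in-memory AES-256 KEK in place of KMS or Vault; the names KEK, Envelope, Encrypt, Decrypt and Rotate, the object label "orders/42" and the sample record are all this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KEK is a key-encryption key; the ID stands in for a KMS key ARN or Vault key name. The real
// lab keeps the key inside KMS/Vault; here it is an in-memory AES-256 key, an example assumption.
type KEK struct {
	ID  string
	key []byte
}

// Envelope is stored beside the object: the wrapped DEK plus the bulk ciphertext, both AES-GCM
// outputs with the nonce prepended.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// must panics on err: every failure below is a bad key size or a dead CSPRNG, not user input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }

// NewKEK mints a random KEK under the given identifier.
func NewKEK(id string) *KEK { return &KEK{ID: id, key: randomBytes(32)} }

func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// aeadSeal encrypts under a fresh random nonce; aad is authenticated but not encrypted.
func aeadSeal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// aeadOpen reverses aeadSeal and fails on any change to the ciphertext or the aad.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt makes a one-time DEK, encrypts the data under it, then wraps the DEK under the KEK
// with the object name as AAD (the role of KMS encryption context), so an envelope copied
// from one object onto another will not unwrap.
func Encrypt(kek *KEK, object string, plaintext []byte) *Envelope {
	dek := randomBytes(32)
	return &Envelope{
		KEKID:      kek.ID,
		WrappedDEK: aeadSeal(kek.key, dek, []byte(object)),
		Ciphertext: aeadSeal(dek, plaintext, nil),
	}
}

// unwrap recovers the DEK; a retired KEK missing from the keyring leaves the envelope unreadable.
func unwrap(keyring map[string]*KEK, object string, env *Envelope) ([]byte, error) {
	kek, ok := keyring[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("no KEK %q in keyring", env.KEKID)
	}
	return aeadOpen(kek.key, env.WrappedDEK, []byte(object))
}

// Decrypt unwraps the DEK for this object and opens the bulk ciphertext.
func Decrypt(keyring map[string]*KEK, object string, env *Envelope) ([]byte, error) {
	dek, err := unwrap(keyring, object, env)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, env.Ciphertext, nil)
}

// Rotate re-wraps the DEK under newKEK and never touches the bulk ciphertext, which is what
// keeps KEK rotation cheap even for large objects.
func Rotate(keyring map[string]*KEK, object string, env *Envelope, newKEK *KEK) error {
	dek, err := unwrap(keyring, object, env)
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedDEK = newKEK.ID, aeadSeal(newKEK.key, dek, []byte(object))
	return nil
}

func main() {
	k1, k2 := NewKEK("kek-v1"), NewKEK("kek-v2")
	env := Encrypt(k1, "orders/42", []byte("constructed sample record")) // constructed input
	if err := Rotate(map[string]*KEK{k1.ID: k1}, "orders/42", env, k2); err != nil {
		panic(err)
	}
	pt, err := Decrypt(map[string]*KEK{k2.ID: k2}, "orders/42", env) // kek-v1 retired
	fmt.Printf("decrypted under %s: %q err=%v\n", env.KEKID, pt, err)
}
```

Run it with `go run`, then use it for the lab variations: retire kek-v1 from the keyring before rotating and every envelope still naming it becomes unreadable; copy an envelope from orders/42 onto another object name and the unwrap fails because the object name is authenticated; flip one byte of the bulk ciphertext and AES-GCM rejects it. The real lab replaces the aeadSeal/aeadOpen calls on the KEK with KMS Encrypt/Decrypt or Vault transit calls and keeps everything else.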
Recommended environments
Fast local options
- Docker-based labs: Juice Shop, Security Shepherd, Dependency-Track, DefectDojo, Falco demo stacks
- Local Kubernetes: kind, k3d, minikube
- Cloud lab accounts: isolated AWS account for CloudGoat/flAWS-style exercises
Best KB companion pages
- Vulnerable Learning Labs and Goat Environments
- Break-Fix Labs and Tabletop Scenarios
- Product Security Ramp-Up Tracks
- Top Books for Product Security by Domain and Role
What "good progress" looks like after 3 months
By the end of this plan, you should be able to:
- explain a threat model with trust boundaries and abuse cases;
- review a simple API or service design for obvious Product Security gaps;
- recognize CI/CD trust boundary problems and common runner/secrets mistakes;
- discuss basic cloud IAM and Kubernetes isolation risks without hand-waving;
- write a short risk memo or review summary that leadership can actually use.
What to do after the first 3 months
Pick one specialization lane for the next quarter:
- AppSec and architecture review
- Cloud and Kubernetes platform security
- CI/CD and software supply chain
- Product Security leadership and governance
- Detection, response, and resilience