Micro Focus is now part of OpenText. Learn more >

You are here

You are here

The #AppSec 50: Top application security pros to follow on Twitter

John P. Mello Jr. Freelance writer

Attacks on the application layer can be the hardest to defend against. User input scenarios for your apps can be difficult to identify with intrusion detection signatures. On top of that, the layer is the most accessible and exposed to the Internet. It's a recipe for trouble.

That's why application security soldiers need to stay on top of what's happening in their field. As the threats to applications grow, so has our list of knowledgeable folks whose Twitter feeds can help anyone interested in keeping applications safe from malicious hackers.

With the help of our original 25 app sec experts to follow on Twitter, we've enlarged the list. Here are 50 savvy security practitioners who you should closely follow.

Katy Anton


Anton, a self-described app sec enthusiast and an application security consultant with Veracode, works with software architects, developers, and security teams around the world, advising them on how to secure their software. She's also co-lead of OWASP's Top 10 Proactive Controls Project—a list of security techniques that should be included in every software development project—and a well-known speaker at both developer and security conferences.

Kurt Baumgartner


Baumgartner is a principal security researcher with Kaspersky Lab's Global Research and Analysis Team, where he monitors malware across the Americas. His specialties include reversing and analyzing known and unknown malware, and identifying unique behaviors and static characteristics. In addition to tweeting, he blogs.

Kevin Beaumont


Beaumont is a senior threat intelligence analyst at Microsoft. He joined the gang in Redmond after spending years running large security operations centers and writing about cybersecurity in his popular DoublePulsar blog and on Twitter. Microsoft has credited Beaumont and Marcus Hutchins—who stopped the 2017 WannaCry ransomware cryptoworm outbreak and was later arrested for his efforts—with identifying the first attempts to exploit BlueKeep. This was a Windows bug that had the potential to be as severe as WannaCry, which affected more than 200,000 computers in 150 counties.

Brute Logic


Brute Logic is Brazilian hacker Rodolfo Assis, a self-employed information security researcher and consultant. His main interest is cross-site scripting (XSS), one of the most common vulnerabilities found in websites. Over his career, Brute Logic has helped fix more than 1,000 XSS vulnerabilities in web applications, including those of Oracle, LinkedIn, Baidu, Amazon, Groupon, and Microsoft. He is currently managing, maintaining, and developing an online XSS discovery service, called KNOXSS, to help bug hunters find vulnerabilities.

Adam Chester


Chester is a red teamer, infosec researcher, and blogger, as well as technical director at MDSec, a provider of information security publications, tools, and training. He gained some notoriety demonstrating how the Meltdown design flaw in Windows 7 and Windows Server 2008 R2 could be exploited by an ordinary user to create an administrator-level command-line shell.

Lee Christensen


As a security consultant with SpecterOps, Christensen does red teaming, penetration testing, tool development, malware hunting, and security training. He says he enjoys studying attacker tradecraft, as well as researching and developing new offensive and defensive tactics, techniques, and procedures. Christensen is the author of several offensive tools and techniques, including UnmanagedPowerShell (incorporated into the Metasploit, Empire, and Cobalt Strike toolsets), and KeeThief. 

Michael Coates


Coates is co-founder and CEO of Altitude Networks and former head of security at Mozilla and Twitter. He also founded AppSensor, an OWASP open-source project that detects and responds to attacks from with an application, and is chairman of the board of OWASP.

Joshua Corman


Corman is a senior advisor and visiting researcher for the Cybersecurity and Infrastructure Security Agency in the US Department of Homeland Security and a co-founder of I Am the Cavalry, a global grass-roots organization focused on the intersection of digital security, public safety, and human life.

Dan Cornell


Cornell is CTO of the Denim Group. With over 12 years' experience in developing and architecting secure software for the web, Cornell offers his followers insightful advice. He also gives tips about the latest app sec research coming from the Denim Group.

Daniel Cuthbert


Cuthbert is the global head of security research for financial services giant Grupo Santander, also known as Santander Group, and co-author of OWASP's Application Security Verification Standard. His job has high goals: build a best-in-class cybersecurity research capability to protect Santander's 200,000 staffers, 125 million clients, and some 1 million global systems, devices, and applications. In addition to his security tweets, he sprinkles his Twitter feed with items about music synthesis and photography.

Dino A. Dai Zovi


Dai Zovi is head of security at Cash App, a mobile payment service developed by Square, and co-founder and CTO of Capsule 8, a real-time, zero-day attack detection platform. He has also co-authored The iOS Hacker's Handbook, The Mac Hacker's Handbook, and The Art of Software Security Testing, and is a regular speaker at security conferences, including Black Hat and Def Con.

Mark Dowd


Dowd is a director of L3 Trenchant, which was formed by L3 Technologies after it purchased Azimuth Security—founded by Dowd—and Linchpin Labs in August 2018. Over Dowd's 10 years in application security, he's worked at IBM's Internet Security Systems (ISS) X-Force, and as a principal security architect for McAfee.

Mark Goodwin


Goodwin is a security researcher at Hardonize and a former security engineer at Mozilla. A developer-turned-information security specialist, his specialties include web application security, ethical hacking, penetration testing, and application security.

Holly Graceful


Holly Grace Williams is managing director of Secarma, a cybersecurity consulting firm specializing in penetration testing. Over her 13-year career in information security, she has worked with a wide variety of organizations, including as a site security officer for the British military, and has appeared on UK media to talk about breaking security news. Her security tweets focus on pen testing, phishing, and other infosec topics.

Robert Graham


Graham is CEO of Errata Security, a penetration testing and security consulting firm. His accomplishments include creating the first intrusion prevention system, the BlackICE series of products, sidejacking, and masscan. A frequent speaker at security conferences and a blogger, he has strong opinions—and his Twitter feed reflects that.

Jeremiah Grossman


Grossman is CEO of Bit Discovery. His resume includes information security officer at Yahoo and founder, in 2001, of WhiteHat Security. As a researcher, he has demonstrated ways to surreptitiously turn on anyone's computer video camera and microphone from anywhere across the Internet, and how to sidestep corporate firewalls, abuse online advertising networks to take any website offline, hijack the email and bank accounts of millions, and silently rip out saved passwords and surfing histories from any web browser.

Jason Haddix


Haddix is director of Ubisoft's application security engineers and technical operations and, with his team, oversees more than 300 security programs across a variety of industry verticals. His skill set includes performing security assessments, handling clients, architecting solutions, designing services, improving business processes, managing technical consultants, training, technical writing, marketing, and delivering solutions. He also writes for several information security publications and is a semi-regular player of capture the flag.

Ben Hawkes


Hawkes is a founding member and the current technical lead of Google's Project Zero, a team created to find zero-day vulnerabilities in software. He's discovered dozens of serious vulnerabilities in a variety of software platforms and regularly presents and publishes research focused on vulnerability analysis and software exploitation.

Ashar Javed


Chosen No. 1 on Microsoft's 2018 top security researchers list, Javed performs penetration testing, source code reviews, and mobile application vulnerability assessments for Hyundai AutoEver Europe. There, he works with developers and third-party vendors to eliminate web vulnerabilities in their applications. He's frequently invited to speak at conferences such as Black Hat, Hack in the Box, and RSA. He also blogs at Respect XSS.

Konstantinos Karagiannis


Karagiannis is head of the NYC Hacking Lab and senior quantum computing technologist at Protiviti, a global business consulting and internal audit firm, where he works at defending organizations against emerging threats, and getting them post-quantum ready. He's an expert in financial application hacking and network penetration, and is often invited to speak at conferences such as RSAC.

Dave Kennedy


Kennedy, who has more than 100,000 Twitter followers, is co-founder of Binary Defense, a monitoring and detection company, and founder of TrustedSec, an information security consultancy. He also founded DerbyCon, a well-known security conference held annually in Louisville, Kentucky, and is author of a popular pen-testing tome, Metasploit: The Penetration Testers Guide. He's a software writer, too, and has developed several open-source tools, including The Social-Engineer Toolkit. In addition to his security tweets, Kennedy likes to comment about physical fitness and grilling.

Mohit Kumar


Kumar is founder and CEO of Hacker News, an online publication that attracts more than 10 million readers every month. Many of his tweets are touts for HN stories, but he also mixes in retweets about application security from other sources.

David Litchfield


Litchfield is director of information security assurance at Apple and one of the authors of The Shellcoder's Handbook, which explores the origin of security holes and how to close them. He's also one of the world's leading authorities on database security. In addition to application security, his tweets reveal a fascination with astronomy.

Jim Manico


A self-proclaimed app sec enthusiast, Manico is founder of Manicode Security, where he trains software developers on secure coding and security engineering. He has more than 19 years' experience as a developer and more than 10 years of application security experience. Currently an OWASP volunteer, he is a former OWASP board member.

Gary McGraw


McGraw is co-founder of the Berryville Institute of Machine Learning and a globally recognized authority on software security. He has authored eight best-selling books on software security, including Software Security, Exploiting Software, Building Secure Software, and Java Security. His Silver Bullet Security podcast, which features in-depth interviews with security experts, reaches 13,000 listeners every month.

Malik Mesellem


Mesellem is a penetration tester and ethical hacker. He's also the creator of #bWAPP, a buggy, open-source web application that was designed to be insecure as an educational tool for security enthusiasts, developers, and students who want to learn about preventing web vulnerabilities. His company, MME, specializes in security audits, user awareness, penetration testing, ethical hacking, and security training.

Alyssa Miller


If you want to advance your career in application security, you'll want to follow Alyssa Miller's Twitter feed. A self-proclaimed hacker, Miller leads the information security solutions practice at CDW. She also works with executive and senior business leaders on developing comprehensive enterprise security programs. Additionally, she evangelizes her message about evolving the way people think about and approach security, privacy, and trust through speaking engagements at various conferences and other events, including hosting the Uncommon Journey podcast, where industry personalities discuss their unique journeys into security.

Katie Moussouris


Moussouris is the founder and CEO of Luta Security, which helps businesses and governments work with hackers to defend themselves from digital attacks. She's a well-known authority on bug bounty programs and helped Microsoft and the US Department of Defense start their first bug bounty programs. She's also an equal-pay-for-equal-work advocate and snello enthusiast.

Chris Nickerson


Nickerson is CEO of Lares, a provider of penetration testing, app security, and adversarial simulation services, as well as a virtual CISO for multiple Fortune 1,000 companies and a faculty member at the Institute for Applied Network Security in Denver. He says he's spent 20 years in information security fighting to make customers more secure and avoid infosec FUD.

Louis Nyffenegger


Nyffenegger describes himself as a CVE connoisseur, trying to save the Internet one web at a time. He's also a security engineer and founder of PenesterLab, a learning platform for web penetration testing. He also does code reviews and penetration testing and runs training sessions. He is a regular guest speaker at security conferences, including OWASP and Ruxcon. His most recent talks were about monitoring GitHub repositories for fun and profit and discussing test-driven security.

John Opdenakker


Opdenakker specializes in application security, especially web application security, and security awareness. He's also a blogger and member of @TheBeerFarmers, an online social group of infosec enthusiasts. His Twitter feed includes security advice aimed at lay users—"Let's crowdsource a list of common #infosec-related terminology that we should no longer use when we approach non-tech users"—sprinkled with tech humor—"I somewhere read 'infosec tool of the day' and the first thing I thought about wasn’t software or hardware."

Tavis Ormandy


With more than 100,000 followers, Ormandy is one of the more popular application security experts on Twitter. As a member of Google's Project Zero team, he's discovered major flaws in antivirus software made by Sophos, Symantec, and Trend Micro. He also uncovered Cloudbleed, a bug in Cloudflare's infrastructure leaking user-sensitive data along with requests affecting millions of websites around the world, and a flaw in SymCrypt, the core cryptographic library for implementing asymmetric crypto algorithms in Windows 10. His opinions, which are strictly his own, can be controversial, such as why two-factor SMS authentication and reproducible builds aren't needed.

Chris Romeo


Romeo is CEO and founder of Security Journey, an application security training program, and co-host of the AppSec podcast. He previously worked at Cisco as chief security advocate in charge of Cisco's Secure Development Lifecycle program, where he encouraged engineers to build security into all products. Many of his tweets promote guests on his podcast.

Marcello Salvati


Salvati is a security researcher and software writer at BlackHills Information Security. His passions include anything Active Directory, trolling people on GitHub, and writing open-source tools for the security community. His projects include SilentTrinity, CrackMapExec, DeathStar, and RedBaron.

Sam Stepanyan


Stepanyan wears multiple infosec hats. He's the leader of the London chapter of OWASP, director and principal consultant with Step9 consulting, and on contract as an application security architect at Schroders, a multinational asset management company. His Twitter feed mixes industry news about data breaches, conferences, and training with tweets about bugs and vulnerabilities.

Maddie Stone


Stone is a security researcher with Google's Project Zero, where she focuses on zero-day vulnerabilities used in the wild. Previously, she was a reverse engineer and team lead on the Android Security team, focusing predominantly on pre-installed and off-Google Play malware. She also spent many years deep in the circuitry and firmware of embedded systems. She says she likes to speak at conferences, and she has appeared at Black Hat USA, REcon, OffensiveCon, KasperskySAS, and others.

Parisa Tabriz


Tabriz is the "browser boss" at Google, where she is responsible for Chrome security and serves as "den mom" for Project Zero. During the Obama administration, she worked for the US Digital Service, where she advised the Executive Office of the President on best practices to enhance network and software security.

Mike Thompson


The AppSec Bloke's path to his current position as an information security analyst at a midsized telecom and ISP has had some twists and turns. He started with an electronic and electrical equipment distributor, started and failed an industrial automation business, became a business analyst and programmer, moved on to be a consultant with a large professional services firm, took a side road into the music industry, and finally landed a job at the telecom as a business analyst, which he eventually parlayed into security analyst. His Twitter feed is a mix of infosec and non-infosec stuff.

Thunder Son


Thunder Son is the Twitter handle of Elie Saad, an application security engineer and project lead of OWASP's CheatSheetSeries. The series is a concise collection of important information about a number of application security topics. He's also the project lead of the Web Security Testing Guide, a comprehensive open-source document about testing the security of web applications and services. His day job is information security officer at the Saradar Bank in Beirut.

Tim Tomes


With more than a decade of information security experience, Tomes is an application security professional schooled as both a technician and manager for the US military and private industry. He hones his skills by managing multiple open-source software projects and taking on consulting gigs. He says he has a strong interest in contributing to the community and does so by writing technical articles, speaking at conferences, and conducting training both as an independent instructor and for training providers. In his Twitter feed, you can find tweets about anything from TLS stripping and disclosure issues in web applications to bugs in Node.js and running Python scripts in throwaway environments.

Chris Truncer


Offensive security is Truncer's specialty, something he gets plenty of time to practice at FortyNorth Security, which he co-founded. Not only is he a veteran red teamer and penetration tester, but he's an open source developer and teacher, too. He can also be found participating in and designing capture-the-flag events at security conferences. In addition to tweets about network, database, and cloud security, his Twitter feed includes information about FortyNorth's latest training offerings.

Johannes Ullrich


Ullrich is director of the SANS Internet Storm Center, which is used by more than 10,000 network security professionals daily, and dean of research at the SANS Technology Institute. He also teaches courses at the SANS Institute, including SEC522: Defending Web Applications Security Essentials.

Andrew van der Stock


As executive director of the OWASP Foundation and co-lead of the OWASP Application Security Verification Standard project, which is used by organizations to build and verify safer software, van der Stock is very knowledgeable about what it takes to make applications secure. In addition to his app sec tweets, van der Stock also keeps the security community aware of the latest OWASP events and developments.



The mysterious VectorSEC describes himself as a "cybersecurity enthusiast" who sometimes has a stroke of brilliance "but most of the time just the symptoms of a stroke." His projects on GitHub can be found under NullArray. If you're interested in hardcore hacking, VectorSEC is a Twitter account you'll definitely want to follow.

Chris Vickery


Vickery is director of cyber risk research at UpGuard and a data breach hunter. He's discovered millions of records exposed to the public Internet, largely through misconfigured databases and servers, and has been cited as a cyber security expert by The New York Times, Forbes, Reuters, the BBC, The Los Angeles Times, The Washington Post, and many other publications.

Dave Waterson


Waterson is founder, CEO, and chairman of the board of SentryBay, which uses secure containers to protect applications from threat actors. He's also an award-winning blogger and has been on the top 10 tech thought leaders list released by A.T. Kearney at the World Economic Forum held in Davos, Switzerland. Many of his tweets focus on endpoint vulnerabilities, data protection, and work-from-home security.

Jeff Williams


Over a career spanning 25 years, Williams created the OWASP Foundation, a worldwide open-source application security organization; founded Aspect Security, a consulting firm focusing exclusively on application security; and launched Contrast Security, which concentrates on fully automating application security at the speed of DevOps. His Twitter feed is full of solid information on application security, "shifting left," and reducing vulnerability remediation times through the use of modern app sec tools.

Robin Wood


Wood is a freelance security consultant specializing in web app testing. He has a developer background, which can be a plus when explaining security problems in apps to the people who made them. He is also co-founder of the SteelCon conference, is an associate lecturer at Sheffield Hallam University in the UK, and has been a speaker at a number of conferences, including Def Con, ShmooCon, and Wild West Hackin’ Fest. He likes to mix a little whimsy into his Twitter feed.

Chris Wysopal


A former programmer at Lotus and later a security researcher at the hacker collective L0pht, Wysopal was part of a team that warned Congress about gaping Internet vulnerabilities as far back as 1998. Wysopal is CTO and a co-founder of Veracode, an application security vendor. A self-professed application security and security-transparency buff, Wysopal's tweets are newsy and cover a wide range of security-related topics.



Zseano is the handle of a well-known hacker in the bug bounty community. Over the last few years, the self-taught hacker has created a platform for exchanging bug bounty notes, organized a live hacking event, and hosted a number of online mentoring sessions. He's a full-time bug bounty hunter who lives in the UK and has a "pay it forward" attitude toward life. As he told one interviewer, "I have always had people share their knowledge and help me, so I am just passing the good will on."

Keep learning

Read more articles about: SecurityApplication Security