The top 25 #appsec leaders to follow on Twitter

John P. Mello Jr. Freelance writer

Attacks on the application layer can be the hardest to defend against. User input scenarios for your apps can be difficult to identify with intrusion detection signatures. On top of that, the layer is the most accessible and exposed to the Internet. It's a recipe for trouble.

That's why application security soldiers need to stay on top of what's happening in their field. Here are 25 knowledgeable folks whose Twitter feeds can help anyone interested in keeping applications safe from malicious hackers.

Michael Coates


Coates is co-founder of Altitude Networks and former head of security at Mozilla and Twitter. He also founded AppSensor, an OWASP open-source project that detects and responds to attacks from within an application.

Kurt Baumgartner


Baumgartner is a principal security researcher with Kaspersky Lab's Global Research and Analysis Team, where he monitors malware across the Americas. His specialties include reversing and analyzing known and unknown malware and identifying unique behaviors and static characteristics. In addition to tweeting, he blogs.

Joshua Corman


Corman is chief security officer at PTC and a co-founder of I Am The Cavalry, a global grassroots organization. It's focused on the intersection of computer security, public safety, and human life, concentrating on medical devices, automobiles, home electronics, and public infrastructure.

Dan Cornell


Cornell is CTO of the Denim Group. With over 12 years' experience in developing and architecting secure software for the web, Cornell offers his followers insightful advice. He also gives tips about the latest app sec research coming from the Denim Group.

Mark Dowd


Dowd is a director and founder of Azimuth Security, a small, independent information security consultancy. Over his 10 years in application security, he's worked at IBM's Internet Security Systems (ISS) X-Force and as a principal security architect for McAfee.

Mark Goodwin


Goodwin is a staff security engineer at Mozilla. A developer turned information security specialist, his specialties include web application security, ethical hacking, penetration testing, and application security.

Robert Graham


Graham is CEO of Errata Security, a penetration testing and security consulting firm. His accomplishments include creating the first intrusion prevention system, the BlackICE series of products, sidejacking, and masscan. A frequent speaker at security conferences, he has strong opinions—and his Twitter feed reflects that.

Jeremiah Grossman


Grossman is chief of security strategy at SentinelOne. His résumé includes information security officer at Yahoo and founder, in 2001, of WhiteHat Security. As a researcher, he has demonstrated ways to surreptitiously turn on anyone's computer video camera and microphone from anywhere across the Internet, and how to sidestep corporate firewalls, abuse online advertising networks to take any website offline, hijack the email and bank accounts of millions, and silently rip out saved passwords and surfing histories from any web browser.

Ben Hawkes


Hawkes is a founding member and the current manager of Google's Project Zero, a team created to find zero-day vulnerabilities in software. He's discovered dozens of serious vulnerabilities in a variety of software platforms and regularly presents and publishes research focused on vulnerability analysis and software exploitation.

Ashar Javed


Javed performs penetration testing, source code reviews, and mobile application vulnerability assessments for Hyundai AutoEver Europe. There, he works with developers and third-party vendors to eliminate web vulnerabilities in their applications. He's frequently invited to speak at conferences such as Black Hat, Hack in the Box, and RSA.

Konstantinos Karagiannis


Karagiannis is chief technology officer for the security consulting practice at BT Americas, an IT services management company. He's an expert in financial application hacking and network penetration, and is often invited to speak at conferences such as Black Hat.

Mohit Kumar


Kumar is founder and CEO of Hacker News, an online publication that attracts more than 10 million readers every month. Many of his tweets are touts for HN stories, but he also mixes in retweets about application security from other sources.

David Litchfield


Litchfield is one of the authors of The Shellcoder's Handbook, which explores the origin of security holes and how to close them. He's also one of the world's leading authorities on database security. In addition to application security, his tweets reveal a fascination with snakes.

Gary McGraw


McGraw is vice president for security technology at Synopsys and the author of 12 books, including Software Security. His Silver Bullet Security podcast, which features in-depth interviews with security experts, reaches 13,000 listeners every month.

Malik Mesellem


Mesellem is a penetration tester and ethical hacker. He's also the creator of #bWAPP, a buggy open-source web application that was designed to be insecure as an educational tool for security enthusiasts, developers, and students who want to learn about preventing web vulnerabilities.

Katie Moussouris


Moussouris is the founder and CEO of Luta Security, which helps businesses and governments work with hackers to defend themselves from digital attacks. She's a well-known authority on bug bounty programs and helped the US Department of Defense start its first bug bounty program, Hack the Pentagon.

Chris Romeo


Romeo is CEO and founder of Security Journey, an application security training program. He previously worked at Cisco as chief security advocate in charge of Cisco’s Secure Development Lifecycle program, where he encouraged engineers to build security into all products.

Parisa Tabriz


Tabriz is the "browser boss" at Google, where she is responsible for Chrome security and "den mom" for Project Zero. During the Obama administration, she worked for the US Digital Service, where she advised the Executive Office of the President on best practices to enhance network and software security.

Johannes Ullrich


Ullrich is director of the SANS Internet Storm Center, which is used by more than 10,000 network security professionals daily, and dean of research at the SANS Technology Institute. He also teaches courses at the SANS Institute. His offerings include SEC503 Intrusion Detection in Depth, IPv6 Security Essentials, and Defending Web Applications.

VectorSEC

The mysterious VectorSEC describes himself as a "cybersecurity enthusiast" who sometimes has a stroke of brilliance "but most of the time just the symptoms of a stroke." His projects on GitHub can be found under NullArray. If you're interested in hardcore hacking, VectorSEC is a Twitter account you'll definitely want to follow.

Chris Vickery


Vickery is director of cyber risk research at UpGuard and a data breach hunter. He's discovered millions of records exposed to the public Internet largely through misconfigured databases and servers.

Robin Wood


Wood is a freelance security consultant specializing in web app testing. He comes from a developer's background, which can be a plus when explaining security problems in apps to the people who made them. He's also co-founder of the SteelCon conference and an associate lecturer at Sheffield Hallam University in the UK. He likes to mix a little whimsy into his Twitter feed.

Chris Wysopal


A former programmer at Lotus and later a security researcher at the hacker collective L0pht, Wysopal was part of a team that warned Congress about gaping Internet vulnerabilities as far back as 1998. Wysopal is CTO and a co-founder of Veracode, an application security vendor. A self-professed application security and security-transparency buff, Wysopal's tweets are newsy and cover a wide range of security-related topics.

Dino A. Dai Zovi


Dai Zovi is co-founder and CTO of Capsule 8, a real-time, zero-day attack detection platform, and co-author of The iOS Hacker's Handbook, The Mac Hacker’s Handbook, and The Art of Software Security Testing. He's also a regular speaker at security conferences, including Black Hat and Defcon.
