# Appendices

![Appendices](/files/vXPXHneM2HTYU2VIZQEW)

## Reading Paths

> **Section focus:** Appendices.\
> **Best use:** pick the path that matches the reviewer, builder, or leader you want to become, then read its pages in the order shown; each path moves from foundations to a checklist or lab you can apply on a real review.

| Reader goal                                                 | Best path                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Become useful quickly as a newcomer                         | [Guided Learning Paths for Newcomers](/learning-labs-interview-and-templates/index-3/guided-learning-paths-for-newcomers.md) → [From Zero to Useful](/learning-labs-interview-and-templates/index-3/from-zero-to-useful-how-to-start.md) → [Security Review Checklists and Cheat Sheets](/learning-labs-interview-and-templates/index-3/security-review-checklists-and-cheat-sheets.md)                                                                                                                                                      |
| Learn API review as a beginner                              | [API Authentication and Authorization](/architecture-api-crypto-and-identity/index/api-authentication-and-authorization.md) → [API Review Checklist](/learning-labs-interview-and-templates/index-3/api-review-checklist.md) → [Worked Example API Review Lab](https://github.com/D3One/Product-Security-Gitbook/blob/main/22-learning-paths-and-labs/worked-example-api-review-lab.md)                                                                                                                                                      |
| Learn Kubernetes review as a beginner                       | [Kubernetes Security Baseline](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-security-baseline.md) → [Kubernetes Deployment Review Checklist](/learning-labs-interview-and-templates/index-3/kubernetes-deployment-review-checklist.md) → [Runtime Investigation Playbook for Kubernetes and Containers](/cloud-kubernetes-and-infrastructure-security/index-1/runtime-investigation-playbook.md)                                                                                                                         |
| Build a release-gating model in GitLab                      | [GitLab CI YAML Deep Dive](/devsecops-cicd-and-supply-chain/index-1/gitlab-ci-yaml-deep-dive.md) → [Security Quality Gates and Release Blocking](/devsecops-cicd-and-supply-chain/index-1/security-quality-gates-and-release-blocking.md) → [GitHub, GitLab, and Cloud Trust Patterns](/architecture-api-crypto-and-identity/index-2/github-gitlab-oidc-and-cloud-trust-patterns.md)                                                                                                                                                         |
| Learn product threat modeling that actually changes designs | [Threat Modeling Methods and Workflows](/application-security-and-secure-sdlc/index/threat-modeling-methods-and-workflows.md) → [Multi-Tenant and Microservice Threat Modeling](/application-security-and-secure-sdlc/index/multi-tenant-and-microservice-threat-modeling.md) → [Multi-Tenant SaaS and Admin-Plane Patterns](/architecture-api-crypto-and-identity/index-1/multi-tenant-saas-and-admin-plane-patterns.md)                                                                                                                    |
| Improve product detection and incident response             | [Logging and Telemetry Strategy](/attack-paths-testing-detection-and-hardening/index/logging-and-telemetry-strategy.md) → [High-Signal Detection Patterns and SIEM Examples](/attack-paths-testing-detection-and-hardening/index/high-signal-detection-patterns-and-siem-examples.md) → [Product Security Incident Response Playbooks](/attack-paths-testing-detection-and-hardening/index/product-security-incident-response-playbooks.md)                                                                                                  |
| Tighten cloud identity controls                             | [Workload Federation and Non-Human Identities](/architecture-api-crypto-and-identity/index-2/workload-federation-and-non-human-identities.md) → [GitHub, GitLab, and Cloud Trust Patterns](/architecture-api-crypto-and-identity/index-2/github-gitlab-oidc-and-cloud-trust-patterns.md) → [AWS IAM and Role Design](/cloud-kubernetes-and-infrastructure-security/index/aws-iam-and-role-design.md)                                                                                                                                         |
| Learn frontend and session security                         | [Browser Security Foundations: CSP, CORS, Cookies, and Sessions](/application-security-and-secure-sdlc/index-2/browser-security-foundations-csp-cors-cookies-and-sessions.md) → [OAuth for SPA, BFF, and Frontend Secret Anti-Patterns](/application-security-and-secure-sdlc/index-2/oauth-for-spa-bff-and-frontend-secret-antipatterns.md)                                                                                                                                                                                                 |
| Practice business-logic abuse review                        | [API Authorization, Business-Flow Abuse, and Third-Party API Consumption](/architecture-api-crypto-and-identity/index/api-authorization-business-flows-and-third-party-api-consumption.md) → [Business Logic Abuse Review Playbook](https://github.com/D3One/Product-Security-Gitbook/blob/main/19-business-logic-abuse-and-product-abuse/business-logic-abuse-review-playbook.md) → [Tenant Isolation, Object-Level, and Workflow Abuse](/application-security-and-secure-sdlc/index-3/tenant-isolation-object-level-and-workflow-abuse.md) |
| Ramp up a new Product Security engineer                     | [Product Security Ramp-Up Tracks](/learning-labs-interview-and-templates/index-2/product-security-ramp-up-tracks.md) → [Security Review Checklists and Cheat Sheets](/learning-labs-interview-and-templates/index-2/security-review-checklists-and-cheat-sheets.md) → [Break-Fix Labs and Tabletop Scenarios](/learning-labs-interview-and-templates/index-2/break-fix-labs-and-tabletop-scenarios.md)                                                                                                                                       |
| Practice API contract security before runtime               | [API Design and Contract Security](/architecture-api-crypto-and-identity/index/api-design-and-contract-security.md) → [API Definition Conformance Lab - OpenAPI, Contract Linting, AuthZ Checks, and CI Validation](/learning-labs-interview-and-templates/index-2/api-definition-conformance-lab-openapi.md) → [API Testing, Observability, and Release Gates](/architecture-api-crypto-and-identity/index/api-testing-observability-and-release-gates.md)                                                                                  |
| Build a standards and assurance lens                        | [Cloud Security Frameworks and Standards — Practical Map](/metrics-audit-risk-evidence-and-compliance/index-1/cloud-security-frameworks-and-standards-practical-map.md) → [Vendor Guides and Standards Map](/metrics-audit-risk-evidence-and-compliance/index-1/vendor-guides-and-standards-map.md) → [DevSecOps Assessment Framework (DAF) and DSOMM — Practical Positioning](/metrics-audit-risk-evidence-and-compliance/index-3/devsecops-assessment-framework-daf-and-dsomm-practical-positioning.md)                                    |
| Build a broader Product Security reading and community map  | [Product Security Ecosystem Projects, Communities, and Learning Hubs](/learning-labs-interview-and-templates/index-2/product-security-ecosystem-projects-communities-and-learning-hubs.md) → [Top Books for Product Security by Domain and Role](/learning-labs-interview-and-templates/index-2/top-books-for-product-security-by-domain-and-role.md) → [Three-Month Product Security Self-Study Plan](/learning-labs-interview-and-templates/index-2/three-month-product-security-self-study-plan.md)                                       |
| Learn from notable public practitioners and leaders         | [Product Security Contributors, Authors, and Community Builders](/strategy-governance-and-leadership/index/product-security-contributors-authors-and-community-builders.md) → [Julie Davila and Vincent Danen — Product Security Leadership Notes](/strategy-governance-and-leadership/index/julie-davila-and-vincent-danen-product-security-leadership-notes.md)                                                                                                                                                                            |

### Deepening path: browser, abuse, and integration reviewers

1. [Frontend Security Review Playbook](https://github.com/D3One/Product-Security-Gitbook/blob/main/18-frontend-and-browser-security/frontend-security-review-playbook.md)
2. [Business Logic Abuse Review Playbook](https://github.com/D3One/Product-Security-Gitbook/blob/main/19-business-logic-abuse-and-product-abuse/business-logic-abuse-review-playbook.md)
3. [API Authorization, Business-Flow Abuse, and Third-Party API Consumption](/architecture-api-crypto-and-identity/index/api-authorization-business-flows-and-third-party-api-consumption.md)
4. [GitHub Actions and GitLab Components Review Playbook](https://github.com/D3One/Product-Security-Gitbook/blob/main/21-third-party-and-integration-security/github-actions-and-gitlab-components-review-playbook.md)
5. [Worked Example Lab: Frontend Session Review](https://github.com/D3One/Product-Security-Gitbook/blob/main/22-learning-paths-and-labs/worked-example-frontend-session-review-lab.md)

