Awesome AppSec

A curated list of resources for learning about application security. Contains books, websites, blog posts, and self-assessment quizzes.

Maintained by Paragon Initiative Enterprises with contributions from the application security and developer communities. We also have other community projects which might be useful for tomorrow's application security experts.

Contributing

Please refer to the contributing guide for details.

Application Security Learning Resources

General

Articles

Released: February 25, 2014

Advice on cryptographically secure pseudo-random number generators.

Released: August 6, 2014

A post on Crackstation, a project by Defuse Security

Released: May 3, 2014

Mentions many ways to make /dev/urandom fail on Linux/BSD.

Books

Released: September 27, 2011

Great introduction to web application security, though slightly dated.

Released: March 15, 2010

Develops a sense of professional paranoia while presenting crypto design techniques.

Released: May 3, 2009

Released: November 30, 2006

Released: August 30, 1996

Released: April 15, 2005

Released: May 1, 2008

Released: June 17, 2007

Released: March 3, 2009

Released: August 22, 2008

Released: June 25, 1998

Released: December 29, 2004

Released: December 13, 1989

Released: August 3, 2009

Released: March 1, 2015

Classes

A vulnerability research and exploit development class by Owen Redwood of Florida State University.

Be sure to check out the lectures!

Developed from the materials of NYU Poly's old Penetration Testing and Vulnerability Analysis course, Hack Night is a sobering introduction to offensive security. A lot of complex technical content is covered very quickly as students are introduced to a wide variety of complex and immersive topics over thirteen weeks.

Websites

Learn about application security by attempting to hack this website.

Self-assessment quiz for web application security

Secure passwords in several languages/frameworks.

A list of security news sources.

Video courses on low-level x86 programming, hacking, and forensics.

Capture The Flag - Learn Assembly and Embedded Device Security

A series of programming exercises for teaching oneself cryptography by Matasano Security. The introduction by Maciej Ceglowski explains it well.

PentesterLab provides free hands-on exercises and a bootcamp to get started.

An intentionally insecure JavaScript web application.

Blogs

Showcasing bad cryptography

The blog of Matasano Security, part of NCC Group.

Wiki pages

The top ten most common and critical security vulnerabilities found in web applications.

Android

Books and ebooks

Released: February 24, 2015

A community-maintained Wiki detailing secure coding standards for Android development.

C

Books and ebooks

Released: May 24, 2006

A community-maintained Wiki detailing secure coding standards for C programming.

Released: August 11, 2015

Provides guidelines for improving software security through secure coding. Covers common programming languages and libraries, and focuses on concrete recommendations.

C++

Books and ebooks

Released: July 18, 2006

A community-maintained Wiki detailing secure coding standards for C++ programming.

C Sharp

Books and ebooks

Released: July 14, 2015

An introduction to developing secure applications targeting version 4.5 of the .NET Framework, specifically covering cryptography and security engineering topics.

Java

Books and ebooks

Released: January 12, 2007

A community-maintained Wiki detailing secure coding standards for Java programming.

Released: April 2, 2014

Secure Java programming guidelines straight from Oracle.

Node.js

Training

Learn from the team that spearheaded the Node Security Project

PHP

Articles

Released: November 28, 2014

A gentle introduction to timing attacks in PHP applications

Released: April 21, 2015

Discusses password policies, password storage, "remember me" cookies, and account recovery.

Released: April 22, 2013

Pádraic Brady's advice on building software that isn't vulnerable to XSS

Released: November 23, 2011

Though this article is a few years old, much of its advice is still relevant as we veer around the corner towards PHP 7.

Released: June 16, 2014

@timoh6 explains implementing data encryption in PHP

TL;DR - don't escape, use prepared statements instead!

Released: August 7, 2015

A human-readable overview of commonly misused cryptography terms and fundamental concepts, with example code in PHP.

If you're confused about cryptography terms, start here.

Books and ebooks

Securing PHP: Core Concepts acts as a guide to some of the most common security terms and provides some examples of them in everyday PHP.

Useful libraries

Symmetric-key encryption library for PHP applications. (Recommended over rolling your own!)

If you're using PHP 5.3.7+ or 5.4, use this to hash passwords

Useful for generating random strings or numbers

A secure OAuth2 server implementation

Websites

websec.io is dedicated to educating developers about security, with topics relating to general security fundamentals, emerging technologies, and PHP-specific information.

Blogs

The blog of our technology and security consulting firm based in Orlando, FL

A blog about PHP, Security, Performance and general web application development.

Pádraic Brady is a Zend Framework security expert

Mailing lists

A weekly newsletter about PHP, security, and the community.

Perl

Books and ebooks

Released: January 10, 2011

A community-maintained Wiki detailing secure coding standards for Perl programming.

Python

Books and ebooks

Lists standard library features that should be avoided, and references sections of other chapters that are Python-specific.

Websites

Released: June 21, 2014

A wiki maintained by the OWASP Python Security project.

Ruby

Books and ebooks

Released: March 10, 2014

A guide to secure Ruby development by the Fedora Security Team. Also available on GitHub.