A curated list of resources for learning about application security.
Maintained by Paragon Initiative Enterprises with contributions from the application security and developer communities.
Please refer to the contributing guide for details.
- General
- PHP
Released: February 25, 2014
Advice on cryptographically secure pseudo-random number generators.
Released: August 6, 2014
A post on Crackstation, a projecy by Defuse Security
Released: May 3, 2014
Mentions many ways to make /dev/urandom
fail on Linux/BSD.
Released: September 27, 2011
Great introduction to Web Application Security; though slightly dated.
Cryptography Engineering (2010)
Released: March 15, 2010
Develops a sense of professional paranoia while presenting crypto design techniques.
A vulnerability research and exploit development class by Owen Redwood of Florida State University.
Be sure to check out the lectures!
Learn about application security by attempting to hack this website.
Where hackers and security experts come to train.
Self-assessment quiz for web application security
Secure passwords in several languages/frameworks.
A list of security news sources.
Video courses on low-level x86 programming, hacking, and forensics.
Showcasing bad cryptography
The top ten most common and critical security vulnerabilities found in web applications.
It's All About Time (2014)
Released: November 28, 2014
A gentle introduction to timing attacks in PHP applications
Released: April 21, 2015
Discusses password policies, password storage, "remember me" cookies, and account recovery.
Released: April 22, 2013
Padriac Brady's advice on building software that isn't vulnerable to XSS
Released: November 23, 2011
Though this article is a few years old, much of its advice is still relevant as we veer around the corner towards PHP 7.
PHP data encryption primer (2014)
Released: June 16, 2014
@timoh6 explains implementing data encryption in PHP
Securing PHP: Core Concepts acts as a guide to some of the most common security terms and provides some examples of them in every day PHP.
Symmetric-key encryption library for PHP applications. (Recommended over rolling your own!)
If you're using PHP 5.3.7+ or 5.4, use this to hash passwords
Useful for generating random strings or numbers
A secure OAuth2 server implementation
websec.io is dedicated to educating developers about security with topics relating to general security fundamentals, emerging technologies and PHP-specific information
The blog of our technology and security consulting firm based in Orlando, FL
A blog about PHP, Security, Performance and general web application development.
Pádraic Brady is a Zend Framework security expert
A weekly newsletter about PHP, security, and the community.