Websites
Bi-Weekly Appsec Tutorials
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP and created by PureSec. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.
Tools
The infamous suite of SSL and TLS tools.
Quickly and easily assess the security of your HTTP response headers.
A free CSP and HPKP reporting service.
Test and learn Clickjacking. Make clickjacking PoC, take screenshot and share link. You can test HTTPS, HTTP, intranet & internal sites.
Books and ebooks
FunctionShield is a 100% free AWS Lambda security and Google Cloud Functions security library that equips developers with the ability to easily enforce strict security controls on serverless runtimes.
Released: June 17, 2020
A curated list of resources to secure Electron.js-based applications.
Articles
Released: May 5, 2020
Repository with Clojure examples of OWASP top 10 vulnerabilities.
]]>Websites
Showcasing bad cryptography
The blog of NCC Group, formerly Matasano, iSEC Partners, and NGS Secure.
Learn about security and performance.
Released: July 30, 2018
Blog of cryptographic company that makes open-source libraries and tools, and describes practical data security approaches for applications and infrastructures.
]]>Books
Released: March 1, 2018
Securing DevOps explores how the techniques of DevOps and Security should be applied together to make cloud services safer. This introductory book reviews state of the art practices used in securing web applications and their infrastructure, and teaches you techniques to integrate security directly into your product.
Released: September 17, 2016
The first part of a three part book series providing broad and in-depth coverage on what web developers and architects need to know in order to create robust, reliable, maintainable and secure software, networks and other, that are delivered continuously, on time, with no nasty surprises.
Classes
The second part of a three part book series providing broad and in-depth coverage on what web developers and architects need to know in order to create robust, reliable, maintainable and secure software, VPS, networks, cloud and web applications, that are delivered continuously, on time, with no nasty surprises.
Websites
Purposly vulnerable to the OWASP Top 10 Node.JS web application, with tutorials, security regression testing with the OWASP Zap API (⭐1.6k), docker image (⭐1.6k). With several options to get up and running fast.
Books and ebooks
Released: August 3, 2017
A guide to managing sensitive data in memory.
Released: December 12, 2017
This guide should serve as a complement to the e-book, PHP: The Right Way, with a strong emphasis on security and not general PHP programmer topics (e.g. code style).
Black Hat Python by Justin Seitz from NoStarch Press is a great book for the offensive security minds
Training
Released: July 19, 2017
Hands-on and abundant with source code for a practical guide to Securing Node.js web applications.
Articles
We run many types of info-sec security training, covering Physical, People, VPS, Networs, Cloud, Web Applications. Most of the content is sourced from the book series Kim has been working on for several years. More info can be found here
]]>Books
Released: August 1, 2014
Websites
How to go on the offence before online attackers do.
A portable public domain password hashing framework for use in PHP applications.
]]>Books
Released: March 25, 2015
A must-read for anyone looking to build their own cryptography features.
]]>Websites
Violent Python shows you how to move from a theoretical understanding of offensive computing concepts to a practical implementation.
]]>Websites
Where hackers and security experts come to train.
]]>Articles
Released: October 13, 2015
Covers a lot of useful information for developing secure Node.js applications.
]]>Books
Released: April 14, 2008
]]>Useful libraries
You shouldn't need a Ph.D in Applied Cryptography to build a secure web application. Enter libsodium, which allows developers to develop fast, secure, and reliable applications without needing to know what a stream cipher even is.
]]>Articles
Released: June 21, 2015
Running a business requires being cost-conscious and minimizing unnecessary spending. The benefits of ensuring in the security of your application are invisible to most companies, so often times they neglect to invest in secure software development as a cost-saving measure. What these companies don't realize is the potential cost (both financial and to brand reputation) a preventable data compromise can incur.
The average data breach costs millions of dollars in damage.
Investing more time and personnel to develop secure software is, for most companies, worth it to minimize this unnecessary risk to their bottom line.
Released: August 2, 2015
Discusses the importance of end-to-end network-layer encryption (HTTPS) as well as secure encryption for data at rest, then introduces the specific cryptography tools that developers should use for specific use cases, whether they use libsodium, Defuse Security's secure PHP encryption library (⭐3.5k), or OpenSSL.
Books and ebooks
Released: February 24, 2015
A community-maintained Wiki detailing secure coding standards for Android development.
Released: May 24, 2006
A community-maintained Wiki detailing secure coding standards for C programming.
Released: January 12, 2007
A community-maintained Wiki detailing secure coding standards for Java programming.
Useful libraries
PHP 7 offers a new set of CSPRNG functions: random_bytes()
and random_int()
. This is a community effort to expose the same API in PHP 5 projects (forward compatibility layer). Permissively MIT licensed.
A secure authentication and authorization library that implements Role-Based Access Controls and Paragon Initiative Enterprises' recommendaitons for secure "remember me" checkboxes.
]]>Articles
Released: August 6, 2014
A post on Crackstation, a project by Defuse Security
Released: August 7, 2015
A human-readable overview of commonly misused cryptography terms and fundamental concepts, with example code in PHP.
If you're confused about cryptography terms, start here.
Repositories
Released: July 14, 2015
An introduction to developing secure applications targeting version 4.5 of the .NET Framework, specifically covering cryptography and security engineering topics.
]]>Websites
An intentionally insecure Javascript Web Application.
Books and ebooks
Released: May 23, 2022
Provides guidelines for improving software security through secure coding. Covers common programming languages and libraries, and focuses on concrete recommendations.
Released: July 18, 2006
A community-maintained Wiki detailing secure coding standards for C++ programming.
Released: January 10, 2011
A community-maintained Wiki detailing secure coding standards for Perl programming.
Lists standard library features that should be avoided, and references sections of other chapters that are Python-specific.
Released: June 21, 2014
A wiki maintained by the OWASP Python Security project.
Released: March 10, 2014
A guide to secure Ruby development by the Fedora Security Team. Also available on Github (⭐8).
Articles
Released: April 2, 2014
Secure Java programming guidelines straight from Oracle.
Training
Learn from the team that spearheaded the Node Security Project
]]>Websites
Developed from the materials of NYU Poly's old Penetration Testing and Vulnerability Analysis course, Hack Night is a sobering introduction to offensive security. A lot of complex technical content is covered very quickly as students are introduced to a wide variety of complex and immersive topics over thirteen weeks.
]]>Books
Released: March 1, 2015
]]>Websites
Capture The Flag - Learn Assembly and Embedded Device Security
A series of programming exercises for teaching oneself cryptography by Matasano Security. The introduction by Maciej Ceglowski explains it well.
PentesterLab provides free Hands-On exercises and a bootcamp to get started.
Articles
Released: May 26, 2014
TL;DR - don't escape, use prepared statements instead!
]]>Books
Released: May 3, 2009
Released: November 30, 2006
Released: August 30, 1996
Released: April 15, 2005
Released: May 1, 2008
Released: June 17, 2007
Released: March 3, 2009
Released: August 22, 2008
Released: June 25, 1998
Released: December 29, 2004
Released: December 13, 1989
Released: August 3, 2009
Websites
websec.io is dedicated to educating developers about security with topics relating to general security fundamentals, emerging technologies and PHP-specific information
]]>Classes
A vulnerability research and exploit development class by Owen Redwood of Florida State University.
Be sure to check out the lectures!
]]>Books
Released: March 15, 2010
Develops a sense of professional paranoia while presenting crypto design techniques.
Websites
Video courses on low-level x86 programming, hacking, and forensics.
The blog of our technology and security consulting firm based in Orlando, FL
A blog about PHP, Security, Performance and general web application development.
Pádraic Brady is a Zend Framework security expert
Books and ebooks
Securing PHP: Core Concepts acts as a guide to some of the most common security terms and provides some examples of them in every day PHP.
Useful libraries
A secure OAuth2 server implementation
]]>Websites
Secure passwords in several languages/frameworks.
A list of security news sources.
Articles
Released: April 22, 2013
Padriac Brady's advice on building software that isn't vulnerable to XSS
Released: November 23, 2011
Though this article is a few years old, much of its advice is still relevant as we veer around the corner towards PHP 7.
Released: June 16, 2014
@timoh6 explains implementing data encryption in PHP
]]>Articles
Released: May 3, 2014
Mentions many ways to make /dev/urandom
fail on Linux/BSD.
Articles
Released: February 25, 2014
Advice on cryptographically secure pseudo-random number generators.
Released: November 28, 2014
A gentle introduction to timing attacks in PHP applications
Released: April 21, 2015
Discusses password policies, password storage, "remember me" cookies, and account recovery.
Books
Released: September 27, 2011
Great introduction to Web Application Security; though slightly dated.
Websites
Learn about application security by attempting to hack this website.
Self-assessment quiz for web application security
The top ten most common and critical security vulnerabilities found in web applications.
Useful libraries
Symmetric-key encryption library for PHP applications. (Recommended over rolling your own!)
If you're using PHP 5.3.7+ or 5.4, use this to hash passwords
Useful for generating random strings or numbers
Books and ebooks
A weekly newsletter about PHP, security, and the community.
]]>