Security Resources

Sites/Blogs/Newsletters

• tl;dr sec Newsletter - By Clint Gibler - Applying Academic Rigor to Curating the Best Security Research
• Few Thoughts on Cryptographic Engineering - Matt Green’s Crypto Blog
• ImperialViolet - Adam Langley’s Weblog
• Information Security StackExchange - Question and answer site for Information security professionals
• Cryptography StackExchange - Question and answer site for software developers, mathematicians and others interested in cryptography
• iSEC Research Labs - Tools, whitepapers and conference presentations developed/produced by iSEC’s security researchers

Web Application Security

• Browser Security Handbook - By Michal Zalewski
• Google Gruyere - Web Application Exploits and Defenses - a small, cheesy web application that allows its users to publish snippets of text and store assorted files.
• Google’s XSS game - In this training program, you will learn to find and exploit XSS bugs
• Damn Vulnerable Web Application (DVWA) - an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment

Linux Security/Internals

• Linux Insides - A series of posts about the linux kernel and its insides
• Linux Workstation Security Checklist - This document is aimed at teams of systems administrators who use Linux workstations to access and manage your project’s IT infrastructure

Network Security

• NMAP - Port Scanning Basics
• NMAP Mind Map - The ultimate network scanning tool
• MASSCAN by Robert Graham - This is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second

Cryptography

• Dan Boneh’s Cryptograhpy I - Learn about the inner workings of cryptographic primitives and how to apply this knowledge in real-world applications
• The Matasano Crypto Challenges - A different way to learn about crypto than taking a class or reading a book
• Security Baron - Crypto Blog - Resources/readings for folks who are new to security and want to learn about cryptography. (Thank you Ava for the recommendation!)

SSL/TLS

• How does SSL/TLS work? - Thomas Pornin’s wonderful answer to the question
• Meyer, C., & Schwenk, J. (2014). SoK: Lessons Learned From SSL/TLS Attacks - A brief chronology of SSL/TLS attacks
• SSL Threat Model - By Ivan Ristic

Memory Exploits

• David Brumley’s lecture notes on Exploits and Control Flow Hijack Defenses
• University of Maryland’s Software Security course on Coursera - explores the foundations of software security and covers important (and common) software vulnerabilities such as buffer overflows, SQL injection, and session hijacking
• Embedded Security CTF - You’ve been given access to a device that controls a lock. Your job: defeat the lock by exploiting bugs in the device’s code.

Best of StackOverflow/StackExchange Network

• Thoughts on (X)HTML parsing using Regular Expressions
• Our security auditor is an idiot. How do I give him the information he wants?
• How does SSL/TLS work?
• How to securely hash passwords?
• Why is it faster to process a sorted array than an unsorted array?
• What is the best comment in source code you have ever encountered?
• What’s your favorite “programmer” cartoon?
• We have an employee whose last name is Null - How to pass “Null” (a real surname!) to a SOAP web service in ActionScript 3?

Books

• The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws - Amazon Link
• The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage - Amazon Link