A curated list of resources for learning about application security

Overview

Awesome AppSec

A curated list of resources for learning about application security. Contains books, websites, blog posts, and self-assessment quizzes.

Maintained by Paragon Initiative Enterprises with contributions from the application security and developer communities. We also have other community projects which might be useful for tomorrow's application security experts.

If you are an absolute beginner to the topic of software security, you may benefit from reading A Gentle Introduction to Application Security.

Contributing

Please refer to the contributing guide for details.

Application Security Learning Resources

General

Articles

How to Safely Generate a Random Number (2014)

Released: February 25, 2014

Advice on cryptographically secure pseudo-random number generators.

Salted Password Hashing - Doing it Right (2014)

Released: August 6, 2014

A post on Crackstation, a project by Defuse Security

A good idea with bad usage: /dev/urandom (2014)

Released: May 3, 2014

Mentions many ways to make /dev/urandom fail on Linux/BSD.

Why Invest in Application Security? (2015)

Released: June 21, 2015

Running a business requires being cost-conscious and minimizing unnecessary spending. The benefits of ensuring the security of your application are invisible to most companies, so oftentimes they neglect to invest in secure software development as a cost-saving measure. What these companies don't realize is the potential cost (both financial and to brand reputation) that a preventable data compromise can incur.

The average data breach costs millions of dollars in damage.

Investing more time and personnel to develop secure software is, for most companies, worth it to minimize this unnecessary risk to their bottom line.

Be wary of one-time pads and other crypto unicorns (2015)

Released: March 25, 2015

A must-read for anyone looking to build their own cryptography features.

Books

nonfree Web Application Hacker's Handbook (2011)

Released: September 27, 2011

Great introduction to web application security, though slightly dated.

nonfree Cryptography Engineering (2010)

Released: March 15, 2010

Develops a sense of professional paranoia while presenting crypto design techniques.

nonfree Securing DevOps (2018)

Released: March 1, 2018

Securing DevOps explores how the techniques of DevOps and Security should be applied together to make cloud services safer. This introductory book reviews state of the art practices used in securing web applications and their infrastructure, and teaches you techniques to integrate security directly into your product.

nonfree Gray Hat Python: Programming for Hackers and Reverse Engineers (2009)

Released: May 3, 2009

nonfree The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (2006)

Released: November 30, 2006

nonfree C Interfaces and Implementations: Techniques for Creating Reusable Software (1996)

Released: August 30, 1996

nonfree Reversing: Secrets of Reverse Engineering (2005)

Released: April 15, 2005

nonfree JavaScript: The Good parts (2008)

Released: May 1, 2008

nonfree Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition (2007)

Released: June 17, 2007

nonfree The Mac Hacker's Handbook (2009)

Released: March 3, 2009

nonfree The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler (2008)

Released: August 22, 2008

nonfree Internetworking with TCP/IP Vol. II: ANSI C Version: Design, Implementation, and Internals (3rd Edition) (1998)

Released: June 25, 1998

nonfree Network Algorithmics: An Interdisciplinary Approach to Designing Fast Networked Devices (2004)

Released: December 29, 2004

nonfree Computation Structures (MIT Electrical Engineering and Computer Science) (1989)

Released: December 13, 1989

nonfree Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection (2009)

Released: August 3, 2009

Secure Programming HOWTO (2015)

Released: March 1, 2015

Security Engineering - Second Edition (2008)

Released: April 14, 2008

nonfree Bulletproof SSL and TLS (2014)

Released: August 1, 2014

Holistic Info-Sec for Web Developers (Fascicle 0) (2016)

Released: September 17, 2016

The first part of a three-part book series providing broad and in-depth coverage of what web developers and architects need to know in order to create robust, reliable, maintainable and secure software, networks and other systems that are delivered continuously, on time, with no nasty surprises.

Holistic Info-Sec for Web Developers (Fascicle 1)

The second part of a three-part book series providing broad and in-depth coverage of what web developers and architects need to know in order to create robust, reliable, maintainable and secure software, VPS, networks, cloud and web applications that are delivered continuously, on time, with no nasty surprises.

Classes

Offensive Computer Security (CIS 4930) FSU

A vulnerability research and exploit development class by Owen Redwood of Florida State University.

Be sure to check out the lectures!

Hack Night

Developed from the materials of NYU Poly's old Penetration Testing and Vulnerability Analysis course, Hack Night is a sobering introduction to offensive security. A lot of complex technical content is covered very quickly as students are introduced to a wide variety of complex and immersive topics over thirteen weeks.

Websites

Hack This Site!

Learn about application security by attempting to hack this website.

Enigma Group

Where hackers and security experts come to train.

Web App Sec Quiz

Self-assessment quiz for web application security

SecurePasswords.info

Secure passwords in several languages/frameworks.

Security News Feeds Cheat-Sheet

A list of security news sources.

Open Security Training

Video courses on low-level x86 programming, hacking, and forensics.

MicroCorruption

Capture The Flag - Learn Assembly and Embedded Device Security

The Matasano Crypto Challenges

A series of programming exercises for teaching oneself cryptography by Matasano Security. The introduction by Maciej Ceglowski explains it well.

PentesterLab

PentesterLab provides free hands-on exercises and a bootcamp to get started.

Juice Shop

An intentionally insecure JavaScript web application.

Supercar Showdown

How to go on the offence before online attackers do.

OWASP NodeGoat

A Node.js web application purposely vulnerable to the OWASP Top 10, with tutorials, security regression testing with the OWASP ZAP API, and a Docker image. Several options to get up and running fast.

Blogs

Crypto Fails

Showcasing bad cryptography

NCC Group - Blog

The blog of NCC Group, formerly Matasano, iSEC Partners, and NGS Secure.

Scott Helme

Learn about security and performance.

Cossack Labs blog (2018)

Released: July 30, 2018

Blog of a cryptography company that makes open-source libraries and tools and describes practical data security approaches for applications and infrastructure.

Wiki pages

OWASP Top Ten Project

The top ten most common and critical security vulnerabilities found in web applications.

Tools

Qualys SSL Labs

The infamous suite of SSL and TLS tools.

securityheaders.io

Quickly and easily assess the security of your HTTP response headers.

report-uri.io

A free CSP and HPKP reporting service.

Android

Books and ebooks

SEI CERT Android Secure Coding Standard (2015)

Released: February 24, 2015

A community-maintained Wiki detailing secure coding standards for Android development.

C

Books and ebooks

SEI CERT C Coding Standard (2006)

Released: May 24, 2006

A community-maintained Wiki detailing secure coding standards for C programming.

Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team (2018)

Released: July 30, 2018

Provides guidelines for improving software security through secure coding. Covers common programming languages and libraries, and focuses on concrete recommendations.

C++

Books and ebooks

SEI CERT C++ Coding Standard (2006)

Released: July 18, 2006

A community-maintained Wiki detailing secure coding standards for C++ programming.

C Sharp

Books and ebooks

nonfree Security Driven .NET (2015)

Released: July 14, 2015

An introduction to developing secure applications targeting version 4.5 of the .NET Framework, specifically covering cryptography and security engineering topics.

Go

Articles

Memory Security in Go - cryptolosophy.io (2017)

Released: August 3, 2017

A guide to managing sensitive data in memory.

Java

Books and ebooks

SEI CERT Java Coding Standard (2007)

Released: January 12, 2007

A community-maintained Wiki detailing secure coding standards for Java programming.

Secure Coding Guidelines for Java SE (2014)

Released: April 2, 2014

Secure Java programming guidelines straight from Oracle.

Node.js

Articles

Node.js Security Checklist - Rising Stack Blog (2015)

Released: October 13, 2015

Covers a lot of useful information for developing secure Node.js applications.

Books and ebooks

nonfree Essential Node.js Security (2017)

Released: July 19, 2017

A hands-on practical guide, abundant with source code, to securing Node.js web applications.

Training

nonfree Security Training by ^Lift Security

Learn from the team that spearheaded the Node Security Project

nonfree Security Training from BinaryMist

We run many types of info-sec security training, covering Physical, People, VPS, Networks, Cloud, Web Applications. Most of the content is sourced from the book series Kim has been working on for several years. More info can be found here

PHP

Articles

It's All About Time (2014)

Released: November 28, 2014

A gentle introduction to timing attacks in PHP applications

Secure Authentication in PHP with Long-Term Persistence (2015)

Released: April 21, 2015

Discusses password policies, password storage, "remember me" cookies, and account recovery.

20 Point List For Preventing Cross-Site Scripting In PHP (2013)

Released: April 22, 2013

Pádraic Brady's advice on building software that isn't vulnerable to XSS

25 PHP Security Best Practices For Sys Admins (2011)

Released: November 23, 2011

Though this article is a few years old, much of its advice is still relevant as we veer around the corner towards PHP 7.

PHP data encryption primer (2014)

Released: June 16, 2014

@timoh6 explains implementing data encryption in PHP

Preventing SQL Injection in PHP Applications - the Easy and Definitive Guide (2014)

Released: May 26, 2014

TL;DR - don't escape, use prepared statements instead!

You Wouldn't Base64 a Password - Cryptography Decoded (2015)

Released: August 7, 2015

A human-readable overview of commonly misused cryptography terms and fundamental concepts, with example code in PHP.

If you're confused about cryptography terms, start here.

A Guide to Secure Data Encryption in PHP Applications (2015)

Released: August 2, 2015

Discusses the importance of end-to-end network-layer encryption (HTTPS) as well as secure encryption for data at rest, then introduces the specific cryptography tools that developers should use for specific use cases, whether they use libsodium, Defuse Security's secure PHP encryption library, or OpenSSL.

The 2018 Guide to Building Secure PHP Software (2017)

Released: December 12, 2017

This guide should serve as a complement to the e-book, PHP: The Right Way, with a strong emphasis on security and not general PHP programmer topics (e.g. code style).

Books and ebooks

nonfree Securing PHP: Core Concepts

Securing PHP: Core Concepts acts as a guide to some of the most common security terms and provides some examples of them in everyday PHP.

Using Libsodium in PHP Projects

You shouldn't need a Ph.D. in applied cryptography to build a secure web application. Enter libsodium, which allows developers to build fast, secure, and reliable applications without needing to know what a stream cipher even is.

Useful libraries

defuse/php-encryption

Symmetric-key encryption library for PHP applications. (Recommended over rolling your own!)

ircmaxell/password_compat

If you're using PHP 5.3.7+ or 5.4, use this to hash passwords

ircmaxell/RandomLib

Useful for generating random strings or numbers

thephpleague/oauth2-server

A secure OAuth2 server implementation

paragonie/random_compat

PHP 7 offers a new set of CSPRNG functions: random_bytes() and random_int(). This is a community effort to expose the same API in PHP 5 projects (forward compatibility layer). Permissively MIT licensed.

psecio/gatekeeper

A secure authentication and authorization library that implements Role-Based Access Controls and Paragon Initiative Enterprises' recommendations for secure "remember me" checkboxes.

openwall/phpass

A portable public domain password hashing framework for use in PHP applications.

Websites

websec.io

websec.io is dedicated to educating developers about security with topics relating to general security fundamentals, emerging technologies and PHP-specific information

Blogs

Paragon Initiative Enterprises Blog

The blog of our technology and security consulting firm based in Orlando, FL

ircmaxell's blog

A blog about PHP, Security, Performance and general web application development.

Pádraic Brady's Blog

Pádraic Brady is a Zend Framework security expert

Mailing lists

Securing PHP Weekly

A weekly newsletter about PHP, security, and the community.

Perl

Books and ebooks

SEI CERT Perl Coding Standard (2011)

Released: January 10, 2011

A community-maintained Wiki detailing secure coding standards for Perl programming.

Python

Books and ebooks

Python chapter of Fedora Defensive Coding Guide

Lists standard library features that should be avoided, and references sections of other chapters that are Python-specific.

nonfree Black Hat Python: Python Programming for Hackers and Pentesters

Black Hat Python by Justin Seitz from NoStarch Press is a great book for the offensive security minds

nonfree Violent Python

Violent Python shows you how to move from a theoretical understanding of offensive computing concepts to a practical implementation.

Websites

OWASP Python Security Wiki (2014)

Released: June 21, 2014

A wiki maintained by the OWASP Python Security project.

Ruby

Books and ebooks

Secure Ruby Development Guide (2014)

Released: March 10, 2014

A guide to secure Ruby development by the Fedora Security Team. Also available on Github.

Comments
  • Added SSL/TLS practical tutorial

    Added SSL/TLS practical tutorial

    Added an example project which has no security. It provides how-to steps to enable encryption with SSL/TLS for three scenarios:

    • one way authentication - server communicates over https and identifies itself with a certificate
    • two way authentication - both server and client need to identify themselves and trust each other
    • two way authentication based on trusting the certificate authority - same as above one but trusting the root-ca is enough to get the same result

    • Java Spring based web server
    • A variation of http clients which are supported

    Helps the person to learn about certificates, keystores, ssl commands and basic web security based on certificates.

    opened by Hakky54 2
  • Add Cossack Labs blog

    Add Cossack Labs blog

    Cossack Labs are sharing tips from their cryptographic development, as well as basic-sanity data security advice.

    Not sure what link is better to use – for blog or for medium, decided to add blog.

    opened by vixentael 2
  • [README.md/compiler.php] name field (containing

    [README.md/compiler.php] name field (containing " - ") isn't handled correctly

    JSON:

    • data/00-general/articles/0002-hashing-security.json
    • data/00-general/books/0018-security-engineering.json
    • data/00-general/websites/00-blogs/0002-nccgroup.json
    • data/00-general/websites/02-tools/0003-report-uri.json
    • data/Go/articles/0001-cryptolosophy-memory-security.json
    • data/Node.js/articles/0001-risingstack-checklist.json

    Examples: NOK(broken link)

    • https://github.com/paragonie/awesome-appsec#security-engineering-second-edition-2008
    • https://github.com/paragonie/awesome-appsec#security-engineering---second-edition-2008
    • https://github.com/paragonie/awesome-appsec#ncc-group-blog
    • https://github.com/paragonie/awesome-appsec#ncc-group---blog
    • https://github.com/paragonie/awesome-appsec#report-uri-io
    • https://github.com/paragonie/awesome-appsec#report-uriio
    • https://github.com/paragonie/awesome-appsec#memory-security-in-go-cryptolosophy-io-2017
    • https://github.com/paragonie/awesome-appsec#memory-security-in-go---cryptolosophyio-2017
    • https://github.com/paragonie/awesome-appsec#node-js-security-checklist-rising-stack-blog-2015
    • https://github.com/paragonie/awesome-appsec#nodejs-security-checklist---rising-stack-blog-2015

    JSON:

    • data/00-general/articles/0005-crypto-unicorns.json
    • data/00-general/websites/0005-news-feeds.json
    • data/00-general/books/0020-holistic-info-sec-for-web-developers-f0.json
    • data/00-general/books/0021-holistic-info-sec-for-web-developers-f1.json

    Examples: OK

    • https://github.com/paragonie/awesome-appsec#be-wary-of-one-time-pads-and-other-crypto-unicorns-2015
    • https://github.com/paragonie/awesome-appsec#security-news-feeds-cheat-sheet
    • https://github.com/paragonie/awesome-appsec#holistic-info-sec-for-web-developers-fascicle-0-2016
    • https://github.com/paragonie/awesome-appsec#holistic-info-sec-for-web-developers-fascicle-1

    Workaround: Add this snippet or similar task between lines 237/238 (suggestion). src/Util.php

            // Replace hyphens in the name with spaces so the generated
            // README anchor matches the one GitHub produces for the heading.
            if (\array_key_exists('name', $fd)) {
                if (isset($fd['name'])) {
                    $fd['name'] = preg_replace('/\-/', ' ', $fd['name']);
                }
            }
    
    opened by ghost 1
  • Removing whitespace that was breaking linking

    Removing whitespace that was breaking linking

    For some reason it looks like this whitespace was affecting the linking when using the README. It was kind of bugging me. If you click the second bullet point in the Books and ebooks Java section it won't take you to the proper place. Regenerating the README should fix this with the space change.

    Thanks for making this repository by the way. Very useful!

    opened by CBrowne 1
  • CERT Coding Standard

    CERT Coding Standard

    CERT C Coding Standard: https://www.securecoding.cert.org/confluence/display/c/CERT+C+Coding+Standard

    CERT C++ Coding Standard: https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637

    Android, Java, Perl: https://www.securecoding.cert.org/confluence/spacedirectory/view.action

    enhancement 
    opened by abderraouf-adjal 1
  • README: Offensive Computer Security (CIS 4930) FSU link is broken

    README: Offensive Computer Security (CIS 4930) FSU link is broken

    {"date":"2023-01-1","free":true,"name":"Angela","remark":"Received a 404 error on the CIS 4930 link.","url":"https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/"}

    opened by angietechcafe 0
  • Add API Security in Action book link

    Add API Security in Action book link

    This is a bit of shameless self-promotion (well, my publisher asked me to), but I wonder if you would be willing to add a link to my book, API Security in Action? (I can send you a link for a free copy if you want to read it first - it is still in "early access" so not complete yet).

    It has a chapter on basic secure application development techniques, and then chapters covering CSRF, etc. It covers JWT because it is hard not to, but is clear to point out the security weaknesses and covers alternatives like Macaroons and Paseto :-) (I also mention CipherSweet in a section on database hardening, so Paragon IE is well covered...)

    opened by NeilMadden 1
Owner
Paragon Initiative Enterprises
Technology should support your ambitions, not hinder them. We are a team of technology consultants that specialize in application security.