Application Security
Articles
- How to Safely Generate a Random Number
Released: February 25, 2014
Advice on cryptographically secure pseudo-random number generators.
- Salted Password Hashing - Doing it Right
Released: August 6, 2014
A post on Crackstation, a project by Defuse Security.
- A good idea with bad usage: /dev/urandom
Released: May 3, 2014
Mentions many ways to make /dev/urandom fail on Linux/BSD.
- Why Invest in Application Security?
Released: June 21, 2015
Running a business requires being cost-conscious and minimizing unnecessary spending. The benefits of ensuring the security of your application are invisible to most companies, so they often neglect to invest in secure software development as a cost-saving measure. What these companies don't realize is the potential cost, both financial and to brand reputation, that a preventable data compromise can incur. The average data breach costs millions of dollars in damage. Investing more time and personnel to develop secure software is, for most companies, worth it to minimize this unnecessary risk to their bottom line.
- Be wary of one-time pads and other crypto unicorns
Released: March 25, 2015
A must-read for anyone looking to build their own cryptography features.
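The first three articles above share one theme: take secrets from the operating system's CSPRNG and store passwords only as salted, deliberately slow hashes. The Python example below is added here to show that pattern end to end; it is not code from any of the linked articles. It draws the salt from os.urandom (the kernel CSPRNG, /dev/urandom on Linux/BSD), derives the hash with PBKDF2-HMAC-SHA256, and verifies with a constant-time comparison. The record format, the 16-byte salt and the 600,000 iteration count are choices made for this example, not values taken from the articles.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not taken from the articles).
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    The salt comes from os.urandom, i.e. the kernel CSPRNG, so two users with
    the same password get different records and a precomputed table cannot be
    reused across accounts. Passing an explicit salt is only for testing.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record.

    hmac.compare_digest runs in constant time, so an attacker cannot learn from
    the response time how many leading bytes of the hash matched. A malformed
    record is treated as a failed login, never as an exception.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != f"pbkdf2_{HASH_NAME}":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
        if iterations < 1:
            return False
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("Tr0ub4dor&3", stored))                   # False
```

Storing the algorithm name and iteration count inside the record is what lets you raise the work factor later: old records still verify with their own parameters and can be rehashed on the next successful login.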
Books
- Web Application Hacker's Handbook
Released: September 27, 2011
Great introduction to web application security, though slightly dated.
- Cryptography Engineering
Released: March 15, 2010
Develops a sense of professional paranoia while presenting crypto design techniques.
- Securing DevOps
Released: March 1, 2018
Securing DevOps explores how the techniques of DevOps and security should be applied together to make cloud services safer. This introductory book reviews state-of-the-art practices used in securing web applications and their infrastructure, and teaches you techniques to integrate security directly into your product.
- Gray Hat Python: Programming for Hackers and Reverse Engineers
Released: May 3, 2009
- The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
Released: November 30, 2006
- C Interfaces and Implementations: Techniques for Creating Reusable Software
Released: August 30, 1996
- Reversing: Secrets of Reverse Engineering
Released: April 15, 2005
- JavaScript: The Good Parts
Released: May 1, 2008
- Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition
Released: June 17, 2007
- The Mac Hacker's Handbook
Released: March 3, 2009
- The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler
Released: August 22, 2008
- Network Algorithmics: An Interdisciplinary Approach to Designing Fast Networked Devices
Released: December 29, 2004
- Computation Structures (MIT Electrical Engineering and Computer Science)
Released: December 13, 1989
- Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection
Released: August 3, 2009
- Secure Programming HOWTO
Released: March 1, 2015
- Security Engineering - Third Edition
Released: November 1, 2020
- Bulletproof SSL and TLS
Released: August 1, 2014
- Holistic Info-Sec for Web Developers (Fascicle 0)
Released: September 17, 2016
The first part of a three-part book series providing broad and in-depth coverage of what web developers and architects need to know in order to create robust, reliable, maintainable and secure software, networks and other systems that are delivered continuously, on time, with no nasty surprises.
- Holistic Info-Sec for Web Developers (Fascicle 1)
The second part of a three-part book series providing broad and in-depth coverage of what web developers and architects need to know in order to create robust, reliable, maintainable and secure software, VPS, networks, cloud and web applications that are delivered continuously, on time, with no nasty surprises.
Classes
- Offensive Computer Security (CIS 4930) FSU
A vulnerability research and exploit development class by Owen Redwood of Florida State University. Be sure to check out the lectures!
- Hack Night
Developed from the materials of NYU Poly's old Penetration Testing and Vulnerability Analysis course, Hack Night is a sobering introduction to offensive security. A lot of complex technical content is covered very quickly as students are introduced to a wide variety of complex and immersive topics over thirteen weeks.
Websites
- Hack This Site!
Learn about application security by attempting to hack this website.
- Enigma Group
Where hackers and security experts come to train.
- Web App Sec Quiz
Self-assessment quiz for web application security
- SecurePasswords.info
Secure passwords in several languages/frameworks.
- Security News Feeds Cheat-Sheet
A list of security news sources.
- Open Security Training
Video courses on low-level x86 programming, hacking, and forensics.
- MicroCorruption
Capture The Flag - Learn Assembly and Embedded Device Security
- The Matasano Crypto Challenges
A series of programming exercises for teaching oneself cryptography by Matasano Security. The introduction by Maciej Ceglowski explains it well.
- PentesterLab
PentesterLab provides free hands-on exercises and a bootcamp to get started.
- Juice Shop
An intentionally insecure JavaScript web application.
- Supercar Showdown
How to go on the offence before online attackers do.
- OWASP NodeGoat
A Node.js web application purposely vulnerable to the OWASP Top 10, with tutorials, security regression testing via the OWASP ZAP API and a Docker image, giving several options to get up and running fast.
- Securing The Stack
Bi-Weekly Appsec Tutorials
- OWASP ServerlessGoat
OWASP ServerlessGoat is a deliberately insecure, realistic AWS Lambda serverless application, maintained by OWASP and created by PureSec. You can install it, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best practices.
- SecDim
SecDim is an appsec edutainment platform: learn appsec with free git-based labs. Think you have what it takes to build a secure app? Challenge yourself with appsec games: fix bugs, get a score and your name on the leaderboards.
Blogs
- Crypto Fails
Showcasing bad cryptography
- NCC Group - Blog
The blog of NCC Group, formerly Matasano, iSEC Partners, and NGS Secure.
- Scott Helme
Learn about security and performance.
- Cossack Labs blog
Released: July 30, 2018
Blog of a cryptography company that makes open-source libraries and tools, and describes practical data security approaches for applications and infrastructure.
Wiki pages
- OWASP Top Ten Project
The top ten most common and critical security vulnerabilities found in web applications.
Tools
- Qualys SSL Labs
The well-known suite of SSL and TLS testing tools.
- securityheaders.io
Quickly and easily assess the security of your HTTP response headers.
- report-uri.io
A free CSP and HPKP reporting service. (HPKP has since been deprecated and is no longer enforced by major browsers; the CSP reporting endpoint is the part that remains useful.)
- clickjacker.io
Test and learn about clickjacking: build a clickjacking PoC, take a screenshot and share the link. Works against HTTPS, HTTP, intranet and internal sites.
Serverless
Tools
- PureSec FunctionShield
FunctionShield is a free security library for AWS Lambda and Google Cloud Functions that lets developers easily enforce strict security controls on serverless runtimes.
Android
Books and ebooks
- SEI CERT Android Secure Coding Standard
Released: February 24, 2015
A community-maintained Wiki detailing secure coding standards for Android development.
C
Books and ebooks
- SEI CERT C Coding Standard
Released: May 24, 2006
A community-maintained Wiki detailing secure coding standards for C programming.
- Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team
Released: February 22, 2025
Provides guidelines for improving software security through secure coding. Covers common programming languages and libraries, and focuses on concrete recommendations.
C++
Books and ebooks
- SEI CERT C++ Coding Standard
Released: July 18, 2006
A community-maintained Wiki detailing secure coding standards for C++ programming.
.NET
Books and ebooks
- Security Driven .NET
Released: July 14, 2015
An introduction to developing secure applications targeting version 4.5 of the .NET Framework, specifically covering cryptography and security engineering topics.
Clojure
Repositories
- Clojure OWASP
Released: May 5, 2020
Repository with Clojure examples of OWASP Top 10 vulnerabilities.
Go
Articles
- Memory Security in Go - spacetime.dev
Released: August 3, 2017
A guide to managing sensitive data in memory.
Java
Books and ebooks
- SEI CERT Java Coding Standard
Released: January 12, 2007
A community-maintained Wiki detailing secure coding standards for Java programming.
- Secure Coding Guidelines for Java SE
Released: April 2, 2014
Secure Java programming guidelines straight from Oracle.
Node.js
Articles
- Node.js Security Checklist - Rising Stack Blog
Released: October 13, 2015
Covers a lot of useful information for developing secure Node.js applications.
- Awesome Electron.js hacking & pentesting resources
Released: June 17, 2020
A curated list of resources to secure Electron.js-based applications.
Books and ebooks
- Essential Node.js Security
Released: July 19, 2017
Hands-on and abundant with source code: a practical guide to securing Node.js web applications.
Training
- Security Training by ^Lift Security
Learn from the team that spearheaded the Node Security Project
- Security Training from BinaryMist
We run many types of info-sec security training, covering Physical, People, VPS, Networks, Cloud, Web Applications. Most of the content is sourced from the book series Kim has been working on for several years. More info can be found here
PHP
Articles
- It's All About Time
Released: November 28, 2014
A gentle introduction to timing attacks in PHP applications.
- Secure Authentication in PHP with Long-Term Persistence
Released: April 21, 2015
Discusses password policies, password storage, "remember me" cookies, and account recovery.
- 20 Point List For Preventing Cross-Site Scripting In PHP
Released: April 22, 2013
Pádraic Brady's advice on building software that isn't vulnerable to XSS.
- 25 PHP Security Best Practices For Sys Admins
Released: November 23, 2011
Though this article is a few years old, much of its advice is still relevant as we veer around the corner towards PHP 7.
- PHP data encryption primer
Released: June 16, 2014
@timoh6 explains implementing data encryption in PHP.
- Preventing SQL Injection in PHP Applications - the Easy and Definitive Guide
Released: May 26, 2014
TL;DR - don't escape, use prepared statements instead!
- You Wouldn't Base64 a Password - Cryptography Decoded
Released: August 7, 2015
A human-readable overview of commonly misused cryptography terms and fundamental concepts, with example code in PHP. If you're confused about cryptography terms, start here.
- A Guide to Secure Data Encryption in PHP Applications
Released: August 2, 2015
Discusses the importance of end-to-end network-layer encryption (HTTPS) as well as secure encryption for data at rest, then introduces the specific cryptography tools that developers should use for specific use cases, whether they use libsodium, [Defuse Security's secure PHP encryption library](https://github.com/de…
- The 2018 Guide to Building Secure PHP Software
Released: December 12, 2017
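The SQL injection entry above is about PHP; the example below is added here in Python (it is not code from that article) to show the "don't escape, use prepared statements" point with sqlite3's parameter binding, the same mechanism as PDO prepared statements in PHP. The in-memory users table, its rows and the attack payloads are constructed for this example. It also shows why hand-escaping quotes is not a substitute: escaping does nothing for a value spliced into an unquoted numeric context.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the untrusted value becomes part of the SQL text itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the SQL text is constant and the value is bound as data."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def find_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    """Escaping quotes by hand: useless in an unquoted numeric context."""
    escaped = user_id.replace("'", "''")
    return conn.execute("SELECT name, role FROM users WHERE id = " + escaped).fetchall()


def find_by_id_prepared(conn: sqlite3.Connection, user_id: str) -> list:
    """Bound parameter: '1 OR 1=1' is compared as one value and matches no row."""
    return conn.execute("SELECT name, role FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(find_user_vulnerable(db, payload))    # all three rows
    print(find_user_prepared(db, payload))      # []
    print(find_by_id_escaped(db, "1 OR 1=1"))   # all three rows
    print(find_by_id_prepared(db, "1 OR 1=1"))  # []
```

The prepared variants never build SQL from input, so no escaping rules, quoting contexts or character-set tricks have to be reasoned about at all; that is the whole argument of the article.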
Books and ebooks
- Securing PHP: Core Concepts
Securing PHP: Core Concepts acts as a guide to some of the most common security terms and provides some examples of them in every day PHP.
- Using Libsodium in PHP Projects
You shouldn't need a Ph.D in Applied Cryptography to build a secure web application. Enter libsodium, which allows developers to develop fast, secure, and reliable applications without needing to know what a stream cipher even is.
Useful libraries
- defuse/php-encryption
Symmetric-key encryption library for PHP applications. (Recommended over rolling your own!)
- ircmaxell/password_compat
If you're using PHP 5.3.7+ or 5.4, use this to hash passwords
- ircmaxell/RandomLib
Useful for generating random strings or numbers
- thephpleague/oauth2-server
A secure OAuth2 server implementation
- paragonie/random_compat
PHP 7 offers a new set of CSPRNG functions: random_bytes() and random_int(). This is a community effort to expose the same API in PHP 5 projects (forward compatibility layer). Permissively MIT licensed.
- psecio/gatekeeper
A secure authentication and authorization library that implements Role-Based Access Controls and Paragon Initiative Enterprises' recommendations for secure "remember me" checkboxes.
- openwall/phpass
A portable public domain password hashing framework for use in PHP applications.
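random_int() in the list above is specified to return a uniformly distributed integer in a closed range from a CSPRNG, and the articles in the general section warn about getting random numbers wrong. The Python example below is added here to show the one mistake that the library's API exists to prevent: reducing a random byte modulo the range size is not uniform, while rejection sampling is. It is not random_compat's own code; the ByteStream class is a constructed deterministic byte source used only so the bias can be measured exactly, and os.urandom is the default source in real use.

```python
import os
from collections import Counter
from typing import Callable


def random_int(minimum: int, maximum: int,
               rand_bytes: Callable[[int], bytes] = os.urandom) -> int:
    """Uniform integer in [minimum, maximum] drawn from a CSPRNG.

    Rejection sampling: read just enough bytes to cover the range, mask down
    to the next power of two, and retry when the value lands past the range.
    The mask is below 2*span, so each attempt succeeds with probability at
    least 1/2; the loop ends quickly and every output is equally likely.
    """
    if minimum > maximum:
        raise ValueError("minimum must not exceed maximum")
    span = maximum - minimum + 1
    if span == 1:
        return minimum
    bits = span.bit_length()
    nbytes = (bits + 7) // 8
    mask = (1 << bits) - 1
    while True:
        candidate = int.from_bytes(rand_bytes(nbytes), "big") & mask
        if candidate < span:
            return minimum + candidate


def biased_random_int(minimum: int, maximum: int,
                      rand_bytes: Callable[[int], bytes] = os.urandom) -> int:
    """The naive approach: one CSPRNG byte reduced modulo the span.

    256 is not a multiple of most spans, so the low residues come up one extra
    time. The input bytes are random; the output is not uniform.
    """
    span = maximum - minimum + 1
    return minimum + int.from_bytes(rand_bytes(1), "big") % span


class ByteStream:
    """Deterministic stand-in for os.urandom, used only to measure bias exactly."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def __call__(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise RuntimeError("demonstration byte stream exhausted")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


def histogram(fn, minimum: int, maximum: int, data: bytes, draws: int) -> Counter:
    """Run fn `draws` times over the constructed byte stream and count outputs."""
    source = ByteStream(data)
    return Counter(fn(minimum, maximum, source) for _ in range(draws))


if __name__ == "__main__":
    every_byte = bytes(range(256))             # constructed: each byte value once
    biased = histogram(biased_random_int, 0, 99, every_byte, 256)
    print(biased[0], biased[99])               # 3 2: outputs 0..55 appear one extra time
    uniform = histogram(random_int, 0, 99, every_byte, 200)
    print(set(uniform.values()))               # {2}: every output exactly twice
```

With the range 0..99 and all 256 byte values fed through once, the modulo version returns 0..55 three times each and 56..99 twice each; the rejection version discards the 56 bytes whose masked value is 100..127 and returns every output exactly twice.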
Websites
- websec.io
websec.io is dedicated to educating developers about security with topics relating to general security fundamentals, emerging technologies and PHP-specific information
Blogs
- Paragon Initiative Enterprises Blog
The blog of our technology and security consulting firm based in Orlando, FL
- ircmaxell's blog
A blog about PHP, Security, Performance and general web application development.
- Pádraic Brady's Blog
Pádraic Brady is a Zend Framework security expert
Mailing lists
- Securing PHP Weekly
A weekly newsletter about PHP, security, and the community.
Perl
Books and ebooks
- SEI CERT Perl Coding Standard
Released: January 10, 2011
A community-maintained Wiki detailing secure coding standards for Perl programming.
Python
Books and ebooks
- Python chapter of Fedora Defensive Coding Guide
Lists standard library features that should be avoided, and references sections of other chapters that are Python-specific.
- Black Hat Python: Python Programming for Hackers and Pentesters
Black Hat Python by Justin Seitz from No Starch Press is a great book for offensive security minds.
- Violent Python
Violent Python shows you how to move from a theoretical understanding of offensive computing concepts to a practical implementation.
Websites
- OWASP Python Security Wiki
Released: June 21, 2014
A wiki maintained by the OWASP Python Security project.
Ruby
Books and ebooks
- Secure Ruby Development Guide
Released: March 10, 2014
A guide to secure Ruby development by the Fedora Security Team. Also available on GitHub.