Resources for Getting Started in Security

Purpose:
This document provides materials that may help you get started in the
software security industry. Understanding the material presented in Software
Security: Building Security In and in the OWASP Top Ten will give you a solid
starting point. Once those concepts are understood, the other, more specialized
resources below can be used to deepen your knowledge. When working through
these resources, be sure to do the examples and try both exploiting and fixing
the vulnerabilities you read about. Note that Cigital is not necessarily
affiliated with the companies and organizations listed below.
Books:
General Software Security
1- Software Security: Building Security In, By Gary McGraw
Web Application Security
1- The Web Application Hacker's Handbook, 2nd Edition, By Stuttard & Pinto
2- The Tangled Web: A Guide to Securing Modern Web Applications, By Michal Zalewski
Mobile Security
1- The iOS Hacker's Handbook, By Miller, Blazakis, DaiZovi, et al.
Cryptography
1- Applied Cryptography, By Bruce Schneier
Web Links:
1- OWASP Top Ten Project - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Lists the ten most critical web application security risks seen in the wild,
explains the root cause of each, and describes how to remediate them.
2- OWASP WebGoat - https://www.owasp.org/index.php/Webgoat
A deliberately insecure web application used as a training platform for
finding and exploiting common web application vulnerabilities.
3- How To: Perform a Security Code Review for Managed Code - http://msdn.microsoft.com/en-us/library/ff649315.aspx
Describes one methodology for performing secure source code reviews,
including what to look for.
4- Smashing the Stack for Fun and Profit - http://inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
The classic paper on stack-based buffer overflows, for those interested in
thick-client (native code) security.
5- PENETRATION TESTING PRACTICE LAB - VULNERABLE APPS / SYSTEMS - http://www.amanhardikar.com/mindmaps/PracticewithURLs.html
For those interested in penetration testing, this site points to a large
number of deliberately vulnerable applications and systems to practice against.
6- Reverse engineering forum (URL not provided)
For those interested in reverse engineering, this forum discusses reverse
engineering at many levels.
7- InfoSec Resources - Penetration Testing for iPhone Applications - http://resources.infosecinstitute.com/pentesting-iphone-applications/
For those interested in mobile security, this provides an introduction to
penetration testing iOS applications.
8- BSIMM - http://bsimm.com
The Building Security In Maturity Model, a data-driven study of the software
security initiatives of real organizations, useful for seeing what mature
software security programs actually do.