Awesome AppSec
A curated list of resources for learning about application security. Contains books, websites, blog posts, and self-assessment quizzes.
More curated lists can be found at sindresorhus/awesome.
Maintained by Paragon Initiative Enterprises with contributions from the application security and developer communities. We also have other community projects which might be useful for tomorrow's application security experts.
Contributing
Please refer to the contributing guide for details.
Application Security Learning Resources
- General
- Articles
- Books
- Web Application Hacker's Handbook (2011)
- Cryptography Engineering (2010)
- Gray Hat Python: Programming for Hackers and Reverse Engineers (2009)
- The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (2006)
- C Interfaces and Implementations: Techniques for Creating Reusable Software (1996)
- Reversing: Secrets of Reverse Engineering (2005)
- JavaScript: The Good Parts (2008)
- Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition (2009)
- The Mac Hacker's Handbook (2009)
- The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler (2008)
- Internetworking with TCP/IP Vol. II: ANSI C Version: Design, Implementation, and Internals (3rd Edition) (1998)
- Network Algorithmics: An Interdisciplinary Approach to Designing Fast Networked Devices (2004)
- Computation Structures (MIT Electrical Engineering and Computer Science) (1989)
- Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection (2009)
- Secure Programming HOWTO (2015)
- Classes
- Websites
- Blogs
- Wiki pages
- PHP
- Articles
- It's All About Time (2014)
- Secure Authentication in PHP with Long-Term Persistence (2015)
- 20 Point List For Preventing Cross-Site Scripting In PHP (2013)
- 25 PHP Security Best Practices For Sys Admins (2011)
- PHP data encryption primer (2014)
- Preventing SQL Injection in PHP Applications - the Easy and Definitive Guide
- Books and ebooks
- Useful libraries
- Websites
- Blogs
- Mailing lists
- Node.js
General
Articles
How to Safely Generate a Random Number (2014)
Released: February 25, 2014
Advice on cryptographically secure pseudo-random number generators.
Salted Password Hashing - Doing it Right (2014)
Released: August 6, 2014
A post on Crackstation, a project by Defuse Security.
A good idea with bad usage: /dev/urandom (2014)
Released: May 3, 2014
Covers the many ways a naive read from /dev/urandom can fail on Linux/BSD (failed open, short reads, the wrong file at that path).
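The two articles above make a single practical point: do not hand-roll your random source. The following is an added example, not code from either article, showing the PHP 7+ built-ins (random_bytes(), random_int()) beside a hand-written /dev/urandom reader that performs the checks those built-ins do for you. The function names are the example's own; it assumes PHP 7 or later on a Unix-like system.

```php
<?php
declare(strict_types=1);

/**
 * Added example: generating unpredictable tokens in PHP.
 *
 * random_bytes()/random_int() read from the OS CSPRNG (getrandom(2),
 * /dev/urandom or the platform equivalent) and throw an Exception when no
 * secure source is available, instead of silently returning weak output.
 */
function generate_token(int $bytes = 32): string
{
    // Hex-encode so the token is safe to place in a URL, cookie or header.
    return bin2hex(random_bytes($bytes));
}

/**
 * For comparison: what a hand-rolled /dev/urandom reader has to check.
 * Each check corresponds to a failure mode of naive code; random_bytes()
 * handles all of them internally, which is why it should be preferred.
 */
function read_urandom(int $bytes): string
{
    $fp = @fopen('/dev/urandom', 'rb');
    if ($fp === false) {
        // e.g. a chroot without /dev, or the process is out of file descriptors
        throw new RuntimeException('could not open /dev/urandom');
    }

    $stat = fstat($fp);
    // S_IFMT = 0170000, S_IFCHR = 0020000: make sure this is a character
    // device and not a regular file someone placed at that path.
    if ($stat === false || ($stat['mode'] & 0170000) !== 0020000) {
        fclose($fp);
        throw new RuntimeException('/dev/urandom is not a character device');
    }

    // fread() may return fewer bytes than requested; loop until the
    // buffer is full and never assume one call did the job.
    $buf = '';
    while (strlen($buf) < $bytes) {
        $chunk = fread($fp, $bytes - strlen($buf));
        if ($chunk === false || $chunk === '') {
            fclose($fp);
            throw new RuntimeException('short read from /dev/urandom');
        }
        $buf .= $chunk;
    }
    fclose($fp);
    return $buf;
}

// Unbiased integer in a range: random_int() uses rejection sampling, so do
// not substitute rand(), mt_rand() or (random_bytes() % $n), all of which
// are either predictable or biased.
$code = random_int(100000, 999999);

echo generate_token(), PHP_EOL;
echo bin2hex(read_urandom(16)), PHP_EOL;
printf("%06d\n", $code);
```

On PHP 5.x, where random_bytes() does not exist, a polyfill that performs exactly these checks (rather than the hand-written reader above) is the sensible route; the reader is shown to make the failure modes concrete, not as a recommendation to deploy it.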
Books
Web Application Hacker's Handbook (2011)
Released: September 27, 2011
A great introduction to web application security, though slightly dated.
Cryptography Engineering (2010)
Released: March 15, 2010
Develops a sense of professional paranoia while presenting crypto design techniques.
Gray Hat Python: Programming for Hackers and Reverse Engineers (2009)
Released: May 3, 2009
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (2006)
Released: November 30, 2006
C Interfaces and Implementations: Techniques for Creating Reusable Software (1996)
Released: August 30, 1996
Reversing: Secrets of Reverse Engineering (2005)
Released: April 15, 2005
JavaScript: The Good Parts (2008)
Released: May 1, 2008
Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition (2009)
Released: June 17, 2009
The Mac Hacker's Handbook (2009)
Released: March 3, 2009
The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler (2008)
Released: August 22, 2008
Internetworking with TCP/IP Vol. II: ANSI C Version: Design, Implementation, and Internals (3rd Edition) (1998)
Released: June 25, 1998
Network Algorithmics: An Interdisciplinary Approach to Designing Fast Networked Devices (2004)
Released: December 29, 2004
Computation Structures (MIT Electrical Engineering and Computer Science) (1989)
Released: December 13, 1989
Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection (2009)
Released: August 3, 2009
Secure Programming HOWTO (2015)
Released: March 1, 2015
Classes
Offensive Computer Security (CIS 4930) FSU
A vulnerability research and exploit development class by Owen Redwood of Florida State University.
Be sure to check out the lectures!
Hack Night
Developed from the materials of NYU Poly's old Penetration Testing and Vulnerability Analysis course, Hack Night is a sobering introduction to offensive security. A lot of technical content is covered very quickly: students are introduced to a wide variety of complex and immersive topics over thirteen weeks.
Websites
Hack This Site!
Learn about application security by attempting to hack this website.
Web App Sec Quiz
Self-assessment quiz for web application security
SecurePasswords.info
Examples of secure password storage in several languages/frameworks.
Security News Feeds Cheat-Sheet
A list of security news sources.
Open Security Training
Video courses on low-level x86 programming, hacking, and forensics.
MicroCorruption
Capture The Flag - Learn Assembly and Embedded Device Security
The Matasano Crypto Challenges
A series of programming exercises for teaching oneself cryptography by Matasano Security. The introduction by Maciej Ceglowski explains it well.
PentesterLab
PentesterLab provides free hands-on exercises and a bootcamp to get started.
Blogs
Crypto Fails
Showcasing bad cryptography
Chargen: The Matasano Blog
The blog of Matasano Security, part of NCC Group.
Wiki pages
OWASP Top Ten Project
OWASP's ranking of the ten most critical security risks in web applications.
PHP
Articles
It's All About Time (2014)
Released: November 28, 2014
A gentle introduction to timing attacks in PHP applications.
Secure Authentication in PHP with Long-Term Persistence (2015)
Released: April 21, 2015
Discusses password policies, password storage, "remember me" cookies, and account recovery.
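The two articles above (timing attacks; password storage and "remember me" cookies) and the Crackstation post on salted hashing in the General section share three primitives. This is an added example, not code from any of those articles, showing how they fit together in PHP 7+: password_hash()/password_verify() for storage, hash_equals() for secret comparison, and a split selector/validator cookie, which is one common persistent-login design and is not presented here as the article's exact recommendation. The function names and the in-memory "table" are the example's own.

```php
<?php
declare(strict_types=1);

/**
 * Added example: three primitives a PHP login flow needs to get right.
 * Assumes PHP 7+ (password_hash, hash_equals, random_bytes are built in).
 */

// 1. Password storage: a salted, deliberately slow hash. password_hash()
//    draws a fresh salt per password and embeds algorithm, cost and salt in
//    its output, so the returned string is the only thing you store.
//    Caveat: bcrypt (PASSWORD_DEFAULT at the time of writing) only uses the
//    first 72 bytes of the password.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

function check_password(string $password, string $storedHash): bool
{
    // Recomputes the hash with the stored salt and compares in constant time.
    return password_verify($password, $storedHash);
}

// 2. Comparing secrets: `===` on strings returns as soon as the first
//    differing byte is found, which leaks how much of a guess was correct.
//    hash_equals() always walks the full length of the known string.
//    Argument order matters: the known value first, the user-supplied second.
function token_matches(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

// 3. "Remember me" cookie with a split token: the selector is a plain lookup
//    key, the validator is the secret. Only a hash of the validator is
//    stored, so a read-only leak of the table does not yield usable cookies,
//    and the database lookup itself never keys on the secret.
function issue_remember_me(array &$db): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $db[$selector] = [
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + 60 * 60 * 24 * 30,
    ];
    return $selector . ':' . $validator;
}

function check_remember_me(array $db, string $cookie): bool
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return false;
    }
    list($selector, $validator) = $parts;
    if (!isset($db[$selector]) || $db[$selector]['expires'] < time()) {
        return false;
    }
    // Hash the supplied validator, then compare in constant time.
    return hash_equals($db[$selector]['validator_hash'], hash('sha256', $validator));
}

// Demo against an in-memory "table" (constructed for this example).
$hash = store_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $hash));
var_dump(check_password('Tr0ub4dor&3', $hash));

$table  = [];
$cookie = issue_remember_me($table);
var_dump(check_remember_me($table, $cookie));
var_dump(check_remember_me($table, 'bogus:token'));
```

Two habits worth keeping from this: never compare a token, HMAC or hash with `==` or `===`, and never put the secret half of a persistent-login token in the database in the clear.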
20 Point List For Preventing Cross-Site Scripting In PHP (2013)
Released: April 22, 2013
Pádraic Brady's advice on building software that isn't vulnerable to XSS.
25 PHP Security Best Practices For Sys Admins (2011)
Released: November 23, 2011
Though this article is a few years old, much of its advice is still relevant as we veer around the corner towards PHP 7.
PHP data encryption primer (2014)
Released: June 16, 2014
@timoh6 explains implementing data encryption in PHP.
Preventing SQL Injection in PHP Applications - the Easy and Definitive Guide
TL;DR - don't escape, use prepared statements instead!
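To make the TL;DR above concrete, here is an added example (not code from the guide) that runs the same lookup twice against an in-memory SQLite database: once with the value spliced into the SQL string, once as a bound parameter. The table, rows and payload are constructed for the example; it assumes the pdo_sqlite extension is loaded.

```php
<?php
declare(strict_types=1);

/**
 * Added example: string concatenation vs. a prepared statement in PDO.
 */
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also disable emulated prepares so the query text and its
// parameters reach the server separately:
//   $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// pdo_sqlite always uses native prepares, so it is not needed here.

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)');
$pdo->exec("INSERT INTO users (username, is_admin) VALUES ('alice', 1), ('bob', 0)");

// Vulnerable: the caller's input becomes part of the SQL grammar.
function find_user_concat(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL is fixed when prepared; the value travels as data only.
function find_user_prepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The quote closes the string literal, and OR '1'='1' matches every row.
$payload = "' OR '1'='1";

print_r(find_user_concat($pdo, 'alice'));
print_r(find_user_concat($pdo, $payload));    // the injection changes the WHERE clause
print_r(find_user_prepared($pdo, 'alice'));
print_r(find_user_prepared($pdo, $payload));  // looks for a user literally named "' OR '1'='1"
```

One caveat: placeholders bind values only. Table names, column names, and ORDER BY directions cannot be parameterised, so anything of that kind that comes from the request must be matched against a whitelist before it goes near the query string.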
Books and ebooks
Securing PHP: Core Concepts
Securing PHP: Core Concepts acts as a guide to some of the most common security terms and provides examples of them in everyday PHP.
Useful libraries
defuse/php-encryption
Symmetric-key encryption library for PHP applications. (Recommended over rolling your own!)
ircmaxell/password_compat
Polyfill for PHP 5.5's password_hash()/password_verify() API. If you're on PHP 5.3.7 or 5.4, use this to hash passwords.
ircmaxell/RandomLib
Useful for generating random strings or numbers
thephpleague/oauth2-server
A secure OAuth2 server implementation
Websites
websec.io
websec.io is dedicated to educating developers about security. Topics cover general security fundamentals, emerging technologies, and PHP-specific information.
Blogs
Paragon Initiative Enterprises Blog
The blog of our technology and security consulting firm based in Orlando, FL
ircmaxell's blog
A blog about PHP, Security, Performance and general web application development.
Pádraic Brady's Blog
Pádraic Brady is a Zend Framework security expert
Mailing lists
Securing PHP Weekly
A weekly newsletter about PHP, security, and the community.
Node.js
Training
Security Training by ^Lift Security
Learn from the team that spearheaded the Node Security Project