Awesome AppSec

A curated list of resources for learning about application security. More curated lists can be found at sindresorhus/awesome.

Maintained by Paragon Initiative Enterprises with contributions from the application security and developer communities.

Contributing

Please refer to the contributing guide for details.

The Awesome Application Security Readling List

• General
  • Articles
    • How to Safely Generate a Random Number (2014)
    • Salted Password Hashing - Doing it Right (2014)
    • A good idea with bad usage: /dev/urandom (2014)
  • Books
    • Web Application Hacker's Handbook (2011)
    • Cryptography Engineering (2010)
    • Gray Hat Python: Programming for Hackers and Reverse Engineers (2009)
    • The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (2006)
    • The Practice of Programming (1999)
    • C Interfaces and Implementations: Techniques for Creating Reusable Software (1996)
    • Reversing: Secrets of Reverse Engineering (2005)
    • JavaScript: The Good parts (2008)
    • SQL For Dummies (2010)
    • Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition (2007)
    • The Mac Hacker's Handbook (2009)
    • The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler (2008)
    • Internetworking with TCP/IP Vol. II: ANSI C Version: Design, Implementation, and Internals (3rd Edition) (1998)
    • Network Algorithmics,: An Interdisciplinary Approach to Designing Fast Networked Devices (2004)
    • Computation Structures (MIT Electrical Engineering and Computer Science) (1989)
    • Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection (2009)
    • Secure Programming HOWTO (2015)
  • Classes
    • Offensive Computer Security (CIS 4930) FSU
  • Websites
    • Hack This Site!
    • Enigma Group
    • Web App Sec Quiz
    • SecurePasswords.info
    • Security News Feeds Cheat-Sheet
    • Open Security Training
    • MicroCorruption
    • The Matasano Crypto Challenges
    • PentesterLab
    • Blogs
      • Crypto Fails
      • Chargen: The Matasano Blog
    • Wiki pages
      • OWASP Top Ten Project
• PHP
  • Articles
    • It's All About Time (2014)
    • Secure Authentication in PHP with Long-Term Persistence (2015)
    • 20 Point List For Preventing Cross-Site Scripting In PHP (2013)
    • 25 PHP Security Best Practices For Sys Admins (2011)
    • PHP data encryption primer (2014)
    • Preventing SQL Injection in PHP Applications - the Easy and Definitive Guide
  • Books and ebooks
    • Securing PHP: Core Concepts
  • Useful libraries
    • defuse/php-encryption
    • ircmaxell/password_compat
    • ircmaxell/RandomLib
    • thephpleague/oauth2-server
  • Websites
    • websec.io
    • Blogs
      • Paragon Initiative Enterprises Blog
      • ircmaxell's blog
      • Pádraic Brady's Blog
    • Mailing lists
      • Securing PHP Weekly
• Node.js
  • Training
    • Security Training by ^Lift Security

General

Articles

How to Safely Generate a Random Number (2014)

Released: February 25, 2014

Advice on cryptographically secure pseudo-random number generators.

Salted Password Hashing - Doing it Right (2014)

Released: August 6, 2014

A post on Crackstation, a projecy by Defuse Security

A good idea with bad usage: /dev/urandom (2014)

Released: May 3, 2014

Mentions many ways to make /dev/urandom fail on Linux/BSD.

Books

Web Application Hacker's Handbook (2011)

Released: September 27, 2011

Great introduction to Web Application Security; though slightly dated.

Cryptography Engineering (2010)

Released: March 15, 2010

Develops a sense of professional paranoia while presenting crypto design techniques.

Gray Hat Python: Programming for Hackers and Reverse Engineers (2009)

Released: May 3, 2009

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"Literally the first book I thought of when I started this list, and I don't even like writing in Python. A headfirst dive into the day-to-day coding all app pentesters end up doing."

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (2006)

Released: November 30, 2006

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"The same way you can say "TAOCP" on a programming site and everyone knows you mean "Knuth", say "TOASSA" to a security person and they know this book. This is the McGee, the Cormen/Rivest, the "Theory Of Poker" for our industry: how to find vulnerabilities by reading software."

The Practice of Programming (1999)

Released: February 14, 1999

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"Skip it if you've already done dev professionally (and, if you can, try to spend a couple years doing that before coming to app security). Otherwise: you want to (a) get good at busting our reliable, readable security testing tools without losing cycles figuring out how to start, and (b) to know how pro devs think before trying to tear up their software."

C Interfaces and Implementations: Techniques for Creating Reusable Software (1996)

Released: August 30, 1996

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"You need C. This is the single best book on C software development that has ever been written. It takes everything you've been doing in Python, Ruby, or Perl, but have lost in C, and gives it back to you - while explaining each line of code it takes to do that, and making you a competent C API designer in the process."

Reversing: Secrets of Reverse Engineering (2005)

Released: April 15, 2005

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"The best end-to-end treatment of the theory and practice of taking compiled binary software and working it back to its design and internal function. Read this to understand why writing your own version of IDA Pro is more trouble than its worth, or to see why you'd want to do that in the first place."

JavaScript: The Good parts (2008)

Released: May 1, 2008

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"This book is tiny. Most books about Javascript are 18,000 pages long, explain how to write 1000 lines of JS to make rounded corners in IE5, and suck. This book contains nothing but how to write serious code in Javascript, a surprisingly serious language that it turns out owns a surprisingly huge portion of the Internet security model by enforcing the "same origin policy" that secures browsers."

SQL For Dummies (2010)

Released: February 2, 2010

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"You have to know SOME SQL to do web security work. My theory: the less of it you end up knowing, the happier you'll end up being. Thus: this book."

Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition (2007)

Released: June 17, 2007

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"You want to know how modern OS's work on x86. Especially memory management. You want to know why system calls work the way they do. You want to grok IPC. You can learn with Unix or with Windows, but Windows depth has more market value, and there's no comparably good (and modern) Unix internals book."

The Mac Hacker's Handbook (2009)

Released: March 3, 2009

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"Union rules require me to recommend at least one book by Charlie Miller and one book by Dino Dai Zovi, and this book, which is great, kills two birds with one stone."

The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler (2008)

Released: August 22, 2008

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"Don't buy this until you get your IDA Pro license. And if you've been using IDA for years already, borrow it instead. But this book is the manual Hexrays should ship with the IDA, and IDA is the de facto standard binary reversing tool for our industry. Know that if you grok assembly and C, then a week or two, a copy of IDA, and this book combined will get you reversing WinAPI programs reliably."

Internetworking with TCP/IP Vol. II: ANSI C Version: Design, Implementation, and Internals (3rd Edition) (1998)

Released: June 25, 1998

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"Sooner or later you're going to hit a project where the only way to listen to and talk to the target is to bust out libpcap and do IO with raw frames. In TCP/IP books, there's the Comer camp and the W. Richard Stevens camp. I'm a Comer guy. This book is more general than Stevens, and works from a far cleaner codebase (Stevens' 4.4BSD, while venerable, is ugly as sin)."

Network Algorithmics,: An Interdisciplinary Approach to Designing Fast Networked Devices (2004)

Released: December 29, 2004

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"Do any of those tools you wrote with libpcap after reading Comer & Stevens have to work fast? Do they have to deal with more than a couple hundred hosts? This book isn't cheap, and it's somewhat specialized, but it's well written, interesting, and authoritative."

Computation Structures (MIT Electrical Engineering and Computer Science) (1989)

Released: December 13, 1989

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"Eventually you'll get a project that's going to involve an exotic target, maybe synthesized onto an FPGA in some crazy RISC architecture, maybe on an embedded controller you can only talk to with JTAG. You want to know how computer systems are designed and engineered from electrical signals on up. This book starts from circuits and ends with compiler design and may be all you'll ever need."

Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection (2009)

Released: August 3, 2009

Imported from Thomas Ptacek's Application Security Reading List on Amazon

"One branch of binary runtime security work involves software protection, which means "copy protection" and "tamper proofing" and "anti-cheating" and "malware countermeasures" all at this same time. This book is somewhat stuffily written and uses formalisms more than case studies, but if runtime security is your thing, you'll forgive those quirks for the breadth and authority in this book."

Secure Programming HOWTO (2015)

Released: March 1, 2015

Classes

Offensive Computer Security (CIS 4930) FSU

A vulnerability research and exploit development class by Owen Redwood of Florida State University.

Be sure to check out the lectures!

Websites

Hack This Site!

Learn about application security by attempting to hack this website.

Enigma Group

Where hackers and security experts come to train.

Web App Sec Quiz

Self-assessment quiz for web application security

SecurePasswords.info

Secure passwords in several languages/frameworks.

Security News Feeds Cheat-Sheet

A list of security news sources.

Open Security Training

Video courses on low-level x86 programming, hacking, and forensics.

MicroCorruption

Capture The Flag - Learn Assembly and Embedded Device Security

The Matasano Crypto Challenges

A series of programming exercises for teaching oneself cryptography by Matasano Security. The introduction by Maciej Ceglowski explains it well.

PentesterLab

PentesterLab provides free Hands-On exercises and a bootcamp to get started.

Blogs

Crypto Fails

Showcasing bad cryptography

Chargen: The Matasano Blog

The blog of Matasano Security, part of NCC Group.

Wiki pages

OWASP Top Ten Project

The top ten most common and critical security vulnerabilities found in web applications.

PHP

Articles

It's All About Time (2014)

Released: November 28, 2014

A gentle introduction to timing attacks in PHP applications

Secure Authentication in PHP with Long-Term Persistence (2015)

Released: April 21, 2015

Discusses password policies, password storage, "remember me" cookies, and account recovery.

20 Point List For Preventing Cross-Site Scripting In PHP (2013)

Released: April 22, 2013

Padriac Brady's advice on building software that isn't vulnerable to XSS

25 PHP Security Best Practices For Sys Admins (2011)

Released: November 23, 2011

Though this article is a few years old, much of its advice is still relevant as we veer around the corner towards PHP 7.

PHP data encryption primer (2014)

Released: June 16, 2014

@timoh6 explains implementing data encryption in PHP

Preventing SQL Injection in PHP Applications - the Easy and Definitive Guide

TL;DR - don't escape, use prepared statements instead!

Books and ebooks

Securing PHP: Core Concepts

Securing PHP: Core Concepts acts as a guide to some of the most common security terms and provides some examples of them in every day PHP.

Useful libraries

defuse/php-encryption

Symmetric-key encryption library for PHP applications. (Recommended over rolling your own!)

ircmaxell/password_compat

If you're using PHP 5.3.7+ or 5.4, use this to hash passwords

ircmaxell/RandomLib

Useful for generating random strings or numbers

thephpleague/oauth2-server

A secure OAuth2 server implementation

Websites

websec.io

websec.io is dedicated to educating developers about security with topics relating to general security fundamentals, emerging technologies and PHP-specific information

Blogs

Paragon Initiative Enterprises Blog

The blog of our technology and security consulting firm based in Orlando, FL

ircmaxell's blog

A blog about PHP, Security, Performance and general web application development.

Pádraic Brady's Blog

Pádraic Brady is a Zend Framework security expert

Mailing lists

Securing PHP Weekly

A weekly newsletter about PHP, security, and the community.

Node.js

Training

Security Training by ^Lift Security

Learn from the team that spearheaded the Node Security Project