Security Resources

A lot of people ask us “where to get started” with security. Here are some suggestions, broken down into some rough categories.

Resource sites for web application security:

OWASP (Open Web Application Security Project)

WASC (Web Application Security Consortium)

WASC Web Security Mailing List

SANS Software Security Institute

Web Application security personality blogs:

RSnake’s Hackers dot org blog

Jeremiah Grossman’s blog (CEO of White Hat Security)

PDP’s blog

Other security personality blogs:

Bruce Schneier’s Blog

Brian Krebs’ Security Fix column for the Washington Post

Jesper Johansson, former Microsoft security guru, now a senior security staffer at Amazon

Martin Roesch — local DC Area security guru, author of “Snort” software package and founder of Sourcefire Inc.

Richard Bejtlich — local DC Area security guru

Security news aggregation sites:

Security Focus

First dot Org’s Newsroom

Dark Reading

Alert sites:

SANS Internet Storm Center

Microsoft Technet Security

Apple Security Updates

Secunia

Security company blogs:

Microsoft Security Response Center Blog

The F-Secure Blog

Matasano’s blog

Sunbelt Software Blog

Mailing lists and newsletters:

SANS newsletters

Bruce Schneier’s Crypto-Gram newsletter

Security Focus Newsletters and Bugtraq (one of the “original” security mailing lists)

The “Full Disclosure” mailing list — sponsored by Secunia, not for the faint of heart. Archived here.

WASC’s Web Security mailing list

Some Books on Web Application Security:

How to Break Web Software – a good introductory volume

Web Applications Hacking Exposed – goes deeper, and is more technical in scope

XSS Exploits – a book highly specialized in XSS, showing what some of the experts in the field are doing and how deep XSS goes

The Web Application Hacker’s Handbook – just released, probably the most comprehensive “in one volume” book on Web Application Security

Information Security Books by some of my heroes (Doug’s list):

Counter Hack Reloaded – Ed Skoudis with Tom Liston

Malware: Fighting Malicious Code – Ed Skoudis with Lenny Zeltser

Secrets & Lies – Bruce Schneier

Beyond Fear – Bruce Schneier

Art of Deception – Kevin Mitnick and William L. Simon

Art of Intrusion – Kevin Mitnick and William L. Simon (foreword by Steve Wozniak)

Kevin Liston’s Holiday/Family Incident Response Post

2 Responses to “Security Resources”

  1. Lee says:

    Superb presentation and very insightful. Actually I’m attempting your hacks in this reply. Big thanks and hope to see you two present the entire top ten some time.

  2. [...] The OWASP DC Wiki Page The OWASP DC Mailing List The presentation Mark was showing slides from Some other resources you may wish to peruse [...]
