May 1, 2019

Some useful application security resources


People regularly ask me how to get into application security. That's why I thought it would be a good idea to write down an overview of resources to which I can refer interested people in the future.

How I rolled into Appsec

I have a development background. I started with developing desktop applications, in C++ early in my professional career, then made the switch to C# development (WinForms and WPF applications) and later to web development (ASP.NET MVC, ASP.NET Web API, …).

With the shift to web applications the need for security increased, and it was one of the things that really interested me. But the real trigger to make the switch to application security was the Hack Yourself First workshop from Troy Hunt that I followed several years ago. Not only the content of the course but also the knowledge and passion of Troy really inspired me. From then on it has been Appsec all the way :)

Resources

If you’re active in the application security domain, I really advise you not to limit yourself to reading and learning about Appsec. I know Information Security is very broad, but at least try to have a good overview of what’s going on in other domains, certainly the ones that touch Appsec.

That said, here are some things that work for me:

  • Twitter is often my starting point (follow me there), because it’s the medium where, in my opinion, most Infosec people are sharing a lot of knowledge, best practices and resources. Don’t limit yourself to following Infosec people only; it will narrow your view. Follow people that help you become better at AppSec. As an example, consider following some UX experts and learn what good user experience is about. The next time you have to take security measures you can do so with usability best practices in the back of your mind. I recently also created a Mastodon account. I’m not very active on it yet, but it seems promising. It’s a free, open source, decentralized micro-blogging network, comparable with Twitter but without all the ads and more privacy friendly in general. Check it out!
  • Read security news. This often starts with clicking links on Twitter. But I also have several online security news sites I look at in the morning and at night, and I read what interests me.
  • Read blogs. Blogs are a great way to learn. While there certainly are news articles that give good insights, blogs are usually more detailed. See appendix A for blogs that I often read. I plan to update the appendices with resources regularly.
  • Write blogs: It doesn’t matter in which stage of your career you are. When you have researched or implemented something, or just have particular insights about a certain topic, write about it. By doing so, you’ll notice that you give more thought to the topic you’re covering, because you want to get your facts right. You’ll also expose yourself to feedback; people will tell you when you got something wrong. In my experience, most people are constructive and their comments have helped me to improve. So there is no need to fear. The first click on the ‘publish’ button is the hardest; afterwards it becomes natural.
    I still have some blogs on Medium (not yet migrated to my website), and you can find some articles on Peerlyst as well.
  • Chime in on posts from other people, not to show others “how good” you are at something, but to give honest and constructive feedback. Again, by doing so you’ll get discussions and feedback you otherwise wouldn’t get.
  • Go to conferences, user groups, events, … Not only beneficial for the technical knowledge, but certainly to get in touch with people in the same (and possibly other) domain(s). They can give you very valuable insights and often face the same challenges as you. Keep in mind that strong connections bring you a lot further in your career. If you don’t have enough money for the bigger conferences, local events like BSides conferences or OWASP meetups are ideal because they’re inexpensive (or even free). See appendix E.
  • Watch conference talks online. On the sites of security conferences or on YouTube you find heaps of good conference videos. See appendix F.
  • Watch screencasts and online training. See appendix B.
  • Exercise: To be a good defender you must know the weaknesses that can exist in applications and how to exploit them. There are sites specially developed for this. One I regularly use is Hack Yourself First, but there are many others (see appendix C).
  • Listen to podcasts (see appendix D).
  • Join online communities like Peerlyst, The Many Hats Club or the OWASP Slack channel.

Appendix A: List of blogs

Troy Hunt: https://www.troyhunt.com

Graham Cluley: https://www.grahamcluley.com/

Tanya Janca: https://medium.com/@shehackspurple. Certainly check her post about Appsec resources.

Scott Helme: https://scotthelme.co.uk/

Sean Wright: https://blog.sean-wright.com/

Mike Thompson: https://appsecbloke.com/

Kevin Beaumont: https://doublepulsar.com/ and https://medium.com/@GossiTheDog

Lesley Carhart: https://tisiphone.net/

Bruce Schneier: https://www.schneier.com/

Robert Baptiste aka Elliot Alderson: https://medium.com/@fs0c131y

Bram Patelski: https://github.com/brampat/security

Francesco Cipollone: https://medium.com/@FrankSEC42

Audrey Bentley: https://www.bentleybiosec.com/

Daniel Miessler: https://danielmiessler.com (also subscribe to his free newsletter “Unsupervised Learning”; it’s really good)

Michal Spacek: https://www.michalspacek.com/

Xavier Mertens: https://blog.rootshell.be/

Troy Mursch: https://badpackets.net/

Chad Calease: https://chad.ch

Andy Gill: https://blog.zsec.uk/

Gary Williams: https://www.gdwnet.com/

Kim Crawley: writes for different Infosec-related sites. https://twitter.com/kim_crawley

Random Robbie: https://medium.com/@Random_Robbie

The AntiSocial Engineer: https://theantisocialengineer.com/blog/

Infosec Sherpa: https://medium.com/@InfoSecSherpa

Lisa Forte: https://red-goat.com/news/

F-Secure blog: https://blog.f-secure.com/

Cloudflare: https://blog.cloudflare.com

Also read resources from trusted organizations like OWASP, NIST and NCSC UK.

Appendix B: Online training

Pluralsight: www.pluralsight.com. Note: if you have an MSDN subscription you might be eligible for some free months of Pluralsight access. Check it here.

YouTube: contains a lot of good Appsec training material.

Philippe De Ryck’s site: you can find a lot of really good training material there. He regularly adds slides from the web application security training he gives and videos of his talks.

Appendix C: Train your hacking skills

Hack Yourself First

Here you can find an overview of sites where you can legally practice your hacking skills.

Appendix D: Podcasts

Smashing Security Podcast by Graham Cluley and Carole Theriault

Weekly update by Troy Hunt (available both as a podcast and as video)

SANS Daily Stormcast: daily overview of Infosec news, max 10 minutes

Risky Business by Patrick Gray

Reply All Podcast by PJ Vogt and Alex Goldman

Defensive Security Podcast by Jerry Bell

Darknet Diaries by Jack Rhysider

The Many Hats Club Podcast

The Human Factor Podcast by Jenny Radcliffe

Purple Squad Security by John Svazic

Appendix E: Conferences

SecAppdev: Review 2019

Hack In The Box: Review 2018 day 1 and day 2

Appendix F: Conference videos

https://administraitor.video/ by Ministraitor

https://www.irongeek.com/ by Irongeek