Some Useful AppSec Resources

While no doubt OWASP has earned the prestige of being the #1 AppSec resource, there are many other good information sources across the web that I have collected over the years that have been very helpful to me and to others whom I have shared with.  I especially enjoy a blog that explains things simply and clearly while at the same time being technically correct.  Below is a list of my favourite such resources.  I am greatly appreciative to those who can reciprocate with their own list.

Blogs / General AppSec

• The Basics of Web Application Security – From Martin Fowler
• Reddit’s netsec – Blogs on security from many sources, many of them on AppSec
• A Few Thoughts on Cryptographic Engineering – Nobody explains crypto better than Matthew Green
• Security Training for Engineers – From PagerDuty
• Paragon Initiative Enterprises Blog
• Troy Hunt
• The Book of Secret Knowledge

Certificate Pinning

• Prevent bypassing of SSL certificate pinning in iOS applications – This is actually more about bypassing than preventing the bypass
• Four Ways to Bypass iOS SSL Verification and Certificate Pinning
• Four Ways to Bypass Android SSL Verification and Certificate Pinning

• How to bypass Android certificate pinning and intercept SSL traffic

Cookie Security

• Cookies for dummies Part 3: Understanding security flags – Secure, HttpOnly and SameSite

CORS

• Do you Really Know CORS? – The best description of CORS that I have seen

Cross Site Scripting

• DOM-based XSS – The 3 Sinks – Best explanation of how writing untrusted data to document.location can lead to XSS

Cryptography

• Crypto 101 – This is the most practical, down-to-earth crypto guide I have seen
• Secure Compatible Encryption Examples – Lots of people are having problems encrypting in one language and decrypting in another. Luke Joshua Park shows us how to do it
• Top 10 Developer Crypto Mistakes

• How to Generate Secure Random Numbers in Various Programming Languages

Deserialization

• What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability – Very insightful explanation to Java Deserialization vulnerabilities, how to identify them, and how to exploit them

DevSecOps

• Awesome-devsecops

Http Security Headers

• HTTP Security Headers – A Complete Guide

Input Validation

• Validating Input – This is old, but is a classic.  For more recent guidance, see the Martin Fowler website blog on The Basics of Web Application Security (linked above)

JWTs

• JWT, JWS and JWE for Not So Dummies! – If you really want to understand JWTs, read and understand this
• Critical vulnerabilities in JSON Web Token libraries – The classic JWT vulnerabilities and how to exploit them
• Managing a Secure JSON Web Token Implementation

Logging

• Application Security Logging and Monitoring – The Next Frontier – Not only tells you what not to do, but also what to do

Mobile Security

• OWASP Mobile Security Test Guide – Extensive and thorough, really helps to understand mobile security
• Android WebView: Secure Coding Practices – Excellent guide on the dangers of Android WebViews and how to protect against various abuses

Oauth

• An Illustrated Guide to OAuth and OpenID Connect – Most people want to dive into the technical details of Oauth before they really understand its purpose. Slow down, read this, and then you will have a better insight to the complex protocol

Passwords

• Our password hashing has no clothes – It’s amazing that so many websites still have no idea of the proper way to hash a password.  This blog makes it crystal clear on what is wrong versus what is right
• How to Safely Store Your Users’ Passwords in 2016
• Passwords Evolved: Authentication Guidance for the Modern Era
• Hashes.org – Recovering passwords from leaked databases

PHP

• The 2018 Guide to Building Secure PHP Software

Race Conditions

• Exploiting and Protecting Against Race Conditions
• Hacking Starbucks for unlimited coffee

Server Side Request Forgery

• How To: Server-Side Request Forgery (SSRF)
• Abusing the AWS metadata service using SSRF vulnerabilities
• Server Side Request Forgery via Request Splitting
• Simple & Interactive SSRF Tutorial – Shows how Capital One security breach happened (or might have happened — given that the true anatomy of the attack has never been confirmed), including the hack and the code level vulnerabilities

SSL/TLS

• SSL/TLS for dummies part 1 : Ciphersuite, Hashing,Encryption
• SSL/TLS for dummies part 2 – Understanding key exchange algorithm
• SSL/TLS for dummies part 3 – Understanding Certificate Authority – This is the most important part of the series to truly understanding the PKI
• SSL/TLS for dummies part 4 – Understanding the TLS Handshake Protocol

SQL Injection

• SQL Injection Attacks by Example
• Bobby Tables: A guide to preventing SQL injection – It’s shame that the punch line of the comic is wrong, but the resources on the left column show the proper way to code SQL queries for various languages – very useful for developers
• Beginner’s Guide to SQL Injection (Part 1)