While OWASP has no doubt earned its place as the #1 AppSec resource, there are many other good sources of information across the web. I have collected these over the years, and they have been very helpful to me and to the people I have shared them with. I especially enjoy a blog that explains things simply and clearly while still being technically correct. Below is a list of my favourite such resources. I would be greatly appreciative of anyone who can reciprocate with their own list.
Blogs / General AppSec
- The Basics of Web Application Security – From Martin Fowler
- Reddit’s netsec – Blogs on security from many sources, many of them on AppSec
- A Few Thoughts on Cryptographic Engineering – Nobody explains crypto better than Matthew Green
- Security Training for Engineers – From PagerDuty
- Paragon Initiative Enterprises Blog
- Troy Hunt
- The Book of Secret Knowledge
Certificate Pinning
- Prevent bypassing of SSL certificate pinning in iOS applications – This is actually more about bypassing than preventing the bypass
- Four Ways to Bypass iOS SSL Verification and Certificate Pinning
- Four Ways to Bypass Android SSL Verification and Certificate Pinning
- How to bypass Android certificate pinning and intercept SSL traffic
Cookie Security
CORS
- Do you Really Know CORS? – The best description of CORS that I have seen
Cross Site Scripting
- DOM-based XSS – The 3 Sinks – Best explanation of how writing untrusted data to document.location can lead to XSS
Cryptography
- Crypto 101 – This is the most practical, down-to-earth crypto guide I have seen
- Secure Compatible Encryption Examples – Lots of people are having problems encrypting in one language and decrypting in another. Luke Joshua Park shows us how to do it
- Top 10 Developer Crypto Mistakes
- How to Generate Secure Random Numbers in Various Programming Languages
Deserialization
- What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability – Very insightful explanation to Java Deserialization vulnerabilities, how to identify them, and how to exploit them
DevSecOps
Http Security Headers
Input Validation
- Validating Input – This is old, but is a classic. For more recent guidance, see the Martin Fowler website blog on The Basics of Web Application Security (linked above)
JWTs
- JWT, JWS and JWE for Not So Dummies! – If you really want to understand JWTs, read and understand this
- Critical vulnerabilities in JSON Web Token libraries – The classic JWT vulnerabilities and how to exploit them
- Managing a Secure JSON Web Token Implementation
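As an added illustration of the "classic" JWT mistakes the links above cover (this is example code written for this page, not code from any of the linked articles or libraries), the verifier below pins the algorithm on the server side and only checks that the token's header agrees with it. That single decision defeats both the `alg: none` forgery and the RS256-to-HS256 key confusion attack, because the token is never allowed to choose how it is verified. The secret key and the claims are made up for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Demo-only secret; a real HS256 key should be at least 32 random bytes from a secrets manager.
DEMO_KEY = b"constructed-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding the JWT encoding strips; bad input raises binascii.Error (a ValueError).
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError.

    The algorithm is fixed by the verifier. The token's own header is only
    checked for agreement and is never used to select the verification method,
    so "alg":"none" and "alg":"RS256" (key confusion) are rejected up front.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise ValueError("malformed header")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % (header.get("alg") if isinstance(header, dict) else None))
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks timing information about the MAC.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if exp is not None and current >= exp:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, key: bytes, now: Optional[float] = None) -> bool:
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False


def forge_alg_none(new_claims: dict) -> str:
    """The classic attack: claim alg=none and send an empty signature segment."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(new_claims) + "."


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "role": "user", "exp": 2000000000}, DEMO_KEY)
    print("issued:", is_valid(token, DEMO_KEY))
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("alg=none forgery accepted:", is_valid(forged, DEMO_KEY))
```

A library that reads `alg` from the token and dispatches on it is exactly what the "Critical vulnerabilities" article describes; if your library takes an `algorithms=[...]` allow-list, always pass it.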
Logging
- Application Security Logging and Monitoring – The Next Frontier – Not only tells you what not to do, but also what to do
Mobile Security
- OWASP Mobile Security Test Guide – Extensive and thorough, really helps to understand mobile security
- Android WebView: Secure Coding Practices – Excellent guide on the dangers of Android WebViews and how to protect against various abuses
OAuth
- An Illustrated Guide to OAuth and OpenID Connect – Most people want to dive into the technical details of OAuth before they really understand its purpose. Slow down, read this, and you will have a better insight into this complex protocol
Passwords
- Our password hashing has no clothes – It’s amazing that so many websites still have no idea of the proper way to hash a password. This blog makes it crystal clear on what is wrong versus what is right
- How to Safely Store Your Users’ Passwords in 2016
- Passwords Evolved: Authentication Guidance for the Modern Era
- Hashes.org – Recovering passwords from leaked databases
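To make concrete what "wrong versus right" means in the password-hashing links above, here is an added example (written for this page, not taken from any of the linked posts) that puts the common mistake, an unsalted fast hash, next to a salted, memory-hard scrypt hash from Python's standard library. The work factor, salt length and record format are choices made for the demo; bcrypt or Argon2 via a maintained library are equally good picks in practice.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def naive_sha256(password: str) -> str:
    """What too many sites still do: a fast, unsalted hash.

    Identical passwords produce identical hashes (so a leaked table reveals
    every user who shares a password), and a GPU can test billions of SHA-256
    guesses per second against it.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Demo work factor (assumption): raise SCRYPT_N until one hash costs tens of
# milliseconds on your own servers. 2**14 with r=8 needs about 16 MiB of RAM.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DK_LEN, SALT_LEN = 32, 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash in a self-describing record.

    Storing the parameters with the hash lets you raise the work factor later
    and still verify old records. The salt parameter exists only so tests can
    be deterministic; production callers should let os.urandom choose it.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        _, scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=DK_LEN)
    except ValueError:  # malformed record, bad base64, or bad scrypt parameters
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # "hunter2" is a constructed sample password.
    print("sha256 of two identical passwords match:",
          naive_sha256("hunter2") == naive_sha256("hunter2"))
    record_a, record_b = hash_password("hunter2"), hash_password("hunter2")
    print("scrypt records differ (unique salt):", record_a != record_b)
    print("verify correct password:", verify_password("hunter2", record_a))
    print("verify wrong password:", verify_password("hunter3", record_a))
```

The salt is what makes two records for the same password differ, and the cost parameters are what turn the attacker's billions of guesses per second into a few thousand.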
PHP
Race Conditions
Server Side Request Forgery
- How To: Server-Side Request Forgery (SSRF)
- Abusing the AWS metadata service using SSRF vulnerabilities
- Server Side Request Forgery via Request Splitting
- Simple & Interactive SSRF Tutorial – Shows how Capital One security breach happened (or might have happened — given that the true anatomy of the attack has never been confirmed), including the hack and the code level vulnerabilities
SSL/TLS
- SSL/TLS for dummies part 1 : Ciphersuite, Hashing, Encryption
- SSL/TLS for dummies part 2 – Understanding key exchange algorithm
- SSL/TLS for dummies part 3 – Understanding Certificate Authority – This is the most important part of the series for truly understanding PKI
- SSL/TLS for dummies part 4 – Understanding the TLS Handshake Protocol
SQL Injection
- SQL Injection Attacks by Example
- Bobby Tables: A guide to preventing SQL injection – It’s a shame that the punch line of the comic ("sanitize your database inputs") is wrong, since the real fix is to use parameterised queries, but the resources in the left column show the proper way to code SQL queries for various languages – very useful for developers
- Beginner’s Guide to SQL Injection (Part 1)
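Since the Bobby Tables entry above makes the point that parameterised queries, not input sanitising, are the fix, here is an added example (written for this page; it is not code from the comic, bobby-tables.com or any of the linked articles) that runs a string-built lookup and a parameterised lookup side by side against a constructed in-memory SQLite table. The table, the user names and the payloads are all made up for the demo.

```python
import sqlite3
from typing import List

# Classic payloads. The first turns a lookup into "WHERE username = '' OR '1'='1'";
# the second is the name from the comic.
TAUTOLOGY = "' OR '1'='1"
BOBBY = "Robert'); DROP TABLE users;--"


def make_db() -> sqlite3.Connection:
    """Constructed sample data, not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    conn.commit()
    return conn


def vulnerable_find_user(conn: sqlite3.Connection, username: str) -> List[str]:
    """String-built query: the input is spliced into the SQL text, so the
    attacker's quote characters become part of the statement's grammar."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return sorted(row[0] for row in conn.execute(query))


def safe_find_user(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterised query: the driver sends the input as a bound value, so it
    can never alter the structure of the statement, whatever it contains."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)


def safe_add_user(conn: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    """Insert with bound parameters; even the comic's payload is stored as a plain name."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password_hash))
    conn.commit()
    return safe_find_user(conn, username)


def table_exists(conn: sqlite3.Connection) -> bool:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='users'")
    return rows.fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup with tautology:", vulnerable_find_user(conn, TAUTOLOGY))  # every user
    print("safe lookup with tautology:", safe_find_user(conn, TAUTOLOGY))              # nobody
    print("safe insert of Bobby Tables:", safe_add_user(conn, BOBBY, "hash-r"))
    print("users table still exists:", table_exists(conn))
    # A legitimate name with an apostrophe breaks the vulnerable query outright;
    # the parameterised one simply finds no match.
    print("safe lookup of O'Brien:", safe_find_user(conn, "O'Brien"))
```

Note that the tautology returns every row through the vulnerable function while the parameterised one returns none, and that the Bobby Tables name is stored and retrieved as an ordinary string: no escaping code of your own is involved, the placeholder does all the work.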