# Resources for learning about application security

[![Awesome](https://4.bp.blogspot.com/-F0eugSId8HA/WHtcvsZw6_I/AAAAAAAABzc/rz_9AZdIVFUKmIvC7yHaSRi1KzqdrKvXACLcB/s1600/Application-Security.png)](http://www.kalitut.com)

A curated list of resources for learning about application security. Contains books,
websites, blog posts, and self-assessment quizzes.

If you are an absolute beginner to the topic of software security, you may benefit
from reading
[A Gentle Introduction to Application Security](https://paragonie.com/blog/2015/08/gentle-introduction-application-security).

# Application Security Learning Resources

* [General](#general)
  * [Articles](#articles)
    * [How to Safely Generate a Random Number](#how-to-safely-generate-a-random-number-2014) (2014)
    * [Salted Password Hashing - Doing it Right](#salted-password-hashing-doing-it-right-2014) (2014)
    * [A good idea with bad usage: /dev/urandom](#a-good-idea-with-bad-usage-devurandom-2014) (2014)
    * [Why Invest in Application Security?](#why-invest-in-application-security-2015) (2015)
    * [Be wary of one-time pads and other crypto unicorns](#be-wary-of-one-time-pads-and-other-crypto-unicorns-2015) (2015)
  * [Books](#books)
    * [Web Application Hacker's Handbook](#-web-application-hackers-handbook-2011) (2011)
    * [Cryptography Engineering](#-cryptography-engineering-2010) (2010)
    * [Gray Hat Python: Programming for Hackers and Reverse Engineers](#-gray-hat-python-programming-for-hackers-and-reverse-engineers-2009) (2009)
    * [The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities](#-the-art-of-software-security-assessment-identifying-and-preventing-software-vulnerabilities-2006) (2006)
    * [C Interfaces and Implementations: Techniques for Creating Reusable Software](#-c-interfaces-and-implementations-techniques-for-creating-reusable-software-1996) (1996)
    * [Reversing: Secrets of Reverse Engineering](#-reversing-secrets-of-reverse-engineering-2005) (2005)
    * [JavaScript: The Good Parts](#-javascript-the-good-parts-2008) (2008)
    * [Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition](#-windows-internals-including-windows-server-2008-and-windows-vista-fifth-edition-2007) (2007)
    * [The Mac Hacker's Handbook](#-the-mac-hackers-handbook-2009) (2009)
    * [The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler](#-the-ida-pro-book-the-unofficial-guide-to-the-worlds-most-popular-disassembler-2008) (2008)
    * [Internetworking with TCP/IP Vol. II: ANSI C Version: Design, Implementation, and Internals (3rd Edition)](#-internetworking-with-tcpip-vol-ii-ansi-c-version-design-implementation-and-internals-3rd-edition-1998) (1998)
    * [Network Algorithmics: An Interdisciplinary Approach to Designing Fast Networked Devices](#-network-algorithmics-an-interdisciplinary-approach-to-designing-fast-networked-devices-2004) (2004)
    * [Computation Structures (MIT Electrical Engineering and Computer Science)](#-computation-structures-mit-electrical-engineering-and-computer-science-1989) (1989)
    * [Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection](#-surreptitious-software-obfuscation-watermarking-and-tamperproofing-for-software-protection-2009) (2009)
    * [Secure Programming HOWTO](#secure-programming-howto-2015) (2015)
    * [Security Engineering - Second Edition](#security-engineering-second-edition-2008) (2008)
    * [Bulletproof SSL and TLS](#-bulletproof-ssl-and-tls-2014) (2014)
  * [Classes](#classes)
    * [Offensive Computer Security (CIS 4930) FSU](#offensive-computer-security-cis-4930-fsu)
    * [Hack Night](#hack-night)
  * [Websites](#websites)
    * [Hack This Site!](#hack-this-site)
    * [Enigma Group](#enigma-group)
    * [Web App Sec Quiz](#web-app-sec-quiz)
    * [SecurePasswords.info](#securepasswords-info)
    * [Security News Feeds Cheat-Sheet](#security-news-feeds-cheat-sheet)
    * [Open Security Training](#open-security-training)
    * [MicroCorruption](#microcorruption)
    * [The Matasano Crypto Challenges](#the-matasano-crypto-challenges)
    * [PentesterLab](#pentesterlab)
    * [Juice Shop](#juice-shop)
    * [Supercar Showdown](#supercar-showdown)
    * [Blogs](#blogs)
      * [Crypto Fails](#crypto-fails)
      * [NCC Group - Blog](#ncc-group-blog)
      * [Scott Helme](#scott-helme)
    * [Wiki pages](#wiki-pages)
      * [OWASP Top Ten Project](#owasp-top-ten-project)
    * [Tools](#tools)
      * [Qualys SSL Labs](#qualys-ssl-labs)
      * [securityheaders.io](#securityheaders-io)
      * [report-uri.io](#report-uri-io)
* [Android](#android)
  * [Books and ebooks](#books-and-ebooks)
    * [SEI CERT Android Secure Coding Standard](#sei-cert-android-secure-coding-standard-2015) (2015)
* [C](#c)
  * [Books and ebooks](#books-and-ebooks-1)
    * [SEI CERT C Coding Standard](#sei-cert-c-coding-standard-2006) (2006)
    * [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](#defensive-coding-a-guide-to-improving-software-security-by-the-fedora-security-team-2016) (2016)
* [C++](#c-1)
  * [Books and ebooks](#books-and-ebooks-2)
    * [SEI CERT C++ Coding Standard](#sei-cert-c-coding-standard-2006-1) (2006)
* [C Sharp](#c-sharp)
  * [Books and ebooks](#books-and-ebooks-3)
    * [Security Driven .NET](#-security-driven-net-2015) (2015)
* [Java](#java)
  * [Books and ebooks](#books-and-ebooks-4)
    * [SEI CERT Java Coding Standard](#sei-cert-java-coding-standard-2007) (2007)
    * [Secure Coding Guidelines for Java SE](#secure-coding-guidelines-for-java-se-2014) (2014)
* [Node.js](#node-js)
  * [Articles](#articles-1)
    * [Node.js Security Checklist - Rising Stack Blog](#node-js-security-checklist-rising-stack-blog-2015) (2015)
  * [Training](#training)
    * [Security Training by ^Lift Security](#-security-training-by-lift-security)
* [PHP](#php)
  * [Articles](#articles-2)
    * [It's All About Time](#its-all-about-time-2014) (2014)
    * [Secure Authentication in PHP with Long-Term Persistence](#secure-authentication-in-php-with-long-term-persistence-2015) (2015)
    * [20 Point List For Preventing Cross-Site Scripting In PHP](#20-point-list-for-preventing-cross-site-scripting-in-php-2013) (2013)
    * [25 PHP Security Best Practices For Sys Admins](#25-php-security-best-practices-for-sys-admins-2011) (2011)
    * [PHP data encryption primer](#php-data-encryption-primer-2014) (2014)
    * [Preventing SQL Injection in PHP Applications - the Easy and Definitive Guide](#preventing-sql-injection-in-php-applications-the-easy-and-definitive-guide-2014) (2014)
    * [You Wouldn't Base64 a Password - Cryptography Decoded](#you-wouldnt-base64-a-password-cryptography-decoded-2015) (2015)
    * [A Guide to Secure Data Encryption in PHP Applications](#a-guide-to-secure-data-encryption-in-php-applications-2015) (2015)
  * [Books and ebooks](#books-and-ebooks-5)
    * [Securing PHP: Core Concepts](#-securing-php-core-concepts)
    * [Using Libsodium in PHP Projects](#using-libsodium-in-php-projects)
  * [Useful libraries](#useful-libraries)
    * [defuse/php-encryption](#defusephp-encryption)
    * [ircmaxell/password_compat](#ircmaxellpassword-compat)
    * [ircmaxell/RandomLib](#ircmaxellrandomlib)
    * [thephpleague/oauth2-server](#thephpleagueoauth2-server)
    * [paragonie/random_compat](#paragonierandom-compat)
    * [psecio/gatekeeper](#pseciogatekeeper)
    * [openwall/phpass](#openwallphpass)
  * [Websites](#websites-1)
    * [websec.io](#websec-io)
    * [Blogs](#blogs-1)
      * [Paragon Initiative Enterprises Blog](#paragon-initiative-enterprises-blog)
      * [ircmaxell's blog](#ircmaxells-blog)
      * [Pádraic Brady's Blog](#p%C3%A1draic-bradys-blog)
    * [Mailing lists](#mailing-lists)
      * [Securing PHP Weekly](#securing-php-weekly)
* [Perl](#perl)
  * [Books and ebooks](#books-and-ebooks-6)
    * [SEI CERT Perl Coding Standard](#sei-cert-perl-coding-standard-2011) (2011)
* [Python](#python)
  * [Books and ebooks](#books-and-ebooks-7)
    * [Python chapter of Fedora Defensive Coding Guide](#python-chapter-of-fedora-defensive-coding-guide)
    * [Violent Python](#-violent-python)
  * [Websites](#websites-2)
    * [OWASP Python Security Wiki](#owasp-python-security-wiki-2014) (2014)
* [Ruby](#ruby)
  * [Books and ebooks](#books-and-ebooks-8)
    * [Secure Ruby Development Guide](#secure-ruby-development-guide-2014) (2014)

# General

## Articles

### [How to Safely Generate a Random Number](http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/) (2014)

**Released**: February 25, 2014

Advice on cryptographically secure pseudo-random number generators.

### [Salted Password Hashing - Doing it Right](https://crackstation.net/hashing-security.htm) (2014)

**Released**: August 6, 2014

A post on [Crackstation](https://crackstation.net), a project by [Defuse Security](https://defuse.ca).

### [A good idea with bad usage: /dev/urandom](http://insanecoding.blogspot.co.uk/2014/05/a-good-idea-with-bad-usage-devurandom.html) (2014)

**Released**: May 3, 2014

Mentions many ways to make `/dev/urandom` fail on Linux/BSD.

### [Why Invest in Application Security?](https://paragonie.com/white-paper/2015-why-invest-application-security) (2015)

**Released**: June 21, 2015

Running a business requires being cost-conscious and minimizing unnecessary spending. The benefits of ensuring the security of your application are invisible to most companies, so they often neglect to invest in secure software development as a cost-saving measure. What these companies don't realize is the potential cost (both financial and to brand reputation) a preventable data compromise can incur.

**The average data breach costs millions of dollars in damage.**

Investing more time and personnel to develop secure software is, for most companies, worth it to minimize this unnecessary risk to their bottom line.

### [Be wary of one-time pads and other crypto unicorns](https://freedom-to-tinker.com/blog/jbonneau/be-wary-of-one-time-pads-and-other-crypto-unicorns/) (2015)

**Released**: March 25, 2015

A **must-read** for anyone looking to build their own cryptography features.

## Books

Most links below lead to Amazon.com.

### [Web Application Hacker's Handbook](http://amzn.to/2jM2BvG) (2011)

**Released**: September 27, 2011

Great introduction to web application security, though slightly dated.

### [Cryptography Engineering](http://amzn.to/2jLVZ0m) (2010)

**Released**: March 15, 2010

Develops a sense of professional paranoia while presenting crypto design techniques.

### [Gray Hat Python: Programming for Hackers and Reverse Engineers](http://amzn.to/2jkIA2M) (2009)

**Released**: May 3, 2009

### [The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities](http://amzn.to/2jkMp8j) (2006)

**Released**: November 30, 2006

### [C Interfaces and Implementations: Techniques for Creating Reusable Software](http://amzn.to/2jmK4Jy) (1996)

**Released**: August 30, 1996

### [Reversing: Secrets of Reverse Engineering](http://amzn.to/2jM5lJB) (2005)

**Released**: April 15, 2005

### [JavaScript: The Good Parts](http://amzn.to/2iqbkra) (2008)

**Released**: May 1, 2008

### [Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition](http://amzn.to/2itUJy7) (2007)

**Released**: June 17, 2007

### [The Mac Hacker's Handbook](http://amzn.to/2jmPqVg) (2009)

**Released**: March 3, 2009

### [The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler](http://amzn.to/2jmMWGv) (2008)

**Released**: August 22, 2008

### [Internetworking with TCP/IP Vol. II: ANSI C Version: Design, Implementation, and Internals (3rd Edition)](http://amzn.to/2jSAuPv) (1998)

**Released**: June 25, 1998

### [Network Algorithmics: An Interdisciplinary Approach to Designing Fast Networked Devices](http://amzn.to/2jLXEmS) (2004)

**Released**: December 29, 2004

### [Computation Structures (MIT Electrical Engineering and Computer Science)](http://amzn.to/2iqaTgs) (1989)

**Released**: December 13, 1989

### [Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection](http://amzn.to/2iyZ3PP) (2009)

**Released**: August 3, 2009

### [Secure Programming HOWTO](http://www.dwheeler.com/secure-programs/) (2015)

**Released**: March 1, 2015

### [Security Engineering - Second Edition](http://amzn.to/2jM2twp) (2008)

**Released**: April 14, 2008

### [Bulletproof SSL and TLS](http://amzn.to/2jLW5VY) (2014)

**Released**: August 1, 2014

## Classes

### [Offensive Computer Security (CIS 4930) FSU](https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/)

A vulnerability research and exploit development class by Owen Redwood of Florida State University.

**Be sure to check out the [lectures](https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html)!**

### [Hack Night](https://github.com/isislab/Hack-Night)

Developed from the materials of NYU Poly's old Penetration Testing and Vulnerability Analysis course, Hack Night is a sobering introduction to offensive security. A lot of complex technical content is covered very quickly as students are introduced to a wide variety of complex and immersive topics over thirteen weeks.

## Websites

### [Hack This Site!](http://www.hackthissite.org)

Learn about application security by attempting to hack this website.

### [Enigma Group](http://www.enigmagroup.org)

Where hackers and security experts come to train.

### [Web App Sec Quiz](https://timoh6.github.io/WebAppSecQuiz/)

Self-assessment quiz for web application security.

### [SecurePasswords.info](https://securepasswords.info)

Secure passwords in several languages/frameworks.

### [Security News Feeds Cheat-Sheet](http://lzone.de/cheat-sheet/Security-News-Feeds)

A list of security news sources.

### [Open Security Training](http://opensecuritytraining.info/)

Video courses on low-level x86 programming, hacking, and forensics.

### [MicroCorruption](https://microcorruption.com/login)

Capture The Flag - Learn Assembly and Embedded Device Security.

### [The Matasano Crypto Challenges](http://cryptopals.com)

A series of programming exercises for teaching oneself cryptography by [Matasano Security](http://matasano.com). [The introduction](https://blog.pinboard.in/2013/04/the_matasano_crypto_challenges) by Maciej Ceglowski explains it well.

### [PentesterLab](https://pentesterlab.com)

PentesterLab provides [free hands-on exercises](https://pentesterlab.com/exercises/) and a [bootcamp](https://pentesterlab.com/bootcamp/) to get started.

### [Juice Shop](https://bkimminich.github.io/juice-shop)

An intentionally insecure JavaScript web application.

### [Supercar Showdown](http://hackyourselffirst.troyhunt.com/)

How to go on the offence before online attackers do.

### Blogs

#### [Crypto Fails](http://cryptofails.com)

Showcasing bad cryptography.

#### [NCC Group - Blog](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/)

The blog of NCC Group, formerly Matasano, iSEC Partners, and NGS Secure.

#### [Scott Helme](https://scotthelme.co.uk)

Learn about security and performance.

### Wiki pages

#### [OWASP Top Ten Project](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)

The top ten most common and critical security vulnerabilities found in web applications.

### Tools

#### [Qualys SSL Labs](https://www.ssllabs.com/)

The infamous suite of SSL and TLS tools.

#### [securityheaders.io](https://securityheaders.io/)

Quickly and easily assess the security of your HTTP response headers.

#### [report-uri.io](https://report-uri.io)

A free CSP and HPKP reporting service.

# Android

## Books and ebooks

### [SEI CERT Android Secure Coding Standard](https://www.securecoding.cert.org/confluence/display/android/Android+Secure+Coding+Standard) (2015)

**Released**: February 24, 2015

A community-maintained wiki detailing secure coding standards for Android development.

# C

## Books and ebooks

### [SEI CERT C Coding Standard](https://www.securecoding.cert.org/confluence/display/c/SEI+CERT+C+Coding+Standard) (2006)

**Released**: May 24, 2006

A community-maintained wiki detailing secure coding standards for C programming.

### [The CERT® C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems (2nd Edition) (SEI Series in Software Engineering)](http://amzn.to/2jFJvbM) (2016)

### [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html) (2016)

**Released**: September 28, 2016

Provides guidelines for improving software security through secure coding. Covers common programming languages and libraries, and focuses on concrete recommendations.

# C++

## Books and ebooks

### [SEI CERT C++ Coding Standard](https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637) (2006)

**Released**: July 18, 2006

A community-maintained wiki detailing secure coding standards for C++ programming.

The link below leads to Amazon.com.

### [Secure Coding in C and C++ (2nd Edition) (SEI Series in Software Engineering)](http://amzn.to/2kfIx51) (April 12, 2013)

# C Sharp

## Books and ebooks

### [Security Driven .NET](http://securitydriven.net/) (2015)

**Released**: July 14, 2015

An introduction to developing secure applications targeting version 4.5 of the .NET Framework, specifically covering cryptography and security engineering topics.

# Java

## Books and ebooks

### [SEI CERT Java Coding Standard](https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java) (2007)

**Released**: January 12, 2007

A community-maintained wiki detailing secure coding standards for Java programming.

### [Secure Coding Guidelines for Java SE](http://www.oracle.com/technetwork/java/seccodeguide-139067.html) (2014)

**Released**: April 2, 2014

Secure Java programming guidelines straight from Oracle.

The links below lead to Amazon.com.

### [The CERT Oracle Secure Coding Standard for Java (SEI Series in Software Engineering)](http://amzn.to/2jNvFpX) (2011)

### [Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (SEI Series in Software Engineering)](http://amzn.to/2j1JbCg) (2013)

# Node.js

## Books

The link below leads to Amazon.com.

### [Secure Your Node.js Web Application: Keep Attackers Out and Users Happy](http://amzn.to/2khbt0V) (2016)

## Articles

### [Node.js Security Checklist - Rising Stack Blog](https://blog.risingstack.com/node-js-security-checklist/) (2015)

**Released**: October 13, 2015

Covers a lot of useful information for developing secure Node.js applications.

## Training

### [Security Training by ^Lift Security](https://liftsecurity.io/training)

Learn from the team that spearheaded the [Node Security Project](https://nodesecurity.io).

# PHP

## Articles

### [It's All About Time](http://blog.ircmaxell.com/2014/11/its-all-about-time.html) (2014)

**Released**: November 28, 2014

A gentle introduction to timing attacks in PHP applications.

### [Secure Authentication in PHP with Long-Term Persistence](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence) (2015)

**Released**: April 21, 2015

Discusses password policies, password storage, "remember me" cookies, and account recovery.

### [20 Point List For Preventing Cross-Site Scripting In PHP](http://blog.astrumfutura.com/2013/04/20-point-list-for-preventing-cross-site-scripting-in-php) (2013)

**Released**: April 22, 2013

Pádraic Brady's advice on building software that isn't vulnerable to XSS.

### [25 PHP Security Best Practices For Sys Admins](http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html) (2011)

**Released**: November 23, 2011

Though this article is a few years old, much of its advice is still relevant as we veer around the corner towards PHP 7.

### [PHP data encryption primer](https://timoh6.github.io/2014/06/16/PHP-data-encryption-cheatsheet.html) (2014)

**Released**: June 16, 2014

@timoh6 explains implementing data encryption in PHP.

### [Preventing SQL Injection in PHP Applications - the Easy and Definitive Guide](https://paragonie.com/blog/2015/05/preventing-sql-injection-in-php-applications-easy-and-definitive-guide) (2014)

**Released**: May 26, 2014

**TL;DR** - don't escape, use prepared statements instead!

### [You Wouldn't Base64 a Password - Cryptography Decoded](https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded) (2015)

**Released**: August 7, 2015

A human-readable overview of commonly misused cryptography terms and fundamental concepts, with example code in PHP.

If you're confused about cryptography terms, start here.

### [A Guide to Secure Data Encryption in PHP Applications](https://paragonie.com/white-paper/2015-secure-php-data-encryption) (2015)

**Released**: August 2, 2015

Discusses the importance of end-to-end network-layer encryption (HTTPS) as well as secure encryption for data at rest, then introduces the specific cryptography tools that developers should use for specific use cases, whether they use [libsodium](https://pecl.php.net/package/libsodium), [Defuse Security's secure PHP encryption library](https://github.com/defuse/php-encryption), or OpenSSL.

## Books and ebooks

### [Securing PHP: Core Concepts](https://leanpub.com/securingphp-coreconcepts)

*Securing PHP: Core Concepts* acts as a guide to some of the most common security terms and provides some examples of them in everyday PHP.

### [Using Libsodium in PHP Projects](https://paragonie.com/book/pecl-libsodium)

You shouldn't need a Ph.D. in Applied Cryptography to build a secure web application. Enter libsodium, which allows developers to develop fast, secure, and reliable applications without needing to know what a stream cipher even is.

The link below leads to Amazon.com.

### [Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses](http://amzn.to/2j1Tnuq) (December 8, 2010)

## Useful libraries

### [defuse/php-encryption](https://github.com/defuse/php-encryption)

Symmetric-key encryption library for PHP applications. (**Recommended** over rolling your own!)

### [ircmaxell/password_compat](https://github.com/ircmaxell/password_compat)

If you're using PHP 5.3.7+ or 5.4, use this to hash passwords.

### [ircmaxell/RandomLib](https://github.com/ircmaxell/RandomLib)

Useful for generating random strings or numbers.

### [thephpleague/oauth2-server](https://github.com/thephpleague/oauth2-server)

A secure OAuth2 server implementation.

### [paragonie/random_compat](https://github.com/paragonie/random_compat)

PHP 7 offers a new set of CSPRNG functions: `random_bytes()` and `random_int()`. This is a community effort to expose the same API in PHP 5 projects (forward compatibility layer). Permissively MIT licensed.

### [psecio/gatekeeper](https://github.com/psecio/gatekeeper)

A secure authentication and authorization library that implements Role-Based Access Controls and Paragon Initiative Enterprises' recommendations for [secure "remember me" checkboxes](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2).

### [openwall/phpass](http://www.openwall.com/phpass/)

A portable public domain password hashing framework for use in PHP applications.

## Websites

### [websec.io](http://websec.io)

**websec.io** is dedicated to educating developers about security, with topics relating to general security fundamentals, emerging technologies and PHP-specific information.

### Blogs

#### [Paragon Initiative Enterprises Blog](https://paragonie.com/blog/)

The blog of our technology and security consulting firm based in Orlando, FL.

#### [ircmaxell's blog](http://blog.ircmaxell.com)

A blog about PHP, security, performance and general web application development.

#### [Pádraic Brady's Blog](http://blog.astrumfutura.com)

Pádraic Brady is a Zend Framework security expert.

### Mailing lists

#### [Securing PHP Weekly](http://securingphp.com)

A weekly newsletter about PHP, security, and the community.

# Perl

## Books and ebooks

### [SEI CERT Perl Coding Standard](https://www.securecoding.cert.org/confluence/display/perl/SEI+CERT+Perl+Coding+Standard) (2011)

**Released**: January 10, 2011

A community-maintained wiki detailing secure coding standards for Perl programming.

# Python

## Books and ebooks

### [Python chapter of Fedora Defensive Coding Guide](https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/chap-Defensive_Coding-Python.html)

Lists standard library features that should be avoided, and references sections of other chapters that are Python-specific.

### [Violent Python](http://amzn.to/2jFURg0) (Amazon link)

Violent Python shows you how to move from a theoretical understanding of offensive computing concepts to a practical implementation.

## Websites

### [OWASP Python Security Wiki](https://github.com/ebranca/owasp-pysec/wiki) (2014)

**Released**: June 21, 2014

A wiki maintained by the OWASP Python Security project.

# Ruby

## Books and ebooks

### [Secure Ruby Development Guide](https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Secure_Ruby_Development_Guide/index.html) (2014)

**Released**: March 10, 2014

A guide to secure Ruby development by the Fedora Security Team. Also available on [GitHub](https://github.com/jrusnack/secure-ruby-development-guide).

Please have a look at:

* [Top Hacking Books](http://www.kalitut.com/2016/12/best-ethical-hacking-books.html)
* [Top Reverse Engineering Books](http://www.kalitut.com/2017/01/Best-reverse-engineering-books.html)
* [Top Machine Learning Books](http://www.kalitut.com/2017/01/machine-learning-book.html)
* [Top 5 Programming Books](http://www.kalitut.com/2017/01/Top-Programming-Books.html)
* [Top Java Books](http://www.kalitut.com/2017/01/Best-Java-Programming-Books.html)

Credits to [paragonie-scott](https://github.com/paragonie/awesome-appsec)