Security

Diving deeper into all things security, I have found the following resources to be valuable.

• InfoSec
• ProdSec
• AppSec
• Security Champions
• Usable Security
• Threat Modeling
• Mobile
• Exploits
• Personal Security
• Practice
• Vulnerable Apps
• Labs
• Communities
• Newsletters

InfoSec

• We Hack Purple Podcast Episode 78 with Jason Haddix
• Red vs Blue – A write-up of our SkillSec workshop
• So You Want To Be a Pentester? (Updated 2023) by Jack Halon
• So, You Want to CTF? (A Beginner’s Guide to CTFing) by Jaime Lightfoot
• Shooting the messenger. A story about vulnerability disclosure by Jahmel Harris
• Giggle; laughable security
• OWASP Cheat Sheet Series
• All you need to know about user session security
• When is a vulnerability not a vulnerability? by Tanya Janca
• The Effectiveness of Publicly Shaming Bad Security by Troy Hunt
• Getting Into Information Security by Mike Sass
• Book Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career by Jessica Barker
  
• OT Threat Hunting: More Critical Than Ever by Lesley Carhart
• Security Zines
• all InfoSec news - Your InfoSec news aggregator 
  

ProdSec

• What’s the difference between Product Security and Application Security? by Tanya Janca
• How CISOs can shift from application security to product security by Ericka Chickowski
• The Security Table: AppSec vs. ProdSec
• The Application Security Podcast: Jay Bobo & Darylynn Ross - App Sec Is Dead. Product Security Is the Future. 

 

AppSec

• Book "Alice and Bob Learn Application Security" by Tanya Janca
• The OWASP Application Security Program Quick Start Guide
• Continuous Learning by Tanya Janca
• Three layers to secure a software development organization
• Behavior-Driven Development (BDD) goes rogue by Laura Bell Main
• You Do Not Need to do DAST in a Pipeline to do DevSecOps by Tanya Janca
• Manual Code Reviews - Is It Time to Move On? by Sean Wright
• Tanya Janca on Cyber Mentorship, “Shifting Left” and Punk Rock
• Continuous delivery, meet continuous security by Tanya Janca
• Security is Everybody's Job Series by Tanya Janca
• BeerSecOps #10: Tanya Janca – AppSec Education
• We Hack Purple Podcast Episode 70 with Meghan Jacquot
• We Hack Purple Podcast Episode 72 with Scott Helme AGAIN
• We Hack Purple Podcast Episode 73 with Amanda Crawley
• We Hack Purple Podcast Episode 74 with Ray Espinoza
• We Hack Purple Podcast Episode 77 with Brendan Sheairs
• We Hack Purple Podcast Episode 79 with Isabelle Mauny
• The Route to Networking Podcast: E21- Tanya Janca at We Hack Purple
• The Security Repo Podcast: Getting started in AppSec with Tanya Janca SheHacksPurple
• The Application Security Podcast: Maril Vernon - You Get What You Inspect, Not What You Expect
• The Application Security Podcast: Harshil Parikh - Deep Environmental and Organizational Context in Application Security
• The Application Security Podcast: Tanya Janca - What Secure Coding Really Means
  
• A Career in AppSec by Sean Wright
• Cybersecurity Isn’t Special by Kelly Shortridge
• What Is an Application Security Engineer?
  
• How Spoutible’s Leaky API Spurted out a Deluge of Personal Data by Troy Hunt
• Docker Security – Step-by-Step Hardening (Docker Hardening)
• OWASP Top 10 OSS Risks: A guide to better open source security by Chris Hughes
• Semgrep Academy
  
• Attack Trees for Robust and Secure Design by Derek Fisher
• 7 Deadly Sins of API Security Testing by Dana Epp
• OWASP Application Security Verification Standard 

Security Champions

• Building Security Champions by Tanya Janca
• Security Champions (OWASP)
• Security champions series by Snyk
• The Security Champion Framework by Chris Romeo, Izar Tarandach and Brook Schoenfield
• The Security Champions Podcast: Tanya Janca - A Recipe for Security Champions

Usable Security

• Insecure & Unintuitive: How We Need to Fix the UX of Security by Jared Spool
• Secure Design Concepts w/ Tanya Janca
• Security and usability: you CAN have it all!
• How good UX leads to great security by Josh Ben-David

Threat Modeling

• Threat Modeling Manifesto
• Threat Model (Wikipedia)
• Threat Modeling Cheat Sheet
• Threat Modeling in Practice 
• Who is Threat Modeling? by Aaron Lord
• Advanced Threat Modeling
• Pushing Left, Like a Boss – Part 6: Threat Modelling by Tanya Janca
• The Threat Modeling Podcast: A Comprehensive Threat Modeling Strategy
• Elevation of Privilege (EoP) Threat Modeling Card Game
• OWASP Threat Dragon
• The Threat Modeling Podcast: Akira Brand - Gaining Experience by Threat Modeling
• Threat Modeling for Developers by Adam Shostack
• Shostack's 4 Question Frame for Threat Modeling by Adam Shostack

Mobile

• OWASP Mobile Application Security
• Mobile Security Framework (MobSF) 
• MOBEXLER - A Mobile Application Penetration Testing Platform 
• IOS Deep Link Attacks Part 1 – Introduction & IOS Deep Link Attacks Part 2 – Exploitation
• One Scheme to Rule Them All: OAuth Account Takeover by Mohamed Benchikh
• Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers by suidpit & TheZero
• Vulnerable Android Broadcast Receivers by Rostik 
• Vulnerabilities in CocoaPods Open the Door to Supply Chain Attacks Against Thousands of iOS and MacOS Applications by Reef Spektor & Eran Vaknin

Exploits

• Practical Example Of Client Side Path Manipulation by Antoine Roly
• Stealing passwords from infosec Mastodon - without bypassing CSP by Gareth Heyes
• The inception bar: a new phishing method by Jim Fisher
• How to win at CORS by Jake Archibald
• Cross Site Scripting (in less than 2 minutes)
• Smashing the state machine: the true potential of web race conditions by James Kettle
• SecLists by Daniel Miessler, Jason Haddix, and g0tmi1k.
• How to stay safe from repo-jacking by Kevin Backhouse
• Darknet Diaries EP 144: Rachel on social engineering with Rachel Tobac
• TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak by Lizzie Moratti and Dani Cronce
• What Is Pretexting in Cyber Security? [Easy Guide & Examples] by Spencer Abel
• This is how hackers hack you using simple social engineering
• SQL Injection Cheatsheet by Tib3rius
  

Personal Security

• Security Planner
• Personal Security Checklist
  

Practice

Vulnerable Apps

• OWASP Juice Shop
• OWASP WebGoat
• TicketMagpie
• Damn-Vulnerable-RESTaurant-API-Game
• Damn Vulnerable Web Services
• OWASP Vulnerable Web Applications Directory 
  
• vulnerable-apps: over 100 forks of deliberately vulnerable web applications and APIs
• Pentest Ground

Labs

• TryHackMe
• Hack The Box
• PortSwigger's Web Security Academy
• PentesterLab

Communities

• We Hack Purple
• OWASP
• BSides
• DEF CON
• DevSecCon's DevSecOps Community Discord
• InfoSec Community Discord
• Laptop Hacking Coffee Discord
• HackTheBox Discord
• TryHackMe Discord
• TCM Security Discord
• Threat Hunter Community Discord
• PentesterLab Discord
• Women of Security (WoSEC)
• Women's Society of Cyberjutsu
• WiCyS
• Cyversity

Newsletters

• [tl;dr sec] by Clint Gibler
• Reasonable Application Security by Chris Romeo
• ~this week in security~ by Zack Whittaker
• AppSec Ezine by Renato Rodrigues