Diving deeper into all things security, I have found the following resources to be valuable.
InfoSec
- We Hack Purple Podcast Episode 78 with Jason Haddix
- Red vs Blue – A write-up of our SkillSec workshop
- The InfoSec Color Wheel by Dan Covic
- Jobs in Information Security (InfoSec) by Tanya Janca
- So You Want To Be a Pentester? (Updated 2023) by Jack Halon
- So, You Want to CTF? (A Beginner’s Guide to CTFing) by Jaime Lightfoot
- Shooting the messenger. A story about vulnerability disclosure by Jahmel Harris
- Giggle; laughable security
- All you need to know about user session security
- When is a vulnerability not a vulnerability? by Tanya Janca
- The Effectiveness of Publicly Shaming Bad Security by Troy Hunt
- Getting Into Information Security by Mike Sass
- Book "Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career" by Jessica Barker
- OT Threat Hunting: More Critical Than Ever by Lesley Carhart
- Security Zines
- all InfoSec news - Your InfoSec news aggregator
ProdSec
- What’s the difference between Product Security and Application Security? by Tanya Janca
- How CISOs can shift from application security to product security by Ericka Chickowski
- The Security Table: AppSec vs. ProdSec
- The Application Security Podcast: Jay Bobo & Darylynn Ross - App Sec Is Dead. Product Security Is the Future.
AppSec
- Book "Alice and Bob Learn Application Security" by Tanya Janca
- The OWASP Application Security Program Quick Start Guide
- OWASP Cheat Sheet Series
- Continuous Learning by Tanya Janca
- Three layers to secure a software development organization
- Behavior-Driven Development (BDD) goes rogue by Laura Bell Main
- You Do Not Need to do DAST in a Pipeline to do DevSecOps by Tanya Janca
- Manual Code Reviews - Is It Time to Move On? by Sean Wright
- Tanya Janca on Cyber Mentorship, “Shifting Left” and Punk Rock
- Continuous delivery, meet continuous security by Tanya Janca
- Security is Everybody's Job Series by Tanya Janca
- BeerSecOps #10: Tanya Janca – AppSec Education
- We Hack Purple Podcast Episode 70 with Meghan Jacquot
- We Hack Purple Podcast Episode 72 with Scott Helme AGAIN
- We Hack Purple Podcast Episode 73 with Amanda Crawley
- We Hack Purple Podcast Episode 74 with Ray Espinoza
- We Hack Purple Podcast Episode 77 with Brendan Sheairs
- We Hack Purple Podcast Episode 79 with Isabelle Mauny
- The Route to Networking Podcast: E21- Tanya Janca at We Hack Purple
- The Security Repo Podcast: Getting started in AppSec with Tanya Janca SheHacksPurple
- The Application Security Podcast: Maril Vernon - You Get What You Inspect, Not What You Expect
- The Application Security Podcast: Harshil Parikh - Deep Environmental and Organizational Context in Application Security
- The Application Security Podcast: Tanya Janca - What Secure Coding Really Means
- The Application Security Podcast: Mukund Sarma -- Developer Tools that Solve Security Problems
- A Career in AppSec by Sean Wright
- Cybersecurity Isn’t Special by Kelly Shortridge
- What Is an Application Security Engineer?
- How Spoutible’s Leaky API Spurted out a Deluge of Personal Data by Troy Hunt
- Docker Security – Step-by-Step Hardening (Docker Hardening)
- OWASP Top 10 OSS Risks: A guide to better open source security by Chris Hughes
- Semgrep Academy
- Attack Trees for Robust and Secure Design by Derek Fisher
- 7 Deadly Sins of API Security Testing by Dana Epp
- OWASP Application Security Verification Standard
- Security Training for Engineers by Rich Adams
- Microsoft's Cybersecurity for Beginners
- OWASP Developer Guide
Security Champions
- Building Security Champions by Tanya Janca
- Security Champions (OWASP)
- OWASP Security Champions Guide
- Security champions series by Snyk
- The Security Champion Framework by Chris Romeo, Izar Tarandach and Brook Schoenfield
- The Security Champion Program Success Guide by Dustin Lehr
- The Security Champions Podcast: Tanya Janca - A Recipe for Security Champions
- The Application Security Podcast: Dustin Lehr -- Culture Change through Champions and Gamification
- Building a Successful Security Champions Program: What does it take?
- OWASP Top 10 Maturity Categories for Security Champions
- Security Champions Playbook
- Software Security Takes a Champion (pdf)
- Security Champion!
Usable Security
- Insecure & Unintuitive: How We Need to Fix the UX of Security by Jared Spool
- Secure Design Concepts w/ Tanya Janca
- Security and usability: you CAN have it all!
- How good UX leads to great security by Josh Ben-David
Threat Modeling
- Threat Modeling Manifesto
- Threat Model (Wikipedia)
- Threat Modeling Cheat Sheet
- Threat Modeling in Practice
- Who is Threat Modeling? by Aaron Lord
- Advanced Threat Modeling
- Pushing Left, Like a Boss – Part 6: Threat Modelling by Tanya Janca
- The Threat Modeling Podcast: A Comprehensive Threat Modeling Strategy
- Elevation of Privilege (EoP) Threat Modeling Card Game
- OWASP Threat Dragon
- The Threat Modeling Podcast: Akira Brand - Gaining Experience by Threat Modeling
- Threat Modeling for Developers by Adam Shostack
- Shostack's 4 Question Frame for Threat Modeling by Adam Shostack
- The Threat Modeling Podcast: The Four Question Framework with Adam Shostack
Mobile
- OWASP Mobile Application Security
- Mobile Security Framework (MobSF)
- MOBEXLER - A Mobile Application Penetration Testing Platform
- iOS Deep Link Attacks Part 1 – Introduction & iOS Deep Link Attacks Part 2 – Exploitation
- One Scheme to Rule Them All: OAuth Account Takeover by Mohamed Benchikh
- Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers by suidpit & TheZero
- Vulnerable Android Broadcast Receivers by Rostik
- Vulnerabilities in CocoaPods Open the Door to Supply Chain Attacks Against Thousands of iOS and MacOS Applications by Reef Spektor & Eran Vaknin
- BSides Munich 2023 Workshop "The Hitchhacker's Guide to the Mobile Galaxy" Slides by Claudia Ully
Exploits
- Practical Example Of Client Side Path Manipulation by Antoine Roly
- Stealing passwords from infosec Mastodon - without bypassing CSP by Gareth Heyes
- The inception bar: a new phishing method by Jim Fisher
- How to win at CORS by Jake Archibald
- Cross Site Scripting (in less than 2 minutes)
- Smashing the state machine: the true potential of web race conditions by James Kettle
- SecLists by Daniel Miessler, Jason Haddix, and g0tmi1k.
- How to stay safe from repo-jacking by Kevin Backhouse
- Darknet Diaries EP 144: Rachel on social engineering with Rachel Tobac
- TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak by Lizzie Moratti and Dani Cronce
- What Is Pretexting in Cyber Security? [Easy Guide & Examples] by Spencer Abel
- This is how hackers hack you using simple social engineering
- SQL Injection Cheatsheet by Tib3rius
- 3 ways to use Common Attack Patterns to abuse an API by Dana Epp
- Mapping Attack Patterns to your Threat Model by Dana Epp
Personal Security
Practice
Vulnerable Apps
- OWASP Juice Shop
- OWASP WebGoat
- TicketMagpie
- Damn-Vulnerable-RESTaurant-API-Game
- Damn Vulnerable Web Services
- OWASP Vulnerable Web Applications Directory
- vulnerable-apps: over 100 forks of deliberately vulnerable web applications and APIs
- Pentest Ground
Labs
Communities
- We Hack Purple
- OWASP
- BSides
- DEF CON
- DevSecCon's DevSecOps Community Discord
- InfoSec Community Discord
- Laptop Hacking Coffee Discord
- HackTheBox Discord
- TryHackMe Discord
- TCM Security Discord
- Threat Hunter Community Discord
- PentesterLab Discord
- Women of Security (WoSEC)
- Women's Society of Cyberjutsu
- WiCyS
- Cyversity