Security

Diving deeper into all things security, I have found the following resources to be valuable.

• InfoSec
• ProdSec
• AppSec
• Security Champions
• Usable Security
• Threat Modeling
• Mobile
• Exploits
• Personal Security
• Practice
• Vulnerable Apps
• Labs
• Communities
• Newsletters

InfoSec

• We Hack Purple Podcast Episode 78 with Jason Haddix
• Red vs Blue – A write-up of our SkillSec workshop
• The InfoSec Color Wheel by Dan Covic
• Jobs in Information Security (InfoSec) by Tanya Janca
• So You Want To Be a Pentester? (Updated 2023) by Jack Halon
• So, You Want to CTF? (A Beginner’s Guide to CTFing) by Jaime Lightfoot
• Shooting the messenger. A story about vulnerability disclosure by Jahmel Harris
• Giggle; laughable security
• All you need to know about user session security
• When is a vulnerability not a vulnerability? by Tanya Janca
• The Effectiveness of Publicly Shaming Bad Security by Troy Hunt
• Getting Into Information Security by Mike Sass
• Book Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career by Jessica Barker
  
• OT Threat Hunting: More Critical Than Ever by Lesley Carhart
• Security Zines
• all InfoSec news - Your InfoSec news aggregator  
• How to Say "No" Well by Rami McCarthy
  

ProdSec

• What’s the difference between Product Security and Application Security? by Tanya Janca
• How CISOs can shift from application security to product security by Ericka Chickowski
• The Security Table: AppSec vs. ProdSec
• The Application Security Podcast: Jay Bobo & Darylynn Ross - App Sec Is Dead. Product Security Is the Future. 

 

AppSec

• Book "Alice and Bob Learn Application Security" by Tanya Janca
• The OWASP Application Security Program Quick Start Guide
• OWASP Cheat Sheet Series 
• Continuous Learning by Tanya Janca
• Three layers to secure a software development organization
• Behavior-Driven Development (BDD) goes rogue by Laura Bell Main
• You Do Not Need to do DAST in a Pipeline to do DevSecOps by Tanya Janca
• Manual Code Reviews - Is It Time to Move On? by Sean Wright
• Tanya Janca on Cyber Mentorship, “Shifting Left” and Punk Rock
• Continuous delivery, meet continuous security by Tanya Janca
• Security is Everybody's Job Series by Tanya Janca
• BeerSecOps #10: Tanya Janca – AppSec Education
• We Hack Purple Podcast Episode 70 with Meghan Jacquot
• We Hack Purple Podcast Episode 72 with Scott Helme AGAIN
• We Hack Purple Podcast Episode 73 with Amanda Crawley
• We Hack Purple Podcast Episode 74 with Ray Espinoza
• We Hack Purple Podcast Episode 77 with Brendan Sheairs
• We Hack Purple Podcast Episode 79 with Isabelle Mauny
• The Route to Networking Podcast: E21- Tanya Janca at We Hack Purple
• The Security Repo Podcast: Getting started in AppSec with Tanya Janca SheHacksPurple
• The Application Security Podcast: Maril Vernon - You Get What You Inspect, Not What You Expect
• The Application Security Podcast: Harshil Parikh - Deep Environmental and Organizational Context in Application Security
• The Application Security Podcast: Tanya Janca - What Secure Coding Really Means
• The Application Security Podcast: Mukund Sarma - Developer Tools that Solve Security Problems   
• The Application Security Podcast: Jeevan Singh - The Future of Application Security Engineers
  
• A Career in AppSec by Sean Wright
• Cybersecurity Isn’t Special by Kelly Shortridge
• What Is an Application Security Engineer?
  
• How Spoutible’s Leaky API Spurted out a Deluge of Personal Data by Troy Hunt
• Docker Security – Step-by-Step Hardening (Docker Hardening)
• OWASP Top 10 OSS Risks: A guide to better open source security by Chris Hughes
• Semgrep Academy
  
• Attack Trees for Robust and Secure Design by Derek Fisher
• 7 Deadly Sins of API Security Testing by Dana Epp
• OWASP Application Security Verification Standard
• Security Training for Engineers by Rich Adams
• Microsoft's Cybersecurity for Beginners  
• OWASP Developer Guide
• Why Shadow APIs provide a defenseless path for threat actors by Dana Epp
• The Application Security Podcast: David Quisenberry - Building Security, People, and Programs
  
• The Application Security Podcast: Tanya Janca - Secure Guardrails
• The Application Security Podcast: Maril Vernon - You Get What You Inspect, Not What You Expect
• Building An Appsec Program From Scratch by Mireia Cano
• Cyber Pulse Podcast: Secure Coding with Alice and Bob - featuring guest Tanya Janca
  

Security Champions

• Building Security Champions by Tanya Janca
• Security Champions (OWASP)
• OWASP Security Champions Guide 
• Security champions series by Snyk
• The Security Champion Framework by Chris Romeo, Izar Tarandach and Brook Schoenfield
• The Security Champion Program Success Guide by Dustin Lehr
• The Security Champions Podcast: Tanya Janca - A Recipe for Security Champions
• The Application Security Podcast: Dustin Lehr -- Culture Change through Champions and Gamification
• Building a Successful Security Champions Program: What does it take?  
• OWASP Top 10 Maturity Categories for Security Champions
  
• Security Champions Playbook  
• Software Security Takes a Champion (pdf)
• Security Champion!
• How AWS built the Security Guardians program, a mechanism to distribute security ownership by Ana Malhotra & Mitch Beaumont
• Top 10 Security Champion Program Blunders by Marisa Fagan 
• The TTPs of a Security Champions Program (with Dustin Lehr)
  

Usable Security

• Insecure & Unintuitive: How We Need to Fix the UX of Security by Jared Spool
• Secure Design Concepts w/ Tanya Janca
• Security and usability: you CAN have it all!
• How good UX leads to great security by Josh Ben-David

Threat Modeling

• Threat Modeling Manifesto
• Threat Model (Wikipedia)
• Threat Modeling Cheat Sheet
• Threat Modeling in Practice 
• Who is Threat Modeling? by Aaron Lord
• Advanced Threat Modeling
• Pushing Left, Like a Boss – Part 6: Threat Modelling by Tanya Janca
• The Threat Modeling Podcast: A Comprehensive Threat Modeling Strategy
• Elevation of Privilege (EoP) Threat Modeling Card Game
• OWASP Threat Dragon
• The Threat Modeling Podcast: Akira Brand - Gaining Experience by Threat Modeling
• Threat Modeling for Developers by Adam Shostack
• Shostack's 4 Question Frame for Threat Modeling by Adam Shostack  
• The Threat Modeling Podcast: The Four Question Framework with Adam Shostack
• Threat Modeling with ATT&CK v1.0.1  
• Threat Modeling HowTo
• Ultimate Threat Modeling Example using Multiple Methods by Nick Kirtley
  

Mobile

• OWASP Mobile Application Security
• Mobile Security Framework (MobSF) 
• MOBEXLER - A Mobile Application Penetration Testing Platform 
• IOS Deep Link Attacks Part 1 – Introduction & IOS Deep Link Attacks Part 2 – Exploitation
• One Scheme to Rule Them All: OAuth Account Takeover by Mohamed Benchikh
• Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers by suidpit & TheZero
• Vulnerable Android Broadcast Receivers by Rostik 
• Vulnerabilities in CocoaPods Open the Door to Supply Chain Attacks Against Thousands of iOS and MacOS Applications by Reef Spektor & Eran Vaknin
• BSides Munich 2023 Workshop "The Hitchhacker's Guide to the Mobile Galaxy" Slides by Claudia Ully
• How I Leak Other’s Access Token by Exploiting Evil Deeplink Flaw by Crisdeo Nuel Siahaan
  

Exploits

• Practical Example Of Client Side Path Manipulation by Antoine Roly
• Stealing passwords from infosec Mastodon - without bypassing CSP by Gareth Heyes
• The inception bar: a new phishing method by Jim Fisher
• How to win at CORS by Jake Archibald
• Cross Site Scripting (in less than 2 minutes)
• Smashing the state machine: the true potential of web race conditions by James Kettle
• SecLists by Daniel Miessler, Jason Haddix, and g0tmi1k.
• How to stay safe from repo-jacking by Kevin Backhouse
• Darknet Diaries EP 144: Rachel on social engineering with Rachel Tobac
• TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak by Lizzie Moratti and Dani Cronce
• What Is Pretexting in Cyber Security? [Easy Guide & Examples] by Spencer Abel
• This is how hackers hack you using simple social engineering
• SQL Injection Cheatsheet by Tib3rius 
• 3 ways to use Common Attack Patterns to abuse an API by Dana Epp
• Mapping Attack Patterns to your Threat Model by Dana Epp
• I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny by Eaton Zveare
• WorstFit: Unveiling Hidden Transformers in Windows ANSI! by Orange Tsai
• Elicitation Techniques - Covert Information Collection From Human Sources by Christina Lekati
• Hijacking OAUTH flows via Cookie Tossing by Elliot Ward 
• Reconsidering Self-XSS And Exploring Novel Attacks With Cookie Tossing - Thomas Houhou
• We hacked Google’s A.I Gemini and leaked its source code (at least some part) 
  

Personal Security

• Security Planner
• Personal Security Checklist
• You Don't Need To Buy a VPN To Stay Secure On Public Wi-Fi by Marcus Hutchins
  

Practice

Vulnerable Apps

• OWASP Juice Shop
• OWASP WebGoat
• TicketMagpie
• Damn-Vulnerable-RESTaurant-API-Game
• Damn Vulnerable Web Services
• OWASP Vulnerable Web Applications Directory 
  
• vulnerable-apps: over 100 forks of deliberately vulnerable web applications and APIs
• Pentest Ground

Labs

• TryHackMe
• Hack The Box
• PortSwigger's Web Security Academy
• PentesterLab

Communities

• We Hack Purple
• OWASP
• BSides
• DEF CON
• DevSecCon's DevSecOps Community Discord
• InfoSec Community Discord
• Laptop Hacking Coffee Discord
• HackTheBox Discord
• TryHackMe Discord
• TCM Security Discord
• Threat Hunter Community Discord
• PentesterLab Discord
• Women of Security (WoSEC)
• Women's Society of Cyberjutsu
• WiCyS
• Cyversity

Newsletters

• [tl;dr sec] by Clint Gibler
• Reasonable Application Security by Chris Romeo
• ~this week in security~ by Zack Whittaker
• AppSec Ezine by Renato Rodrigues