When it comes to all things cybersecurity, I have found the following resources to be valuable.
- General
- Career
- Application Security
- Product Security
- Education
- Security Champions
- Usable Security
- Security Requirements
- Threat Modeling
- Secure Coding
- Security Testing
- Third-Party Dependency Security
- Secure Infrastructure & Delivery
- Mobile
- Vulnerabilities & Exploits
- Personal Security
- Practice
- Communities
- Newsletters
General
- Cyber Security Acronyms and Terms
- Security Zines
- Darknet Diaries by Jack Rhysider
- The Effectiveness of Publicly Shaming Bad Security by Troy Hunt
- How to Say "No" Well by Rami McCarthy
- The volatility of trust: Zero Trust and Distributed Trust as 'post-trust' cybersecurity models by Daniele Pizio & Matt Spencer
- Starting a Security Program from Scratch (or re-starting) by Phil Venables
- On YOLOsec and FOMOsec by Kelly Shortridge
- The New Commandments of Security Teams by Maya Kaczorowski
- OT Threat Hunting: More Critical Than Ever by Lesley Carhart
Career
- The InfoSec Color Wheel by Dan Covic
- Jobs in Information Security (InfoSec) by Tanya Janca
- Red vs Blue – A write-up of our SkillSec workshop
- So You Want To Be a Pentester? (Updated 2023) by Jack Halon
- So, You Want to CTF? (A Beginner’s Guide to CTFing) by Jaime Lightfoot
- How To Get Your First Job In Cybersecurity by Tanya Janca
- Getting Into Information Security by Mike Sass
- Continuous Learning by Tanya Janca
- The Security Repo Podcast: Getting started in AppSec with Tanya Janca SheHacksPurple
- A Career in AppSec by Sean Wright
- What Is an Application Security Engineer?
- The Route to Networking Podcast: E21- Tanya Janca at We Hack Purple
- Book "Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career" by Jessica Barker
Application Security
- Book "Alice and Bob Learn Application Security" by Tanya Janca
- The OWASP Application Security Program Quick Start Guide
- Semgrep Academy
- OWASP SAMM
- OWASP Developer Guide
- OWASP Cheat Sheet Series
- Three layers to secure a software development organization
- Cybersecurity Isn’t Special by Kelly Shortridge
- Security is Everybody's Job Series by Tanya Janca
- USENIX Enigma 2018 - Insecurity in Information Technology by Tanya Janca
- Building An Appsec Program From Scratch by Mireia Cano
- Security for High Velocity Engineering by Jason Chan
- The Psychology of Bad Code Part 2 – Building Systems That Support Secure Developer Behavior by Tanya Janca
- Threat Modeling Developer Behaviour: The Psychology of Bad Code by Tanya Janca
- Security Is Just Engineering Tech Debt (And That's a Good Thing) by Srajan Gupta
- Security Debt: The Compounding Liability Hiding in Plain Sight by Jacob Combs
- Why Shadow APIs provide a defenseless path for threat actors by Dana Epp
- Millions of Vulnerabilities: One Checklist to Kill The Noise by Patrick Mathieu
- Tanya Janca on Cyber Mentorship, “Shifting Left” and Punk Rock
- We Hack Purple Podcast Episode 73 with Amanda Crawley
- We Hack Purple Podcast 74 with Ray Espinoza
- The Application Security Podcast: Maril Vernon - You Get What You Inspect, Not What You Expect
- The Application Security Podcast: Harshil Parikh - Deep Environmental and Organizational Context in Application Security
- The Application Security Podcast: Jeevan Singh - The Future of Application Security Engineers
- The Application Security Podcast: David Quisenberry - Building Security, People, and Programs
- The Application Security Podcast: Tanya Janca - Secure Guardrails
Product Security
- How CISOs can shift from application security to product security by Ericka Chickowski
- The Security Table: AppSec vs. ProdSec
- The Application Security Podcast: Jay Bobo & Darylynn Ross - App Sec Is Dead. Product Security Is the Future.
Education
- Security Training for Engineers by Rich Adams
- Microsoft's Cybersecurity for Beginners
- Security fundamentals (OWASP)
- Principles of security (OWASP)
- Security-101
- BeerSecOps #10: Tanya Janca – AppSec Education
Security Champions
- Building Security Champions by Tanya Janca
- Security Champions (OWASP)
- OWASP Security Champions Guide
- Security champions series by Snyk
- The Security Champion Framework by Chris Romeo, Izar Tarandach and Brook Schoenfield
- The Security Champion Program Success Guide by Dustin Lehr
- The Security Champions Podcast: Tanya Janca - A Recipe for Security Champions
- The Application Security Podcast: Dustin Lehr - Culture Change through Champions and Gamification
- Building a Successful Security Champions Program: What does it take?
- OWASP Top 10 Maturity Categories for Security Champions
- Security Champions Playbook
- Software Security Takes a Champion (pdf)
- How AWS built the Security Guardians program, a mechanism to distribute security ownership by Ana Malhotra & Mitch Beaumont
- Top 10 Security Champion Program Blunders by Marisa Fagan
- The TTPs of a Security Champions Program (with Dustin Lehr)
- Security Champion Worst Practices - Tanya Janca - NDC Security 2025
- Building a Proactive Security Culture Through Behavioral Science with Dustin Lehr
- Growing A Security Champion Program Into A Security Powerhouse - Bonnie Viteri
- Security Champions at Scale: Transforming Security Culture by Aligning Incentives and Gamification by Hernán Palombo
- From Soft Skills to Hard Data: Measuring the Impact of Culture and Security Champions by Dustin Lehr
- We Hack Purple Podcast 77 with Brendan Sheairs
Usable Security
- Insecure & Unintuitive: How We Need to Fix the UX of Security by Jared Spool
- Secure Design Concepts w/ Tanya Janca
- Security and usability: you CAN have it all!
- How good UX leads to great security by Josh Ben-David
Security Requirements
Threat Modeling
- Threat Modeling Manifesto
- Threat Modeling for Developers by Adam Shostack
- Shostack's 4 Question Frame for Threat Modeling by Adam Shostack
- The Threat Modeling Podcast: The Four Question Framework with Adam Shostack
- Book "Threats: What Every Engineer Should Learn From Star Wars" by Adam Shostack
- Threat Model (Wikipedia)
- Threat Modeling Cheat Sheet
- Threat Modeling in Practice
- Who is Threat Modeling? by Aaron Lord
- The Threat Modeling Podcast: A Comprehensive Threat Modeling Strategy
- Elevation of Privilege (EoP) Threat Modeling Card Game
- OWASP Threat Dragon
- The Threat Modeling Podcast: Akira Brand - Gaining Experience by Threat Modeling
- Threat Modeling with ATT&CK v1.0.1
- Threat Modeling HowTo
- Ultimate Threat Modeling Example using Multiple Methods by Nick Kirtley
- Threat Modeling Guide for Software Teams by Gayathri Mohan and Jim Gumbley
- The Fortunately ⇆ Unfortunately of Fortunately ⇆ Unfortunately #meta by Hendrik Ewerlin
- Continuous Threat Modeling Handbook & Secure Developer Checklist
- Two Scenario Threat Modeling by Jacob Kaplan-Moss
- We Hack Purple Podcast Episode 70 with Meghan Jacquot
- Mapping Attack Patterns to your Threat Model by Dana Epp
Secure Coding
- Book "Alice and Bob Learn Secure Coding" by Tanya Janca
- All you need to know about user session security
- Why XSS Persists in This Frameworks Era? by canalun
- Mastering Security Headers with Scott Helme & Tanya Janca
- Take care secrets and credentials in repositories
- We Hack Purple Podcast 72 with Scott Helme (Part 2)
- We Hack Purple Podcast 79 with Isabelle Mauny
- The Application Security Podcast: Tanya Janca - What Secure Coding Really Means
- The Application Security Podcast: Mukund Sarma - Developer Tools that Solve Security Problems
- Cyber Pulse Podcast: Secure Coding with Alice and Bob - featuring guest Tanya Janca
Security Testing
- Security Testing (OWASP)
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Interactive Application Security Testing
- Continuous delivery, meet continuous security by Tanya Janca
- You Do Not Need to do DAST in a Pipeline to do DevSecOps by Tanya Janca
- Manual Code Reviews - Is It Time to Move On? by Sean Wright
- We Hack Purple Podcast Episode 78 with Jason Haddix
- 7 Deadly Sins of API Security Testing by Dana Epp
- SecLists by Daniel Miessler, Jason Haddix, and g0tmi1k
- SQL Injection Cheatsheet by Tib3rius
- Cross-site scripting (XSS) cheat sheet
Third-Party Dependency Security
- Software Component/Composition Analysis (SCA)
- Vulnerable Dependency Management Cheat Sheet
- OWASP Top 10 OSS Risks: A guide to better open source security by Chris Hughes
- The Complete Guide to Preventing Open Source Malware by James Berthoty
- Inside the breach that broke the internet: The untold story of Log4Shell by Gregg Cochran
Secure Infrastructure & Delivery
- Infrastructure as Code Security Cheatsheet
- Docker Security – Step-by-Step Hardening (Docker Hardening)
- Container Vulnerability Scanning
- Infrastructure Vulnerability Scanning
- Keeping Secrets Out of Logs by Allan Reyes
- CI/CD Security Cheat Sheet
Mobile
- OWASP Mobile Application Security
- Mobile Security Framework (MobSF)
- MOBEXLER - A Mobile Application Penetration Testing Platform
- iOS Deep Link Attacks Part 1 – Introduction & iOS Deep Link Attacks Part 2 – Exploitation
- One Scheme to Rule Them All: OAuth Account Takeover by Mohamed Benchikh
- Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers by suidpit & TheZero
- Vulnerable Android Broadcast Receivers by Rostik
- 3 million iOS and macOS apps were exposed to potent supply-chain attacks by Dan Goodin
- BSides Munich 2023 Workshop "The Hitchhacker's Guide to the Mobile Galaxy" Slides by Claudia Ully
- How I Leak Other’s Access Token by Exploiting Evil Deeplink Flaw by Crisdeo Nuel Siahaan
- Hackers can steal 2FA codes and private messages from Android phones by Dan Goodin
- PromptSpy ushers in the era of Android threats using GenAI by Lukas Stefanko
Vulnerabilities & Exploits
- When is a vulnerability not a vulnerability? by Tanya Janca
- Giggle; laughable security & Shooting the messenger. A story about vulnerability disclosure by Jahmel Harris
- How Spoutible’s Leaky API Spurted out a Deluge of Personal Data by Troy Hunt
- Practical Example Of Client Side Path Manipulation by Antoine Roly
- Stealing passwords from infosec Mastodon - without bypassing CSP by Gareth Heyes
- How to win at CORS by Jake Archibald
- Cross Site Scripting (in less than 2 minutes)
- Smashing the state machine: the true potential of web race conditions by James Kettle
- TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak by Lizzie Moratti and Dani Cronce
- 3 ways to use Common Attack Patterns to abuse an API by Dana Epp
- I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny by Eaton Zveare
- WorstFit: Unveiling Hidden Transformers in Windows ANSI! by Orange Tsai
- Hijacking OAUTH flows via Cookie Tossing by Elliot Ward
- Reconsidering Self-XSS And Exploring Novel Attacks With Cookie Tossing - Thomas Houhou
- Cross-Site WebSocket Hijacking Exploitation in 2025 by Laurence Tennant
- Google Spoofed Via DKIM Replay Attack: A Technical Breakdown by Gerasim Hovhannisyan
- Google Cloud Account Takeover via URL Parsing Confusion by Mohamed Benchikh
- Commit Stomping by Andy Gill
- Can’t Stop, Won’t Stop Hijacking (CSWSH) WebSockets by Jack Hyland
- The Ultimate Guide to JWT Vulnerabilities and Attacks (with Exploitation Examples) by Louis Nyffenegger
- Export to PDF allows local file inclusion/path traversal in Microsoft 365 by Gianluca Baldi
- Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications by Vaisha Bernard
- One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens by Dirk-jan Mollema
- MongoBleed explained simply by Stanislav Kozlovski
- What is RTLO in Hacking? How to Use Right-to-Left Override and Defend Against it by Daniel Iwugo
- The Dot-Dot-Slash That Frameworks Hand You: CSPT Across Every Major Frontend Framework by Jonathan Dunn
- Client Side Path Traversal (CSPT) - A Deep Dive into an Overlooked Vulnerability by Amal PK
- Darknet Diaries EP 144: Rachel with Rachel Tobac
- What Is Pretexting in Cyber Security? [Easy Guide & Examples] by Spencer Abel
- This is how hackers hack you using simple social engineering
- Elicitation Techniques - Covert Information Collection From Human Sources by Christina Lekati
- How to Design and Execute Effective Social Engineering Attacks by Phone by John Malone
- Social Engineer: YOU are Easier to Hack than your Computer with Rachel Tobac
- Pluralistic: How I got scammed (05 Feb 2024) by Cory Doctorow
- How I Almost Got Hacked By A 'Job Interview' by David Dodda
- The inception bar: a new phishing method by Jim Fisher
- Phishing despite FIDO, leveraging a novel technique based on the Device Code Flow by Dennis Kniep
- Inside an AI‑enabled device code phishing campaign
Supply Chain Attacks
- How to stay safe from repo-jacking by Kevin Backhouse
- Weaponizing Dependabot: Pwn Request at its finest
- Brewing Trouble — Dissecting a macOS Malware Campaign by Dhiraj
- eslint-config-prettier Compromised: How npm Package with 30 Million Downloads Spread Malware & Scavenger Malware Distributed via eslint-config-prettier NPM Package Supply Chain Compromise
- Vibe-coded build system NX gets hacked, steals vibe-coders’ crypto by David Gerard
- Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident by Liran Tal
- PhantomRaven: NPM Malware Hidden in Invisible Dependencies by Oren Yomtov
- Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages by Ashish Kurmi
- Shai-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposing Secrets by Hila Ramati, Merav Bar, Gal Benmocha, Gili Tikochinski
- GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX by Bill Toulas & GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace by Idan Dardikman
- Code highlighting with Cursor AI for $500,000 by Georgy Kucherin
- How we pwned X (Twitter), Vercel, Cursor, Discord, and hundreds of companies through a supply-chain attack
- Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854) by Sagi Tzadik
AI
- We hacked Google’s A.I Gemini and leaked its source code (at least some part)
- Critical RCE Vulnerability in Anthropic MCP Inspector - CVE-2025-49596 by Avi Lumelsky
- Claude Code: Data Exfiltration with DNS
- EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server (CVE-2025-53109 & CVE-2025-53110) by Elad Beber
- First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails by Idan Dardikman
- New Prompt Injection Attack Vectors Through MCP Sampling by Yongzhe Huang, Akshata Rao, Changjiang Li, Yang Ji, Wenjun Hu
- Critical Claude Code vulnerability: Deny rules silently bypassed because security checks cost too many tokens
- SymJack: the approval prompt is lying to you. A symlink-hijack RCE in six AI coding agents by Rony Utevsky
Personal Security
- Security Planner
- Personal Security Checklist
- You Don't Need To Buy a VPN To Stay Secure On Public Wi-Fi by Marcus Hutchins
- Stop Hacklore! An Open Letter
Practice
Vulnerable Apps
- OWASP Juice Shop
- OWASP WebGoat
- Damn-Vulnerable-RESTaurant-API-Game
- Damn Vulnerable Web Services
- OWASP Vulnerable Web Applications Directory
- vulnerable-apps: over 100 forks of deliberately vulnerable web applications and APIs
- Pentest Ground
Labs
Communities
- OWASP Slack
- BSides
- DEF CON
- InfoSec Community Discord
- HackTheBox Discord
- TryHackMe Discord
- TCM Security Discord
- PentesterLab Discord
- PortSwigger Discord
- Threat Hunter Community Discord
- Dropout Phreaks Discord
- Trace Labs Discord
- Women of Security (WoSEC)
- Women's Society of Cyberjutsu
- WiCyS
- Cyversity