Security resources for developers

"The ultimate" collection of security resources and tools for secure development, secure coding and DevSecOps. Contributions (PRs) are appreciated.

Litterature

• OWASP Top 10 (Updated 2021)
  • https://owasp.org/Top10/
  • Don’t just know about it, learn the actual contents!
• OWASP Top 10 for APIs
  • https://owasp.org/www-project-api-security/
• OWASP Top 10 for mobile
  • https://owasp.org/www-project-mobile-top-10/
• OWASP cheat sheets
  • Best developer security practices for “everything!”
  • https://cheatsheetseries.owasp.org/
  • Examples:
    • Best practice for file uploads: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
    • Best practice for input validation: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
    • JavaScript third-party (dependency) management: https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html
    • CWE/SANS Top 25 Most Dangerous Software Errors
      • https://www.sans.org/top25-software-errors/
• Department of Defense (DoD) Enterprise DevSecOps Initiative
  • https://software.af.mil/dsop/documents/
• OpenSSF Best Practices Working Group (WG)
  • Concise Guide for Developing More Secure Software
  • Compiler Options Hardening Guide for C and C++
  • Memory Safety Continuum
• Security Champions Playbook
• Books
  • OWASP Code Review Guide v2 (2017)
    • Free must read for every developer
    • Project page
  • Secure Programming HOWTO - Creating Secure Software by David A. Wheeler
    • Free HTML and PDF book by the author of Flawfinder
  • The Art of Software Security Assessment by John McDonald, Mark Down and Justin Schuh
    • As recommended by Natalie Silvanovich at Google Project Zero
    • Note only ebook is the complete version for some reason
  • A Bug Hunter's Diary by Tobias Klein
• Articles
  • How to prevent, detect and respond to cloud token theft (Session hijacking of cloud access token)
  • SVGs are dangerous. How an XSS vulnerability in an electron application can lead to remote code execution.
• Equinor AppSec information pages
• NAV's security playbook (Norwegian)
• 10 developer mitigations to prevent supply chain attacks
• Fifty Years of Open Source Software Supply Chain Security
  • HN Discussion

Interactive training

• Learn OWASP Top 10 (2017 edition) interactive with WebGoat (free)
  • https://owasp.org/www-project-webgoat/
• OWASP Secure Coding Dojo (free) interactive secure coding training
  • https://securecodingdojo.owasp.org/
  • Project page with self-hosting & workshop resources:
    • https://owasp.org/www-project-secure-coding-dojo/
• TryHackMe (some rooms are free) interactive tutorials of various topics
  • https://tryhackme.com/
• PortSwigger Web Security Academy (free) interactive online web sec. training
  • https://portswigger.net/web-security
• Free API Security class & certification based on OWASP API Security Top 10
  • https://university.apisec.ai/apisec-certified-expert
• OWASP Juice Shop (free) intentionally vulnerable application
  • https://owasp.org/www-project-juice-shop/
• Practice cloud security with AzureGoat and AwsGoat
  • https://github.com/ine-labs/AWSGoat (AWS)
  • https://github.com/ine-labs/AzureGoat (Azure)
• Learn and practice fuzzing
  • Antonio Morales' Fuzzing-101

Tools

• Analyze and test your HTTP Security Headers
  • https://securityheaders.com/ (free)
• Analyze and test your TLS/SSL configuration
  • https://www.ssllabs.com/ssltest/ (free)
  • https://github.com/drwetter/testssl.sh (free)
• (Web) Vulnerability scanners
  • Nikto (free)
    • https://github.com/sullo/nikto
  • Trivy (free)
    • https://trivy.dev/
  • Greenbone Community Edition (previously OpenVAS) (free)
    • https://greenbone.github.io/docs/latest/index.html
  • Nessus
    • https://www.tenable.com/products/nessus
• Static Application Security Testing (SAST)
  • Repository listing static analysis tools for all programming languages
    • https://github.com/analysis-tools-dev/static-analysis
    • (website: https://analysis-tools.dev/)
  • OWASP Source Code Analysis Tools
    • https://owasp.org/www-community/Source_Code_Analysis_Tools
  • NIST’s list of SAST tools you can integrate in your DevSecOps pipeline:
    • https://www.nist.gov/itl/ssd/software-quality-group/source-code-security-analyzers
  • Semgrep (commercial)
    • https://semgrep.dev/products/semgrep-code/
  • Snyk Code (commercial)
    • https://snyk.io/product/snyk-code/
  • Sonarcube (commercial)
    • https://www.sonarsource.com/products/sonarqube/
  • Flawfinder
    • https://pypi.org/project/flawfinder/
• Commercial DevSecOps vulnerability scanners
  • https://www.sonarqube.org/
  • https://snyk.io/product/snyk-code/
• “Attack proxies” for web analysis and attacks:
  • OWASP Zap Proxy (free)
    • https://www.zaproxy.org/
  • Portswigger Burp Suite (free limited version available)
    • https://portswigger.net/burp
  • Hetty (free)
    • https://hetty.xyz/
• Aikido "all-in-one AppSec suite"
  • https://www.aikido.dev/
• Privacy tools / alternatives to popular products
  • https://www.privacytools.io/

Communities

• DevSecOps Book Club
• /r/netsec
• Security Champions Norge (Norwegian)

Technology specific

Third-party dependency vulnerability scans

dotnet

Find vulnerable packages:

dotnet list package --vulnerable --include-transitive

Outdated packages:

dotnet list package --outdated

Java

Use OWASP Dependency-Check

python

Find vulnerable dependencies with pip-audit

nodejs / npm

Check for third-party (dependencies) vulnerabilities:

npm audit

Only production packages:

npm audit --omit=dev

npm Best Practices Guide

rust

Use cargo-audit

go

Use govulncheck.

Other lists

• https://github.com/sbilly/awesome-security