Application Security

• Avoiding the Top 10 Software Security Design Flaws
• https://samate.nist.gov/SRD/testsuite.php

OWASP

---

• Top 10
• Code Review Guide
• Developer Guide
• ASVS - Application Security Verification Standard
• Testing Guide
• Testing Checklist
• Cheat Sheets
• Top 10 Privacy Risks Project
• Proactive Controls
• TimeGap Theory
• Juice Shop

Web

---

• Content Security Policy
• Subresource Integrity
• Cross-Origin Resource Sharing
• w3c webappsec mailing list
• Web Authentication
• SSRF Bible
• HTTP Strict Transport Security (HSTS)
• https://portswigger.net/web-security

Mozilla

---

• https://www.mozilla.org/en-US/security/advisories/
• https://blog.mozilla.org/security/

Wiki

• https://wiki.mozilla.org/Security/Server_Side_TLS
• https://wiki.mozilla.org/Security/Guidelines/OpenSSH
• https://wiki.mozilla.org/Security/Guidelines/Key_Management
• https://wiki.mozilla.org/Security
• https://wiki.mozilla.org/Security/OpSec
• https://wiki.mozilla.org/SecurityEngineering
• https://wiki.mozilla.org/WebAppSec
• https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
• https://wiki.mozilla.org/WebAppSec/Web_Security_Verification
• https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist

Developer

• https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
• https://developer.mozilla.org/en-US/docs/Web/Security
• https://developer.mozilla.org/en-US/docs/Security/Firefox_Security_Basics_For_Developers
• https://developer.mozilla.org/en-US/docs/Security/Firefox_Security_Guidelines
• https://developer.mozilla.org/en-US/docs/Secure_Development_Guidelines

Threat Modeling

---

• https://www.owasp.org/index.php/Threat_Risk_Modeling
• OWASP Threat Model Cookbook
• https://owasp.org/www-project-pytm/
• https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
• Microsoft SDL Practice #7: Use Threat Modeling
• Uncover Security Design Flaws Using The STRIDE Approach
• Security Briefs - The MSF-Agile+SDL Process Template for TFS 2010
• Security Development Lifecycle for Agile Development
  • http://www.blackhat.com/presentations/bh-dc-10/Sullivan_Bryan/BlackHat-DC-2010-Sullivan-SDL-Agile-wp.pdf
  • http://www.blackhat.com/presentations/bh-dc-10/Sullivan_Bryan/BlackHat-DC-2010-Sullivan-SDL-Agile-slides.pdf
• SDL for Agile
• Common Attack Pattern Enumeration and Classification
• Adversarial Tactics, Techniques & Common Knowledge
• http://projects.webappsec.org/w/page/13246978/Threat%20Classification
• http://octotrike.org/

SAST Tools

---

• https://www.owasp.org/index.php/Source_Code_Analysis_Tools
• https://docs.gitlab.com/ee/user/application_security/sast/index.html#supported-languages-and-frameworks

Languages & Frameworks

---

Go

• https://github.com/Checkmarx/Go-SCP
• https://github.com/securego/gosec

JavaScipt

• https://github.com/RetireJS/retire.js
• https://github.com/h3xstream/burp-retire-js
• https://snyk.io/
• https://github.com/cure53/DOMPurify
• https://github.com/cure53/mustache-security
• https://github.com/wisec/domxsswiki/wiki
• http://lcamtuf.coredump.cx/postxss/
• https://nodesecurity.io/
• https://blog.risingstack.com/node-js-best-practices/
• https://blog.risingstack.com/node-js-security-tips/
• http://bitwiseshiftleft.github.io/sjcl/
• https://flow.org/
• https://github.com/dpnishant/jsprime

Ruby

• https://www.ruby-lang.org/en/security/
• https://groups.google.com/forum/#!forum/ruby-security-ann
• https://www.cvedetails.com/product/12215/Ruby-lang-Ruby.html?vendor_id=7252
• https://trailofbits.github.io/rubysec/
• https://rubysec.com/
• http://guides.rubygems.org/security/
• https://hakiri.io/blog/ruby-security-tools-and-resources
• http://rubysecurity.info/

Rails

• https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
• http://guides.rubyonrails.org/security.html
• http://edgeguides.rubyonrails.org/security.html
• https://groups.google.com/forum/#!forum/rubyonrails-security
• https://rails-sqli.org/
• http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html
• https://rorsecurity.info/
• http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/
• https://molily.de/xss/
• https://sakurity.com/blog
• http://homakov.blogspot.ca/
• https://github.com/hakirisec/hakiri_toolbelt

.NET

• https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet
• https://msdn.microsoft.com/en-us/library/330a99hc%28v=vs.140%29.aspx

Web Browsers & Extensions

---

• https://cure53.de/browser-security-whitepaper.pdf
• https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf
• https://storage.googleapis.com/google-code-attachments/browsersec/issue-8/comment-8/Google%20Browser%20Security%20Handbook.pdf
• https://blog.chromium.org/2009/12/security-in-depth-extension-system.html
• https://blog.chromium.org/2011/07/writing-extensions-more-securely.html
• https://docs.google.com/document/d/1RamP4-HJ7GAJY3yv2ju2cK50K9GhOsydJN6KIO81das/pub
• https://www.chromium.org/Home/chromium-security/education/security-tips-for-crx-and-apps
• https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Getting_started_with_web-ext
• https://developer.mozilla.org/en-US/docs/Mozilla/Gecko/Script_security
• https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Xray_vision

Native Application

---

• https://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/windows/desktop/ff919712(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx#search_order_for_desktop_applications

Bug Bounty & Responsible Disclosure Programs

---

• https://www.bugcrowd.com/
  • https://forum.bugcrowd.com/t/how-do-you-approach-a-target/293
  • https://forum.bugcrowd.com/t/researcher-resources-tools/167
  • https://forum.bugcrowd.com/t/researcher-resources-bounty-bug-write-ups/1137
  • https://forum.bugcrowd.com/t/researcher-resources-tutorials/370
• https://www.hackerone.com/
• https://firebounty.com/
• https://www.vulnerability-lab.com/list-of-bug-bounty-programs.php
• https://internetbugbounty.org/
• https://leanpub.com/web-hacking-101
• http://jackson.thuraisamy.me/finding-vulnerabilities.html
• https://www.youtube.com/watch?v=1M1EOzulQsw
• https://github.com/disclose/disclose

Oauth2

---

• OAuth 2.0 Threat Model and Security Considerations
• OAuth 2.0 Security Best Current Practice