Breaking Into Web Application Security

July 11, 2012


Every month or so I get asked about how to get into information security. Today that question came from a web application developer, so my answer had a slant toward web application security. I quickly put together the resources below. I’d like to build this out so I have a better answer the next time someone asks. If you have any recommended additions, let me know!

Various “getting into” InfoSec Resources
Digininja Project – http://www.digininja.org/projects_general.php
Career Exploit Kit – An interesting approach to a web app sec career that starts with being a web developer – http://www.novainfosecportal.com/2012/04/05/slides-career-exploit-kit-from-appsecdc-presentation
Krebs on Security – A series of interviews asking high-profile security professionals how to break into security – http://krebsonsecurity.com/category/how-to-break-into-security

Attend local chapter meetings of security organizations. Go to a conference. Talk to infosec people!
DEFCON – annual hacker convention in Vegas – https://www.defcon.org
Security BSides – small nonprofit cons held all over – http://www.securitybsides.com
ISSA – local chapters all over – http://www.issa.org
OWASP – local chapters all over – https://www.owasp.org/index.php/OWASP_Chapter

Classes and Certifications
CISSP – the de facto standard of security certifications – https://www.isc2.org/cissp
SANS – excellent, hands-on training and certification programs – http://www.sans.org

My Favorite Web App Sec Books (right now)
The Tangled Web: A Guide to Securing Modern Web Applications – http://goo.gl/t7Jz4
The Web Application Hacker’s Handbook – http://goo.gl/UUfVN
Software Security: Building Security In – http://goo.gl/thvly

Set up a home lab – hack things – fix things

Tools – Web App Vulnerability Scanners
w3af – http://w3af.sourceforge.net
OWASP ZAP – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Burp – http://portswigger.net/burp

Tools – Browser Platform
OWASP Mantra – https://www.owasp.org/index.php/OWASP_Mantra_-_Security_Framework

Tools – Attack Platforms (Linux distros with the tools built in)
BackTrack – http://www.backtrack-linux.org
Samurai WTF – http://samurai.inguardians.com

Tools – Virtual Environments of Vulnerable Web Apps
OWASP Broken Web Apps – https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Security Podcasts
PaulDotCom Security Weekly – http://www.pauldotcom.com
Hak5 – http://revision3.com/hak5
Exotic Liability – http://www.exoticliability.com
