paragonie / awesome-appsec Goto Github PK

View Code? Open in Web Editor NEW

6.1K 314.0 726.0 193 KB

A curated list of resources for learning about application security

Home Page: https://paragonie.com/projects

License: MIT License

PHP 100.00%

security-experts reading-list curated application-security security owasp

awesome-appsec's People

Contributors

Stargazers

Watchers

Forkers

grue magnologan lborguetti ad3n conqs kkcorps malisetti lyrl twocngdagz thisisnotofficialcodeitsjustforks shalomabitan ksmaheshkumar sohaeb nootropics th3n3rd kindlyops david-a-wheeler basicsbeauty suchitpuri brianjking demolaakinyoade snehesht qhnetspirit tolry ingben iokto repson sh4d0ws4int bhargavz faltay kworm2407 joni2back agilemobiledev krasnyanskiy stevetompson0 mubassirhayat johnjohnsp1 geek-li pramoth brandonberne rkornmeyer tdoh austinvernsonger marcosginel solidstorm orsiit974 theviajero anmolview mehdimabrouk alaasalman kontez enascimento tuxlu bavragor moraesmv surpass f00bar10 thehackcave pombredanne reality9 akustolin cloudxtreme choullanaresh caesar010 romydj zarth zhaiyuyong wflk mariangibala dmreiland ruadmjn taidou meprofile angry7panda 19anand90 iruwl srve4 nullkaos kany0r0 number0 trashsydowdev numberwhun code4days baiyinnamula pathcl seanmcn lubuntufu jaredthecoder gowth4m kipyegonmark rgksugan yodamaster modulexcite 24775714 0x13337 kiramishima extremecoders-re lethaldoze secforks nosun

awesome-appsec's Issues

Python Reading List?

Are there any recommended Python books, articles, blogs, etc.?

Conferences

Have you thought about adding an appsec conferences section?

[README.md/compiler.php] name field (containing " - ") isn't handled correctly

JSON:

data/00-general/articles/0002-hashing-security.json
data/00-general/books/0018-security-engineering.json
data/00-general/websites/00-blogs/0002-nccgroup.json
data/00-general/websites/02-tools/0003-report-uri.json
data/Go/articles/0001-cryptolosophy-memory-security.json
data/Node.js/articles/0001-risingstack-checklist.json

Examples: NOK(broken link)

JSON:

data/00-general/articles/0005-crypto-unicorns.json
data/00-general/websites/0005-news-feeds.json
data/00-general/books/0020-holistic-info-sec-for-web-developers-f0.json
data/00-general/books/0021-holistic-info-sec-for-web-developers-f1.json

Examples: OK

Workaround: Add this snippet or similar task between lines 237/238 (suggestion).
src/Util.php

        if (\array_key_exists('name', $fd)) {
          if (isset($fd['name'])) {
            $fd['name'] = preg_replace('/\-/', ' ', $fd['name']);
        }

Broken link in README.md

https://github.com/paragonie/awesome-appsec#salted-password-hashing-doing-it-right-2014
https://github.com/paragonie/awesome-appsec#salted-password-hashing---doing-it-right-2014

Let me know if you are accepting PRs?

Officially maintained OWASP ZAP Node API

Is there a place for this on awesome-appsec?

This API has been unmaintained for several years, I'm the new owner and keeping it maintained now

Interested in a PR?

Chargen has moved

Note to myself for later: Chargen has moved, now it's the NCC Group blog. I should remember to update this tonight.

Is this list still maintained?

Just wondering if this list is still maintained, or if not could i help maintain it?

Non-Free List Items

Since not everything on the list is free, I'm thinking about making the compiler mark the non-free ones.

For example:

{
    "date": "2010-01-23",
    "free": false,
    "name": "....",
    "remark": "Read this and you can avoid the rest of this list forever!",
    "url": "http://omfgdogs.com"
}

And have it indicate non-free in the markdown somehow. (An image would probably be best!)

Add SEI CERT C & C++ Coding Standard Books

https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-c-coding-standard-2016-v01.pdf

https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-cpp-coding-standard-2016-v01.pdf

Add awesome-cryptography

A curated list of cryptography resources and links.
https://github.com/sobolevn/awesome-cryptography

Securepasswords.info

Secure passwords in several languages/frameworks, I think this might be useful to some people.

Maybe there's a place for it here somewhere!

https://securepasswords.info/

Validate pull requests with Travis

Hello, I wrote a tool that can validate README links (valid URLs, not duplicate). It can be run when someone submits a pull request.

It is currently being used by

Examples

https://travis-ci.org/matteocrippa/awesome-swift/builds/96526196 ok ✅
https://travis-ci.org/matteocrippa/awesome-swift/builds/96722421 link redirected / rename 🔴
https://travis-ci.org/dkhamsing/open-source-ios-apps/builds/96763135 bad link / project deleted 🔴
https://travis-ci.org/dkhamsing/open-source-ios-apps/builds/95754715 dupe 🔴

If you are interested, connect this repo to https://travis-ci.org/ and add a .travis.yml file to the project.

See https://github.com/dkhamsing/awesome_bot for options, more information
Feel free to leave a comment 😄

Random number generation

I think https://github.com/ircmaxell/RandomLib library serves the needs than using urandom.

README: Offensive Computer Security (CIS 4930) FSU link is broken

{
"date": "2023-01-1",
"free": true,
"name": "Angela",
"remark": "Received a 404 error on the CIS 4930 link.",
"url": "https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/"
}

CERT Coding Standard

CERT C Coding Standard: https://www.securecoding.cert.org/confluence/display/c/CERT+C+Coding+Standard

CERT C++ Coding Standard: https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637

Android, Java, Perl: https://www.securecoding.cert.org/confluence/spacedirectory/view.action

More Security Resources for Developers?

Although, historically, we've maintained an open inquiry for reading material suggestions in other languages, creating an issue for each and every language isn't feasible. For general purpose application security material suggestions, please feel free to leave a comment here or open a pull request.

Node.js Reading List?

Are there any great articles, books, blogs, etc. for writing secure Node.js software? If so, let us know and we'll add them to the list.

[data/C/books-and-ebooks/0002-fedora-defensive-coding.json] date field isn't applied from the JSON file to the README.md

After running src/compiler.php the date is ignored:

$ grep -r date data/C/books-and-ebooks/0002-fedora-defensive-coding.json 
    "date": "2012",

README.md:

-      * [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](#defensive-coding-a-guide-to-improving-software-security-by-the-fedora-security-team-2018) (2018)
+      * [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](#defensive-coding-a-guide-to-improving-software-security-by-the-fedora-security-team-2019) (2019)

src/Util.php:

        if (!empty($fd['date'])) {
            $dt = new \DateTime($fd['date']);
            $header .= ' ('.$dt->format('Y').')';
        }

DateTime:

Instead of just using the year, it seems working when date matches the pattern "YYYY-MM"

https://github.com/paragonie/awesome-appsec/blob/master/data/C/books-and-ebooks/0002-fedora-defensive-coding.json#L2

Notes:

OK: Four digit year and month (GNU) YY "-" mm "2008-6", "2008-06", "1978-12"
NOK: Year (and just the year) YY "1978", "2008"
https://www.php.net/manual/pt_BR/datetime.construct.php#123882
https://www.php.net/manual/pt_BR/datetime.construct.php#119591
https://www.php.net/manual/en/datetime.formats.date.php)

Enhancement:

Include optional fields and examples.

Golang Readling List?

.NET Reading List?

Add ModSecurity WAF

ModSecurity is a pretty decent open-source WAF that can be placed in front of applications. Can this be added to this repo? https://modsecurity.org/

Also OWASP updated its cheatsheet series and placed them on Github, these are a good resource as well: https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets

***Can I make a pull request that adds 1 or both of these to the repo?