Some of the oldest known application security issues continue to affect projects today. Being aware of these issues, as well as techniques for exploiting and mitigating them, will aid in your testing efforts and help you to avoid vulnerabilities in your own code. The resources below should help you learn more about common security issues, and how to prevent these issues from surfacing in new products/product features.
Some links and sections have ⭐s next to them to denote what I consider to be essential knowledge for understanding application security.
- OWASP Top 10
- Security guides and overviews
- AppSec topics
- AppSec presentations
- Interesting case studies
- Test your skills
- Stay up to date
- Useful references
The OWASP Top 10 is a list of common vulnerabilities, as assessed by OWASP, the Open Web Application Security Project. It is re-evaluated periodically based on the findings that they see in the wild. OWASP's wiki has some very helpful articles about testing for and fixing many common security issues.
Understanding the basics of each of these is essential to any security engineer.
The top 10 issues for 2013 are:
- Injection (such as SQL or LDAP injection)
- Broken authentication and session management
- Cross-site scripting
- Insecure direct object references
- Security misconfiguration
- Sensitive data exposure
- Missing function level access control
- Cross-site request forgery
- Using components with known vulnerabilities
- Unvalidated redirects and forwards
- Cross Site Scripting Prevention Cheat Sheet - Describes methods for detecting and preventing Cross-site scripting in webapps.
- SQL Injection Prevention Cheat Sheet - Describes methods for detecting and preventing SQL injection in webapps.
- HTML5 Security Cheat Sheet - Security considerations for HTML5 apps
- REST Security Cheat Sheet - Security considerations for REST APIs
- Google Application Security - Cross-Site Scripting - Guide explaining how to test for and prevent XSS, from Google
- The Basics of Web Application Security - Blog post describing some of the more common issues in web application security (e.g. XSS, SQL injection...)
- 2016 Guide to User Data Security - This is an in-depth guide to setting up cloud-based apps in a secure way. It covers how to securely configure cloud services/users/etc., set up infrastructure, and avoid introducing vulnerabilities through programming errors, at a high level.
- Security Guide for Developers - A work-in-progress project to document security best practices for a developer audience. Includes a very handy security checklist for secure applications.
- Introduction to Microsoft Secure Development Lifecycle - A great introductory slideshow describing Microsoft's method of doing secure software development. We borrow heavily from this model on the Rackspace Security Engineering team, conducting threat modeling sessions with all new products to understand the system-level interactions and the "trust boundaries" that exist between systems, for example.
- ⭐ Ten Immutable Laws of Security - High-level security principles to keep in mind.
- Password Hashing: Why and How - This is a high-level overview of how and why to use well-tested approaches to password storage. More of a philosophical than technical talk. Read this one, then the one below.
- How to Safely Store Your Users' Passwords in 2016 - Solid implementation of current best-practice password hashing in several languages. Very specific (i.e. mostly "how", not much "why").
- Choosing Secure Passwords - Guide on how to think about choosing secure passwords from Bruce Schneier.
- HowTo: Privacy & Security Conscious Browsing - Tips for how to safely configure your browser to avoid unnecessary exposure to security issues.
- A Week with a Rails Security Strategy - A short guide to creating a daily practice of maintaining your application security posture.
- Secure Secure Shell - A guide to tightening security in OpenSSH
- ⭐ The Cryptographic Doom Principle - A short must-read for anyone implementing or auditing crypto systems
- crypto101.io - Overview of the building blocks of cryptography - cryptographic hash/MAC algorithms, popular ciphers, SSL/TLS, and much more.
- The First Few Milliseconds of an HTTPS Connection - In-depth details about how TLS works as a protocol
- (ADVANCED) Giant bags of mostly water - This presentation hits on a lot of high-level changes that security organizations need to invest in to make user-error less likely in their organizations. More of a philosophical presentation than a technical one.
- DEFCON 24 Presentations (2016)
- DEFCON 23 Presentations (2015)
- DEFCON 22 Presentations (2014)
- (XSS) OX (Guard): Stored Cross-Site Scripting via Email Attachment - An interesting XSS and CSP bypass vulnerability in an encrypted email service.
- (XSS) AddToAny Share Buttons WordPress Plugin DOM-Based XSS - A walk-through (by yours truly) about tracing down a DOM-based cross-site scripting issue in a WordPress plugin.
- (CRLF) blog.trello.com CRLF Injection - Example of header injection by adding a CRLF to the `Location` header
- (SSRF) Blind SSRF on synthetics.newrelic.com - This shows how server-side request forgery can be used to retrieve e.g. AWS instance metadata
- (AuthN/AuthZ) How to steal $2,999.99 in less than 2 minutes with Venmo and Siri - An example of a vulnerability resulting from several features interacting in ways that were never intended (or known), because they were in components made by two different companies (Apple's iOS and Venmo, a money-charging service that uses SMS)
- (Sessions/Crypto) Anatomy of a Crypto Vulnerability - A walk-through describing cryptographic weaknesses in a Python session-management framework.
- (Sessions/Crypto/Mobile/IDOR/AuthN) The Bank Job - A walk-through of multiple security issues in a bank's online banking services, including insecure SSL/TLS, insecure session management, and insecure direct object reference.
- (Crypto) A Tale of Lost Entropy - A walk-through (by yours truly) discussing a weak Node.js cryptography implementation
- (XSS) Google XSS Game - An introduction to finding XSS vulnerabilities
- (XSS) Escape - Much more in-depth examples than above, organized like a game where the objective is finding the shortest "exploit" that pops up an alert box
- (ALL) Hack This Site - Site with all kinds of "wargames" for testing your hacking skills, and tutorials about security concepts
- (ALL) Over The Wire Wargames - Very in-depth "wargames" for learning different aspects of security and testing your skills
- (ALL) OWASP WebGoat - This is a Java/.NET web app that has been deliberately implemented with multiple security vulnerabilities. Can you find/patch them all?
- (SQLi) CodeBashing SQL Injection Demo
- (PROGRAMMING) Stockfighter.io - Programming challenges related to security and stock trading.
- /r/netsec - Subreddit with news relevant to network security, application security, etc.
- Hacker News - News relevant to startups, technology, programming, and sometimes security
- Sustainable Application Security - Blog covering the intersection of security and ops/devops.
- OSS-Sec - Open-source Software Security list with vulnerability announcements, CVE requests, and new research (more popular than Full Disclosure these days)
- Full Disclosure - Vulnerability announcements, CVE requests, new research
- Websec Weekly - Roundup of interesting vulnerability reports from HackerOne and popular discussions on /r/netsec
- Apple Product Security - Apple's list for announcing security vulnerabilities/updates
- Troy Hunt's ultimate list of security links - List of relevant security links from a well-known security researcher at Microsoft.
- j.haddix's Pentesting bookmarks - Lengthy list of bookmarks in various application security categories. No descriptions on the individual links 😣
Free
- Cyber Security Base - A course created by F-Secure and the University of Helsinki to teach security skills.
- Hacksplaining - An immersive walk-through of numerous security issues, with animations and examples.
Paid
- Coursera Cybersecurity Course - If you find that cybersecurity is interesting to you, Coursera offers a certificate program that covers several broad topics in cybersecurity like software security, hardware security, and cryptography.
- CodeBashing - Application security training for teams / businesses
- The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto
- The Tangled Web by Michal Zalewski
- List of naughty strings - A list of strings that can cause various issues - unicode decode errors, spam/profanity filter triggers, XSS, memory exhaustion, etc.