Awesome AppSec – The Ultimate Resource Collection For Application Security

The Ultimate Resource Collection for Application Security,’ your premier curated list for delving into the world of application security.

Compiled by Paragon Initiative Enterprises with invaluable contributions from both the application security and developer communities, this guide is your gateway to a wealth of knowledge.

From beginners to seasoned professionals, explore essential books, insightful articles, practical tools, and more to secure your applications against ever-evolving threats.

Awesome AppSec 

A curated list of resources for learning about application security. Contains books, websites, blog posts, and self-assessment quizzes.

Maintained by Paragon Initiative Enterprises with contributions from the application security and developer communities. We also have other community projects which might be useful for tomorrow’s application security experts.

If you are an absolute beginner to the topic of software security, you may benefit from reading A Gentle Introduction to Application Security.

Contributing

Please refer to the contributing guide for details.

Application Security Learning Resources

• General
  • Articles
    • How to Safely Generate a Random Number (2014)
    • Salted Password Hashing – Doing it Right (2014)
    • A good idea with bad usage: /dev/urandom (2014)
    • Why Invest in Application Security? (2015)
    • Be wary of one-time pads and other crypto unicorns (2015)
  • Books
    • Web Application Hacker’s Handbook (2011) 
    • Cryptography Engineering (2010) 
    • Securing DevOps (2018) 
    • Gray Hat Python: Programming for Hackers and Reverse Engineers (2009) 
    • The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (2006) 
    • C Interfaces and Implementations: Techniques for Creating Reusable Software (1996) 
    • Reversing: Secrets of Reverse Engineering (2005) 
    • JavaScript: The Good parts (2008) 
    • Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition (2007) 
    • The Mac Hacker’s Handbook (2009) 
    • The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler (2008) 
    • Internetworking with TCP/IP Vol. II: ANSI C Version: Design, Implementation, and Internals (3rd Edition) (1998) 
    • Network Algorithmics,: An Interdisciplinary Approach to Designing Fast Networked Devices (2004) 
    • Computation Structures (MIT Electrical Engineering and Computer Science) (1989) 
    • Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection (2009) 
    • Secure Programming HOWTO (2015)
    • Security Engineering – Second Edition (2008)
    • Bulletproof SSL and TLS (2014) 
    • Holistic Info-Sec for Web Developers (Fascicle 0) (2016)
    • Holistic Info-Sec for Web Developers (Fascicle 1)
  • Classes
    • Offensive Computer Security (CIS 4930) FSU
    • Hack Night
  • Websites
    • Hack This Site!
    • Enigma Group
    • Web App Sec Quiz
    • SecurePasswords.info
    • Security News Feeds Cheat-Sheet
    • Open Security Training
    • MicroCorruption
    • The Matasano Crypto Challenges
    • PentesterLab
    • Juice Shop
    • Supercar Showdown
    • OWASP NodeGoat
    • Securing The Stack
    • OWASP ServerlessGoat
    • Blogs
      • Crypto Fails
      • NCC Group – Blog
      • Scott Helme
      • Cossack Labs blog (2018)
    • Wiki pages
      • OWASP Top Ten Project
    • Tools
      • Qualys SSL Labs
      • securityheaders.io
      • report-uri.io
      • clickjacker.io
• AWS Lambda
  • Tools
    • PureSec FunctionShield
• Android
  • Books and ebooks
    • SEI CERT Android Secure Coding Standard (2015)
• C
  • Books and ebooks
    • SEI CERT C Coding Standard (2006)
    • Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team (2022)
• C++
  • Books and ebooks
    • SEI CERT C++ Coding Standard (2006)
• C Sharp
  • Books and ebooks
    • Security Driven .NET (2015) 
• Clojure
  • Repositories
    • Clojure OWASP (2020)
• Go
  • Articles
    • Memory Security in Go – spacetime.dev (2017)
• Java
  • Books and ebooks
    • SEI CERT Java Coding Standard (2007)
    • Secure Coding Guidelines for Java SE (2014)
• Node.js
  • Articles
    • Node.js Security Checklist – Rising Stack Blog (2015)
    • Awesome Electron.js hacking & pentesting resources (2020)
  • Books and ebooks
    • Essential Node.js Security (2017) 
  • Training
    • Security Training by ^Lift Security 
    • Security Training from BinaryMist 
• PHP
  • Articles
    • It’s All About Time (2014)
    • Secure Authentication in PHP with Long-Term Persistence (2015)
    • 20 Point List For Preventing Cross-Site Scripting In PHP (2013)
    • 25 PHP Security Best Practices For Sys Admins (2011)
    • PHP data encryption primer (2014)
    • Preventing SQL Injection in PHP Applications – the Easy and Definitive Guide (2014)
    • You Wouldn’t Base64 a Password – Cryptography Decoded (2015)
    • A Guide to Secure Data Encryption in PHP Applications (2015)
    • The 2018 Guide to Building Secure PHP Software (2017)
  • Books and ebooks
    • Securing PHP: Core Concepts 
    • Using Libsodium in PHP Projects
  • Useful libraries
    • defuse/php-encryption
    • ircmaxell/password_compat
    • ircmaxell/RandomLib
    • thephpleague/oauth2-server
    • paragonie/random_compat
    • psecio/gatekeeper
    • openwall/phpass
  • Websites
    • websec.io
    • Blogs
      • Paragon Initiative Enterprises Blog
      • ircmaxell’s blog
      • Pádraic Brady’s Blog
    • Mailing lists
      • Securing PHP Weekly
• Perl
  • Books and ebooks
    • SEI CERT Perl Coding Standard (2011)
• Python
  • Books and ebooks
    • Python chapter of Fedora Defensive Coding Guide
    • Black Hat Python: Python Programming for Hackers and Pentesters 
    • Violent Python 
  • Websites
    • OWASP Python Security Wiki (2014)
• Ruby
  • Books and ebooks
    • Secure Ruby Development Guide (2014)

For more information click here