Essential IT Security Resources
- Security, Quality Assurance
Recently, two of my coworkers coincidentally asked me how I kept track of security news and vulnerabilities. As it took me a long time to build a list of useful resources myself, I figured it would be useful to share it with everyone, so here goes!
Databases
ATT&CK
A database of known attack patterns against networks.
Common Attack Pattern Enumeration and Classification (CAPEC)
A database of known attack patterns against applications.
Common Vulnerabilities and Exposures (CVE)
A database of publicly disclosed cybersecurity vulnerabilities and exposures in released software and hardware, and whether a fix or workaround exists if applicable.
Common Weakness Enumeration (CWE)
A database of software weakness types and how to prevent them.
Exploit Database
A database of code snippets and research papers of successful attacks.
Have I Been Pwned?
A database of publicly leaked credentials. It can be used to look up the incidents in which a victim's email address appeared, or to look up how many times a specific password has been leaked.
A notification service is also available for email address and domain name owners, alerting them to newly discovered breaches in which they appear.
Server information lookup
Censys
A search engine for publicly accessible services on the Internet.
DB-IP
A tool that provides geolocation and network intelligence information for a given IP address.
Shodan
A search engine for Internet of Things (IoT) devices, such as security cameras, fridges and boats.
WiGLE
A map of publicly discovered Wi-Fi wireless networks.
Your home wireless network is probably already on it.
News
Ars Technica
A mainstream technology news website offering a security news feed.
Certificate Search
A Certificate Transparency (CT) search engine that can generate news feeds of certificates issued for a specific domain name. Useful to detect rogue certificates issued by trusted certificate authorities (CAs).
US-CERT Alerts
A news feed of cybersecurity alerts issued by the United States of America's Department of Homeland Security.
Vulnerability Notes Database
A publication of advisory and mitigation notes for software vulnerabilities.
References
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
A standard that protects domain names from being used in email forgeries.
Note that if you find this document too technical, you may be interested in my Configuring and Managing SPF, DKIM, and DMARC course on this very topic.
OWASP Secure Headers Project
A description of security-related HTTP response headers, and associated implementation best practices.
OWASP Top 10
A regular publication of the most critical web application security risks.
Tools
FLARE VM
A distribution of various security tools for Windows virtual machines.
Ghidra
An open-source suite of reverse engineering tools maintained by the National Security Agency (NSA).
Kali Linux
A Linux distribution specifically designed for penetration testing, with various tools easily available for such a task. Can also be installed under Windows Subsystem for Linux.
Observatory
A collection of online tools for assessing the security of a given website.
OWASP Zed Attack Proxy (ZAP)
An HTTP proxy server that can sniff and manipulate requests and responses going through it. It can also decrypt HTTPS traffic if its root certificate is set up to be trusted on the client.
Wireshark
A network sniffer and analyzer, supporting hundreds of different protocols.