| Reference | Link |
|---|---|
| General References | |
| Writing Secure Code, 2nd Ed. by Michael Howard and David C. LeBlanc | ISBN: 0735617228 |
| 19 Deadly Sins of Software Security by Michael Howard, David LeBlanc, and John Viega | McGraw-Hill/Osborne Media, ISBN: 0072260858 |
| Perl TAINT | http://aspn.activestate.com/ASPN/CodeDoc/Taint/Taint.html |
| Security Development Lifecycle (SDL) from Microsoft | http://msdn.microsoft.com/security/sdl |
| Windows Data Protection (covers DPAPI) | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp |
| Java Cryptography Extension (JCE) | http://java.sun.com/j2se/1.4.2/docs/guide/security/ |
| Java Authentication and Authorization Service (JAAS) | http://java.sun.com/products/jaas/ |
| ASP.NET Authorization | http://msdn2.microsoft.com/en-us/library/wce3kxhd.aspx |
| Threat Modeling | |
| Threat Modeling by Frank Swiderski and Window Snyder | ISBN: 0735619913 |
| Microsoft's Threat Modeling page | http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx |
| "Threat Modeling Web Applications" on Microsoft.com | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/tmwa.asp |
| "Cheat Sheet: Web Application Security Frame," Microsoft's categorization system for common web application vulnerabilities | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/tmwacheatsheet.asp |
| Risk Quantification | |
| "DREAD is Dead" by Dana Epp | http://silverstr.ufies.org/blog/archives/000875.html |
| Microsoft Security Response Center Security Bulletin Severity Rating System (Revised, November 2002) | http://www.microsoft.com/technet/security/bulletin/rating.mspx |
| "A Complete Guide to the Common Vulnerability Scoring System (CVSS)" | http://www.first.org/cvss/cvss-guide.html |
| Code Review | |
| Writing Secure Code, 2nd Ed. by Michael Howard and David C. LeBlanc | ISBN: 0735617228 |
| "How To: Perform a Security Code Review for Managed Code" by Microsoft | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000027.asp |
| "Security Code Review Guidelines" by Adam Shostack (older, but still good) | http://www.homeport.org/~adam/review.html |
| Apache Struts Framework | http://struts.apache.org/ |
| HTTP Response Splitting | http://www.watchfire.com/securityzone/library/whitepapers.aspx |
| Binary Analysis | |
| Open Reverse Engineering Code | http://www.openrce.org |
| OllyDbg | http://www.ollydbg.de |
| OllyDbg Discussion Forum | http://community.reverse-engineering.net |
| IDA Pro | http://www.datarescue.com |
| Fuzz Testing | |
| SPIKE Fuzzer | http://www.immunitysec.com/resources-freesoftware.shtml |
| Fuzz Testing of Application Reliability at University of Wisconsin Madison | http://www.cs.wisc.edu/~bart/fuzz/fuzz.html |
| "The Advantages of Block-Based Protocol Analysis for Security Testing" by David Aitel | http://www.immunitysec.com/downloads/advantages_of_block_based_analysis.pdf |
| The Shellcoder's Handbook: Discovering and Exploiting Security Holes by Koziol et al. | John Wiley & Sons, ISBN: 0764544683 |
| Exploiting Software: How to Break Code by Hoglund & McGraw | Addison-Wesley, ISBN: 0201786958 |
| How to Break Software Security: Effective Techniques for Security Testing by Whittaker & Thompson | Pearson Education, ISBN: 0321194330 |
| Security Test Tools | |
| Mercury Interactive | http://www.mercury.com/us/products/quality-center/ |
| SPI Dynamics QA Inspect | http://www.spidynamics.com/ |
| Security Development Lifecycle (SDL) | |
| Microsoft's SDL page | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/sdl.asp |
| "Improving Security Across the Software Development Lifecycle," task force report | http://www.itaa.org/software/docs/SDLCPaper.pdf |
| "Security Considerations in the Information System Development Life Cycle" by the National Institute of Standards and Technology | http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf |