Web development is hard. Secure web development is harder. Running applications on the internet without security incidents is almost impossible.

A non-exhaustive list of infrastructure services that you rely on for running any website.

The following are references for the talk given at Microsoft Ventures Accelerator on 28th April 2015.

References

General
- An illustrated guide to computer security

Security News
- Hackers temporarily take control of Tesla's website and Twitter

Fundamentals
- DNS Resource Records

Tools
- DNS Recon
  - DNS Recon
  - Using DNS Recon tool
- DirBuster
  - DirBuster
  - Using DirBuster (video)
  - Using DirBuster like a pro
- wfuzz
  - wfuzz
  - wfuzz basics
  - Bruteforcing web applications
  - webslayer, a similar tool
- fuzzdb
  - fuzzdb
  - Using fuzzdb for testing website security
- Web app URLs default list
  - web app urls (pwnwiki)
- cewl
  - cewl - Wordlist generator

Concepts
- Ocean's 11 movie plot
- Trust

OWASP
- OWASP
- OWASP Top 10
  - OWASP Top 10
  - OWASP Mobile Top 10
- OWASP A1 Injection
  - Injection
  - Exploits of a Mom (Bobby Tables)
  - SQL Injection
  - Command Injection
  - XXE
- OWASP A3 Cross Site Scripting
  - XSS
  - Apache
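The OWASP A1 references above (Bobby Tables, SQL injection) shown in working code. This is an added example, not material from the talk or its references: it assumes a constructed in-memory SQLite table called `students` with three sample rows, and the function names `vulnerable_lookup` and `safe_lookup` are hypothetical. The vulnerable version splices the user-supplied name into the SQL string; the hardened version passes it as a bound parameter, so the database driver never parses the input as SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite table of students."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO students (name) VALUES (?)",
        [("Alice",), ("Bob",), ("Robert",)],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    """OWASP A1: user input is concatenated into the query text.

    Anything the user types becomes part of the SQL grammar, so a
    single quote lets them change the WHERE clause.
    """
    query = f"SELECT name FROM students WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    query = "SELECT name FROM students WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


# Two classic payloads (constructed for the demonstration).
# Closes the string literal and appends an always-true condition:
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
# Closes the string literal and comments out the rest of the statement:
PAYLOAD_COMMENT = "Robert' --"


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "Alice"))            # ['Alice']
    print(vulnerable_lookup(db, PAYLOAD_TAUTOLOGY))  # every row in the table
    print(vulnerable_lookup(db, PAYLOAD_COMMENT))    # ['Robert'], ORDER BY dropped
    print(safe_lookup(db, PAYLOAD_TAUTOLOGY))        # [] - treated as a literal name
    print(safe_lookup(db, PAYLOAD_COMMENT))          # []
```

The full Bobby Tables payload (`Robert'); DROP TABLE students;--`) additionally relies on the driver executing stacked statements; `sqlite3.Connection.execute` refuses more than one statement per call, so against this particular driver the tautology and comment payloads are the ones that actually work, and they are enough to read the whole table. The fix is the same in every case: parameterise, do not escape.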
Consider this a very basic step-by-step guide to getting started with an application security practice for your organisation. We begin by choosing an overall framework, the Microsoft SDL, which is widely regarded as the gold standard for building applications in enterprises. Once the overall framework is defined, we can look at web- and mobile-application-specific resources for guidance and for benchmarking against.

STEP 1 - Get introduced to the Microsoft Security Development Lifecycle
- Read the Microsoft SDL getting started documents
- Download the Microsoft SDL Optimization Model
- Start by reading the SDL Optimization Model - Introduction