Reddit reviews 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

We found 7 Reddit comments about 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. Here are the top ones, ranked by their Reddit score.

24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
McGraw-Hill Osborne Media

7 Reddit comments about 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them:

u/Turtl3Up · 35 points · r/hacking

I'm the manager of application security and research at a mid-level software vendor with over 400 developers and testers and I want to recommend you ignore all of the more generic advice currently in this thread. As someone with coding experience and interest, you have a unique path to infosec that so many companies want, but find it extremely difficult to hire for.

Any company that ships software has to consider the security of their application - full stop. Most rely on scanners or annual third-party vulnerability assessments for this, but obviously that falls short. They need people who can build security in from an architectural standpoint. Someone who can actually implement the fixes suggested by the above methods, and ideally, someone who can help implement security as an integral part of the SDLC instead of as a bolt-on premise.

My recommendation is to make your way through 24 Deadly Sins of Software Security and The Web Application Hacker's Handbook. If you can understand the bulk of concepts in these two books, you'll be leagues ahead of almost any developer you find yourself up against in a hiring scenario. For the coup de grâce, learn about threat modeling. It's a great way to teach other developers and testers security and to build security into any system during design instead of post-release. Check out this book which is actually probably a little too comprehensive, use this card game from Microsoft (it seems silly, but I promise you it works), and watch this talk one of the guys on my team gave at BSides Cincinnati.

If you have any questions, PM me.

u/pipeline_tux · 5 points · r/programming

I'd highly recommend that all programmers read the book 24 Sins of Software Security. It goes over all of this stuff, but in more detail and with examples.

u/_Skeith · 3 points · r/AskNetsec

If you haven't read this already then please do - 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them.

The book covers a wide range of coding errors such as SQL Injection, Web Servers & Clients, URLs, Cookies, Buffer overruns, etc. I'm currently pairing this with the WAHH2 and it is an amazing resource for understanding the underlying code that causes such vulnerabilities.

At the same time OWASP provides great resources for developers. And the Google Gruyere app allows you to actually exploit some HTML and HTTP Vulnerabilities and go through the code, with steps on how to mitigate it.

Hope that helps. Cheers!

u/my_name_is_cooler · 1 point · r/todayilearned

Not sure what everyone uses, but http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751 is a good place to start. Not all internet stuff, but the base ideas of how hacking works.

TL;DR: http://i.imgur.com/zHYn6Zd.jpg

u/PowershellPoet · 1 point · r/cybersecurity

Unfortunately, most of the university programs lag significantly behind industry. I've interviewed candidates with graduate degrees in cybersecurity that were not aware of most modern techniques used to find persistent adversaries. The good thing those programs provide is a broad coverage of information security as a whole.

I saw you mention "finding the vulnerabilities before the bad guys do". Unfortunately, in the real world the code is either unpublished and you're a software security consultant, analyst, or tester, or it is published and you're fixing a hole that the adversary has already discovered. If your interest is in the software security side, I would recommend two books above all others.

The 24 Deadly Sins of Software Security: https://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751?_encoding=UTF8&%2AVersion%2A=1&%2Aentries%2A=0

Writing Secure Code: https://www.amazon.com/Writing-Secure-Code-Strategies-Applications/dp/0735617228/ref=sr_1_1?s=books&ie=UTF8&qid=1499038741&sr=1-1&keywords=writing+secure+code

That said, there is also a lot of work in the systems engineering side of the house - along the lines of credential theft and secure enterprise design. If you think this might be interesting to you, I would recommend reading papers such as these:

Microsoft Pass the Hash Whitepaper: https://www.microsoft.com/en-us/download/details.aspx?id=36036

Think Like a Hacker (shameless plug for my book): https://www.amazon.com/Think-Like-Hacker-Sysadmins-Cybersecurity/dp/0692865217/ref=sr_1_sc_1?ie=UTF8&qid=1499038880&sr=8-1-spell

Cybersecurity is typically broken into various subfields, such as reverse engineering, forensics, threat intelligence, and the like - each with its own set of tools and skills. Ultimately, I would recommend attending a decent hacking conference such as DEFCON, DerbyCon, ShmooCon, or the like to get familiar with the field.