This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Testing Guide Appendix B: Suggested Reading

From OWASP

Revision as of 10:08, 14 May 2014 by Jane O'Connor (talk | contribs) (Final edit)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

This article is part of the new OWASP Testing Guide v4.

Back to the OWASP Testing Guide v4 ToC:
   https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Back to the OWASP Testing Guide Project:
   https://www.owasp.org/index.php/OWASP_Testing_Project

1 Whitepapers
2 Books
3 Useful Websites
4 Videos
5 Deliberately Insecure Web Applications

Whitepapers

The Economic Impacts of Inadequate Infrastructure for Software Testing - http://www.nist.gov/director/planning/upload/report02-3.pdf

Improving Web Application Security: Threats and Countermeasures- http://msdn.microsoft.com/en-us/library/ff649874.aspx

NIST Publications - http://csrc.nist.gov/publications/PubsSPs.html

The Open Web Application Security Project (OWASP) Guide Project - https://www.owasp.org/index.php/Category:OWASP_Guide_Project

Security Considerations in the System Development Life Cycle (NIST) - http://www.nist.gov/customcf/get_pdf.cfm?pub_id=890097

The Security of Applications: Not All Are Created Equal - http://www.securitymanagement.com/archive/library/atstake_tech0502.pdf

Software Assurance: An Overview of Current Practices - http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf

Software Security Testing: Software Assurance Pocket guide Series: Development, Volume III - https://buildsecurityin.us-cert.gov/swa/downloads/SoftwareSecurityTesting_PocketGuide_1%200_05182012_PostOnline.pdf

Use Cases: Just the FAQs and Answers – http://www.ibm.com/developerworks/rational/library/content/RationalEdge/jan03/UseCaseFAQS_TheRationalEdge_Jan2003.pdf

Books

The Art of Software Security Testing: Identifying Software Security Flaws, by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, Elfriede Dustin, published by Addison-Wesley, ISBN 0321304861 (2006)

Building Secure Software: How to Avoid Security Problems the Right Way, by Gary McGraw and John Viega, published by Addison-Wesley Pub Co, ISBN 020172152X (2002) - http://www.buildingsecuresoftware.com

The Ethical Hack: A Framework for Business Value Penetration Testing, By James S. Tiller, Auerbach Publications, ISBN 084931609X (2005)

+ Online version available at: http://books.google.com/books?id=fwASXKXOolEC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false

Exploiting Software: How to Break Code, by Gary McGraw and Greg Hoglund, published by Addison-Wesley Pub Co, ISBN 0201786958 (2004) -http://www.exploitingsoftware.com

The Hacker's Handbook: The Strategy behind Breaking into and Defending Networks, By Susan Young, Dave Aitel, Auerbach Publications, ISBN: 0849308887 (2005)

+ Online version available at: http://books.google.com/books?id=AO2fsAPVC34C&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false

Hacking Exposed: Web Applications 3, by Joel Scambray, Vinvent Liu, Caleb Sima, published by McGraw-Hill Osborne Media, ISBN 007222438X (2010) - http://www.webhackingexposed.com/

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition - published by Dafydd Stuttard, Marcus Pinto, ISBN 9781118026472 (2011)

How to Break Software Security, by James Whittaker, Herbert H. Thompson, published by Addison Wesley, ISBN 0321194330 (2003)

How to Break Software: Functional and Security Testing of Web Applications and Web Services, by Make Andrews, James A. Whittaker, published by Pearson Education Inc., ISBN 0321369440 (2006)

Innocent Code: A Security Wake-Up Call for Web Programmers, by Sverre Huseby, published by John Wiley & Sons, ISBN 0470857447(2004) - http://innocentcode.thathost.com

+ Online version available at: http://books.google.com/books?id=RjVjgPQsKogC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false

Mastering the Requirements Process, by Suzanne Robertson and James Robertson, published by Addison-Wesley Professional, ISBN 0201360462

+ Online version available at: http://books.google.com/books?id=SN4WegDHVCcC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false

Secure Coding: Principles and Practices, by Mark Graff and Kenneth R. Van Wyk, published by O’Reilly, ISBN 0596002424 (2003) - http://www.securecoding.org

Secure Programming for Linux and Unix HOWTO, David Wheeler (2004) http://www.dwheeler.com/secure-programs
+ Online version: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html

Securing Java, by Gary McGraw, Edward W. Felten, published by Wiley, ISBN 047131952X (1999) - http://www.securingjava.com

Software Security: Building Security In, by Gary McGraw, published by Addison-Wesley Professional, ISBN 0321356705 (2006)

Software Testing In The Real World (Acm Press Books) by Edward Kit, published by Addison-Wesley Professional, ISBN 0201877562 (1995)

Software Testing Techniques, 2nd Edition, By Boris Beizer, International Thomson Computer Press, ISBN 0442206720 (1990)

The Tangled Web: A Guide to Securing Modern Web Applications, by Michael Zalewski, published by No Starch Press Inc., ISBN 047131952X (2011)

The Unified Modeling Language – A User Guide – by Grady Booch, James Rumbaugh, Ivar Jacobson, published by Addison-Wesley Professional, ISBN 0321267974 (2005)

The Unified Modeling Language User Guide, by Grady Booch, James Rumbaugh, Ivar Jacobson, Ivar published by Addison-Wesley Professional, ISBN 0-201-57168-4 (1998)

Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast, by Paco Hope, Ben Walther, published by O’Reilly, ISBN 0596514832 (2008)

Writing Secure Code, by Mike Howard and David LeBlanc, published by Microsoft Press, ISBN 0735617228 (2004) http://www.microsoft.com/learning/en/us/book.aspx?ID=5957&locale=en-us

Useful Websites

Build Security In - https://buildsecurityin.us-cert.gov/bsi/home.html

Build Security In – Security-Specific Bibliography - https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/measurement/1070-BSI.html

CERT Secure Coding - http://www.cert.org/secure-coding/

CERT Secure Coding Standards- https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards

Exploit and Vulnerability Databases - https://buildsecurityin.us-cert.gov/swa/database.html

Google Code University – Web Security - http://code.google.com/edu/security/index.html

McAfee Foundstone Publications - http://www.mcafee.com/apps/view-all/publications.aspx?tf=foundstone&sz=10

McAfee – Resources Library - http://www.mcafee.com/apps/resource-library-search.aspx?region=us

McAfee Free Tools - http://www.mcafee.com/us/downloads/free-tools/index.aspx

OASIS Web Application Security (WAS) TC — http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was

Open Source Software Testing Tools - http://www.opensourcetesting.org/security.php
OWASP Security Blitz - https://www.owasp.org/index.php/OWASP_Security_Blitz

OWASP Phoenix/Tool - https://www.owasp.org/index.php/Phoenix/Tools
SANS Internet Storm Center (ISC) - https://www.isc.sans.edu

The Open Web Application Application Security Project (OWASP) — http://www.owasp.org

Pentestmonkey - Pen Testing Cheat Sheets - http://pentestmonkey.net/cheat-sheet

Secure Coding Guidelines for the .NET Framework 4.5 - http://msdn.microsoft.com/en-us/library/8a3x2b7f.aspx

Security in the Java platform - http://docs.oracle.com/javase/6/docs/technotes/guides/security/overview/jsoverview.html

System Administration, Networking, and Security Institute (SANS) - http://www.sans.org

Technical INFO – Making Sense of Security - http://www.technicalinfo.net/index.html

Web Application Security Consortium - http://www.webappsec.org/projects/

Web Application Security Scanner List - http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List

Web Security – Articles - http://www.acunetix.com/websitesecurity/articles/

Videos

OWASP Appsec Tutorial Series - https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series

SecurityTube - http://www.securitytube.net/

Videos by Imperva - http://www.imperva.com/resources/videos.asp

Deliberately Insecure Web Applications

OWASP Vulnerable Web Applications Directory Project - https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Main

BadStore - http://www.badstore.net/

Damn Vulnerable Web App - http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/

Hacme Series from McAfee:

+ Hacme Travel - http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx

+ Hacme Bank - http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx

+ Hacme Shipping - http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx

+ Hacme Casino - http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx

+ Hacme Books - http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx

Moth - http://www.bonsai-sec.com/en/research/moth.php

Mutillidae - http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/

Vicnum - http://vicnum.sourceforge.net/ and http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project

WebGoat - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

WebMaven (better known as Buggy Bank) - http://www.mavensecurity.com/WebMaven.php

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_B:_Suggested_Reading&oldid=175018"