This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Testing Guide Appendix B: Suggested Reading"

From OWASP
Jump to: navigation, search
(Whitepapers)
 
(39 intermediate revisions by 7 users not shown)
Line 1: Line 1:
{{Template:OWASP Testing Guide v3}}
+
{{Template:OWASP Testing Guide v4}}
  
 
==Whitepapers==
 
==Whitepapers==
  
* ''Security in the SDLC (NIST)'' - http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf
+
* The Economic Impacts of Inadequate Infrastructure for Software Testing - http://www.nist.gov/director/planning/upload/report02-3.pdf
  
* ''[[:Category:OWASP_Guide_Project|The OWASP Guide to Building Secure Web Applications]]'' - http://www.owasp.org/index.php/Category:OWASP_Guide_Project
+
* Improving Web Application Security: Threats and Countermeasures- http://msdn.microsoft.com/en-us/library/ff649874.aspx
  
* ''The Economic Impacts of Inadequate Infrastructure for Software Testing'' - http://www.nist.gov/director/prog-ofc/report02-3.pdf
+
* NIST Publications - http://csrc.nist.gov/publications/PubsSPs.html
  
* ''Threats and Countermeasures: Improving Web Application Security'' - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/threatcounter.asp
+
* The Open Web Application Security Project (OWASP) Guide Project - https://www.owasp.org/index.php/Category:OWASP_Guide_Project
  
* ''Web Application Security is Not an Oxy-Moron, by Mark Curphey'' - http://www.sbq.com/sbq/app_security/index.html
+
* Security Considerations in the System Development Life Cycle (NIST) - http://www.nist.gov/customcf/get_pdf.cfm?pub_id=890097
 +
 
 +
* The Security of Applications: Not All Are Created Equal - http://www.securitymanagement.com/archive/library/atstake_tech0502.pdf
 +
 
 +
* Software Assurance: An Overview of Current Practices - http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf
  
* ''The Security of Applications: Not All Are Created Equal'' - http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf
+
* Software Security Testing: Software Assurance Pocket guide Series: Development, Volume III - https://buildsecurityin.us-cert.gov/swa/downloads/SoftwareSecurityTesting_PocketGuide_1%200_05182012_PostOnline.pdf
  
 +
* Use Cases: Just the FAQs and Answers – http://www.ibm.com/developerworks/rational/library/content/RationalEdge/jan03/UseCaseFAQS_TheRationalEdge_Jan2003.pdf
 +
[[Category:FIXME|broken link
 +
* ''Web Application Security is Not an Oxy-Moron, by Mark Curphey'' - http://www.sbq.com/sbq/app_security/index.html
 
* ''The Security of Applications Reloaded'' - http://www.atstake.com/research/reports/acrobat/atstake_app_reloaded.pdf
 
* ''The Security of Applications Reloaded'' - http://www.atstake.com/research/reports/acrobat/atstake_app_reloaded.pdf
 +
]]
  
* ''Use Cases: Just the FAQs and Answers'' - http://www-106.ibm.com/developerworks/rational/library/content/RationalEdge/jan03/UseCaseFAQS_TheRationalEdge_Jan2003.pdf
 
  
 
==Books==
 
==Books==
  
* James S. Tiller: "The Ethical Hack: A Framework for Business Value Penetration Testing", Auerbach, ISBN: 084931609X
+
* The Art of Software Security Testing: Identifying Software Security Flaws, by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, Elfriede Dustin, published by Addison-Wesley, ISBN 0321304861 (2006) 
 +
 
 +
* Building Secure Software: How to Avoid Security Problems the Right Way, by Gary McGraw and John Viega, published by Addison-Wesley Pub Co, ISBN 020172152X (2002) - http://www.buildingsecuresoftware.com
 +
 
 +
* The Ethical Hack: A Framework for Business Value Penetration Testing, By James S. Tiller, Auerbach Publications, ISBN 084931609X (2005)
 +
 
 +
*+ Online version available at: http://books.google.com/books?id=fwASXKXOolEC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
 +
 
 +
* Exploiting Software: How to Break Code, by Gary McGraw and Greg Hoglund, published by Addison-Wesley Pub Co, ISBN 0201786958 (2004) -http://www.exploitingsoftware.com
 +
 
 +
* The Hacker's Handbook: The Strategy behind Breaking into and Defending Networks, By Susan Young, Dave Aitel, Auerbach Publications, ISBN: 0849308887 (2005)
 +
 
 +
*+ Online version available at: http://books.google.com/books?id=AO2fsAPVC34C&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
 +
 
 +
* Hacking Exposed: Web Applications 3, by Joel Scambray, Vinvent Liu, Caleb Sima, published by McGraw-Hill Osborne Media, ISBN 007222438X (2010) - http://www.webhackingexposed.com/
 +
 
 +
* The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition - published by Dafydd Stuttard, Marcus Pinto, ISBN  9781118026472 (2011)
 +
 
 +
* How to Break Software Security, by James Whittaker, Herbert H. Thompson, published by Addison Wesley, ISBN 0321194330 (2003) 
 +
 
 +
* How to Break Software: Functional and Security Testing of Web Applications and Web Services, by Make Andrews, James A. Whittaker, published by Pearson Education Inc., ISBN 0321369440 (2006) 
 +
 
 +
* Innocent Code: A Security Wake-Up Call for Web Programmers, by Sverre Huseby, published by John Wiley & Sons, ISBN 0470857447(2004) - http://innocentcode.thathost.com
 +
 
 +
*+ Online version available at: http://books.google.com/books?id=RjVjgPQsKogC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
 +
 
 +
* Mastering the Requirements Process, by Suzanne Robertson and James Robertson, published by Addison-Wesley Professional, ISBN 0201360462 
  
* Susan Young, Dave Aitel: "The Hacker's Handbook: The Strategy behind Breaking into and Defending Networks", Auerbach, ISBN: 0849308887
+
*+ Online version available at: http://books.google.com/books?id=SN4WegDHVCcC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
  
* ''Secure Coding,'' by Mark Graff and Ken Van Wyk, published by O’Reilly, ISBN 0596002424''(2003)'' - http://www.securecoding.org
+
* Secure Coding: Principles and Practices, by Mark Graff and Kenneth R. Van Wyk, published by O’Reilly, ISBN 0596002424 (2003) - http://www.securecoding.org  
  
* ''Building Secure Software: How to Avoid Security Problems the Right Way'', by Gary McGraw and John Viega, published by Addison-Wesley Pub Co, ISBN 020172152X (2002) - http://www.buildingsecuresoftware.com
+
* Secure Programming for Linux and Unix HOWTO, David Wheeler (2004) http://www.dwheeler.com/secure-programs
 +
*+ Online version: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html
  
* ''Writing Secure Code,'' by Mike Howard and David LeBlanc, published by Microsoft Press, ISBN 0735617228 (2003) http://www.microsoft.com/mspress/books/5957.asp
+
* Securing Java, by Gary McGraw, Edward W. Felten, published by Wiley, ISBN 047131952X (1999) - http://www.securingjava.com  
  
* ''Innocent Code: A Security Wake-Up Call for Web Programmers,'' by Sverre Huseby, published by John Wiley & Sons, ISBN 0470857447(2004) - http://innocentcode.thathost.com
+
* Software Security: Building Security In, by Gary McGraw, published by Addison-Wesley Professional, ISBN 0321356705 (2006)
  
* ''Exploiting Software: How to Break Code, ''by Gary McGraw and Greg Hoglund, published by Addison-Wesley Pub Co, ISBN 0201786958 (2004) -http://www.exploitingsoftware.com
+
* Software Testing In The Real World (Acm Press Books) by Edward Kit, published by Addison-Wesley Professional, ISBN 0201877562 (1995)  
  
* ''Secure Programming for Linux and Unix HOWTO, David Wheeler (2004)'' - http://www.dwheeler.com/secure-programs
+
* Software Testing Techniques, 2nd Edition, By Boris Beizer, International Thomson Computer Press, ISBN 0442206720 (1990)
  
* ''Mastering the Requirements Process, ''by Suzanne Robertson and James Robertsonn, published by Addison-Wesley Professional, ISBN 0201360462 - http://www.systemsguild.com/GuildSite/Robs/RMPBookPage.html
+
* The Tangled Web: A Guide to Securing Modern Web Applications, by Michael Zalewski, published by No Starch Press Inc., ISBN 047131952X (2011) 
  
* ''The Unified Modeling Language – A User Guide'' - http://www.awprofessional.com/catalog/product.asp?product_id=%7B9A2EC551-6B8D-4EBC-A67E-84B883C6119F%7D
+
* The Unified Modeling Language – A User Guide – by Grady Booch, James Rumbaugh, Ivar Jacobson, published by Addison-Wesley Professional, ISBN 0321267974 (2005)
  
* ''Web Applications (Hacking Exposed) ''by Joel Scambray and Mike Shema, published by McGraw-Hill Osborne Media, ISBN 007222438X
+
* The Unified Modeling Language User Guide, by Grady Booch, James Rumbaugh, Ivar Jacobson, Ivar published by Addison-Wesley Professional, ISBN 0-201-57168-4 (1998)
  
* ''Software Testing In The Real World (Acm Press Books)'' by Edward Kit, published by Addison-Wesley Professional, ISBN 0201877562 (1995)
+
* Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast, by Paco Hope, Ben Walther, published by O’Reilly, ISBN 0596514832 (2008)
  
* ''Securing Java,'' by Gary McGraw, Edward W. Felten, published by Wiley, ISBN 047131952X (1999) - http://www.securingjava.com
+
* Writing Secure Code, by Mike Howard and David LeBlanc, published by Microsoft Press, ISBN 0735617228 (2004) http://www.microsoft.com/learning/en/us/book.aspx?ID=5957&locale=en-us
  
* Beizer, Boris, ''Software Testing Techniques'', 2nd Edition, © 1990 International Thomson Computer Press, ISBN 0442206720
 
  
 
==Useful Websites==
 
==Useful Websites==
  
* OWASP —  http://www.owasp.org
+
* Build Security In - https://buildsecurityin.us-cert.gov/bsi/home.html
 +
 
 +
* Build Security In – Security-Specific Bibliography - https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/measurement/1070-BSI.html
 +
 
 +
* CERT Secure Coding - http://www.cert.org/secure-coding/
 +
 
 +
* CERT Secure Coding Standards- https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards
 +
 
 +
* Exploit and Vulnerability Databases - https://buildsecurityin.us-cert.gov/swa/database.html
 +
 
 +
* Google Code University – Web Security - http://code.google.com/edu/security/index.html
 +
 
 +
* McAfee Foundstone Publications - http://www.mcafee.com/apps/view-all/publications.aspx?tf=foundstone&sz=10
 +
 
 +
* McAfee – Resources Library - http://www.mcafee.com/apps/resource-library-search.aspx?region=us
 +
 
 +
* McAfee Free Tools - http://www.mcafee.com/us/downloads/free-tools/index.aspx
 +
 
 +
* OASIS Web Application Security (WAS) TC — http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was
 +
 
 +
* Open Source Software Testing Tools - http://www.opensourcetesting.org/security.php
 +
* OWASP Security Blitz - https://www.owasp.org/index.php/OWASP_Security_Blitz
 +
 
 +
* OWASP Phoenix/Tool - https://www.owasp.org/index.php/Phoenix/Tools
 +
* SANS Internet Storm Center (ISC) - https://www.isc.sans.edu
 +
 
 +
* The Open Web Application Application Security Project (OWASP) http://www.owasp.org
 +
 
 +
* Pentestmonkey - Pen Testing Cheat Sheets - http://pentestmonkey.net/cheat-sheet
 +
 
 +
* Secure Coding Guidelines for the .NET Framework 4.5 - http://msdn.microsoft.com/en-us/library/8a3x2b7f.aspx
 +
 
 +
* Security in the Java platform - http://docs.oracle.com/javase/6/docs/technotes/guides/security/overview/jsoverview.html
 +
 
 +
* System Administration, Networking, and Security Institute (SANS) - http://www.sans.org
 +
 
 +
* Technical INFO – Making Sense of Security - http://www.technicalinfo.net/index.html
 +
 
 +
* Web Application Security Consortium - http://www.webappsec.org/projects/
 +
 
 +
* Web Application Security Scanner List - http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List
 +
 
 +
* Web Security – Articles - http://www.acunetix.com/websitesecurity/articles/
 +
 
 +
* Testing Client Side Security issues: http://www.domxss.com
 +
 
 +
 
 +
==Videos==
 +
 
 +
* OWASP Appsec Tutorial Series - https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
 +
 
 +
* SecurityTube - http://www.securitytube.net/
 +
 
 +
* Videos by Imperva - http://www.imperva.com/resources/videos.asp
 +
 
 +
 
 +
==Deliberately Insecure Web Applications==
 +
 
 +
* OWASP Vulnerable Web Applications Directory Project - https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Main
 +
 
 +
* BadStore - http://www.badstore.net/
 +
 
 +
* Damn Vulnerable Web App - http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/
 +
 
 +
* Hacme Series from McAfee:
 +
 
 +
* + Hacme Travel - http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
 +
 
 +
* + Hacme Bank - http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
 +
 
 +
* + Hacme Shipping - http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
 +
 
 +
* + Hacme Casino - http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
 +
 
 +
* + Hacme Books - http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
 +
 
 +
* Moth - http://www.bonsai-sec.com/en/research/moth.php
 +
 
 +
* Mutillidae - http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
  
* SANS - http://www.sans.org
+
* Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/
  
* Secure Coding — http://www.securecoding.org
+
* Vicnum - http://vicnum.sourceforge.net/ and http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project
  
* Secure Coding Guidelines for the .NET Framework''''' ''''' - http://msdn.microsoft.com/security/securecode/bestpractices/default.aspx?pull=/library/en-us/dnnetsec/html/seccodeguide.asp
+
* WebGoat - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  
* Security in the Java platform  —  http://java.sun.com/security
+
* WebMaven (better known as Buggy Bank) - http://www.mavensecurity.com/WebMaven.php
  
* OASIS WAS XML — http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was
+
* DOMXSS - JavaScript Security: http://www.domxss.com

Latest revision as of 09:18, 20 January 2017

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project

Whitepapers


Books

  • The Art of Software Security Testing: Identifying Software Security Flaws, by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, Elfriede Dustin, published by Addison-Wesley, ISBN 0321304861 (2006)
  • The Ethical Hack: A Framework for Business Value Penetration Testing, By James S. Tiller, Auerbach Publications, ISBN 084931609X (2005)
  • The Hacker's Handbook: The Strategy behind Breaking into and Defending Networks, By Susan Young, Dave Aitel, Auerbach Publications, ISBN: 0849308887 (2005)
  • The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition - published by Dafydd Stuttard, Marcus Pinto, ISBN 9781118026472 (2011)
  • How to Break Software Security, by James Whittaker, Herbert H. Thompson, published by Addison Wesley, ISBN 0321194330 (2003)
  • How to Break Software: Functional and Security Testing of Web Applications and Web Services, by Make Andrews, James A. Whittaker, published by Pearson Education Inc., ISBN 0321369440 (2006)
  • Mastering the Requirements Process, by Suzanne Robertson and James Robertson, published by Addison-Wesley Professional, ISBN 0201360462
  • Software Security: Building Security In, by Gary McGraw, published by Addison-Wesley Professional, ISBN 0321356705 (2006)
  • Software Testing In The Real World (Acm Press Books) by Edward Kit, published by Addison-Wesley Professional, ISBN 0201877562 (1995)
  • Software Testing Techniques, 2nd Edition, By Boris Beizer, International Thomson Computer Press, ISBN 0442206720 (1990)
  • The Tangled Web: A Guide to Securing Modern Web Applications, by Michael Zalewski, published by No Starch Press Inc., ISBN 047131952X (2011)
  • The Unified Modeling Language – A User Guide – by Grady Booch, James Rumbaugh, Ivar Jacobson, published by Addison-Wesley Professional, ISBN 0321267974 (2005)
  • The Unified Modeling Language User Guide, by Grady Booch, James Rumbaugh, Ivar Jacobson, Ivar published by Addison-Wesley Professional, ISBN 0-201-57168-4 (1998)
  • Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast, by Paco Hope, Ben Walther, published by O’Reilly, ISBN 0596514832 (2008)


Useful Websites


Videos


Deliberately Insecure Web Applications

  • Hacme Series from McAfee: