• http://www.sector.ca/presentations.htm

The SecTor folks have graciously provided both slides and video for each presentation.

No related posts.

I’ve written and delivered security courses for web developers and coming up with good working examples is a challenge. My language of choice is still Perl (must be my system admin background) so it takes a while to write demonstrations of coding errors in Java, ASP.Net, PHP and the myriad other languages.

Fortunately, several pre-written examples are available. These are complete web applications written in various popular languages that are intentionally vulnerable to all the usual problems: SQL injection, script injection, shell access and authentication problems. Very handy for demonstrating common web programming problems and how to avoid them:

(note: Do you you know of other web security training app like these? Please leave a quick comment if you do. I’d particularly like to find one written in PHP)

• OWASP WebGoat: (Java J2EE) “a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.”
• Foundstone Hackme Books: (Java J2EE) “As a full-featured J2EE application, Hacme Books is representative of real-world J2EE scenarios and demonstrates the security problems that can potentially arise in these applications.”
• Foundstone Hackme Shipping: (Coldfusion MX 7.0) “Written in ColdFusion MX 7 using the Model-Glue framework and a MySQL database, the application emulates the on-line services provided by major shipping companies.”
• Foundstone Hackme Bank: (ASP.NET 1.1) “simulates a ‘real-world’ web services-enabled online banking application, which was built with a number of known and common vulnerabilities. This allows users to attempt real exploits against a web application and thus learn the specifics of the issue and how best to fix it.”
• Foundstone Hackme Casino: (Ruby on Rails) “a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security. This extensible online casino platform is written using Ruby on Rails and demonstrates the security problems that can potentially arise in these applications.”
• Damn Vulnerable Web App: (PHP/MySQL) “a PHP/MySQL web application that is damn vulnerable. Its main goals are to be light weight, easy to use and full of vulnerabilities to exploit. Used to learn or teach the art of web application security.”

Update (2006/11/20): Google Video has a good lecture covering basic web application security issues given by Mike Andrews of Foundstone to Google employees.

Update (2009/07/20): Check out this huge list of hackme and tutorial sites courtesy of ha.ckers.org.

Related posts:

• Advosys mentioned in “Secure Coding”
• OWASP meetings are depressing
• Core GRASP – SQL injection prevention for PHP

• The Handbook of Applied Cryptography is freely available as individual PDFs.
• The Open Web Application Security Project has their very comprehensive Guide to building secure web applications and Web Services available for free in PDF, MS Word and other formats.
• David Wheeler’s excellent book Secure Programming for Linux and Unix HOWTO is essential reading for all programmers. In fact, it’s so excellent that it mentions our paper Writing Secure Web Applications in the bibliography .
• Linuxtopia has a great collection of free Linux security books and guides.
• Sean Boran as published his IT Security Cookbook in HTML format
• A huge list of security and other books is maintained at InfoSysSec
• Links to several security books are found at freecomputerbooks.com (find the section "Special Topics" then click "Security")
• Bruce Perens, originator of the term "Open Source" and former lead of Debian Linux, has a series of books from Prentice Hall available as PDFs. Two security-specific books in the series are Open Source Security Tools: A Practical Guide to Security Applications and Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID. The URL on Bruce’s site currently returns an error, but luckily the ever-watchful Wayback Machine has archived the original page.
• O’Reilly provides several of their older and out-of-print books in viewable HTML format on their Open Books page. None are specific to security but there is guidance on linux firewalls in the Linux Adminstrators Guide and Samba-related security in Using Samba. O’Reilly also published selected chapters from many of their current security books as PDFs.
• The National Academies is a U.S. federal organization that publishes hundreds of academic books and papers for purchase, reading free online in HTML format, and some for download as PDFs. Some titles in the collect concern information security. Finding them is a little difficult since there’s only a search engine. To locate infosec titles, try this incredibly long URL.

There are also many sites offering downloads of books without author or publisher permission, but I won’t link to any of those.

That’s all I could find at the moment. If you know of any other sources of legal freely available security books, please leave a comment so readers will know.

Related posts:

• “Security Engineering” now free
• Advosys mentioned in “Secure Coding”
• Security awareness gone wrong

This is essential reading for everyone who designs and builds security systems or has to manage them. Though it was written by an academic, it’s an easy read with plenty of real world examples and historical background to illustrate and reenforce the issues presented. Highly recommended.

By the way, for those at the management level I also highly recommend Bruce Schneier’s excellent Secrets and Lies. It’s not available for free, but well worth the price. It’s the best guide I know targeted at the non-expert that illustrates what information security is really all about.

Related posts:

• Free information security books
• Security awareness gone wrong