Security
- Learn C. Learn it well. That will give you the level of understanding you need of the way the computer works.
- Learn Python or Ruby. If you can automate something, do it. Computers are better than you at repeatable tasks.
- Learn x86 assembly (to start). Write some C code, compile it down to assembly, and read it; understand how the two map to each other. Get your friends to write stuff for you and decompile it back to C, and have them check your work.
- Learn the basics (at least) of web development. Understand how web applications work, the constraints that model imposes, and the interactions between the client and the server.
- Internalize the OWASP Top 10. Understand and be able to recognize and mitigate XSS, SQL injection, command injection, arbitrary file reads/writes, etc.
- Grab old versions of open source software and rediscover known vulnerabilities. Grab the latest versions of open source software and discover new ones. Start off looking for simple things, and get to know them well.
- Reverse-engineer network protocols. Pick a game, write a server emulator for it. This is a great way to use all your skills up to this point. It's also a lot of fun (it's how I cut my teeth).
- Write a debugger. Understand the interaction between hardware, the kernel, and userland.
- Understand, understand, understand. Ask questions. Ask a lot of questions. In my opinion, the key to security is always asking "Why?"
These are in no particular order, and none of these is more important than the others. It also jumps all over the place, perhaps because that's what I do myself; I may be breaking a web app one day and reversing some hardware the next. But these are things I feel are important, and will give you some direction.
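To make the OWASP Top 10 item above concrete, here is an added example (not from the original notes) that pairs a vulnerable pattern with its hardened form for four of the classes it names: SQL injection, XSS, command injection and arbitrary file read. The table contents, the inputs and the `/srv/app/public` base directory are constructed, and all function names (`lookup_safe`, `render_safe`, `run_safe`, `is_inside`) are the example's own.

```python
"""
Added example (not from the original notes): vulnerable-vs-hardened pairs for
four OWASP Top 10 bug classes. All inputs are constructed and the database is
an in-memory SQLite table, so the file runs offline.
"""
import html
import sqlite3
import subprocess
from pathlib import Path
from typing import List

# --- SQL injection ----------------------------------------------------------
def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    # The user string is spliced into the query, so quotes in it become syntax.
    sql = f"SELECT secret FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    # Bound parameter: the driver passes `name` as data, never as syntax.
    rows = conn.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# --- Cross-site scripting ---------------------------------------------------
def render_vulnerable(comment: str) -> str:
    return f"<p>{comment}</p>"  # any markup in `comment` is rendered as HTML

def render_safe(comment: str) -> str:
    # Escape at output time; quote=True also covers attribute contexts.
    return f"<p>{html.escape(comment, quote=True)}</p>"

# --- Command injection ------------------------------------------------------
def run_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so a ';' inside `host`
    # starts a second command. `echo` stands in for a real tool such as ping.
    out = subprocess.run(f"echo checking {host}", shell=True,
                         capture_output=True, text=True)
    return out.stdout

def run_safe(host: str) -> str:
    # argv list and no shell: `host` is exactly one argument, whatever it holds.
    out = subprocess.run(["echo", "checking", host],
                         capture_output=True, text=True)
    return out.stdout

# --- Arbitrary file read (path traversal) -----------------------------------
def is_inside(base: str, user_path: str) -> bool:
    """True only if base/user_path, after '..' normalisation, stays under base."""
    base_dir = Path(base).resolve()
    target = (base_dir / user_path).resolve()
    return target == base_dir or base_dir in target.parents

def read_safe(base: str, user_path: str) -> bytes:
    # Check the resolved path, not the string: "..", absolute paths and
    # symlinks are all handled by resolve() before the containment test.
    if not is_inside(base, user_path):
        raise PermissionError(f"refusing to read outside {base}: {user_path!r}")
    return (Path(base) / user_path).read_bytes()

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed input that shows the difference
    print("vulnerable:", lookup_vulnerable(db, probe))  # both secrets
    print("safe:      ", lookup_safe(db, probe))        # []
    print(render_safe("<script>alert(1)</script>"))
    print(run_safe("example.test; echo injected").rstrip())
    print(is_inside("/srv/app/public", "../../etc/passwd"))  # False
```

The common thread is where the fix lives: each hardened function keeps untrusted input as data (a bound parameter, an escaped string, a single argv element, a resolved path checked against a base) instead of letting it become syntax for SQL, HTML, the shell or the filesystem.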
**Resources**
- Foundations of Security: What Every Programmer Needs to Know
- OWASP, GCIH, GCIA, SANS, and OSCP are all well respected.
- The Web Application Hacker's Handbook 2nd Edition - Gives a very good overview and is a good place to start.
- The Hacker Playbook 3: Practical Guide To Penetration Testing - #3 just came out. Haven't gone through my copy yet, but I've heard good things.
- RTFM - Red Team Field Manual - Nice to have, quick reference guide
- BTFM - Blue Team Field Manual - Like the above, but for the good guys ;)
- Hacking, 2nd edition
- pick an area of interest from https://nostarch.com/catalog/security
- follow smart security people on Twitter, which is the de facto medium for information security discussion
- read publicly disclosed bug bounty reports on HackerOne and Bugcrowd
**Links**
- https://www.exploit-db.com/
- https://www.goodreads.com/review/list/57131835-andrew-douma?shelf=read
- http://blog.matthewdfuller.com/2013/09/what-i-wish-i-knew-before-studying.html
- https://cwe.mitre.org/
- https://trailofbits.github.io/ctf/
- https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html
- https://sundowndev.github.io/hacker-roadmap/
- https://stackoverflow.com/questions/2794016/what-should-every-programmer-know-about-security
- https://softwareengineering.stackexchange.com/questions/46716/what-technical-details-should-a-programmer-of-a-web-application-consider-before
- https://news.ycombinator.com/item?id=11709793
- https://fusionauth.io/learn/expert-advice/security/guide-to-user-data-security
- https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers
- github security checklists
- https://learnaifromscratch.github.io/theabsolutestateofsoftware.html
**Notes**
- 2FA is something you know and something you have.
I have a Yubikey with an RSA authorisation key (+enc and signing keys too, but that's irrelevant)
in it that I've hooked ssh-agent and GPG to. It is the only key accepted by my servers. Obviously,
disable password login. The key has a password, which is the something I know.
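The note above depends on the server really accepting only the key. As an added check (not from the original notes), the script below reads the global section of an `sshd_config` and flags settings that would still allow a password login. The two configurations are constructed samples, not real server files, and the `audit` and `effective_settings` names are the example's own.

```python
"""
Added example (not from the original notes): audit the sshd settings that
key-only login depends on. Both config strings are constructed samples.
"""
from typing import Dict, List

# Constructed sample: a typical distribution default. The password line is
# commented out, so sshd's built-in default (yes) applies.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
"""

# Constructed sample: key-only login. The duplicate at the end is deliberate:
# sshd uses the FIRST value for each keyword, so it does not re-enable passwords.
HARDENED_CONFIG = """
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication yes
"""

# Built-in sshd defaults for the keywords audited here (OpenSSH 7.0+).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

def effective_settings(config_text: str) -> Dict[str, str]:
    """First-wins view of the global section, keys and values lower-cased.

    sshd_config(5): for each keyword the first obtained value is used, and
    "Key value" or "Key=value" are both accepted. Keywords after a Match line
    apply only to matching connections, so this simplified parser stops there.
    """
    settings: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # later duplicates are ignored
    return settings

def audit(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means key-only login."""
    s = effective_settings(config_text)
    # ChallengeResponseAuthentication is the pre-8.7 name of the same option.
    if "kbdinteractiveauthentication" not in s and "challengeresponseauthentication" in s:
        s["kbdinteractiveauthentication"] = s["challengeresponseauthentication"]

    def get(key: str) -> str:
        return s.get(key, DEFAULTS[key])

    findings: List[str] = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password login still possible")
    if get("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM password prompts still possible")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: the hardware-backed key cannot be used")
    if get("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin permits password login for root")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['ok']}")
```

Two details matter when checking a real file: a commented-out `PasswordAuthentication no` does nothing, and the first occurrence of a keyword is the one sshd honours, so a later "fix" appended to the end of the file is silently ignored.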