[WEB SECURITY] Wanna to learn about application security

Ziots, Edward EZiots at Lifespan.org
Wed Jan 7 08:31:57 EST 2009


+2 on the Web Application Hackers Handbook, but it would be best to read
through HTTP Internals by O'Reilly for your basis, and to work with
HTTPWatch or Fiddler web debugging proxies so you know what is going on
under the covers, and then work through the Hackers Handbook.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: eziots at lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-----Original Message-----
From: Steve Pinkham [mailto:steve.pinkham at gmail.com] 
Sent: Saturday, November 15, 2008 1:18 PM
To: Dhiraj Mahajan
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Wanna to learn about application security

Dhiraj Mahajan wrote:
> Hi,
> 
> I want to learn in depth about application security from scratch. Can
> you help me by giving some good sources where
> I will get a chance to learn about application security?
> 
> Thanks in advance to all
> 
For web application security specifically:

The Web Application Hackers Handbook by Dafydd Stuttard and Marcus Pinto
is currently the gold standard.  It's not small though.

Ajax Security by Billy Hoffman and co is a pretty easy-to-read book on 
"Ajax" and regular web vulnerability security, and is a great place to 
start if you have no experience.  It is more conceptual, while the above
Web Application Hackers Handbook goes much deeper into the techniques 
and details.

The Database Hackers Handbook is a good starter guide to SQL injection, 
which is one of the most common and dangerous things to find in a web 
application.

OWASP, particularly the OWASP testing guide, WebGoat for a hands-on 
tutorial, and conference papers and video for keeping up with the latest
attacks.

WASC(http://www.webappsec.org/), particularly the threat classification.

Also Hacking: The Art of Exploitation, Counter Hack, Fuzzing: Brute 
Force Vulnerability Discovery, and The Art of Software Security 
Assessment are all very good.  They are more about general software and 
network vulnerabilities, but the knowledge is quite useful in web apps, 
even though the days of finding buffer overflows, command injection, and
format string type errors in web apps are mostly behind us.

Security Engineering by Ross Anderson is the best big picture view to 
security out there, and is highly recommended.

There's also lots of good training out there if you'd rather go that
route.

To be really good at it takes a long time, but you can learn the basics 
in a few weeks.

Hope you enjoy the journey!

Steve

-- 
  | Steven E. Pinkham                      |
  | GPG public key ID CD31CAFB             |

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
