Essential IT Security Resources


Recently, two of my coworkers coincidentally asked me how I kept track of security news and vulnerabilities. As it took me a long time to build a list of useful resources myself, I figured it would be useful to share it with everyone, so here goes!

Databases

Common Attack Pattern Enumeration and Classification (CAPEC)

A database of known attack patterns against IT systems.

Common Vulnerabilities and Exposures (CVE)

A database of publicly disclosed cybersecurity vulnerabilities and exposures in released software and hardware, and whether a fix or workaround exists if applicable.

Common Weakness Enumeration (CWE)

A database of software weakness types and how to prevent them.

Exploit Database

A database of code snippets and research papers of successful attacks.

Have I Been Pwned?

A database of publicly leaked credentials. Can be used to search incidents by email addresses of victims, or to search the number of times a specific password has been leaked.

A service is also available to notify email address and domain name owners of newly discovered breaches in which they appear.

Email Forgery Prevention

Email Security

A series of blog articles that explains how to configure Domain Name System (DNS) records to prevent and manage forged emails claiming to be from a specific domain name.

Sender Rewriting Scheme (SRS)

A method that, when implemented, ensures forwarded emails don't get flagged as forgeries.

Server Information Lookup

DB-IP

A tool that provides geolocation and network intelligence information for a given IP address.

Shodan

A search engine for Internet of Things (IoT) devices, e.g., security cameras, fridges and boats.

WiGLE

A map of publicly discovered Wi-Fi wireless networks.

Your home wireless network is probably already on it.

News

Ars Technica

A mainstream technology news website offering a security news feed.

Certificate Search

A Certificate Transparency (CT) search engine that can generate news feeds of certificates generated for a specific domain name. Useful to detect rogue certificates issued by trusted certificate authorities (CAs).

US-CERT Alerts

A news feed of cybersecurity alerts issued by the United States of America's Department of Homeland Security.

US-CERT Bulletins

A weekly summary of new software vulnerabilities. Useful for system administrators and for developers responsible for maintaining libraries in their projects.

Vulnerability Notes Database

A publication of advisory and mitigation notes for software vulnerabilities.

Tools

Fiddler

An HTTP proxy server that can sniff and manipulate requests and responses going through it. Can also decrypt HTTPS traffic if its certificate is set up to be trusted on the client.

Kali Linux

A Linux distribution specifically designed for penetration testing, with various built-in tools for such a task.

Phish5

A phishing attack test service. Useful to assess the current risk within your organization, raise awareness among its people and identify repeat offenders.

No, this service cannot be used to generate real phishing attacks. Nice try.

Other

Open Web Application Security Project (OWASP)

A wiki of vulnerabilities and attacks on the web. Best known for its regular Top 10 publication of the most critical web application security risks.

SQL Injection Cheat Sheet

A list of useful code snippets to test potential SQL injection vulnerabilities.

Bonus - Blogs

Hanno Böck

Freelance journalist.

Scott Helme

Independent security researcher.

Troy Hunt

Independent security researcher.