Essential IT Security Resources

- Security, Quality Assurance

Portrait of Guillaume Fortin-Debigaré

Recently, two of my coworkers coincidentally asked me how I kept track of security news and vulnerabilities. As it took me a long time to build a list of useful resources myself, I figured it would be useful to share it with everyone, so here goes!

Databases

ATT&CK

A database of known attack patterns against networks.

Common Attack Pattern Enumeration and Classification (CAPEC)

A database of known attack patterns against applications.

Common Vulnerabilities and Exposures (CVE)

A database of publicly disclosed cybersecurity vulnerabilities and exposures in released software and hardware, and whether a fix or workaround exists if applicable.

Common Weakness Enumeration (CWE)

A database of software weakness types and how to prevent them.

Exploit Database

A database of code snippets and research papers of successful attacks.

Have I Been Pwned?

A database of publicly leaked credentials. Can be used to search incidents by email addresses of victims, or to search the number of times a specific password has been leaked.

A service is also available for email address and domain name owners to notify them of newly discovered breaches in which they appear.

Server Information Lookup

Censys

A search engine for publicly accessible services on the Internet.

DB-IP

A tool that provides geolocation and network intelligence information for a given IP address.

Shodan

A search engine for Internet of Things (IoT) devices, e.g., security cameras, fridges and boats.

WiGLE

A map of publicly discovered Wi-Fi wireless networks.

Your home wireless network is probably already on it.

News

Ars Technica

A mainstream technology news website offering a security news feed.

Certificate Search

A Certificate Transparency (CT) search engine that can generate news feeds of certificates issued for a specific domain name. Useful to detect rogue certificates issued by trusted certificate authorities (CAs).

US-CERT Alerts

A news feed of cybersecurity alerts issued by the United States of America's Department of Homeland Security.

Vulnerability Notes Database

A publication of advisory and mitigation notes of software vulnerabilities.

Tools

Fiddler

An HTTP proxy server that can sniff and manipulate requests and responses going through it. Can also decrypt HTTPS traffic if its certificate is set up to be trusted on the client.

FLARE VM

A distribution of various security tools for Windows virtual machines.

Ghidra

An open source suite of reverse engineering tools maintained by the National Security Agency (NSA).

Kali Linux

A Linux distribution specifically designed for penetration testing, with various built-in tools for such a task.

Observatory

A collection of online tools for assessing the security of a given website.

Wireshark

A network sniffer and analyzer, supporting hundreds of different protocols.

Other resources

Cross-Site Scripting (XSS) Cheat Sheet

A list of useful code snippets to test potential XSS vulnerabilities.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

A standard that protects domain names from being used in email forgeries.

Note that if you find this document too technical, you may be interested in my Configuring and Managing SPF, DKIM, and DMARC course on this very topic.

Open Web Application Security Project (OWASP)

A wiki of vulnerabilities and attacks on the web. Mostly known for its regular Top 10 publication of most critical web application security risks.

SQL Injection Cheat Sheet

A list of useful code snippets to test potential SQL injection vulnerabilities.

Related articles I wrote

Fixing Playstation Vita Error Code NP-9968-2, and Why Sony Should Care

- Video Games, Security, Anecdotes

For about 2 years, I was not able to install any new software on my PlayStation Vita, for seemingly no reason. I could make new purchases from the PlayStation Store, but the download would always fail, and only on my Vita. No issues whatsoever with my PlayStation 3 nor my PlayStation 4, but for some…

The Hack 'n' Slash Puzzle Collection

- Video Games, Security

This is a collection of all the secret hacking puzzles released between 2012 and 2015 related to the video game Hack 'n' Slash and its prototype. As far as I'm aware, all puzzles were designed by the game's project lead Brandon Dillon. All the material is archived here for preservation purposes…

The Slow Certificate Authority

- Anecdotes, Security

Last year, I wrote about multiple issues I encountered upon switching web hosts. One of these issues was delay violations from Sectigo (formerly Comodo CA) for revoking old certificates compromising the HTTPS connection to my website. This spawned a saga with Mozilla, the organization behind Firefox…

Pluralsight Course - Configuring and Managing SPF, DKIM, and DMARC

- Security

Configuring and Managing SPF, DKIM, and DMARC is a beginner-friendly course about email security produced by yours truly. It is designed for security professionals and web domain administrators. Email deliverability is a constant challenge for organizations, but this challenge is widely amplified if…

The Test Case that Bricked a Wii Test Kit

- Anecdotes, Quality Assurance, Video Games

Back when I was working at Eidos Montréal, part of my responsibilities included ensuring that the games we were producing for the Wii followed Nintendo's Wii Programming Guidelines. This is the story of how I bricked a Wii RVT-R Reader test kit by doing my job…
