[OWASP-Bangalore] Wanna to learn about application security

Sundar N suntracks at gmail.com
Sun Nov 16 00:49:30 EST 2008

Hi All,
Do find some interesting notes on app security for the newbies.
This is a thread from the web appsec community.


For web application security specifically:

The Web Application Hackers Handbook by Dafydd Stuttard and Marcus Pinto is
currently the gold standard.  It's not small though.

Ajax Security by Billy Hoffman and co is a pretty easy to read book on
"Ajax" and regular web vulnerability security, and is a great place to start
if you have no experience.  It is more conceptual, while the above Web
Application Hackers Handbook goes much deeper into the techniques and

The Database Hackers Handbook is a good starter guide to SQL injection,
which is one of the most common and dangerous things to find in a web

OWASP, particularly the OWASP testing guide, webgoat for a hands-on
tutorial, and conference papers and video for keeping up with the latest

WASC(http://www.webappsec.org/), particularly the threat classification.

Also Hacking: The Art of Exploitation, Counter Hack, Fuzzing: Brute Force
Vulnerability Discovery, and The Art of Software Security Assessment are all
very good. They are more about general software and network
vulnerabilities, but the knowledge is quite useful in web apps, even though
the days of finding buffer overflows, command injection, and format string
type errors in web apps are mostly behind us.

Security Engineering by Ross Anderson is the best big-picture view of
security out there, and is highly recommended.

There's also lots of good training out there if you'd rather go that route.

To be really good at it takes a long time, but you can learn the basics in a
few weeks.

Hope you enjoy the journey!


 | Steven E. Pinkham                      |
 | GPG public key ID CD31CAFB             |