Feb 12, 2016 By Sarah Vonnegut

No matter where you are on your journey in security, there is always room to keep learning. Especially in the security industry, it’s important to aim for a deep understanding of software and how applications interact on the web. In such a dynamic field, there’s no doubt the learning will never end. Luckily for students of cybersecurity, there are plenty of organizations doing the hard work to help us better understand what we’re working to protect, and how best to secure our own organizations. These organizations are helping fight the “cyber battles” – and are helping us do the same. From nonprofits to university centers to government-funded research facilities, the security industry has its bases covered. There’s a never-ending mountain of high-quality research and guides anyone interested can access – if you know the right places to look. We’ve already written about the best cybersecurity blogs to keep up to date. But if you’re looking for more in-depth guides, research and best practices to soak up, your search is over. Here’s a list of cybersecurity organizations serving the industry and some of the best resources they each offer.
InfoSec Organizations & Their Best Free Resources
OWASP
If you’re in security, you’re probably pretty familiar with OWASP, but developers are still getting to know it. OWASP, which stands for the Open Web Application Security Project, is a nonprofit organization run by volunteers with security expertise from around the world. Vendor-neutral and run as a Free and Open organization, OWASP is an amazing resource for all things AppSec and is available to anyone. And if you’re able to get involved, there are always new projects and updates requiring experts in all software development fields.
Top OWASP Resources & Projects:
OWASP Top 10
It’s THE industry standard. Though it covers only 10 vulnerabilities, the list, a new version of which has been released every three years since 2004, has thousands of security experts and hundreds of thousands of research hours behind it.
Image: OWASP Top 10 list (courtesy of OWASP)
What makes the OWASP Top 10 so fantastic is that so many materials and guides have been created around it, which is what makes it accessible to non-security experts as well – especially because so many multilingual volunteers have translated the list into 12 languages and counting. SQL Injection and Cross-Site Scripting have finally come into the mainstream development world, and a big part of that is thanks to the OWASP Top 10.
A new version of the OWASP Enterprise Security API (ESAPI), 220.127.116.11, was just released this week, making this a great time to see if the framework is right for your organization. Get full details of the release here.
Secure Coding Practices Quick Reference Guide
An example of how OWASP is reaching developers is the Secure Coding Practices Quick Reference Guide, which “at only 17 pages, is easy to read and digest.” Written in checklist format and not tied to specific tools, it’s perfect to print out for developers and to work on integrating the principles into your SDLC, if you haven’t already.
The printable PDF version is available here.
The SANS Institute
The SANS Institute, SANS for short, is among the largest information security organizations globally, and provides security training and certifications to thousands of security professionals and ethical hackers annually. Classes are available both online and in-person, making SANS courses accessible to the masses.
SANS also operates the Internet Storm Center, an offshoot organization that aims to keep the internet safe by providing a free analysis and warning service to organizations and individuals around the world.
Top SANS Resources:
CWE/SANS Top 25
The Top 25, like the OWASP Top 10, is an industry standard that many organizations and tools use to guide their secure coding and security testing policies. The 25 Most Dangerous Software Errors are vulnerabilities that are “easy to find, and easy to exploit,” making them prime targets in enterprise applications. The list is designed to help spread awareness and educate developers on important coding errors that could lead to high-risk exploits they may not even be aware of. A group effort between MITRE, the SANS Institute and security experts around the world, the list was last updated in 2011.
The list is also available on the CWE website, which also offers tips for how each type of user can best make use of the list. In addition, the Build Security In initiative offered by the U.S. Department of Homeland Security builds on the Top 25 Most Dangerous Software Errors to offer “practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.”
The Critical Security Controls
This list of recommendations for organizations trying to lower their security risks provides actionable and clear-cut techniques to detect and stop prevalent application attacks. Backed by high-ranking security experts in the U.S. Department of Homeland Security, the U.S. Department of Defense, the FBI and many other critical organizations, the Controls help organizations both defend against attacks and stop those already underway.
Now in its sixth version, the guide’s goal is to “protect critical assets, infrastructure, and information by strengthening your organization’s defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.”
This resource is available for download here (after filling out details).
The SANS Reading Room
The SANS Reading Room offers research papers on all areas of InfoSec, “from SCADA to wireless security, from firewalls to intrusion detection.” This area of the SANS site boasts over 75,000 unique visitors a month, so if you’re not familiar with this fantastic resource, the time has come.
It really depends on what you’re looking for, but if you’re interested in just diving in, here are their top 25 most popular papers from the past year.
ISACA
ISACA, previously known as the Information Systems Audit and Control Association but now covering much more ground, is another nonprofit global InfoSec organization. Boasting over 140,000 members worldwide, ISACA is run in part by the huge number of volunteers who help lead the organization. They offer some great pieces of research, and while some of them do cost money or require membership to download, there are plenty of free resources, a select few of which are highlighted below.
Top ISACA Research:
DevOps Practitioner Considerations
When an organization is considering moving to a DevOps ecosystem, there are many security and risk factors that need to be covered during the transition. This whitepaper offers guidance outlining the risks of DevOps, the controls that can help mitigate key risk areas, and specific actions security professionals can take to help mitigate potential risk.
Internet of Things: Risk and Value Considerations
While we’ve all heard the horror stories about the Internet of Things wreaking havoc on any number of personal or public appliances, it’s not always clear how IoT can put our own organizations at risk and what we need to be prepared for. The IoT revolution is underway, and this whitepaper helps raise awareness about the risks security professionals need to be on the lookout for.
Cloud Security Alliance
Founded in 2008, this non-profit has a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”
Backed by eBay CISO Dave Cullinane, the goal of the organization is to offer a common baseline for how organizations understand security for their cloud computing needs.
Top Cloud Security Alliance (CSA) Resources:
CSA offers monthly webinars conducted by members to help spread awareness on a variety of Cloud Security topics. There’s an impressive collection of webinars with high-quality speakers on relevant topics, so if you’re into watching webinars (and want to learn more about Cloud Security), this is the area of the site for you.
Have an idea for cloud security research you’d like to help get off the ground? CSA’s Working Groups offer volunteers a way to connect to projects – or start their own – that they’re interested in helping out with in 28 different areas of Cloud Security.
CSA also offers a collection of white papers available for download and licensed under a Creative Commons Attribution license, so non-commercial uses are perfectly fine as long as you give credit where credit is due. These papers touch on a number of different Cloud Security topics, from auditing distributed databases to securing cloud data under the new European Data Protection laws.
NIST SAMATE
The National Institute of Standards and Technology (NIST), a U.S. organization dedicated to creating standards for different verticals, has developed SAMATE (Software Assurance Metrics And Tool Evaluation), a set of evaluation documents to help organizations determine the right tools for their development environment and evaluate the effectiveness of different tools and techniques. SAMATE covers source code analysis tools, vulnerability scanners, binary code scanners, and the exposition of static analysis tools, with a broad scope “ranging from operating systems to firewalls, SCADA to web applications, source code security analyzers to correct-by-construction methods.”
CERT Division
The CERT Division of the Software Engineering Institute has a history dating back to 1988, when it was created in response to the Morris worm. Working with the Department of Homeland Security, along with other government and academic partners, the CERT Division offers a variety of resources and publications to help organizations enhance their security profiles. As an offshoot of the Software Engineering Institute housed at Carnegie Mellon University, the CERT Division has first-class facilities and connections that allow the team to help propel the security industry forward.
The CERT Division divides its work into different topics, with each topic offering a wide range of research, publications and other documents for download. Its secure coding resources are among the best, with various guidelines, research papers and international standards it has helped develop available to anyone.