Resources
General
- Mozilla Security: guidelines to help operational teams create secure web applications
- The Cyber Security Body Of Knowledge (CyBOK): comprehensive Body of Knowledge to inform and underpin educational and professional training for the cyber security sector
- The Open Web Application Security Project (OWASP) Foundation: nonprofit foundation that works to improve the security of software
- The OWASP Top 10: standard awareness document for developers and web application security; represents a broad consensus about the most critical security risks to web applications
- Common Weakness Enumeration (CWE) Top 25: a community-developed list of the most dangerous software and hardware weakness types, maintained by MITRE
- Common Vulnerabilities and Exposures (CVE): a list of publicly disclosed computer security flaws, each referenced by a CVE ID number, maintained by MITRE
- National Vulnerability Database (NVD): U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP)
- Security in Django: overview of Django's security features and advice on securing a Django-powered site
- Django Deployment Checklist: useful checklist before deploying a Django website
Auditing
- OWASP Zed Attack Proxy (ZAP): Open-source web app scanner
- Mozilla Observatory: set of tools to evaluate the security configuration of a website
- PageSpeed Insights: web performance auditing tool by Google
- CSP Evaluator: allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks
Cyber security news
Recent
Top 10 Web App Security Risks
- OWASP Top 10: Intro
- OWASP Top 10: Injection (A1:2017)
- OWASP Top 10: Broken Authentication (A2:2017)
- OWASP Top 10: Sensitive Data Exposure (A3:2017)
- OWASP Top 10: XML External Entities (XXE) (A4:2017)
- OWASP Top 10: Broken Access Control (A5:2017)
- OWASP Top 10: Security Misconfiguration (A6:2017)
- OWASP Top 10: Cross-Site Scripting (XSS) (A7:2017)
- OWASP Top 10: Insecure Deserialisation (A8:2017)
- OWASP Top 10: Using Components with Known Vulnerabilities (A9:2017)
- OWASP Top 10: Insufficient Logging and Monitoring (A10:2017)