Programming Language Courses/References/Security (AppSec)

Table of Contents

Sort

  • Providence
    • Providence is a system for code commit & bug system monitoring. It is deployed within an organization to monitor code commits for security (or other) concerns, via customizable plugins. A plugin performs logic whenever a commit occurs.

End Sort


General

  • The content here is just stuff I've come across or think would be useful to someone in infosec. It is not to be taken as anything beyond a suggestion about stuff.
  • Educational
    • App Ideas - Stuff to build out to improve your programming skills
    • How to be a Programmer: Community Version
      • To be a good programmer is difficult and noble. The hardest part of making real a collective vision of a software project is dealing with one's coworkers and customers. Writing computer programs is important and takes great intelligence and skill. But it is really child's play compared to everything else that a good programmer must do to make a software system that succeeds for both the customer and myriad colleagues for whom he or she is partially responsible. In this essay I attempt to summarize as concisely as possible those things that I wish someone had explained to me when I was twenty-one.
    • Learn_X_in_Y_Minutes
    • Hyperpolyglot

Secure Development Patterns/Practices/Resources

  • General
  • Design Patterns
  • Development Lifecycle/Things to Read While Still in The Design/Early Development Stages
  • Secure Coding Documents
    • Secure Coding Standards - Android
    • Secure Coding Cheat Sheet - OWASP
    • Secure iOS application development
      • This guide is a collection of the most common vulnerabilities found in iOS applications. The focus is on vulnerabilities in the applications’ code and only marginally covers general iOS system security, Darwin security, C/ObjC/C++ memory safety, or high-level application security. Nevertheless, hopefully the guide can serve as training material to iOS app developers that want to make sure that they ship a more secure app. Also, iOS security reviewers can use it as a reference during assessments.
  • Articles/Papers/Talks/Writeups
  • Secure File Upload
  • Software Testing
    • Big picture software testing: unit testing, Lean Startup, and everything in between - PyCon 2017
      • There are many ways you can test your software: unit testing, manual testing, end-to-end testing, and so forth. Take a step back and you'll discover even more forms of testing, many of them very different in their goals: A/B testing, say, where you see which of two versions of your website results in more signups or ad clicks. How do these forms of testing differ, how do they relate to each other? How do you choose which kind of testing to pursue, given limited time and resources? How do you deal with strongly held yet opposite views arguing either that a particular kind of testing is essential or that it's a waste of time? This talk will provide you with a model, a way to organize all forms of testing and understand what exactly they provide, and why. Once you understand the model you will be able to choose the right form of testing for your situation and goals.
    • When to Test and How to Test It - Bruce Potter - Derbycon7
      • “I think we need a penetration test” This is one of the most misunderstood phrases in the security community. It can mean anything from “Someone should run a vulnerability scan against a box” to “I’d like nation-state capable actors to tell me everything that’s wrong with my enterprise” and everything in between. Security testing is a complex subject and it can be hard to understand what the best type of testing is for a given situation. This talk will examine the breadth of software security testing. From early phase unit and abuse testing to late phase penetration testing, this talk will provide details on the different tests that can be performed, what to expect from the testing, and how to select the right tests for your situation. Test coverage, work effort, attack simulation, and reporting results will be discussed. Also, this talk will provide a process for detailed product assessments, i.e.: if you’ve got a specific product you’re trying to break, how do you approach assessing the product in a way that maximizes your chance of breaking in as well as maximizing the coverage you will get from your testing activity.
  • Talks & Presentations
  • Six Stages of Debugging
    • 1. That can’t happen.
    • 2. That doesn’t happen on my machine.
    • 3. That shouldn’t happen.
    • 4. Why does that happen?
    • 5. Oh, I see.
    • 6. How did that ever work?

Source Code Analysis

  • Articles/Blogposts/Writeups
  • General
    • Code-Audit-Challenges
    • InsecureProgramming
      • Insecure Programming by Example - Teach yourself how buffer overflows, format strings, numeric bugs, and other binary security bugs work and how to exploit them
  • Presentations/Talks
    • Code Insecurity or Code in Security - Mano 'dash4rk' Paul - Derbycon2014
      • Attendees of this talk will benefit from learning about what constitutes insecure code and the associated attacks that stem from such code. Applicable attacks ranging from injection to reversing will be demonstrated to reinforce contents of this talk. This way, the attendee would not only be taught about “What not to do?” but also, “Why this should not do, what they ought not to do?”. Finally, attendees will also be introduced to secure development processes such as protection needs elicitation, threat modeling, code review and analysis and secure deployment, to illustrate that while writing secure code is one important aspect of software security, there is more to securing applications, than what meets the eye. Come for a fun filled, interactive session and your chance to win one of the personalized and autographed copies of the speaker’s renowned book – The 7 qualities of highly secure software.
  • Tools
    • RIPS
      • RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis.
    • PHPMD - PHP Mess Detector
      • What PHPMD does is: It takes a given PHP source code base and look for several potential problems within that source. These problems can be things like: Possible bugs; Suboptimal code; Overcomplicated expressions; Unused parameters, methods, properties.
    • PMD
      • PMD is a source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, Salesforce.com Apex and Visualforce, PLSQL, Apache Velocity, XML, XSL. Additionally it includes CPD, the copy-paste-detector. CPD finds duplicated code in Java, C, C++, C#, PHP, Ruby, Fortran, JavaScript, PLSQL, Apache Velocity, Scala, Objective C, Matlab, Python, Go.
    • How to find 56 potential vulnerabilities in FreeBSD code in one evening
    • Phan
      • Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.
    • Django-Security
      • This package offers a number of models, views, middlewares and forms to facilitate security hardening of Django applications.
    • FindBugs
      • The FindBugs plugin for security audits of Java web applications.
    • SpotBugs
      • SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off with support of its community.
    • bundler-audit
      • Patch-level verification for Bundler
    • OWASP SafeNuGet
      • OWASP SafeNuGet is an MsBuild task to warn about insecure NuGet libraries: https://nuget.org/packages/SafeNuGet/
    • Infer
      • Infer is a static analysis tool for Java, Objective-C and C, written in OCaml.
    • SourceTrail
      • A cross-platform source explorer for C/C++ and Java
    • Graudit
      • Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.
    • cloc
      • cloc counts blank lines, comment lines, and physical lines of source code in many programming languages.
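The grep-based approach that Graudit takes (a signature set of regexes per language, run line by line over the source) is simple enough to show in full. The following is an added example written for this page, not Graudit's own code or its shipped signature files: the patterns, the `Finding` type and the two sample source fragments are all constructed here for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# A small signature set in the spirit of Graudit: one list of regexes per
# language. These patterns are written for this example and are not
# Graudit's shipped signature files.
SIGNATURES: Dict[str, List[str]] = {
    "php": [
        r"\b(eval|system|exec|passthru|shell_exec|popen)\s*\(",  # code/command execution sinks
        r"\$_(GET|POST|REQUEST|COOKIE)\b",                         # raw user input
        r"\b(include|require)(_once)?\s*\(?\s*\$",                # variable file inclusion
        r"\bmysql_query\s*\(.*\$",                                 # SQL built from variables
    ],
    "python": [
        r"\b(eval|exec)\s*\(",
        r"subprocess\.\w+\(.*shell\s*=\s*True",
        r"\bpickle\.loads?\s*\(",
    ],
}


class Finding(NamedTuple):
    path: str
    line: int
    pattern: str
    text: str


def scan_source(path: str, source: str, language: str) -> List[Finding]:
    """Return one Finding per source line that matches a signature.

    Like grep, this is purely lexical: there is no parsing and no data flow,
    so a sink fed only by constants is still reported, and a sink reached
    through a helper function is missed.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in SIGNATURES[language]]
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rx in compiled:
            if rx.search(line):
                findings.append(Finding(path, lineno, rx.pattern, line.strip()))
                break  # one hit per line is enough for triage
    return findings


# Constructed sample inputs: deliberately sloppy code written for this example.
SAMPLE_PHP = """<?php
$page = $_GET['page'];
include($page . '.php');
$out = shell_exec("ls " . $_POST['dir']);
echo htmlspecialchars($name);
"""

SAMPLE_PY = """import subprocess, pickle
def run(cmd):
    return subprocess.check_output(cmd, shell=True)
data = pickle.loads(blob)
"""


def main() -> None:
    for path, src, lang in (("sample.php", SAMPLE_PHP, "php"),
                            ("sample.py", SAMPLE_PY, "python")):
        for f in scan_source(path, src, lang):
            print(f"{f.path}:{f.line}: {f.text}    [{f.pattern}]")


if __name__ == "__main__":
    main()
```

The output is a list of file:line hits to hand to a human reviewer, which is all a signature scanner can give you. The distinction from RIPS above is exactly the missing data-flow step: RIPS builds a program model and asks whether user input can reach a sink, whereas this scanner only asks whether a line looks like a sink or a source, so expect both false positives and misses and treat the results as a starting point for manual audit.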

APIs

  • 101
    • API Security Checklist
      • Checklist of the most important security countermeasures when designing, testing, and releasing your API
  • General/Articles/Writeups
  • Tools
    • Syntribos
      • Syntribos is an open source automated API security testing tool that is maintained by members of the OpenStack Security Project. Given a simple configuration file and an example HTTP request, syntribos can replace any API URL, URL parameter, HTTP header and request body field with a given set of strings. Syntribos iterates through each position in the request automatically. Syntribos aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc. In addition, syntribos can be used to help identify new security defects by automated fuzzing.
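The core of what the Syntribos description calls iterating through each position in the request is a request-mutation loop: take one template request, enumerate every fuzzable position (path segments, query values, header values, body fields), and emit one copy per position per payload with only that position changed. The following is an added example written for this page, not Syntribos' own code; the `Request` type, the payload list and the sample request are constructed here, and the example only generates the mutated requests rather than sending them.

```python
import json
from dataclasses import dataclass, field, replace as dc_replace
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass(frozen=True)
class Request:
    """A minimal HTTP request template (a stand-in for a Syntribos request file)."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, object] = field(default_factory=dict)  # sent as JSON

    def as_bytes(self) -> bytes:
        """Serialise to the wire form a client would send (for inspection only)."""
        parts = urlsplit(self.url)
        target = parts.path + ("?" + parts.query if parts.query else "")
        payload = json.dumps(self.body).encode() if self.body else b""
        head = [f"{self.method} {target} HTTP/1.1", f"Host: {parts.netloc}"]
        head += [f"{k}: {v}" for k, v in self.headers.items()]
        if payload:
            head.append(f"Content-Length: {len(payload)}")
        return ("\r\n".join(head) + "\r\n\r\n").encode() + payload


def mutate(req: Request, payloads: List[str]) -> Iterator[Tuple[str, Request]]:
    """Yield (position, request) pairs: every fuzzable position in `req`
    replaced by each payload in turn, one position changed per request."""
    parts = urlsplit(req.url)
    segments = parts.path.split("/")
    query = parse_qsl(parts.query, keep_blank_values=True)
    for p in payloads:
        for i, seg in enumerate(segments):
            if seg:  # skip the empty segment before the leading '/'
                segs = segments[:]
                segs[i] = p
                url = urlunsplit(parts._replace(path="/".join(segs)))
                yield f"path[{i}]", dc_replace(req, url=url)
        for i, (k, _) in enumerate(query):
            q = query[:]
            q[i] = (k, p)
            url = urlunsplit(parts._replace(query=urlencode(q)))
            yield f"query[{k}]", dc_replace(req, url=url)
        for k in req.headers:
            yield f"header[{k}]", dc_replace(req, headers={**req.headers, k: p})
        for k in req.body:
            yield f"body[{k}]", dc_replace(req, body={**req.body, k: p})


# Constructed payload set (Syntribos reads these from string files); the
# LDAP and SQL strings and the oversized value mirror the defect classes
# named in the tool description.
PAYLOADS = ["' OR '1'='1", "*)(uid=*))(|(uid=*", "A" * 1024]

# Constructed sample request against a hypothetical API host.
SAMPLE = Request(
    method="POST",
    url="https://api.example.test/v1/users/42?verbose=1&fields=name",
    headers={"Authorization": "Bearer example", "X-Request-Id": "abc123"},
    body={"name": "alice", "role": "user"},
)


def main() -> None:
    for pos, r in mutate(SAMPLE, PAYLOADS):
        print(pos, r.url, r.headers, r.body)


if __name__ == "__main__":
    main()
```

For the sample request there are nine positions (three path segments, two query values, two headers, two body fields), so three payloads produce twenty-seven requests. Deciding whether a mutated request found something is the other half of the tool and is not shown: in practice you send each one and compare status code, response length and response time against the unmodified baseline, and a position that only ever returns the baseline is uninteresting. Note that `urlencode` percent-encodes the query payloads, which is what a browser would do; fuzzing the raw, unencoded form is a separate position worth adding.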

Assembly x86/x64/ARM


Android (Kotlin/Android Java)


Bash


C/C++


C#


Go


Java


Javascript

  • 101
  • Vanilla JS
  • Node.js
    • Node.js Best Practices
      • The largest Node.JS best practices list. Curated from the top ranked articles and always updated
  • Learn
    • Mostly Adequate Guide
      • This is a book on the functional paradigm in general. We'll use the world's most popular functional programming language: JavaScript. Some may feel this is a poor choice as it's against the grain of the current culture which, at the moment, feels predominately imperative.
    • Spellbook of Modern Web Dev
      • A Big Picture, Thesaurus, and Taxonomy of Modern JavaScript Web Development
  • Reference
  • Tools
    • NodeJsScan
      • Static security code scanner (SAST) for Node.js applications.
  • Other

Lisp


Lua

  • Lua
    • Official Homepage
  • Lua - Getting Started
  • Learn
    • Learn X in Y minutes, Where X=Lua
    • Lua code: security overview and practical approaches to static analysis
      • Abstract — Lua is an interpreted, cross-platform, embeddable, performant and low-footprint language. Lua’s popularity is on the rise in the last couple of years. Simple design and efficient usage of resources combined with its performance make it attractive for production web applications even to big organizations such as Wikipedia, CloudFlare and GitHub. In addition to this, Lua is one of the preferred choices for programming embedded and IoT devices. This context allows one to assume a large and growing Lua codebase yet to be assessed. This growing Lua codebase could be potentially driving production servers and an extremely large number of devices, some perhaps with mission-critical function for example in automotive or home-automation domains. However, there is a substantial and obvious lack of static analysis tools and vulnerable code corpora for Lua as compared to other increasingly popular languages, such as PHP, Python and JavaScript. Even the state-of-the-art commercial tools that support dozens of languages and technologies actually do not support Lua static code analysis. In this paper we present the first public Static Analysis for Security Testing (SAST) tool for Lua code that is currently focused on web vulnerabilities. We show its potential with good and promising preliminary results that we obtained on simple and intentionally vulnerable Lua code samples that we synthesized for our experiments. We also present and release our synthesized corpus of intentionally vulnerable Lua code, as well as the testing setups used in our experiments in the form of virtual and completely reproducible environments. We hope our work can spark additional and renewed interest in this apparently overlooked area of language security and static analysis, as well as motivate the community’s contribution to these open-source projects. The tool, the samples and the testing VM setups will be released and updated at http://lua.re and http://lua.rocks
  • Tools
    • REPL.lua
      • a reusable Lua REPL written in Lua, and an alternative to /usr/bin/lua

.NET


Perl


Powershell

```powershell
try {
    # stuff
}
catch {
    # Inside a catch block $_ holds the ErrorRecord; the one-line form of this
    # snippet had lost the underscore, and its "#stuff" comment swallowed the
    # closing brace of the try block.
    $ErrorMessage = $_.Exception.Message
    $ErrorSource  = $_.Exception.Source
    $err = $ErrorSource + " reports: " + $ErrorMessage
}
```


PHP


Python


Ruby


SQL


Swift

  • Alamofire
    • Alamofire is an HTTP networking library written in Swift.

UEFI Programming


Other