.NET Security and Hacking Tool Belt - Tools, Books, Videos, and Sites
There are a ton of tools and books out on security and hacking. My focus has been on learning the techniques hackers use so I can fortify the applications I build. Learning the techniques is great, but you also need to know where in the development process you should use them.
The application my team is rebuilding now is a result of waiting to worry about security until the end of the development lifecycle. They inherited quite a mess. Not only was security completely overlooked, the tools to implement security did not go through a proof of concept. In the end, the product they planned on using did not support role base authorization, it is wide open to Denial-of-service (DOS) attacks, and it intercepts and rewrites JavaScript breaking most of the functionality that has nothing to do with security. Instead of needing the 1 role that was planned for they need between 5 - 7.
Security considerations must be included from the beginning of a project. The only way I know how to do that effectively is to execute architecture centric design. Meaning that without proper architecture, any sizable project will not have proper security. Without a way to keep it in balance with other quality attributes, you can also go over board with security. I have never treated it as its own solution, but rather just one part of the solution that needs to be balanced with the systems other needs (performance, modifiability, etc.).
I have listed some of the tools, books, videos, and sites I keep in my security tool belt below.
Tools
Burp Suite
Nmap and Zenmap GUI
Microsoft Threat Analysis and Modeling v2.1.2 (I like the new version (SDL Threat Modeling Tool 3.1) better. It is lighter weight and can be used in a development process much easier. This version required to much overhead and was hard to justify using. Although this one was prettier.)
SDL Threat Modeling Tool 3.1
Privoxy
TOR
Sam Spade
Vistumbler
Xenu's Link Sleuth
Foundstone's Free Tools
Books
Videos
Matt Fisher - SQL Injection - Everything About SQL Injection
"How Do I" Videos for Security
Microsoft Webcasts
Sites
Microsoft SDL - Developer Starter Kit
The Ethical Hacker Network
Threat Modeling
patterns & practices Improving Web Services Security
CLR Security
Security Developer Center
Web Application Security Consortium
CERT
Security Quality Requirements Engineering (SQUARE) Methodology
Hack this Site
McAfee
Norton- Threat Explorer
The Microsoft Security Response Center (MSRC)
Hacking Exposed: Web Applications 2
Hacking Exposed: Windows
The Web Application Hacker's Handbook
The application my team is rebuilding now is a result of waiting to worry about security until the end of the development lifecycle. They inherited quite a mess. Not only was security completely overlooked, the tools to implement security did not go through a proof of concept. In the end, the product they planned on using did not support role base authorization, it is wide open to Denial-of-service (DOS) attacks, and it intercepts and rewrites JavaScript breaking most of the functionality that has nothing to do with security. Instead of needing the 1 role that was planned for they need between 5 - 7.
Security considerations must be included from the beginning of a project. The only way I know how to do that effectively is to execute architecture centric design. Meaning that without proper architecture, any sizable project will not have proper security. Without a way to keep it in balance with other quality attributes, you can also go over board with security. I have never treated it as its own solution, but rather just one part of the solution that needs to be balanced with the systems other needs (performance, modifiability, etc.).
I have listed some of the tools, books, videos, and sites I keep in my security tool belt below.
Tools
Burp Suite
Nmap and Zenmap GUI
Microsoft Threat Analysis and Modeling v2.1.2 (I like the new version (SDL Threat Modeling Tool 3.1) better. It is lighter weight and can be used in a development process much easier. This version required to much overhead and was hard to justify using. Although this one was prettier.)
SDL Threat Modeling Tool 3.1
Privoxy
TOR
Sam Spade
Vistumbler
Xenu's Link Sleuth
Foundstone's Free Tools
Books
Videos
Matt Fisher - SQL Injection - Everything About SQL Injection
"How Do I" Videos for Security
Microsoft Webcasts
Sites
Microsoft SDL - Developer Starter Kit
The Ethical Hacker Network
Threat Modeling
patterns & practices Improving Web Services Security
CLR Security
Security Developer Center
Web Application Security Consortium
CERT
Security Quality Requirements Engineering (SQUARE) Methodology
Hack this Site
McAfee
Norton- Threat Explorer
The Microsoft Security Response Center (MSRC)
Hacking Exposed: Web Applications 2
Hacking Exposed: Windows
The Web Application Hacker's Handbook
posted by tadanderson at 7:23 PM
0 Comments:
Post a Comment
<< Home