Security

Java security books & specs

---

• The CERT Oracle Secure Coding Standard for Java, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda, 2011
• Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda, 2013
• SEI CERT Oracle Coding Standard for Java
• Beginning Cryptography with Java, David Hook, Wiley, 2005
• Iron-Clad Java: Building Secure Web Applications, Jim Manico, August Detlefsen, Oracle, 2014
• Java Cryptography, Jonathan B. Knudsen, O’Reilly, 1998
• Java Security, 2nd Edition, Scott Oaks, O’Reilly, 2001
• Practical Java ® Programming for IoT, AI, and Blockchain, Perry Xiao, Wiley, 2019
• Pro Spring Security: Securing Spring Framework 5 and Boot 2-based Java Applications, Carlo Scarioni, Massimo Nardone, APress, 2019
• Spring Security 3, Peter Mularien, Packt Publishing, 2010
• Spring Security 3.x Cookbook, Anjana Mankale, Packt Publishing, 2013
• Hands-On Spring Security 5 for Reactive Applications, Tomcy John, Packt Publishing, 2018
• Inside Java™ 2 Platform Security: Architecture, API Design, and Implementation, Second Edition, Li Gong, Gary Ellison, Mary Dageforde, Addison-Wesley Professional, 2003
• Java SE Technologies - Security

Security open-source JVM projects

---

• Contribute to Google’s Tsunami Security Scanner (Java)
• Contribute to Zing - the Zero packet Ping network utility or Zing2 forked project (Java)
• Beginning Crypthography with Java Code Examples
• Java Cryptography
• Java Security
• Contribute to Signal for Android (Java + Kotlin)
• Haven / GuardianProject (Java + Kotlin)
• Nzyme Network Defense System - project repository (Java)

Videos on JVM security

---

• Java Security Architecture Demystified by Martin Toshev
• Cryptography 101 for Java developers by Michel Schudel
• What’s New in Java Security? by Oracle Developers
• Keeping Your Java Applications Secure - Cryptographic Improvements and Best Practices
• javaBin Online : 10 Java Security Practices They Didn’t Teach You In School
• Martin Toshev - Java Security Animated
• 10 Java Security Practices • Brian Vermeer • Devoxx Poland 2021
• Tech3camp#72 (Java): Adam Zielke - Security w Javie nie istnieje - dowody
• Java application security the hard way - a workshop for the serious developer (Steve Poole)
• Secure Coding Guidelines for Java
• Java Security & the Java Ecosystem • Nicolas Frankel • GOTO 2021
• Securing the JVM • Nicolas Frankel • GOTO 2019
• The Anatomy of a Secure Web Application in Java Using Spring Security and Apache Fortress
• Diving Java ecosystem security with DevOps and OpenSource
• Fuzzing Java with Jazzer - Java User Group Switzerland
• Exploring Java Heap Dumps Java Language label Ryan Cuprak
• DevSecCon videos

Courses

---

Security for developers - including Java

• Java security by Snyk - free interactive lessons for developers, covering over sixty vulnerabilities and remediatiation in various languages, including Java and Python
• Secure Code Warrior - another interactive security platform for developers, offers free trial + some free stuff
• Codebashing - developer-oriented and interactive, free unlimited trial, 41 lessons on discreet CVE’s to code level OWASP Top 10 vulnerabilites
• Hacksplaining - more theory but still interactive, focuses on attacker side, shows code snippets at the end of every lesson
• Contrast’s Secure Code Learning Hub - lessons consist on text, videos, code snippets and resources, shows vulnerabilities and mitigations, and there is Java, too
• Avatao secure coding training - only three free excercises, learning path by language (Java, Kotlin) or by topic
• Veracode Security Labs Community Edition - forever-free option for developers who want to gain knowledge about the latest security topics
• OWASP Secure Coding Dojo and its GitHub repo (https://github.com/owasp/SecureCodingDojo) - this is a self-hosted learning platform in Java with lessons hosted and an insecure app to fix, Docker, Java
• Kontra - Application Security Training by ThriveDX - many of the OWASP Top Ten Exercises free and a free trial, interactive, but nice old-school design (I’d say Windows 98 / Win XP style)
• Appsec Engineer - access to 7 courses for 15 days

Security in general, cryptography, privacy, mathematics

• +7000 courses related to security lauched by world univerities: including > 2500 for free.
• Privacy: +1000 courses available, including > 500 free.
• hackers-arise.com (search for free stuff)
• Coursera: cryptography courses, including legendary Dan Boneh’s Cryptography I & Cryptography II
• Coursera: security and privacy courses
• Web Security Academy of PortSwigger
• Wolfram Cryptography
• Khan Academy Math

How to start in security

• Starting InfoSec career - great summary For Java programmers, blue team roles like secure development, threat intel and research, possibly also indentity management positions, security engineering. Red team roles for Java programmers: vulnerability research and mabye pentesting (might require full stack & CS knowledge) seems to be the most suitable.
• How to Build a Cybersecurity Career
• Navigating the Cybersecurity Career Path, Hellen E. Patton, Wiley 2021
• Confident Cybersecurity, Jessica Barker
• A Tribe of Hackers books

Must-read: security books & blogs

---

• Cybersecurity Canon by Ohio State Univeristy (former project of Palo Alto Networks)
• Security Engineering: A Guide to Building Dependable Distributed Systems, Ross Anderson, Wiley 2020

Antology of security. First edition available for free from the author’s website.

• Podstawy kryptografii, Marcin Karbowski, Helion, 2014

A pleasant introduction into cryptography basics. Topics of various difficulty, from beginner how-to-start and history to more advanced math formulas. If this book was updated now and edited in English (and maybe extended in some areas), it would be a bestseller.

• Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, Michał Zalewski, 2005
• The Tangled Web: A Guide to Securing Modern Web Applications, Michał Zalewski, 2011
• Schneier on Security
• Security concepts explained as simple sketches
• Michał Zalewski blog (retired)
• Michał Zalewski website
• Cryptography and Network Security, Seventh Edition, William Stallings, Prentice Hall, 2016
• Handbook of Applied Cryptography, Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, CRC Press

Privacy books & websites

---

• Extreme Privacy: What It Takes To Disappear - 4th Edition (2022), Michael Bazzell
• Michael Bazzell’s website
• How To Be Invisible: Protect Your Home, Your Children, Your Assets, and Your Life, J. J. Luna, Thomas Dunne Books, New York, 2012
• Personal Digital Security: Protecting Yourself from Online Crime 2016 Revision, Michael Bazzell
• The Art of Invisibility, Kevin Mitnick

OSINT: books & manuals

---

• OSINT Techniques: Resources for Uncovering Online Information - 10th Edition (2023), Michael Bazzell
• Open Source Intelligence Tools and Resources Handbook
• non-typical OSINT guide GitHub repo - a very recommended treasure trove

OSINT: cybersecurity search engines

---

• Shodan - search engine for Internet-connected devices
• CVE - search engine for vulnerabilities
• Wigle - database of wireless networks with statistics
• GreyNoise - search engine for Internet-connected devices
• VirusTotal - analyse suspicious files, domains, IPs and URLs
• URL Scan - free service to scan URL’s
• Vulners - search engine for security intel & vulnerabilities
• Internet Archive / WayBackMachine - what happens in the Internet, stays in the Internet forever
• Netlas - discover, research and monitor IP addresses, domain names, websites, web applications, IoT devices, and other online assets
• ONYPHE - cyber defense search engine for open-source and cyber threat intelligence data collected by crawling various sources available on the Internet or by listening to Internet background noise
• FullHunt - a complete platform to solve Attack Surface Management at scale
• GrepApp - search across a half million git repos
• Crt sh - search for certificates
• GrayHatWarfare - search public S3 buckets & shorteners
• AlienVault - Open Threat Intelligence Community (free access to over 20 million threat indicators contributed daily and more features)
• Binary Edge - real-time threat intelligence streams for Internet Attack Surface
• TinEye - reverse image search
• OSINT framework - OSINT helper, gathers information from free tools or resources. The intention is to help people find free OSINT resources and plan the research.
• Hunter - search for emails related with professional domain
• LeakIX - search publicly indexed information (last update: August 2022)
• IntelligenceX - search Tor, I2P, data leaks, domains and emails
• DNS dumpster - FREE domain research tool that can discover hosts related to a domain
• ExploitDB - exploit database
• PulseDive - threat intel
• Packet Storm - cybersecurity news & updates

Linux basics

---

• freeCodeCamp: Introduction to Linux
• freeCodeCamp: How to create your own command in Linux
• Linux terminal for beginners - short intro
• Basic Linux commands
• Basic Linux networking commands
• Linux commands tutorial
• The Art of Command Line
• Goalkicker’s Linux Notes for Professionals
• Goalkicker’s Bash Notes for Professionals
• BorgBackup repo and website with cloud BorgBase
• Age - command-line encryption tool and password manager
• btop++ - command-line OS resources monitor (C++), bpytop (Python)

Python basics

---

• 30 days of Python
• Goalkicker’s Python Notes for Professionals

Where to train cybersecurity?

---

• Try Hack Me (training & learning platform)
• Hack The Box (training platform)
• Hack The Box Academy (learning platform launched by Hack The Box)
• Vulnmachines (free labs consist of 100+ real scenarios, like Spring4Shell, Log4jShell)
• Cybrary (partly for free, videos, learning paths, exams preparation)
• Let’s Defend (Blue Team, Hands-On SOC Analyst Training)
• Root Me (+500 challenges, some free)
• HackXExpert labs
• Certified Secure (quiz)
• Try2HackMe (game)
• echoCTF.RED (hacking laboratories)
• VulnHub (practice stuff)
• OverTheWire (https://overthewire.org/wargames/)
• PentesterLab (blog, free, short articles and more)
• Cryptohack (courses & challenges, mainly cryptoghraphy and mathematics)

Bug Bounty

---

• hackerone
• bug crowd
• list of bug bounty platforms

Even if you do not want to actively participate in the bounty, it is worth looking for bug bounty writeups, which are publicly available descriptions of bugs that have been reported as part of bug bounty programmes. This is often a read full of why didn’t I come across this…

• hackerone writeups
• pentester.land