Java security books & specs

  • The CERT Oracle Secure Coding Standard for Java, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda, 2011
  • Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda, 2013
  • SEI CERT Oracle Coding Standard for Java
  • Beginning Cryptography with Java, David Hook, Wiley, 2005
  • Iron-Clad Java: Building Secure Web Applications, Jim Manico, August Detlefsen, Oracle, 2014
  • Java Cryptography, Jonathan B. Knudsen, O’Reilly, 1998
  • Java Security, 2nd Edition, Scott Oaks, O’Reilly, 2001
  • Practical Java ® Programming for IoT, AI, and Blockchain, Perry Xiao, Wiley, 2019
  • Pro Spring Security: Securing Spring Framework 5 and Boot 2-based Java Applications, Carlo Scarioni, Massimo Nardone, APress, 2019
  • Spring Security 3, Peter Mularien, Packt Publishing, 2010
  • Spring Security 3.x Cookbook, Anjana Mankale, Packt Publishing, 2013
  • Hands-On Spring Security 5 for Reactive Applications, Tomcy John, Packt Publishing, 2018
  • Inside Java™ 2 Platform Security: Architecture, API Design, and Implementation, Second Edition, Li Gong, Gary Ellison, Mary Dageforde, Addison-Wesley Professional, 2003
  • Java SE Technologies - Security

Security open-source JVM projects

Videos on JVM security


Security for developers - including Java

  • Java security by Snyk - free interactive lessons for developers, covering over sixty vulnerabilities and remediatiation in various languages, including Java and Python
  • Secure Code Warrior - another interactive security platform for developers, offers free trial + some free stuff
  • Codebashing - developer-oriented and interactive, free unlimited trial, 41 lessons on discreet CVE’s to code level OWASP Top 10 vulnerabilites
  • Hacksplaining - more theory but still interactive, focuses on attacker side, shows code snippets at the end of every lesson
  • Contrast’s Secure Code Learning Hub - lessons consist on text, videos, code snippets and resources, shows vulnerabilities and mitigations, and there is Java, too
  • Avatao secure coding training - only three free excercises, learning path by language (Java, Kotlin) or by topic
  • Veracode Security Labs Community Edition - forever-free option for developers who want to gain knowledge about the latest security topics
  • OWASP Secure Coding Dojo and its GitHub repo ( - this is a self-hosted learning platform in Java with lessons hosted and an insecure app to fix, Docker, Java
  • Kontra - Application Security Training by ThriveDX - many of the OWASP Top Ten Exercises free and a free trial, interactive, but nice old-school design (I’d say Windows 98 / Win XP style)
  • Appsec Engineer - access to 7 courses for 15 days

Security in general, cryptography, privacy, mathematics

How to start in security

  • Starting InfoSec career - great summary For Java programmers, blue team roles like secure development, threat intel and research, possibly also indentity management positions, security engineering. Red team roles for Java programmers: vulnerability research and mabye pentesting (might require full stack & CS knowledge) seems to be the most suitable.
  • How to Build a Cybersecurity Career
  • Navigating the Cybersecurity Career Path, Hellen E. Patton, Wiley 2021
  • Confident Cybersecurity, Jessica Barker
  • A Tribe of Hackers books

Must-read: security books & blogs

  • Cybersecurity Canon by Ohio State Univeristy (former project of Palo Alto Networks)
  • Security Engineering: A Guide to Building Dependable Distributed Systems, Ross Anderson, Wiley 2020

Antology of security. First edition available for free from the author’s website.

  • Podstawy kryptografii, Marcin Karbowski, Helion, 2014

A pleasant introduction into cryptography basics. Topics of various difficulty, from beginner how-to-start and history to more advanced math formulas. If this book was updated now and edited in English (and maybe extended in some areas), it would be a bestseller.

Privacy books & websites

  • Extreme Privacy: What It Takes To Disappear - 4th Edition (2022), Michael Bazzell
  • Michael Bazzell’s website
  • How To Be Invisible: Protect Your Home, Your Children, Your Assets, and Your Life, J. J. Luna, Thomas Dunne Books, New York, 2012
  • Personal Digital Security: Protecting Yourself from Online Crime 2016 Revision, Michael Bazzell
  • The Art of Invisibility, Kevin Mitnick

OSINT: books & manuals

OSINT: cybersecurity search engines

  • Shodan - search engine for Internet-connected devices
  • CVE - search engine for vulnerabilities
  • Wigle - database of wireless networks with statistics
  • GreyNoise - search engine for Internet-connected devices
  • VirusTotal - analyse suspicious files, domains, IPs and URLs
  • URL Scan - free service to scan URL’s
  • Vulners - search engine for security intel & vulnerabilities
  • Internet Archive / WayBackMachine - what happens in the Internet, stays in the Internet forever
  • Netlas - discover, research and monitor IP addresses, domain names, websites, web applications, IoT devices, and other online assets
  • ONYPHE - cyber defense search engine for open-source and cyber threat intelligence data collected by crawling various sources available on the Internet or by listening to Internet background noise
  • FullHunt - a complete platform to solve Attack Surface Management at scale
  • GrepApp - search across a half million git repos
  • Crt sh - search for certificates
  • GrayHatWarfare - search public S3 buckets & shorteners
  • AlienVault - Open Threat Intelligence Community (free access to over 20 million threat indicators contributed daily and more features)
  • Binary Edge - real-time threat intelligence streams for Internet Attack Surface
  • TinEye - reverse image search
  • OSINT framework - OSINT helper, gathers information from free tools or resources. The intention is to help people find free OSINT resources and plan the research.
  • Hunter - search for emails related with professional domain
  • LeakIX - search publicly indexed information (last update: August 2022)
  • IntelligenceX - search Tor, I2P, data leaks, domains and emails
  • DNS dumpster - FREE domain research tool that can discover hosts related to a domain
  • ExploitDB - exploit database
  • PulseDive - threat intel
  • Packet Storm - cybersecurity news & updates

Linux basics

Python basics

Where to train cybersecurity?

Bug Bounty

Even if you do not want to actively participate in the bounty, it is worth looking for bug bounty writeups, which are publicly available descriptions of bugs that have been reported as part of bug bounty programmes. This is often a read full of why didn’t I come across this