OWASP Testing Guide Appendix B: Suggested Reading

Whitepapers

 * The OWASP Guide to Building Secure Web Applications
 * The Economic Impacts of Inadequate Infrastructure for Software Testing - http://www.nist.gov/director/prog-ofc/report02-3.pdf
 * Threats and Countermeasures: Improving Web Application Security - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/threatcounter.asp
 * Use Cases: Just the FAQs and Answers - http://www-106.ibm.com/developerworks/rational/library/content/RationalEdge/jan03/UseCaseFAQS_TheRationalEdge_Jan2003.pdf
 * Security in the SDLC (NIST) - http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf
 * Web Application Security is Not an Oxy-Moron, by Mark Curphey - http://www.sbq.com/sbq/app_security/index.html
 * The Security of Applications: Not All Are Created Equal - http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf
 * The Security of Applications Reloaded - http://www.atstake.com/research/reports/acrobat/atstake_app_reloaded.pdf

Books

 * The Ethical Hack: A Framework for Business Value Penetration Testing, by James S. Tiller, published by Auerbach, ISBN 084931609X
 * The Hacker's Handbook: The Strategy behind Breaking into and Defending Networks, by Susan Young and Dave Aitel, published by Auerbach, ISBN 0849308887
 * Secure Coding, by Mark Graff and Ken Van Wyk, published by O'Reilly, ISBN 0596002424 (2003) - http://www.securecoding.org
 * Building Secure Software: How to Avoid Security Problems the Right Way, by Gary McGraw and John Viega, published by Addison-Wesley Pub Co, ISBN 020172152X (2002) - http://www.buildingsecuresoftware.com
 * Writing Secure Code, by Mike Howard and David LeBlanc, published by Microsoft Press, ISBN 0735617228 (2003) - http://www.microsoft.com/mspress/books/5957.asp
 * Innocent Code: A Security Wake-Up Call for Web Programmers, by Sverre Huseby, published by John Wiley & Sons, ISBN 0470857447 (2004) - http://innocentcode.thathost.com
 * Exploiting Software: How to Break Code, by Gary McGraw and Greg Hoglund, published by Addison-Wesley Pub Co, ISBN 0201786958 (2004) - http://www.exploitingsoftware.com
 * Secure Programming for Linux and Unix HOWTO, by David Wheeler (2004) - http://www.dwheeler.com/secure-programs
 * Mastering the Requirements Process, by Suzanne Robertson and James Robertson, published by Addison-Wesley Professional, ISBN 0201360462 - http://www.systemsguild.com/GuildSite/Robs/RMPBookPage.html
 * The Unified Modeling Language: A User Guide - http://www.awprofessional.com/catalog/product.asp?product_id=%7B9A2EC551-6B8D-4EBC-A67E-84B883C6119F%7D
 * Hacking Exposed: Web Applications, by Joel Scambray and Mike Shema, published by McGraw-Hill Osborne Media, ISBN 007222438X
 * Software Testing in the Real World (ACM Press Books), by Edward Kit, published by Addison-Wesley Professional, ISBN 0201877562 (1995)
 * Securing Java, by Gary McGraw and Edward W. Felten, published by Wiley, ISBN 047131952X (1999) - http://www.securingjava.com
 * Software Testing Techniques, 2nd Edition, by Boris Beizer, published by International Thomson Computer Press (1990), ISBN 0442206720


Useful Websites

 * OWASP - http://www.owasp.org
 * SANS - http://www.sans.org
 * Secure Coding - http://www.securecoding.org
 * Secure Coding Guidelines for the .NET Framework - http://msdn.microsoft.com/security/securecode/bestpractices/default.aspx?pull=/library/en-us/dnnetsec/html/seccodeguide.asp
 * Security in the Java platform - http://java.sun.com/security
 * OASIS WAS XML - http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was
 * Build Security In - https://buildsecurityin.us-cert.gov/bsi/home.html

Videos

 * OWASP AppSec Tutorial Series - https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
 * SecurityTube - http://www.securitytube.net/
 * Videos by Imperva - http://www.imperva.com/resources/videos.asp

Deliberately Insecure Web Applications

 * BadStore - http://www.badstore.net/
 * Damn Vulnerable Web App - http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/
 * Hacme Series from McAfee:
   * Hacme Travel - http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
   * Hacme Bank - http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
   * Hacme Shipping - http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
   * Hacme Casino - http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
   * Hacme Books - http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
 * Moth - http://www.bonsai-sec.com/en/research/moth.php
 * Mutillidae - http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
 * Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/
 * Vicnum - http://vicnum.sourceforge.net/ and http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project
 * WebGoat - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
 * WebMaven (better known as Buggy Bank) - http://www.mavensecurity.com/WebMaven.php