I recently completed (ISC)2’s Secure Software Practitioner - .NET course, along with the associated exam. It’s an achievement that I find awkward to boast about, given the mixed feelings about certifications in general, especially regarding the controversy of whether they are effective for teaching and evaluation. That said, I learned a lot just studying for the exam, and am grateful for my employer signing me up for the course. Given that I signed an NDA for the exam itself, I struggled to come up with a way to celebrate on this blog while having something meaningful to share.

Along the way, I ran into a bunch of resources that helped add perspective to the topic discussed. I don’t kid myself as being any more than a newbie regarding security topics at this point, but I wanted to share a couple of recommendations specifically tailored for beginners. Other more qualified experts have their own comprehensive guides, but I hope these two sources are an approachable start for those who would like to begin exploring in a safe environment:

Live Overflow

It’s one thing to get an overview and demonstration about a threat or exploit, but that’s a separate thing from learning the mindset of how to probe a black box of a system. I really enjoyed this YouTube channel for its informative introductory explanations of binary hacking and web application exploitation, along with the detailed breakdown of concepts applied in the CTF exercises. The narrator’s humble but passionate attitude is also a warm welcome for such a daunting topic.

OWASP WebGoat (and Zed Attack Proxy)

A narrator can talk your ear off about the OWASP Top 10 over a set of lecture slides, but I find that the “what’s the harm?” question is better answered with hands-on experimentation. You can learn a lot just from reading the solution writeups, and then playing with the scenarios interactively. I particularly appreciated the exercises where you crafted malicious e-mails and comments to plunder imaginary bank accounts and admin credentials. Remember to unplug your internet or isolate your VM, as running an insecure web service on your computer is about as unsafe as it sounds.

That’s it for now!

I could naturally go on listing other neat sites such as microcorruption, cryptopals, and XSS game, but tackling those challenges without prior context can be like trying to walk through a brick wall. Hopefully the above “list” is small enough that the idea of tackling it seems manageable, even inviting!

In the meantime, if you want to ask me about anything more specific, or to lay some frank feedback onto me, you can reach me on the usual channels as always.