Hacker News new | ask | show | jobs
by typicalrunt 2187 days ago
Security is mutli-faceted, so it's hard to know where to start. I like to help people begin by getting them to learn the fundamentals. A lot of security training is changing your mindset (perspective) on situations.

Two books I like to start this process:

* Threat modeling by Adam Shostack

* CISSP all in one handbook by Shon Harris

You don't need to get a CISSP cert, but the resources and education are generally applicable in most situations.
2 comments
banads 2187 days ago
If you're looking for something more practically related to securing the code you write, the OWASP Top 10 (and OWASP in general) is probably the best place to start. Many modern frameworks like Spring have lots of nice security features baked in, but I've still seen plenty of low hanging Top 10 vulnerabilities in Spring apps -- most often caused by simply failing to use allowlist (formerly known as whitelist) validation on key inputs.

It is astonishing how often people neglect basic programming best practices (input validation, error handling, logging, access control) which in turn leads to security vulnerabilities. My theory is this is caused moreso by Agile Management forcing developers to cut corners, rather than just developers being ignorant/lazy.

https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top...

Threat modeling can be a good practice to learn, because it gets you into the habit of thinking about how you could hack each new thing you're developing.

I dont think the CISSP is a good recommendation for this person's case, unless they plan on becoming a cyber security manager.

link
typicalrunt 2187 days ago
That's not my point suggesting CISSP. The book I recommended takes the reader through the different OSI layers for networking and security, a basic intro to threat modeling, and other stuff that is fundamental to security. One can always skip the managerial stuff, but it doesn't mean the CISSP book is not a good recommendation.

Also, having a developer understand the value and need for code security from the perspective of a security person is important to the overall success of an infosec program. Otherwise both engineering and infosec are going to be grating on each other.

link
tptacek 2187 days ago
Ignore threat modeling and CISSP, both of which are industry kabuki dances. The rest of the advice in this comment is fine.
link