enso.security's AppSec Map provides a quick overview of different elements of an AppSec programme and some of the offerings which can help an organisation provide each element of the programme.
The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
The Azure Well-Architected Framework is a set of guidance that helps you improve how you build and deploy your application on Microsoft's Azure cloud platform. Security is one pillar within the Well-Architected Framework.
The Citadel Programming Lab is an online virtual secure coding game-based computer lab. The Lab combines a tower defence game with 6 security programming tasks. The lab is based on a serious game approach to join learning and playfulness. The lab’s platform combines a Unity game linked with a coding environment based on an instance of GitLab. The game elements and coding exercises are linked to CyBOK, the Cybersecurity Body of Knowledge, to map its cybersecurity content.
Read about one person's experience creating product security programme's from scratch.
The CWE™ Most Important Hardware Weaknesses is the result of collaboration within the Hardware CWE Special Interest Group (SIG). Its intent is to drive awareness of common hardware weaknesses and prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle.
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications.
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 100 web vulnerabilities! It covers all major known web bugs, including all risks from the OWASP Top 10 project. bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP. Another possibility is to download the bee-box, a custom Linux VM pre-installed with bWAPP.
OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application providing a target for web-security training. With dozens of vulnerabilities and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets.