
If you're looking for something more practically related to securing the code you write, the OWASP Top 10 (and OWASP in general) is probably the best place to start. Many modern frameworks like Spring have lots of nice security features baked in, but I've still seen plenty of low-hanging Top 10 vulnerabilities in Spring apps -- most often caused by simply failing to use allowlist (formerly known as whitelist) validation on key inputs.

It is astonishing how often people neglect basic programming best practices (input validation, error handling, logging, access control), which in turn leads to security vulnerabilities. My theory is this is caused more so by Agile management forcing developers to cut corners, rather than just developers being ignorant/lazy.

https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top...

Threat modeling can be a good practice to learn, because it gets you into the habit of thinking about how you could hack each new thing you're developing.

I don't think the CISSP is a good recommendation for this person's case, unless they plan on becoming a cyber security manager.
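As an added illustration of the allowlist point above (this is example code, not the commenter's and not Spring-specific; it is written in plain Python to keep it language-agnostic), the block below contrasts a denylist check on a "key input" (a user-chosen sort column that ends up inside a query, and a post-login redirect target) with an allowlist check. The column names, hostnames and sample inputs are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the only columns a report endpoint may sort by.
SORT_COLUMNS = {"created_at", "username", "email"}

# Constructed sample: the only hosts this app may redirect to after login.
REDIRECT_HOSTS = {"app.example.com", "docs.example.com"}

# A typical denylist: tokens that "look dangerous". It can only reject what
# its author already thought of, which is why it is the fragile approach.
DENYLIST_TOKENS = ("drop", "delete", ";", "--", "/*")


def denylist_sort_column(value: str) -> bool:
    """Reject the input if it contains any known-bad token (fragile)."""
    lowered = value.lower()
    return not any(tok in lowered for tok in DENYLIST_TOKENS)


def allowlist_sort_column(value: str) -> bool:
    """Accept the input only if it is exactly one of the known columns."""
    return value in SORT_COLUMNS


# Pattern-based allowlist for free-form identifiers (e.g. a saved report name):
# lowercase letter first, then up to 31 lowercase letters, digits or underscores.
IDENT_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def allowlist_identifier(value: str) -> bool:
    """Accept only values matching the identifier pattern in full."""
    return IDENT_RE.fullmatch(value) is not None


def allowlist_redirect(url: str) -> bool:
    """Accept a redirect target only if it is https and its parsed hostname
    (not a substring of the raw string) is in the allowlist."""
    parts = urlsplit(url)
    # .hostname is lowercased and has any userinfo stripped, so a host that
    # merely contains an allowed name as a prefix or as userinfo does not pass.
    return parts.scheme == "https" and parts.hostname in REDIRECT_HOSTS


def build_order_by(column: str, direction: str) -> str:
    """Build an ORDER BY clause from user input, using allowlists for both
    parts. Raises ValueError instead of interpolating an unvetted value."""
    if not allowlist_sort_column(column):
        raise ValueError(f"sort column not allowed: {column!r}")
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"sort direction not allowed: {direction!r}")
    return f"ORDER BY {column} {direction}"


if __name__ == "__main__":
    # Constructed inputs: the second one is not a known column, yet it contains
    # none of the denylisted tokens, so only the allowlist rejects it.
    for sample in ("username", "username, password_hash"):
        print(f"{sample!r}: denylist={denylist_sort_column(sample)} "
              f"allowlist={allowlist_sort_column(sample)}")
    for target in ("https://app.example.com/home",
                   "https://app.example.com.evil.example/",
                   "//docs.example.com/"):
        print(f"{target!r}: redirect allowed={allowlist_redirect(target)}")
```

The design point is that an allowlist describes the set of values the code actually expects, so anything outside that set is rejected without needing to anticipate how it could be misused; a denylist has to enumerate misuse, and the second sort-column sample shows a value that is not a known column but passes it anyway. Parsing the redirect URL and checking the hostname component, rather than doing a substring check on the raw string, is the same idea applied to a structured input.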



That's not my point suggesting CISSP. The book I recommended takes the reader through the different OSI layers for networking and security, a basic intro to threat modeling, and other stuff that is fundamental to security. One can always skip the managerial stuff, but it doesn't mean the CISSP book is not a good recommendation.

Also, having a developer understand the value and need for code security from the perspective of a security person is important to the overall success of an infosec program. Otherwise both engineering and infosec are going to be grating on each other.



