Other
Here goes a very long list of all kinds of resources.
Intro
This page collects a lot of resources I found along the way. They are organized, although some may fit better in other sections; the main purpose of this section is to provide external links to all possible related security resources.
If you detect any broken links, outdated resources or something missing, please help by editing this page 🙏 Outdated resources are marked with the symbol: ⚠️
Institutions
INCIBE (National Institute of Cybersecurity (Spain))
INCIBE-CERT: the security incident response center of reference for citizens and private law entities in Spain operated by the National Institute of Cybersecurity (INCIBE).
Organizations / Foundations
OWASP: The Open Worldwide Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software.
OISF: The Open Information Security Foundation is a 501(c)3 nonprofit organization created to build community and to support open source security technologies like Suricata, the world-class IDS/IPS network monitoring engine.
CIS (Center for Internet Security): harnessing the power of global IT community to safeguard public and private organizations against cyber threats.
CSA (Cloud Security Alliance): The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
PCI (Security Standards Council): The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.
OpenSCAP: an ecosystem that provides multiple tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines.
SAFECode: a global industry forum where business leaders and technical experts come together to exchange insights and ideas on creating, improving, and promoting scalable and effective software security programs.
Communities
MISP Standard: The collaborative intelligence standard powering intelligence and information exchange, sharing and modeling.
Enterprises / Products
GitHub Security: protect and defend the most trustworthy platform for developers everywhere to create and build software.
GitLab Security: empowers your teams to balance speed and security by automating software delivery and securing your end-to-end software supply chain.
Sonar (SonarSource): achieve a state of Clean Code so that all code is fit for development and production.
Datadog: the monitoring and security platform for cloud applications.
Snyk: find and automatically fix vulnerabilities in your code, open source dependencies, containers, and infrastructure as code.
MITRE: applying systems thinking to national challenges in defense, cybersecurity, healthcare, homeland security, & transportation.
Palo Alto Networks: several security solutions.
Rapid7: A powerful, practitioner-first approach for comprehensive, operationalized risk & threat response and results.
Cloudflare: a global network designed to make everything you connect to the Internet secure, private, fast, and reliable. Secure your websites, APIs, and Internet applications. Protect corporate networks, employees, and devices. Write and deploy code that runs on the network edge.
NCC Group: several solutions.
Aqua: several solutions and tools (some open source).
Anchore: Software Supply Chain Security.
Synopsys: software security - helps you protect your bottom line by building trust in your software.
Tarlogic: one of the leading European providers of cybersecurity services. A technical team of top-level specialists and state-of-the-art solutions to provide auditing, pentesting, vulnerability management, and incident response services.
cipher: a global cybersecurity company that delivers a wide range of services: Managed Detection and Response (MDR), Managed Security Services (MSS), Cyber Intelligence Services (CIS), Red Team Services (RTS), Governance, Risk and Compliance (GRC) and Cybersecurity Technology Integration (CTI).
Yogosha: One platform to secure them all.
Splunk: Keep your digital systems securely up and running. Fend off threat actors. Diminish downtime. Fix issues faster. Do it all with Splunk, the key to enterprise resilience.
Byron Labs: a team of experts that uses cutting-edge technology to analyze darknets and provide Threat Intelligence solutions to keep your business safe from cyber attacks.
Wise security global: To protect the activity of our customers by generating reliable and secure cyber environments that allow them to maintain and improve the trust of their stakeholders.
Outpost24: Outpost24's intelligence-led cyber risk management solution makes it easy to identify security gaps in your attack surface and prioritize vulnerabilities that matter.
S21Sec: a leading pure player cybersecurity provider, we promote the transformation of the business of organizations through cybersecurity risk management to protect their people and assets.
ZeroLynx: a European business group specialised in Cybersecurity, Intelligence and Property Security. Our main mission is to assist you on the road to security, always striving for excellence.
Checkmarx: Shift Everywhere With the Leading Cloud-Native AppSec Platform.
Qualys: provider of information security and compliance cloud solutions.
GuardRails: GuardRails eliminates vulnerabilities at source, educates developers in real-time, minimizes the security bottleneck, and helps organizations go faster to market.
CrowdStrike: We stop cyberattacks, we stop breaches, we stop a lot of bad things from happening.
GitGuardian: git security scanning & secrets detection.
TruffleSecurity: make security problems more identifiable, accessible and easier to fix.
Progress Chef (Security): extend DevOps Value with Cloud-to-Edge Security and Compliance.
Acunetix: find and fix the vulnerabilities that put your web applications at risk of attack.
Cilium: an open source, cloud native solution for providing, securing, and observing network connectivity between workloads, fueled by the revolutionary Kernel technology eBPF.
datree: secures your Kubernetes by blocking the deployment of misconfigured resources.
LunaSec: Open Source Data Security Platform.
Phylum: the Software Supply Chain Security Company.
Mandiant: dynamic cyber defense solutions by combining services and products powered by industry-leading expertise, intelligence and innovative technology.
Metlo: the open source API security platform.
HummerRisk (Chinese): Cloud-Native Security Platform.
Cider: control your application security from code to deployment.
deepfence: Detect, Protect and Remediate Cloud Attacks.
CrowdSec: real-time & crowdsourced protection against aggressive IPs.
tenable: Exposure Management Company.
PyUp: End-to-end Python Dependency Security.
Project Discovery: an open-source software company that builds tools to detect and remediate vulnerabilities across your modern tech stack.
Smallstep: identify security issues, prioritize what matters, and protect network assets. Built for modern operational environments on the cloud and on-premise.
Filigran: provides cyber threat intelligence, knowledge subsystems and crisis response solutions.
OpenSecurity: pentests, security engineering, online training and OpenSource.
Rhino Security Labs: penetration testing services.
Red Canary: managed detection and response to secure your endpoints, cloud...
Faraday: open source Vulnerability Management Platform.
StrangeBee: provides cutting edge incident response automation to hundreds of SOC, CERT & CSIRT teams.
Cisco Duo: Easy, Flexible Cybersecurity Solutions for Everyone.
Kaspersky: cybersecurity leader.
Fortinet: offers the most comprehensive solutions to help industries accelerate security, maximize productivity, preserve user experience, and lower total cost of ownership.
Akamai (Security Solutions): their solutions leverage our global security platform to protect your unique environment and all of its critical applications, so you can confidently innovate and expand your business, without creating new vulnerabilities.
Radware: DDoS protection, Application protection, Public Cloud protection and Application delivery.
NetScout: unique approach and deep technical expertise allow us to help our customers solve today’s biggest challenges for the most complex networks in the world.
CAST: software intelligence automated - actionable insights into your software inner workings.
Greenbone: provider of open source vulnerability management.
Fluid attacks: multiple techniques in a single solution to secure your technology throughout the software development lifecycle.
Bridgecrew: natively embed security into your development tools and workflows to secure your cloud-native applications at the source.
Armo (Armosec): secure your Kubernetes and CI/CD in less than three minutes with the most powerful open-source Kubernetes security solution on the planet.
Turbot: cloud tools.
Paragon: software consulting with attention to security above compliance.
runZero: get unmatched visibility and insights into every asset connected to your network.
Panther: alleviates the pain of traditional SIEMs with detection-as-code, a robust security data lake, and high scalability with zero-ops.
Tines: No-code automation for security teams.
Material: fights phishing and provides visibility, defense-in-depth, and security infrastructure for Office 365 and Google Workspace.
GreyNoise: Turning internet noise into intelligence.
Teleport: The Open Infrastructure Access Platform. The easiest, most secure way to access all your infrastructure.
Thinkst Canary: Order, configure and deploy your Canaries throughout your network. Your Canaries run in the background, waiting for intruders.
JupiterOne: Secure your attack surface with continuous asset discovery and attack path analysis.
LaceWork: Secure your entire cloud from one place.
Drata: automates your compliance journey from start to audit-ready and beyond and provides support from the security and compliance experts who built it.
VeraCode: Continuously Find and Fix Flaws at Every Stage of The Modern Software Development Lifecycle.
Micro Focus (Open Text): empowers and protects information to elevate every person and every organization to their full potential.
Orca Security: the industry-leading Cloud Security Platform that identifies, prioritizes, and remediates security risks and compliance issues across your cloud estate spanning AWS, Azure, Alibaba Cloud, Google Cloud and Kubernetes.
StackHawk: makes it simple for developers to find, triage, and fix application security bugs. AppSec Closer to the Keyboard than Ever Before.
Socket: fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript and Python dependencies.
Impart Security: Discover and block API attacks using inline enforcement and developer enablement tools.
Censys: empowers security teams with the most comprehensive, accurate, and up-to-date map of the internet to defend attack surfaces and hunt for threats.
HCL Software: Security from Application to Endpoint.
Invicti: vulnerability scanner for your web applications.
Data Theorem: modern application security.
Contrast Security: Ignite innovation velocity on the only unified security platform built to get secure code moving through the entire application development pipeline and continuously protect your apps across the complete software lifecycle.
ChainGuard: Fortified software delivery.
Betterscan: A simple and powerful DevSecOps software to automate thousands of checks and eliminate human errors in Source Code and Cloud Infrastructure. Integrable into anything.
Onapsis: business application cybersecurity.
imperva: detecting and protecting your apps and APIs anywhere.
PortSwigger: web security company on a mission to enable the world to secure the web.
Check Point: Check Point is constantly innovating to deliver security solutions that raise the bar for businesses worldwide, as well as a track record of success to back it up.
Spectral (part of Check Point)
Controlplane: Cloud Native and Open Source Security.
CyberArk: offers the most complete and extensible Identity Security Platform, protecting identities and critical assets by enabling Zero Trust and enforcing least privilege.
Puma Security: to help organizations build, develop, and support systems to deliver secure products and services.
ReportURI: browser security technologies, enabling you to detect and mitigate attacks, fast.
INE: challenge your team, regardless of level, to a training platform that puts real world infrastructure first. Learn from expert instructors and prove your knowledge in Networking, Cyber Security, Cloud and Data Science.
debricked: take full control of security, compliance and health with a toolkit that will revolutionize the way you use open source.
PurpleBox: Empower your team with cybersecurity solutions that work in harmony and help you detect, protect, respond and recover from cyberattacks (Vulnerability Management, Penetration testing, Risk and Compliance, Endpoint security, Web App firewall, Cloud Security, etc.).
Dig Security: Real-time visibility, control, and protection of data assets across any cloud with data security posture management (DSPM). Dig allows you to protect all the data that matters without giving up cloud agility and speed.
Halborn: Elite Blockchain Security Solutions.
Prancer: All-in-One Platform: fully automated solution streamlines discovering applications, APIs, and infrastructure, conducting threat emulation through automated penetration testing, validating zero-trust principles, intelligent API Security, checking the codes, and finally assessing risks and correlating findings, all while providing actionable remediation and reporting.
Lists
"Awesome" Lists
Awesome Cloud Security by 4ndersonLin
Awesome Cloud Security (Chinese) by TeamSix
Awesome Cloud Security by Funkymyster
Checklists
Guides
Security 101 for SaaS startups (English/Chinese)
Collections
RubySec: security resources for the Ruby community.
My arsenal of AWS security tools: list of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
How they SRE: a curated collection of publicly available resources on how technology and tech-savvy organizations around the world practice Site Reliability Engineering (SRE).
HolyTips: a Collection of Notes, Checklists, Writeups on Bug Bounty Hunting and Web Application Security.
CyberSecurityRSS (English/Chinese): a collection of cybersecurity RSS.
AI for security learning (Chinese)
Veracode Resources: lots of resources in several formats from Veracode.
Security Development
Guidelines
Frameworks
Building Security In Maturity Model (BSIMM) by Synopsys
Microsoft SDL practices by Microsoft
Others
DevOps Periodic Table (by digital.ai)
Labs
AWS Well-architected labs (web): hands on labs and code to help you learn, measure, and build using architectural best practices.
Templates
Roadmaps
DevSecOps: roadmap for everyone who wants DevSecOps.
Knowledge base
MITRE ATTACK (ATT&CK): a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
SecureFlag Knowledge Base: a repository of helpful information for developers, DevOps practitioners, and their organizations.
Advisories databases
OSV: a distributed vulnerability database for Open Source.
GitHub Advisory Database (web): security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Open Source Insights - deps.dev: Open Source Insights is a service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.
RustSec: vulnerability database for the Rust ecosystem.
Ruby Advisory Database: the Ruby Advisory Database is a community effort to compile all security advisories that are relevant to Ruby libraries.
Projects
OWASP MASVS (Mobile Application Security Verification Standard): the industry standard for mobile app security.
Vulnerable to learn
VulnHub: provides materials allowing anyone to gain practical hands-on experience with digital security, computer applications and network administration tasks.
OWASP Vulnerable Web Applications Directory (VWAD): a comprehensive and well maintained registry of known vulnerable web and mobile applications currently available.
OWASP Juice Shop (web): Probably the most modern and sophisticated insecure web application.
OWASP NodeGoat (web): provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
OWASP DVSA (web): Damn Vulnerable Serverless Application (DVSA) is a deliberately vulnerable application aiming to be an aid for security professionals to test their skills and tools in a legal environment, help developers better understand the processes of securing serverless applications and to aid both students & teachers to learn about serverless application security in a controlled classroom environment.
Checkmarx capital: a built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. Use c{api}tal to learn, train and exploit API Security vulnerabilities within your own API Security CTF.
Badssl.com (web): memorable site for testing clients against bad SSL configs.
CI/CD GOAT: a deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
INE Azure Goat: a Damn Vulnerable Azure Infrastructure.
Bridgecrew TerraGoat: "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
Bridgecrew Cfngoat: Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments (Cloudformation).
Kubernetes Goat (web): a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground.
KaiMonkey: vulnerable Terraform Infrastructure.
Java Sec Code: a very powerful and friendly project for learning Java vulnerability code.