Learning Content

• Increase your knowledge
• Advance your career
• Fulfill your curiosity

Information Security - Learning Resources

These resources, presentations, blogs, and training have been instrumental in my journey to continually become a better security practitioner - @aaronzollman. If you or your content has been mentioned in this resource list, thank you for being awesome and to the invaluable contributions you have made to advance the industry! Additionally, I have had a handful of mentors not mentioned directly in here who have taken a chance on me through investment of your time, knowledge, and wisdom. I am forever grateful!

Follow me on twitter @ryanelkins

Video Content

I spend a lot of time listening to pre-recorded conference videos, Twitch streams, and creator uploaded content. These talks help me stay current with relevant security topics, lead me down trails of knowledge, or help me become more well-rounded in areas that I do not primarily focus.

The primary mechanism that I utilize for video consumption is Youtube. Although these are videos, keep in mind that there are many great presentations where the audio is just as valid. This permits me to listen at times when doing household chores, driving (just the audio), or doing yard work. Upgrading to YouTube Premium for me personally has been one of my best self-learning investments because it enables background play (audio while phone is locked), it is ad-free, and supports video downloads (convenient for listening on flights). This is also nice for listening to live concerts in the background if you enjoy music so there is added benefit.

My current list of subscriptions includes:

• Security BSides San Francisco - There are multiple years of great talks from this conference. Surprisingly, there are some hidden gems with under 500-1000 views that are amazing.
• DEF CON Conference - There are large playlists of videos which includes the village talks.
• fwd:cloudsec
• Cloud Village - Cloud Security
• Bugcrowd LevelUp Series - Application Security/Bug Bounty - @Bugcrowd
• HackerOne - Hacker101 - Application Security/Bug Bounty - @Hacker0x01
• Intigriti - Application Security/Bug Bounty
• Software Security Gurus - Software Security - @mmadou
• Nahamsec - Bug Bounty - @NahamSec
• STÖK - Bug Bounty - @stokfredrik
• John Hammond - Security - @_johnhammond
• Katie Paxton-Fear - Bug Bounty - @InsiderPhD
• Farah Hawa - Bug Bounty - @Farah_Hawaa
• LiveOverflow - Hacking - @LiveOverflow
• IppSec - Hacking/CTFs/Walkthroughs - @ippsec
• Jason Haddix - Tool Time - @jhaddix
• TrustedSec - General InfoSec - @HackingDave and @trustedsec
• Red Team Village - Red Team - @RedTeamVillage_ and @santosomar
• Recon Village - @ReconVillage
• Amazon Web Services - Re:Invent Series - Cloud Security - @AWSreInvent
• Black Hills Information Security - @BHinfoSecurity
• SANS Institute - @SANSInstitute
• Codingo - Michael Skelton - Bug Bounty - @codingo_
• The Cyber Mentor - Heath Adams - Information Security - @thecybermentor

Some of my favorite presentations

• Chris Nickerson - Ted Talk - Hackers are all about curiosity, and security is just a feeling - @indi3030
• Jayson Street - Defcon 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin - @jaysonstreet
• Sacha Faust - BSidesSF 2018 - Six Degress of Infiltration - @sachafaust
• Jason Haddix - How to Shot Web (Methodology v1) - Make sure to watch the later methodologies as well - @jhaddix
• Arkadiy Tetelman - Data Driven Bug Bounty - [@arkadiyt]

Must Subscribe Newsletters

• tl;dr sec - Clint Gibler - @clintgibbler - Absolutely subscribe to the newsletter.
• Securibee - Hive Five - @securibee
• Daniel Miessler - The Unsupervised Learning Newsletter - @DanielMiessler
• Intigriti - Bug Bytes
• Marco Lancini - CloudSecList - @lancinimarco

Application/Software Security Resources

I want to specifically highlight the OWASP Cheat Sheet Series as an excellent resource to bookmark. As security practitioners, there is no possible way for us to have depth and breadth in everything. Prior to meetings on a specific topic, I leverage these cheat sheets extensively to do a quick recap of the important components, threats, and security around a topic and when I read these right before a discussion, I always can bring value from a security lens.

• Building Security in Maturity Model (BSIMM) - @cigitalgem
• The OWASP Project - @owasp
  • Application Security Verification Standard
  • OWASP Code Review Guide
  • OWASP Testing Guide
• What I Learned Watching All 44 AppSec Cali 2019 Talks - One of the best AppSec reading investments that you can make.
• Penetration Testing Execution Standard (PTES)
• Detectify - Excellent hacking labs and walkthroughs.
• Project Discovery - The best open source tools available.
• Jason Haddix - Bug Bounty Hunting Methodology - @Jhaddix
  • Bug Bounty Hunting Methodology v2
  • Bug Bounty Hunting Methodology v3
  • Bug Bounty Hunting Methodology v4
• Container Security - anything published or presented by Ian Coldwater - @IanColdwater
• The Twelve-Factor App - Adam Wiggins - @hirodusk
• hakluke - Luke Stephens - @hakluke
• codingo - Michael Skelton - @codingo_

Cloud Security Resources

• Cloud Security Alliance
  • Cloud Security Guidance
  • Cloud Controls Matrix (CCM)
  • Consensus Assessments Initiative Questionnaire (CAIQ)
• Summit Route - Scott Piper - Blog, Twitter, and Projects - @0xdabbad00
• AWS Geek - Jerry Hargrove - @awsgeek
• AWS Well Architected - @awscloud

Additionally, there are a handful of talks, tools, and blogs that I continually revisit for ongoing learning.

• AWS ReadOnlyAccess: Not Even Once - SpecterOps
• Become and IAM Policy Master in 60 Minutes of Less (SEC316-R1) - Brigid Johnson - @bjohnso5y
• Advanced VPC design and new capabilities for Amazon VPC (NET305-R1) - Matt Lehwess - @mlehwess
• Automated forensic artifact collection on AWS with Goldman Sachs - Ryan Tick, Vaishnav Murthy, Logan Bair
• Investigating PrivEsc Methods in AWS - Gerben Kleijn
• IAM Vulnerable - An AWS IAM Privilege Escalation Playground - Seth Art - @sethsec
• Rhino Security Labs - @RhinoSecurity
• Finding Azurescape - Cross-Account Container Takeover in Azure Container Instances - Unit 42
• Last Week in AWS

Additional cloud experts to follow:

• Daniel Grzelak @dagrz
• Aidan Steele @__steele
• Leo Meyerovich @lmeyerov
• Forrest Brazeal @forrestbrazeal
• Emily Freeman @editingemily
• Jeff Barr @jeffbarr
• Christina Morillo @divinetechygirl
• Corey Quinn @QuinnyPig
• Jason Trost @jason_trost
• Eric Johnson @emjohn20
• Matt Fuller @matthewdfuller
• Chris Farris @jcfarris
• Ben Kehoe @ben11kehoe
• Kinnaird McQuade @kmcquade3
• Ian Mckay @iann0036

Standards, Baselines, and Controls

• NIST cybersecurity framework (CSF) - @NIST
• NIST 800-53
• ISO 27002 controls - this requires purchase
• Center for Internet Security (CIS) Benchmarks - @CISecurity
• CIS/SANS Top 20
• CWE/SANS Top 25 Most Dangerous Programming Errors
• Common Vulnerability Scoring System (CVSS)

Conferences

• fwd:cloudsec - @fwdcloudsec
• DEF CON - @defcon
• BlackHat - @BlackHatEvents
• BSides - Various cities

Data Science and Analytics

• Google Colaboratory - Free Jupyter notebook environment
• Kaggle - Code examples and datasets - @kaggle
• AWS Public Datasets

Security Architecture

• SABSA

Threat Intel/Detect/Respond/Forensics/Reverse Engineering/Mobile

• Mitre ATT&CK - @MITREattack
• Malware Unicorn - Amanda Rousseau - @malwareunicorn
• Lenny Zeltser - @lennyzeltser
• Leslie Carhart - tisiphone.net - @hacks4pancakes
• Azeria Labs - Maria Markstedter - @Fox0x01 and @azeria_labs
• Whitney Champion - @shortxstack
• Katie Nickels - @likethecoins - Threat intelligence

Training

• NICE Framework - This is the best resource that I am aware of for explaining cyber security careers.
• PortSwigger - Web Security Academy - Free, very high quality training - @WebSecAcademy
• Free Azure credits for students - @Azure
• Metasploit Unleashed - Training for Kali Linux - @offsectraining
• Secure Code Warrior - Secure software development training - @SecCodeWarrior
• Hack The Box - @hackthebox_eu
• PentesterLab - @PentesterLab
• TryHackMe - @RealTryHackMe
• flAWS.cloud
• flAWS2.cloud
• The Cyber Mentor

General Security Topics and News

• Black Hills InfoSec - @BHinfoSecurity and @strandjs
• TrustedSec blog - @TrustedSec and @HackingDave
• Marcus Carey - @marcusjcarey - @TribeOfHackers - Career Resources
• KrebsOnSecurity - Brian Krebs - @briankrebs
• The Hacker News - @TheHackersNews
• HelpNetSecurity - @helpnetsecurity
• Threatpost - @threatpost
• Dark Reading - @DarkReading
• CSO Online - @CSOonline

Popular Security Certifications

Certified Information Systems Security Practitioner (CISSP) - ISC2 - @ISC2
SANS Certifications and Training - @SANSInstitute

• Cloud Certifications
  • Certified Cloud Security Professional (CCSP) - ISC2
  • Certified Cloud Security Knowledge (CCSK) - Cloud Security Alliance - @cloudsa
  • Amazon Web Services - Security Specialty (or really any AWS, Azure, or Google Cloud certification)
• CISA, CRISC, CISM - ISACA - @ISACANews
• Practical Network Penetration Tester (PNPT) - @thecybermentor
• Offensive Security - @offsectraining

Social Media

Social media is an important role in real-time news and direct collaboration. I have included the Twitter accounts for the previously mentioned resources and recommend following all of them.