Learning Content
- Increase your knowledge
- Advance your career
- Fulfill your curiosity
Information Security - Learning Resources
These resources, presentations, blogs, and training have been instrumental in my journey to continually become a better security practitioner - @aaronzollman. If you or your content has been mentioned in this resource list, thank you for being awesome and for the invaluable contributions you have made to advance the industry! Additionally, I have had a handful of mentors not mentioned directly in here who have taken a chance on me through the investment of their time, knowledge, and wisdom. I am forever grateful!
Follow me on Twitter @ryanelkins
Video Content
I spend a lot of time listening to pre-recorded conference videos, Twitch streams, and creator-uploaded content. These talks help me stay current with relevant security topics, lead me down trails of knowledge, or help me become more well-rounded in areas on which I do not primarily focus.
The primary mechanism that I utilize for video consumption is YouTube. Although these are videos, keep in mind that there are many great presentations where the audio alone is just as valuable. This permits me to listen while doing household chores, driving (just the audio), or doing yard work. Upgrading to YouTube Premium has personally been one of my best self-learning investments because it enables background play (audio while the phone is locked), it is ad-free, and it supports video downloads (convenient for listening on flights). As an added benefit, it is also nice for listening to live concerts in the background if you enjoy music.
My current list of subscriptions includes:
- Security BSides San Francisco - There are multiple years of great talks from this conference. Surprisingly, there are some hidden gems with fewer than 500-1000 views that are amazing.
- DEF CON Conference - There are large playlists of videos which include the village talks.
- fwd:cloudsec
- Cloud Village - Cloud Security
- Bugcrowd LevelUp Series - Application Security/Bug Bounty - @Bugcrowd
- HackerOne - Hacker101 - Application Security/Bug Bounty - @Hacker0x01
- Intigriti - Application Security/Bug Bounty
- Software Security Gurus - Software Security - @mmadou
- Nahamsec - Bug Bounty - @NahamSec
- STÖK - Bug Bounty - @stokfredrik
- John Hammond - Security - @_johnhammond
- Katie Paxton-Fear - Bug Bounty - @InsiderPhD
- Farah Hawa - Bug Bounty - @Farah_Hawaa
- LiveOverflow - Hacking - @LiveOverflow
- IppSec - Hacking/CTFs/Walkthroughs - @ippsec
- Jason Haddix - Tool Time - @jhaddix
- TrustedSec - General InfoSec - @HackingDave and @trustedsec
- Red Team Village - Red Team - @RedTeamVillage_ and @santosomar
- Recon Village - @ReconVillage
- Amazon Web Services - Re:Invent Series - Cloud Security - @AWSreInvent
- Black Hills Information Security - @BHinfoSecurity
- SANS Institute - @SANSInstitute
- Codingo - Michael Skelton - Bug Bounty - @codingo_
- The Cyber Mentor - Heath Adams - Information Security - @thecybermentor
Some of my favorite presentations
- Chris Nickerson - Ted Talk - Hackers are all about curiosity, and security is just a feeling - @indi3030
- Jayson Street - Defcon 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin - @jaysonstreet
- Sacha Faust - BSidesSF 2018 - Six Degrees of Infiltration - @sachafaust
- Jason Haddix - How to Shot Web (Methodology v1) - Make sure to watch the later methodologies as well - @jhaddix
- Arkadiy Tetelman - Data Driven Bug Bounty - @arkadiyt
Must Subscribe Newsletters
- tl;dr sec - Clint Gibler - @clintgibler - Absolutely subscribe to the newsletter.
- Securibee - Hive Five - @securibee
- Daniel Miessler - The Unsupervised Learning Newsletter - @DanielMiessler
- Intigriti - Bug Bytes
- Marco Lancini - CloudSecList - @lancinimarco
Application/Software Security Resources
I want to specifically highlight the OWASP Cheat Sheet Series as an excellent resource to bookmark. As security practitioners, there is no possible way for us to have depth and breadth in everything. Prior to meetings on a specific topic, I leverage these cheat sheets extensively to do a quick recap of the important components, threats, and security considerations around that topic. When I read them right before a discussion, I can always bring value from a security lens.
- Building Security in Maturity Model (BSIMM) - @cigitalgem
- The OWASP Project - @owasp
- What I Learned Watching All 44 AppSec Cali 2019 Talks - One of the best AppSec reading investments that you can make.
- Penetration Testing Execution Standard (PTES)
- Detectify - Excellent hacking labs and walkthroughs.
- Project Discovery - The best open source tools available.
- Jason Haddix - Bug Bounty Hunting Methodology - @Jhaddix
- Container Security - anything published or presented by Ian Coldwater - @IanColdwater
- The Twelve-Factor App - Adam Wiggins - @hirodusk
- hakluke - Luke Stephens - @hakluke
- codingo - Michael Skelton - @codingo_
Cloud Security Resources
- Cloud Security Alliance
- Summit Route - Scott Piper - Blog, Twitter, and Projects - @0xdabbad00
- AWS Geek - Jerry Hargrove - @awsgeek
- AWS Well Architected - @awscloud
Additionally, there are a handful of talks, tools, and blogs that I continually revisit for ongoing learning.
- AWS ReadOnlyAccess: Not Even Once - SpecterOps
- Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - Brigid Johnson - @bjohnso5y
- Advanced VPC design and new capabilities for Amazon VPC (NET305-R1) - Matt Lehwess - @mlehwess
- Automated forensic artifact collection on AWS with Goldman Sachs - Ryan Tick, Vaishnav Murthy, Logan Bair
- Investigating PrivEsc Methods in AWS - Gerben Kleijn
- IAM Vulnerable - An AWS IAM Privilege Escalation Playground - Seth Art - @sethsec
- Rhino Security Labs - @RhinoSecurity
- Finding Azurescape - Cross-Account Container Takeover in Azure Container Instances - Unit 42
- Last Week in AWS
Additional cloud experts to follow:
- Daniel Grzelak @dagrz
- Aidan Steele @__steele
- Leo Meyerovich @lmeyerov
- Forrest Brazeal @forrestbrazeal
- Emily Freeman @editingemily
- Jeff Barr @jeffbarr
- Christina Morillo @divinetechygirl
- Corey Quinn @QuinnyPig
- Jason Trost @jason_trost
- Eric Johnson @emjohn20
- Matt Fuller @matthewdfuller
- Chris Farris @jcfarris
- Ben Kehoe @ben11kehoe
- Kinnaird McQuade @kmcquade3
- Ian Mckay @iann0036
Standards, Baselines, and Controls
- NIST cybersecurity framework (CSF) - @NIST
- NIST 800-53
- ISO 27002 controls - this requires purchase
- Center for Internet Security (CIS) Benchmarks - @CISecurity
- CIS/SANS Top 20
- CWE/SANS Top 25 Most Dangerous Programming Errors
- Common Vulnerability Scoring System (CVSS)
Conferences
- fwd:cloudsec - @fwdcloudsec
- DEF CON - @defcon
- BlackHat - @BlackHatEvents
- BSides - Various cities
Data Science and Analytics
- Google Colaboratory - Free Jupyter notebook environment
- Kaggle - Code examples and datasets - @kaggle
- AWS Public Datasets
Security Architecture
Threat Intel/Detect/Respond/Forensics/Reverse Engineering/Mobile
- Mitre ATT&CK - @MITREattack
- Malware Unicorn - Amanda Rousseau - @malwareunicorn
- Lenny Zeltser - @lennyzeltser
- Leslie Carhart - tisiphone.net - @hacks4pancakes
- Azeria Labs - Maria Markstedter - @Fox0x01 and @azeria_labs
- Whitney Champion - @shortxstack
- Katie Nickels - @likethecoins - Threat intelligence
Training
- NICE Framework - This is the best resource that I am aware of for explaining cyber security careers.
- PortSwigger - Web Security Academy - Free, very high quality training - @WebSecAcademy
- Free Azure credits for students - @Azure
- Metasploit Unleashed - Training for Kali Linux - @offsectraining
- Secure Code Warrior - Secure software development training - @SecCodeWarrior
- Hack The Box - @hackthebox_eu
- PentesterLab - @PentesterLab
- TryHackMe - @RealTryHackMe
- flAWS.cloud
- flAWS2.cloud
- The Cyber Mentor
General Security Topics and News
- Black Hills InfoSec - @BHinfoSecurity and @strandjs
- TrustedSec blog - @TrustedSec and @HackingDave
- Marcus Carey - @marcusjcarey - @TribeOfHackers - Career Resources
- KrebsOnSecurity - Brian Krebs - @briankrebs
- The Hacker News - @TheHackersNews
- HelpNetSecurity - @helpnetsecurity
- Threatpost - @threatpost
- Dark Reading - @DarkReading
- CSO Online - @CSOonline
Popular Security Certifications
- Certified Information Systems Security Professional (CISSP) - ISC2 - @ISC2
- SANS Certifications and Training - @SANSInstitute
- Cloud Certifications
  - Certified Cloud Security Professional (CCSP) - ISC2
  - Certificate of Cloud Security Knowledge (CCSK) - Cloud Security Alliance - @cloudsa
  - Amazon Web Services - Security Specialty (or really any AWS, Azure, or Google Cloud certification)
- CISA, CRISC, CISM - ISACA - @ISACANews
- Practical Network Penetration Tester (PNPT) - @thecybermentor
- Offensive Security - @offsectraining
Social Media
Social media plays an important role in real-time news and direct collaboration. I have included the Twitter accounts for the previously mentioned resources and recommend following all of them.