Learning Content
- Increase your knowledge
- Advance your career
- Fulfill your curiosity
Information Security - Learning Resources
These resources, presentations, blogs, and training have been instrumental in my journey to continually become a better security practitioner - @aaronzollman. If you or your content has been mentioned in this resource list, thank you for being awesome and for the invaluable contributions you have made to advance the industry! Additionally, I have had a handful of mentors not mentioned directly in here who have taken a chance on me through investment of your time, knowledge, and wisdom. I am forever grateful!
Follow me on Twitter @ryanelkins
YouTube subscriptions
- Bugcrowd LevelUp Series - Application Security/Bug Bounty - @Bugcrowd
- HackerOne - Hacker101 - Application Security/Bug Bounty - @Hacker0x01
- Software Security Gurus - Software Security - @mmadou
- Nahamsec - Bug Bounty - @NahamSec
- STÖK - Bug Bounty - @stokfredrik
- John Hammond - Security - @_johnhammond
- Katie Paxton-Fear - Bug Bounty - @InsiderPhD
- Farah Hawa - Bug Bounty - @Farah_Hawaa
- TrustedSec - General InfoSec - @HackingDave and @trustedsec
- Red Team Village - Red Team - @RedTeamVillage_ and @santosomar
- Recon Village - @ReconVillage
- Amazon Web Services - Re:Invent Series - Cloud Security - @AWSreInvent
- Black Hills Information Security - @BHinfoSecurity
- SANS Institute - @SANSInstitute
- Michael Skelton - Bug Bounty - @codingo_
- The Cyber Mentor - Heath Adams - Information Security - @thecybermentor
Some of my favorite presentations
- Chris Nickerson - TED Talk - Hackers are all about curiosity, and security is just a feeling - @indi3030
- Jayson Street - Defcon 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin - @jaysonstreet
- Sacha Faust - BSidesSF 2018 - Six Degrees of Infiltration - @sachafaust
- Jason Haddix - How to Shot Web (Methodology v1) - Make sure to watch the later methodologies as well - @jhaddix
- Arkadiy Tetelman - Data Driven Bug Bounty - @arkadiyt
Application/Software Security Resources
- Building Security in Maturity Model (BSIMM) - @cigitalgem
- The OWASP Project - @owasp
- tl;dr sec - Clint Gibler - @clintgibbler - Absolutely subscribe to the newsletter.
- What I Learned Watching All 44 AppSec Cali 2019 Talks - One of the best AppSec reading investments that you can make.
- Penetration Testing Execution Standard (PTES)
- Jason Haddix - Bug Bounty Hunting Methodology - @Jhaddix
- Container Security - anything published or presented by Ian Coldwater - @IanColdwater
- The Twelve-Factor App - Adam Wiggins - @hirodusk
- hakluke - Luke Stephens - @hakluke
- codingo - Michael Skelton - @codingo_
Cloud Security Resources
- Cloud Security Alliance
- Summit Route - Scott Piper - Blog, Twitter, and Projects - @0xdabbad00
- CloudSecList - Make sure to subscribe to the weekly reading list. - @lancinimarco
- AWS Geek - Jerry Hargrove - I may seriously have to print t-shirts of all of your diagrams now that conferences are mostly virtual and my t-shirt intake is declining. - @awsgeek
- AWS Well Architected - @awscloud
Additionally, there are a handful of talks, tools, and blogs that I continually revisit for ongoing learning.
- AWS ReadOnlyAccess: Not Even Once - SpecterOps
- Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - Brigid Johnson - @bjohnso5y
- Advanced VPC design and new capabilities for Amazon VPC (NET305-R1) - Matt Lehwess - @mlehwess
- Automated forensic artifact collection on AWS with Goldman Sachs - Ryan Tick, Vaishnav Murthy, Logan Bair
- Investigating PrivEsc Methods in AWS - Gerben Kleijn
- IAM Vulnerable - An AWS IAM Privilege Escalation Playground - Seth Art - @sethsec
- Rhino Security Labs - @RhinoSecurity
- Finding Azurescape - Cross-Account Container Takeover in Azure Container Instances - Unit 42
- Last Week in AWS
Additional cloud experts to follow:
- Aidan Steele @__steele
- Leo Meyerovich @lmeyerov
- Forrest Brazeal @forrestbrazeal
- Jeff Barr @jeffbarr
- Corey Quinn @QuinnyPig
- Jason Trost @jason_trost
- Eric Johnson @emjohn20
- Matt Fuller @matthewdfuller
- Chris Farris @jcfarris
- Ben Kehoe @ben11kehoe
- Kinnaird McQuade @kmcquade3
- Ian Mckay @iann0036
Standards, Baselines, and Controls
- NIST cybersecurity framework (CSF) - @NIST
- NIST 800-53
- ISO 27002 controls - this requires purchase
- Center for Internet Security (CIS) Benchmarks - @CISecurity
- CIS/SANS Top 20
- CWE/SANS Top 25 Most Dangerous Programming Errors
- Common Vulnerability Scoring System (CVSS)
Conferences
- fwd:cloudsec - @fwdcloudsec
- defcon - @defcon
- BlackHat - @BlackHatEvents
- BSides - Various cities
Data Science and Analytics
- Google Colaboratory - Free Jupyter notebook environment
- Kaggle - Code examples and datasets - @kaggle
- AWS Public Datasets
Security Architecture
Detect/Respond/Forensics/Reverse Engineering/Mobile
- Mitre ATT&CK - @MITREattack
- Malware Unicorn - Amanda Rousseau - @malwareunicorn
- Lenny Zeltser - @lennyzeltser
- Lesley Carhart - tisiphone.net - @hacks4pancakes
- Azeria Labs - Maria Markstedter - @Fox0x01 and @azeria_labs
Training
- NICE Framework - This is the best resource that I am aware of for explaining cyber security careers.
- PortSwigger - Web Security Academy - Free, very high quality training - @WebSecAcademy
- Cybrary - @cybraryIT
- Free Azure credits for students - @Azure
- Metasploit Unleashed - Training for Kali Linux - @offsectraining
- Pluralsight - @pluralsight
- Secure Code Warrior - Secure software development training - @SecCodeWarrior
- Hack The Box - @hackthebox_eu
- PentesterLab - @PentesterLab
- TryHackMe - @RealTryHackMe
- flAWS.cloud
- flAWS2.cloud
- The Cyber Mentor
General Security Topics and News
- Daniel Miessler - The Unsupervised Learning Newsletter - @DanielMiessler
- Black Hills InfoSec - @BHinfoSecurity and @strandjs
- TrustedSec blog - @TrustedSec and @HackingDave
- KrebsOnSecurity - Brian Krebs - @briankrebs
- The Hacker News - @TheHackersNews
- HelpNetSecurity - @helpnetsecurity
- Threatpost - @threatpost
- Dark Reading - @DarkReading
- CSO Online - @CSOonline
Popular Security Certifications
- Certified Information Systems Security Practitioner (CISSP) - ISC2 - @ISC2
- SANS Certifications and Training - @SANSInstitute
- Cloud Certifications
- Certified Cloud Security Professional (CCSP) - ISC2
- Certified Cloud Security Knowledge (CCSK) - Cloud Security Alliance - @cloudsa
- Amazon Web Services - Security Specialty (or really any AWS, Azure, or Google Cloud certification)
- CISA, CRISC, CISM - ISACA - @ISACANews
- Practical Network Penetration Tester (PNPT) - @thecybermentor
- Offensive Security - @offsectraining
- Certified Ethical Hacker (CEH) - @ECCOUNCIL
Social Media
Social media plays an important role in real-time news and direct collaboration. I have included the Twitter accounts for the previously mentioned resources and recommend following all of them.