Learning Content

• Increase your knowledge
• Advance your career
• Fulfill your curiosity

Information Security - Learning Resources

These resources, presentations, blogs, and training have been instrumental in my journey to continually become a better security practitioner - @aaronzollman. If you or your content has been mentioned in this resource list, thank you for being awesome and to the invaluable contributions you have made to advance the industry! Additionally, I have had a handful of mentors not mentioned directly in here who have taken a chance on me through investment of your time, knowledge, and wisdom. I am forever grateful!

Follow me on twitter @ryanelkins

Youtube subscriptions

• Bugcrowd LevelUp Series - Application Security/Bug Bounty - @Bugcrowd
• HackerOne - Hacker101 - Application Security/Bug Bounty - @Hacker0x01
• Software Security Gurus - Software Security - @mmadou
• Nahamsec - Bug Bounty - @NahamSec
• STÖK - Bug Bounty - @stokfredrik
• John Hammond - Security - @_johnhammond
• Katie Paxton-Fear - Bug Bounty - @InsiderPhD
• Farah Hawa - Bug Bounty - @Farah_Hawaa
• TrustedSec - General InfoSec - @HackingDave and @trustedsec
• Red Team Village - Red Team - @RedTeamVillage_ and @santosomar
• Recon Village - @ReconVillage
• Amazon Web Services - Re:Invent Series - Cloud Security - @AWSreInvent
• Black Hills Information Security - @BHinfoSecurity
• SANS Institute - @SANSInstitute
• Michael Skelton - Bug Bounty - @codingo_
• The Cyber Mentor - Heath Adams - Information Security - @thecybermentor

Some of my favorite presentations

• Chris Nickerson - Ted Talk - Hackers are all about curiosity, and security is just a feeling - @indi3030
• Jayson Street - Defcon 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin - @jaysonstreet
• Sacha Faust - BSidesSF 2018 - Six Degress of Infiltration - @sachafaust
• Jason Haddix - How to Shot Web (Methodology v1) - Make sure to watch the later methodologies as well - @jhaddix
• Arkadiy Tetelman - Data Driven Bug Bounty - [@arkadiyt]

Application/Software Security Resources

• Building Security in Maturity Model (BSIMM) - @cigitalgem
• The OWASP Project - @owasp
  • Application Security Verification Standard
  • OWASP Cheat Sheet Series
  • OWASP Code Review Guide
  • OWASP Testing Guide
• tl;dr sec - Clint Gibler - @clintgibbler - Absolutely subscribe to the newsletter.
  • What I Learned Watching All 44 AppSec Cali 2019 Talks - One of the best AppSec reading investments that you can make.
• Penetration Testing Execution Standard (PTES)
• Jason Haddix - Bug Bounty Hunting Methodology - @Jhaddix
  • Bug Bounty Hunting Methodology v2
  • Bug Bounty Hunting Methodology v3
  • Bug Bounty Hunting Methodology v4
• Container Security - anything published or presented by Ian Coldwater - @IanColdwater
• The Twelve-Factor App - Adam Wiggins - @hirodusk
• hakluke - Luke Stephens - @hakluke
• codingo - Michael Skelton - @codingo_

Cloud Security Resources

• Cloud Security Alliance
  • Cloud Security Guidance
  • Cloud Controls Matrix (CCM)
  • Consensus Assessments Initiative Questionnaire (CAIQ)
• Summit Route - Scott Piper - Blog, Twitter, and Projects - @0xdabbad00
• CloudSecList - Make sure to subscribe to the weekly reading list. - @lancinimarco
• AWS Geek - Jerry Hargrove - I may seriously have to print tshirts of all of your diagrams now that conferences are mostly virtual and my tshirt intake is declining. - @awsgeek
• AWS Well Architected - @awscloud

Additionally, there are a handful of talks, tools, and blogs that I continually revisit for ongoing learning.

• AWS ReadOnlyAccess: Not Even Once - SpecterOps
• Become and IAM Policy Master in 60 Minutes of Less (SEC316-R1) - Brigid Johnson - @bjohnso5y
• Advanced VPC design and new capabilities for Amazon VPC (NET305-R1) - Matt Lehwess - @mlehwess
• Automated forensic artifact collection on AWS with Goldman Sachs - Ryan Tick, Vaishnav Murthy, Logan Bair
• Investigating PrivEsc Methods in AWS - Gerben Kleijn
• IAM Vulnerable - An AWS IAM Privilege Escalation Playground - Seth Art - @sethsec
• Rhino Security Labs - @RhinoSecurity
• Finding Azurescape - Cross-Account Container Takeover in Azure Container Instances - Unit 42
• Last Week in AWS

Additional cloud experts to follow:

• Aidan Steele @__steele
• Leo Meyerovich @lmeyerov
• Forrest Brazeal @forrestbrazeal
• Jeff Barr @jeffbarr
• Corey Quinn @QuinnyPig
• Jason Trost @jason_trost
• Eric Johnson @emjohn20
• Matt Fuller @matthewdfuller
• Chris Farris @jcfarris
• Ben Kehoe @ben11kehoe
• Kinnaird McQuade @kmcquade3
• Ian Mckay @iann0036

Standards, Baselines, and Controls

• NIST cybersecurity framework (CSF) - @NIST
• NIST 800-53
• ISO 27002 controls - this requires purchase
• Center for Internet Security (CIS) Benchmarks - @CISecurity
• CIS/SANS Top 20
• CWE/SANS Top 25 Most Dangerous Programming Errors
• Common Vulnerability Scoring System (CVSS)

Conferences

• fwd:cloudsec - @fwdcloudsec
• defcon - @defcon
• BlackHat - @BlackHatEvents
• BSides - Various cities

Data Science and Analytics

• Google Colaboratory - Free Jupyter notebook environment
• Kaggle - Code examples and datasets - @kaggle
• AWS Public Datasets

Security Architecture

• SABSA

Detect/Respond/Forensics/Reverse Engineering/Mobile

• Mitre ATT&CK - @MITREattack
• Malware Unicorn - Amanda Rousseau - @malwareunicorn
• Lenny Zeltser - @lennyzeltser
• Leslie Carhart - tisiphone.net - @hacks4pancakes
• Azeria Labs - Maria Markstedter - @Fox0x01 and @azeria_labs

Training

• NICE Framework - This is the best resource that I am aware of for explaining cyber security careers.
• PortSwigger - Web Security Academy - Free, very high quality training - @WebSecAcademy
• Cybrary - @cybraryIT
• Free Azure credits for students - @Azure
• Metasploit Unleashed - Training for Kali Linux - @offsectraining
• Pluralsight - @pluralsight
• Secure Code Warrior - Secure software development training - @SecCodeWarrior
• Hack The Box - @hackthebox_eu
• PentesterLab - @PentesterLab
• TryHackMe - @RealTryHackMe
• flAWS.cloud
• flAWS2.cloud
• The Cyber Mentor

General Security Topics and News

• Daniel Miessler - The Unsupervised Learning Newsletter - @DanielMiessler
• Black Hills InfoSec - @BHinfoSecurity and @strandjs
• TrustedSec blog - @TrustedSec and @HackingDave
• KrebsOnSecurity - Brian Krebs - @briankrebs
• The Hacker News - @TheHackersNews
• HelpNetSecurity - @helpnetsecurity
• Threatpost - @threatpost
• Dark Reading - @DarkReading
• CSO Online - @CSOonline

Popular Security Certifications

Certified Information Systems Security Practitioner (CISSP) - ISC2 - @ISC2
SANS Certifications and Training - @SANSInstitute

• Cloud Certifications
  • Certified Cloud Security Professional (CCSP) - ISC2
  • Certified Cloud Security Knowledge (CCSK) - Cloud Security Alliance - @cloudsa
  • Amazon Web Services - Security Specialty (or really any AWS, Azure, or Google Cloud certification)
• CISA, CRISC, CISM - ISACA - @ISACANews
• Practical Network Penetration Tester (PNPT) - @thecybermentor
• Offensive Security - @offsectraining
• Certified Ethical Hacker (CEH) - @ECCOUNCIL

Social Media

Social media is an important role in real-time news and direct collaboration. I have included the Twitter accounts for the previously mentioned resources and recommend following all of them.