blob: 7cfd9bc2a29f0f30d0fdf7d4d48540a6553ccc03 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
# Anti-Debugging
1. [JavaScript AntiDebugging Tricks](https://x-c3ll.github.io/posts/javascript-antidebugging/)
# Supply chain
1. [chainguard](https://chainguard.dev/)
# Restraint | Sand-boxing
1. [JavaScript Restrictor](https://polcak.github.io/jsrestrictor/)
# Memory
1. [Provably Safe Pointers for a Parallel World](https://www.youtube.com/watch?v=ugf58HNd7Rg)
# User/human-level
1. [Securing your development environment](https://stsewd.dev/posts/securing-your-dev-environment/)
1. [Security Checklist: Tools and resources designed to improve your online privacy, safety, and security.](https://brianlovin.com/security)
# Secrets | Confidentiality
1. [ConfLLVM: A Compiler for Enforcing Data Confidentiality in Low-level Code](https://www.microsoft.com/en-us/research/publication/an-instrumenting-compiler-for-enforcing-confidentiality-in-low-level-code/)
1. [How to Handle Secrets on the Command Line](https://smallstep.com/blog/command-line-secrets/)
# Capability
1. [A Comparison of the Capability Systems of Encore, Pony and Rust](https://uu.diva-portal.org/smash/get/diva2:1363822/FULLTEXT01.pdf)
# Homomorphic encryption
1. https://github.com/Microsoft/SEAL
# Privacy
1. [Programming Differential Privacy](https://uvm-plaid.github.io/programming-dp/intro.html)
1. https://privacypatterns.org/
# Inspiration
1. [Kasm: Desktop and Browser Isolation Platform](https://www.kasmweb.com/)
1. https://www.mailvelope.com
# Finger-printing
1. [How Browser Fingerprinting Works](https://kevq.uk/how-browser-fingerprinting-works/)
1. https://github.com/Valve/fingerprintjs2
# Access Control List
1. [Capirca: Multi-platform ACL generation system](https://github.com/google/capirca)
# Return-oriented programming
1. https://github.com/immunant/selfrando
# Static analysis
1. [Cam Tenny - Beyond the Paper - End-to-End Program Analysis](https://www.youtube.com/watch?v=hmDz0Rv6hKI)
1. https://www.curry-on.org/2019/sessions/beyond-the-paper-end-to-end-program-analysis.html
# Programming language
1. [Secure Compilation](https://blog.sigplan.org/2019/07/01/secure-compilation/)
# Cautionary tale
1. [Thou Shalt Not Depend on Me: A look at JavaScript libraries in the wild](https://queue.acm.org/detail.cfm?id=3205288)
1. https://medium.com/@nodepractices/were-under-attack-23-node-js-security-best-practices-e33c146cb87d
# Surface area
1. [Towards Automated Application-Specific Software Stacks](https://arxiv.org/pdf/1907.01933.pdf)
# Vulnerability
1. [SAML is insecure by design](https://joonas.fi/2021/08/saml-is-insecure-by-design/)
1. [Against Cipher Agility in Cryptography Protocols](https://paragonie.com/blog/2019/10/against-agility-in-cryptography-protocols)
1. [Padding the struct: How a compiler optimization can disclose stack memory](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/october/padding-the-struct-how-a-compiler-optimization-can-disclose-stack-memory/)
1. [PCG generators are easily “crackable”](https://news.ycombinator.com/item?id=21475210)
1. [Safely Creating And Using Temporary Files](https://www.netmeister.org/blog/mktemp.html)
1. [CSS Injection Primitives](https://x-c3ll.github.io/posts/CSS-Injection-Primitives/)
1. https://medium.com/@shnatsel/how-rusts-standard-library-was-vulnerable-for-years-and-nobody-noticed-aebf0503c3d6
1. [ACLs don’t](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.406.4684&rep=rep1&type=pdf)
1. https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf
1. https://pwnedkeys.com/
1. [What Spectre Means for Lanugage Implementers - Ben Titzer - PLISS 2019](https://www.youtube.com/watch?v=FGX-KD5Nh2g)
1. https://rambleed.com/
1. https://browserleaks.com/
# Reference
1. [Secure By Design](https://www.amazon.com/Secure-Design-Daniel-Deogun/dp/1617294357)
1. [Intro to Just-In-Time Access](https://compliance.dev/2021/04/29/introduction-to-just-in-time-access/)
1. https://www.nomoreransom.org/en/index.html
1. [Open Source Security Foundation (OpenSSF)](https://openssf.org/)
1. [Don't get pwned: practicing the principle of least privilege](https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege)
1. [Good Practices for Capability URLs](https://www.w3.org/TR/capability-urls/)
1. [Secure Socket API](https://securesocketapi.org/)
1. [Mind your Language(s): A discussion about languages and security](https://www.ssi.gouv.fr/uploads/IMG/pdf/Mind_Your_Languages_-_version_longue.pdf)
1. https://www.microsoft.com/en-us/research/blog/scaling-the-everest-of-software-security-with-dr-jonathan-protzenko/
1. https://www.owasp.org/index.php/Main_Page
1. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
1. https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices
1. https://www.archive.ece.cmu.edu/~grey/
1. http://www.cs.umd.edu/projects/PL/selinks/
1. http://www.cis.upenn.edu/~stevez/sol/related.html
1. https://www.bsimm.com/
1. https://www.microsoft.com/en-us/securityengineering/sdl/
1. https://www.engineeringtrustworthysystems.com/
1. http://www.ats-lang.org/
1. http://www.cis.upenn.edu/~stevez/papers/publications.html
1. http://collingreene.com/6_buckets_of_prodsec.html
1. [On Post-Compromise Security](https://eprint.iacr.org/2016/221.pdf)
1. https://messaginglayersecurity.rocks/
1. https://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/
1. [RustBelt](https://plv.mpi-sws.org/rustbelt/popl18/)
1. https://github.com/dckc/awesome-ocap
1. https://projects.csail.mit.edu/jeeves/
1. https://www.sans.org/top25-software-errors/
1. https://www.owasp.org/index.php/Top_10_2013-Top_10
1. https://nvd.nist.gov/cwe.cfm
1. https://en.wikipedia.org/wiki/Software_Development_Security
1. http://gigi.nullneuron.net/gigilabs/the-sorry-state-of-the-web-in-2016/
1. http://www.ranum.com/security/computer_security/editorials/dumb/index.html
1. [Information Technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages](http://www.open-std.org/jtc1/sc22/wg23/docs/ISO-IECJTC1-SC22-WG23_N0751-tr24772-1-after-pre-meeting-51-webex-20171016.pdf)
# Control-flow integrity
1. [On the Effectiveness of Type-based Control Flow Integrity](https://sajjadium.github.io/files/acsac2018typecfi_paper.pdf)
|