Security links [18.8.2010]

(My 10+ years worth of security bookmarks, actually. New links added frequently, hardly ever cleaned. Lots of outdated and broken links).

   What's new (most recent first)

1. Survey and Analysis of EU ICT Security Industry and Market for Products and Services
2. VERIS Framework
3. How to Analyze People on Sight
4. Azure Security Notes
5. Free "Security Strategy"
6. The Leaking Vault - Five Years of Data Breaches
7. Freedom From Fear Magazine
8. Computer Criminals of the Future (1981)
9. BITS at The Financial Services Roundtable
10. How to choose the right PCI DSS QSA
11. The Suricata Engine - an Open Source Next Generation Intrusion Detection and Prevention Engine
12. OpenPGP Best Practices
13. Payment Card Industry Compliance for Large Computing Systems
14. Projection Point: Test your risk intelligence
15. Cryptool Online
16. Information Security Conferences Calendar
17. VTT: Turvallisuusalan liiketoiminnan kasvualueet ja -mahdollisuudet Suomessa
18. Secure POS Vendor Alliance
19. Cloud Software Program
20. PWC: Revolution or evolution. Information Security 2020
21. PWC: Information Security Breaches Survey 2010
22. DDoS Mitigation - Best Practices for a Rapidly Changing Threat Landscape Whitepaper
23. Google Tutorial: Web Application Exploits and Defenses
24. OpenDLP
25. Generation Y Online Security Survey
26. State of Web Application Security 2010
27. Report: Web Exploits
28. International Journal of Computer Science and Network Security
29. Cartoon: Under Surveillance
30. The Rational Rejection of Security Advice by Users

News & Portals

• Securityfocus.com
• Packetstorm
• The Security Portal for Information System Security Professionals
• Coast
• Securitysearch.net
• National Security Institute
• InfoSec and InfoWar Portal 
• Purdue/Cerias  
• Net Security
• SecuriTeam.com
• U.S. Federal Computer Week    
• Razor by Bindview 
• Computer System and Network Security links 
• HNS - Help Net Security 
• HNS Security Database 
• eSecurityOnline 
• WhiteHat Inc.
• Security News Portal 
• SearchSecurity.com 
• NewsNow 
• Newsfactor Cybercrime 
• The Center for Internet Security 
• Network Security library  
• InfoSec News Archives 
• SANS News Browser 
• c4i 
• Availability.com 
• Astalavista 
• securitypipeline 
• GigaLaw.com: Legal Information for Internet Professionals 
• The ACM Digital Library 
• The Register 
• Virustorjunta.net (finnish)
• Hacker Intel 
• Rootsecure.net Security News
• BankInfoSecurity
• SecurityForest.com
• WikiSecure
• darkReading
• Payment Card Security & IT Controls Explained
• Security.org
• InfoSec Island
• Security Scoreboard
• Cyber Security Central
• MITRE: Making Secure Measurable
• Office of Inadeaquate Security
• eSecurity Intelligence Dashboard

Magazines & Newsletters

• Security Magazine
• Information Security
• Phrack 
• SC Magazine
• Cybercrime 
• Disaster Recovery Journal  
• The Insider 
• Crypto-Gram
• InfoWorld Security Watch 
• ComputerWorld Security Knowledge Center
• Business Security Advisor  
• ZDNet Security Update 
• Secure Business Quarterly 
• CSO online 
• Hacker's Digest 
• Information Security Bulletin (Back Issues) 
• Software Quality Management Magazine 
• IATAC Newsletter 
• Security Horizon's Security Journal 
• Crypt Newsletter
• IEEE Security & Privacy 
• Compsec Publications 
• ISMS Journal 
• Infocon Magazine 
• Microsoft Security Newsletter 
• Ylivuoto - lehti tietoturvasta PK-yrittäjälle (finnish)
• The Hitchhiker's World
• NoticeBored Newsletters
• Digital IdWorld
• (IN)SECURE Magazine
• CIO Magazine
• Government Security
• Enisa Quarterly
• Norwich University Journal of Information Assurance
• Software Security Assurance Newsletter
• NIST Information Technolofy Laboratory (ITL) Bulletins Online
• Crosstalk: The Journal of Defense Software Engineering
• A Journal of Identity Management
• Uninformed
• SANS Newsletters
• Hacker Journals
• Security Acts Magazine
• Information Assurance (IA) Newsletter
• International Journal of Computer Science and Network Security
• Freedom From Fear Magazine

Terms, FAQs

• Hacking Lexicon 
• Jargon File 
• RFC2828, Internet Security Glossary 
• Security-related certifications 
• Free On-line Dictionary of Computing 
• IT-specific encyclopedia (whatis.com) 
• Comprehensive Information Assurance Dictionary 
• Glossary of Communications, Computer, Data, and Information Security Terms 
• The vendor-neutral security certification landscape 
• Hack FAQ 
• The Worm FAQ 
• Valtionhallinnon tietoturvakäsitteistö (finnish)

Papers, presentations

• Trust in Cyberspace 
• Lance Spitzner papers
• Dan Farmer papers
• Papers from UC Davis
• Fred Cohen papers 
• Sys-security Group    
• The Memorability and Security of Passwords -- Some Empirical Results 
• Activism, Hacktivism, and Cyberterrorism 
• Cyber Threats and Information Security Meeting the 21st Century Challenge 
• White Papers and Analyst Reports 
• Protecting Network Infrastructure at the Protocol Level 
• Guarding the Crown Jewels: An Overview of Internet and Network Security 
• 12 Keys for Locking Up Tight 
• EU report about Echelon 
• @Stake Research Reports 
• How to Cheat at the Lottery 
• The Future of Internet Worms 
• Trends in Denial of Service Attack Technology 
• Open Source Security 
• Network Defense Columns by Rik Farrow 
• The Survivor's Guide to 2002 
• CERT-toiminta Suomessa (finnish)
• SANS Security Reading Room 
• The Information Security Group Teaching Material 
• Centralized Management - SIM products 
• Ken Thompson: Reflections on Trusting Trust 
• Computer World: Security Manager's Journal 
• Gartner - Security
• Online Bank Security  
• DoD Insider Threat Migitation (doc)
• Security In the Information Age (US Congress) 
• Keeping Secrets in Hardware: the Microsoft XBox Case Study 
• Kansallinen Tietoturvakatsaus (finnish, pdf)
• Coffee vs. Security 
• Risk Exposure through Instant Messaging and P2P Networks 
• Marcus Ranum: 7 Things I've Learned 
• Homeland Insecurity (about Bruce Schneier) 
• Shatter Attacks - How to break Windows 
• The Ten Immutable Laws of Security 
• Practical Architectures for Survivable Systems and Networks 
• The National (US) Strategy to Secure Cyberspace 
• PhD Thesis: Four Views on security 
• InfoSec Writers
• New Yorkin WTC-terrori-isku ja toiminnan jatkuvuus (finnish, pdf)
• Decimalisation table attacks for PIN cracking 
• Defending Against an Internet-based Attack on the Physical World 
• The Myth of Security at Canada's Airports 
• Failing to Keep Up With the Information Revolution 
• CISSP certification experience 
• Workshop on Human-Computer Interaction and Security Systems 
• Nanog security presentations 
• Safe and Sound: A Treatise on Internet Security 
• Lab for Information Security Technology (LIST) 
• Securing Storage Networks 
• Cyberinsecurity: The Cost of Monopoly 
• EROS: The Extremely Reliable Operating System 
• Semantic hacking 
• Cognitive Hacking: A Battle for the Mind 
• Simulating and optimising worm propagation algorithms 
• Attacking the DNS Protocol Security 
• Decades after creation, viruses defy cure 
• The Future of Security - Scenario One 
• Grand Research Challenges in Computer Science and Engineering, 2002 
• Grand Research Challenges in Information Security & Assurance, 2003 
• Timing the Application of Security Patches for Optimal Uptime 
• Survivability: Protecting Your Critical Systems
• CERT papers about Survivability  
• Fact Squad
• FBI  Guide to Conceable Weapons 
• Who Wrote Sobig? 
• Principles of Survivability and Information Assurance
• An analysis of Skype VoIP application for use in a corporate environment 
• Trust in the New Economy - The Case of Finnish Banks 
• Portable Computing Device Security 
• NIST: Security Considerations for VoIP Systems 
• Aspects on Availability ( Dissertation for the degree of Doctor of Philosophy) 
• Blogs: Another Tool in the Security Pro's Toolkit
• Remote Physical Device Fingerptinting
• Creating a National Framework fo Cybersecurity: An Analysis of Issues and Options 
• Thesis: Plastic card fraud, a survey of current relevant card and system properties 
• Cyber Security: A Crisis of Prioritization 
• DDoS extortion story
• An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol 
• The Economic Impact of Cyber-Attacks 
• The Six Dumbest Ideas in Computer Security
• Skype Security Evaluation 
• Thesis: Strategic Security
• Security considerations of Google Desktop 
• Federal Plan for Cyber Security and Information Assurance Research and Development 
• Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security
• Tietoturvallisuuden tutkimus ja opetus Suomessa 2005 (finnish)
• CIIP Handbook Volume I and Volume II 
• 17 Mistakes Microsoft Made in the Xbox Security System
• Migitating Denial of Service Attacks in Computer Networks 
• Bypassing network access control (NAC) systems 
• The life of the security professional...grand it ain't!
• the underground economy: priceless 
• An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks 
• Exploiting SAP Internals 
• “OO-OO-OO!” The Sound of a Broken OODA Loop
• Security Architecture Blueprint 
• Cost of Information Assurance 
• The Evolution of Security
• The Ghost In The Browser - Analysis of Web-based Malware 
• House of Lords Science and Technology Committee: Personal Internet Security 
• 10 Claims That Scare Security Pros
• Security Usability Fundamentals 
• Commercial Malware Industry 
• Virtual Machine Security Guidelines 
• Guide to Security Architecture in TOGAF ADM 
• Russian Business Network study 
• Security Economics And The Internal Market 
• Point-of-Sales Vulnerabilities 
• The New Politics of Personal Information 
• Using Cartoons to Teach Internet Security 
• Data Breaches: What The Underground World of "Carding" Reveals 
• Large Scale Internet Attacks 
• Information Security Economics – and Beyond 
• SecMeter - tietoturvainformaatiota (finnish)
• Estonia Cyber Security Strategy 
• Security Assessment of the Internet Protocol (IP) 
• CSIS Commission: Securing Cyberspace for the 44th Presidency 
• Attacks on Banks
• Suomen turvallisuus- ja puolustuspolitiikkaa 2009 (finnish)
• Virtual Machine Security Guidelines 
• An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments 
• Virtualization and Risk 
• Bank Trojans - details uncovered
• Security Assessment of The Transmission Control Protocol (TCP) 
• Optimised to Fail: Card Readers for Online Banking 
• Using Science to Battle Data Loss: Analyzing Breaches by Type and Industry 
• Targeted attacks
• Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security
• So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
• ATM Crime: Overview of the European situation and golden rules on how to avoid it
• Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication
• The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud
• Chip And Pin Is Broken
• Microsoft: The Effective Security Practices Whitepaper Series
• Report: Web Exploits
• DDoS Mitigation - Best Practices for a Rapidly Changing Threat Landscape Whitepaper
• VTT: Turvallisuusalan liiketoiminnan kasvualueet ja -mahdollisuudet Suomessa

Online books, guides

• Sun Tzu on the Art of War
• IT Security Cookbook
• Firewalls Complete 
• Underground 
• The Hacker Crackdown 
• The CISSP Open Study Guide 
• CERT Security Improvement modules 
• Information Security Magazine, 2003 Industry Buyers' Guide
• Handbook of Applied Cryptography 
• SecuritySage - security guide for newbies  
• Joka kodin pieni tietoturvaopas (finnish, pdf)
• ASN.1 - Communication between heterogeneous systems 
• Handbook of Information Security Management (1998 edition) 
• IIS Security and Programming Countermeasures 
• Anti-terrorism manual (Keeping Your Jewish Institution Safe) 
• Microsoft: Building Secure ASP.NET Applications 
• Microsoft: Improving Web Application Security: Threats and Countermeasures 
• M. E. Kabay's courses for Norwich University 
• ISP Security 
• Les Bell and Associates Security Cources Slides 
• The Definitive Guide to Identity Management 
• The Art of Unix Programming 
• A disaster recovery e-book 
• A Taste of Computer Security
• The National Commission on Terrorist Attacks Upon the United States - 9/11 Report 
• The Definitive Guide to Security Management
• Networks and Netwars: The Future of Terror, Crime, and Militancy
• Computer Security Technology Planning Study 
• Building Secure Computer Systems
• Corporate Computer and Network Security Lectures
• Turvallisuuskriittisten organisaatioiden toiminnan erityispiirteet (finnish,pdf)
• Free Security eBooks
• A Guide to Information Security Certifications
• Security Engineering
• Information Security Guide for Electronic Service Providers and the same in finnish 
• Information Security in Wireless Networks 
• Kuluttajan tietoturvaopas (finnish)
• Information Warfare 
• The Definitive Guide to Information Theft Prevention
• The Future of Reputation
• Tietoyhteiskunnan Uhat ja Mahdollisuudet (finnish, pdf)
• Exploring Randomness
• Consumer Reports Guide to Online Security
• Application Architecture Guide
• Google's Browser Security Handbook
• How to Analyze People on Sight

Discussions, Mailing-lists

• The Risks Digest 
• Unofficial CISSP-site  
• Mailing-list Archives
• ietf-pkix mailing-list archive  
• Securityfocus lists (bugtraq, penetration testing, secure programming, ...) 
• full-disclosure 
• Virus.Org Mailing List Archives 
• The Mail Archive 
• Nanog
• The Security Digest archive - security list "history"
• CISSP Forum (Log in - select  Yahoo!Groups)
• CISA Forum
• PatchManagement.org

Known Bugs, Warnings

• CERT alerts 
• FUNET CERT (finnish)
• FBI Cybernotes
• ISS X-Force
• Known NT Exploits 
• NIPC Advisories 
• Safer 
• Georgi Guninski Security Research 

Advisories

• L0pht
• Cable Modem/DSL Tuning Guide 
• Home Network Security 
• Secunia security advisories 
• SANS/FBI: The Twenty Most Critical Internet Security Vulnerabilities
• Checklists
• U.S. National Checklist Program

Guidelines

• Valtionhallinnon tietoturvallisuusohjeistus (finnish)
• RFC2504, Users' Security Handbook 
• RFC2196, Site Security Handbook  
• PK-yritysten tietoturvaopas (finnish)
• The Field Guide for Investigating Computer Crime, Part One, Two, Three, Four, Five, Six, Seven and Eight
• The Open-Source Security Testing Methodology Manual 
• Simple Security Truths 
• Contingency Planning and Disaster Recovery 
• Commonly Accepted Security Practices & Recommendations 
• Introduction to Security Policies Part One, Two, Three and Four 
• Tietoturvaa peruskäyttäjille (finnish)
• BSI IT Baseline Protection Manual
• Security Auditing Guide 
• Tietosuojan ja Tietoturvan Tarkistuslista (rtf, finnish)
• NSA Security Recommendation Guides 
• NIST Guidelines on Securing Public Web Servers 
• NIST Guideline on Network Security Testing 
• OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation 
• OECD Security and Privacy Guidelines 
• NIST ASSET - Automated Security Self Evaluation Tool 
• NIST Guide to Selecting Information Security Products 
• NIST Guide to Information Technology Security Services  
• Tietoturvaopas (finnish)
• The Antivirus Defense-in-Depth Guide 
• Turvallisuussopimusten laadintaohjeistoa (finnish)
• GAISP: Generally Accepted Information Security Principles
• NIST Guide to Computer Security Log Management 
• The IT Audit Checklist for Information Security 
• Global Technology Audit Guide (GTAG)
• Guide to information security certifications
• NIST: Information Security 
• SANS 20 Critical Security Controls
• Frequently Avoided Questions about IT auditing
• Information security awareness in financial organisations - Guidelines and case studies
• OSA - Open Security Architecture
• Jericho Forum Self-Assessment Scheme
• Shared (Vendor) Assessments

Standards and "standards"

• IETF - The Internet Engineering Task Force
• ECMA
• INFOSEC - DG Information Society of the European Commission
• The NSA Rainbow Series
• Intel Common Data Security Architecture 
• SSE-CMM: The Systems Security Engineering Capability Maturity Model 
• XACML 
• ETSI Security Standardization 
• Tupas - pankkien tunnistuspalvelu palveluntuottajille (finnish)
• Information Security Forum's Standard of Good Practice 
• COBIT: Control Objectives for Information and related Technology 
• Information systems security standards handbook 
• AICPA/CICA Trust Services Principles and Criteria 
• Information Security Standards 
• Trusted Computing Group 
• A Comparative Study of IT Security Criteria 
• Open Security Exchange (OSE)
• Application Security Standards
• How ITIL Can Improve Information Security
• ISM3 - Information Security management Maturity Model 
• ECBS TR 411 Security Guidelines for Electronic Banking
• ECBS Guidelines on Algorithms Usage and Key Management 
• How ITIL Can Improve Information Security
• Corporate Information Security Working Group: Report of the Best Practices and Metrics Teams
• Alphabet Soup: Making Sense of Models, Frameworks, and Methodologies 
• OVAL - Open Vulnerability and Assessment Language
• Federal Financial Institutions Examination Council (FFIEC): Information Security 
• IT Security Essential Body of Knowledge
• ICT Security Standards Roadmap
• ICT Security Standards Database
• IT security standard planetarium
• ITIL v3 and Information Security
• KATAKRI: Kansallinen Turvallisuusauditointikriteeristö (finnish)

    Common Criteria / ISO 15408

• NIST: Common Criteria 
• Example CC protection profiles (PKI, IDS, Biometrics, Mobile Code,...)
• Understanding the Windows EAL4 Evaluation 
• Understanding Common Criteria Evaluation 
• Common Criteria Portal
• Manager's Guide to Common Criteria 

    BS7799 / ISO17799 / ISO 27000

• BS 7799 c:cure 
• ISO 17799 
• BS7799 / ISO 17799 
• ISO 17799 FAQ 
• Summary of controls used in BS 7799 
• ISO 17799 information 
• BS7799 - Part 2 draft - Specification for Information Security Management Systems 
• The ISO 17799 Information and Resource Portal 
• The Newly Revised Part 2 of BS 7799 
• The ISO17799 Toolkit 
• Register of ISO 27001 Accredited Certificate 
• SANS ISO 17799 Checklist 
• Purchase and download ISO1779 and BS7799 
• ISO 17799 News
• ISO17799 Open Guide
• Revision of ISO/IEC 17799 
• ISO 17799 Community Forum
• ISO 27001 Online
• ISO 27001 Security
• ISO 20000 Central
• The ISO 27000 Directory

• PCI Security Standards Council
• The Legal Implications, Risks and Problems of the PCI Data Security Standard 
• PCI Knowledge Base
• PCI Europe
• PCI Auditor Community Site
• PCI Portal
• PCI Standards Overview 
• The Society of Payment Security Professionals w/ PCI Forum
• Infosec Compliance, PCI
• PCI and Data Security Compliance Blog
• PCI DSS and Regulatory Compliance Blog
• US Congress PCI hearing: Do the Payment Card Industry Data Standards Reduce Cybercrime?
• PCI DSS Compliance Survey 2009
• Blog: PCI Guru
• Payment Card Industry Compliance for Large Computing Systems
• How to choose the right PCI DSS QSA

Laws, directives, etc.

    General

• Crypto Law Survey
• Digital Signature Law Survey 
• Kansallinen tietoturvastrategia (finnish)
• U.S. DoJ - Computer Intrusion Cases
• Kansallisen tietoturvallisuusasioiden neuvottelukunnan kertomus valtioneuvostolle 14.12.2004 (finnish)
• A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?
• Tietoturvallisuuslainsäädäntö - kansainvälinen vertailututkimus (finnish)
• The Laws of Full Disclosure

    Finnish Laws

• Tietoturva- ja tietosuojasäädökset (finnish)
• KRP: Tietotekniikkaan kohdistuvat rikokset (finnish)
• Suomen Rikoslaki webissä  (finnish)

    EC

• EC: Convention on cyber-crime 
• European Commission stuff (ecommerce, digital signatures) 
• Network and Information Security: Proposal for a European Policy Approach 

Awareness

• Human Firewall 
• Security Awareness
• Security Awareness Materials  
• NIST: Building an Information Technology Security Awareness and Training Program 
• FISSEA 2003 conference presentations 
• U.S. Security Awareness 
• Security posters from Microsoft 
• NIST CSR Awareness, Training & Education 
• Security awareness cartoons
• Security Awareness Posters
• Helsingin Yliopiston tietoturvakampanja (finnish)
• University of Arizona Security Awareness Presentations
• IWD Security Awareness Toolbox
• Microsoft Security Screen Savers
• TIEKE: Tietoturvakartoitus (finnish)
• Video: "Drive-by-download" attack
• Thesis: A design theory for information security awareness 
• The Ten Most Dangerous Things Users Do Online
• Computer Security Awareness Video Contest 2006
• 12 Ways to be a Security Idiot
• Lapin yliopiston tietoturvan kampanjamateriaali (finnish)
• Security Cartoons
• HP Game: Accelerate Security
• Hacker Highschool -  Security Awareness For Teens
• Awareness videos
• Finanssialan Keskusliiton Pankkiturvallisuus-sivusto (finnish)
• Security Visualization
• Microsoft Security Awareness Program
• The Rational Rejection of Security Advice by Users

Risk Management

• Risk Management 
• CACM Inside Risks 
• Risk Management: An Essential guide to Protecting Critical Assets 
• Resources for Security Risk Analysis, ISO 17799 / BS7799, Security Policies & Security Audit 
• Assessing Internet Security Risk Part 1, Part 2, Part 3, Part 4 and Part 5
• Pk-yrityksen riskienhallinta (finnish) 
• NIST SP 800-30; Risk Management Guide for Information Technology Systems   
• Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning booklet 
• Ohje riskien arvioinnista tietoturvallisuuden edistämiseksi valtionhallinnossa  
• Comprehensive Risk Analysis and Management Network (CRN) 
• Current Trends in Risk Communication: Theory and Practice  
• PWC 7th Annual Global CEO survey: Managing Risk 
• Turning IT Security into Effective Business Risk Management 
• Implementing Information Security: Risks vs. Cost
• RATA: Operatiivisten riskien hallinta (finnish)
• Technology Risk Checklist 
• Microsoft: The Security Risk Management Guide
• The Vulnerability Assessment & Mitigation Methodology 
• VISA Operations and Risk Management
• Open Information Security Risk Management Handbook 
• 10 Ways We Get the Odds Wrong
• The Alliance for Enterprise Security Risk Management (AESRM)
• Understanding Uncertainty
• Open Group Risk Taxonomy
• Towards a cloud-specific Risk Analysis Framework
• Projection Point: Test your risk intelligence

    Methods  & tools

• Riskianalyysin menetelmät (finnish)
• COSO: The Enterprise Risk Management Framework 
• CRAMM
• CORA
• COBRA 
• Isapopen demo 
• Citicus ONE
• CounterMeasures  
• ISAP 
• RiskWatch 
• Yksinkertainen yrityksen turvakartoitus (finnish)
• AuditNet
• Inventory of Risk Management/Risk Assessment methods and tools

Security Management

• Security Management Index Report: Executive Summary 
• The Information Security Policies / Computer Security Policies Directory 
• The Myth of Information Security ROI: Not Every Expense Is an "Investment" 
• Security ROI 
• ROSI: Return on Security Investment
• Why Information Security Is Hard - an Economic Perspective 
• Measuring the Value of Information Security 
• The New Economics of Information Security 
• Finally, a Real Return on Security Spending 
• Security Through ROSI-colored Glasses 
• Common Sense Guide for Senior Managers 
• Approaches to Measuring  Security 
• Security at Microsoft 
• User Education Is Not The Answer to Security Problems
• Security Officers Management and Analysis Project
• The OpenCSO Project
• Leif Åberg - aineistoa viestinnästä (finnish)
• Information Security Management References 
• Microsoft Security Assessment Tool
• Turvallisuustietojohtaminen - esiselvitys (finnish, pdf)
• SABSA - Sherwood Applied Business Security Architecture
• NIST draft: Information Security Handbook: A Guide for Managers (zip)
• Examining the CSO-CEO relationship
• Tietoturva-ammattilaisen osaamistarvekartoitus (finnish)
• The Business of Resilience - Corporate security for 21st century 
• Väitös: Yhteistyö yritysturvallisuuden hallinnassa (finnish)
• Corporate Information Security Governance in Swiss Private Banking 
• Turvallisuusjohtaminen ylimmän liikkeenjohdon näkökulmasta (finnish)
• Hiring Guide to the Information Security Profession 
• Systemic Security Management 
• An Introduction to the Business Model for Information Security 
• Convergence of Enterprise Security Organizations 
• SABSA Institute Community Forum
• Information Security to the Medium Enterprise

• NIST: Security Metrics Guide for Information Technology Systems 
• NIST draft: Guide for Developing Performance Metrics for Information Security 
• A Few Good Metrics
• Metrics: You Are What You Measure!
• Seven myths about information security metrics 
• SecurityMetrics
• Metrics Center
• Primer Control Systems Cyber Security Framework and Technical Metrics 
• Security Metrics Catalog
• The Good, The Bad, And The Ugly: Stepping on the Security Scale
• The Verizon Incident Sharing Framework
• CIS Consensus Information Security Metrics
• VERIS Framework

• The Psychology of Security
• The psychology of scams: Provoking and committing errors of judgement
• Ross Anderson Psychology and Security Resource Page
• The Psychology of  Computer Insecurity
• Understanding scam victims: seven principles for systems security
• Profiling The Defenders

• Open Group Business Scenario: Identity Management (draft) 
• Open Group: Identity Management 
• eEurope Electronic Identity 
• ID management - a key to security 
• The Moron's Guide to Kerberos 
• Authentication get tough (Network Computing) 
• Dos and Don'ts of Client Authentication on the Web 
• Electronic Authentication: Issues relating to its selection and use 
• Shibboleth 
• Smart card usage for authentication in web single sign-on systems 
• NIST: The Economic Impact of Role-Based Access Control 
• Rooliperusteisesta pääsynvalvonnasta (finnish, rtf)
• Sähköisen tunnistamisen menetelmät ja niiden sääntelyn tarve (finnish, pdf)
• SourceID - Open Source Federated Identity Management
• Positive Identification (WS-Security, SAML) 
• Liberty Alliance Project 
• A Primer on User Identification 
• LSE: The Identity Project 
• The Laws of Identity
• Microsoft's Vision for an Identity Metasystem
• Web SSO Interoperability Draft Specifications
• OpenSSO
• Identity Management in eGovenment: Modinis-IDM
• Future of Identity in the Information Society
• NIST draft: Electronic Authentication Guideline 
• OATH: Open Authentication initiative
• Perfect Papers Passwords
• Thesis: Organisational and Cross-Organisational Identity Management 

Disaster Recovery, Business Continuity

• Continuity Central
• Global Continuity 
• Rothstein links
• Disaster Resource Guide
• A Guide For Developing a Disaster Plan 
• Seven Steps Business Continuity Planning Model 
• Professional Practices for Business Continuity Professionals
• The Disaster Center
• DR Planning.org (Toigo)
• The Business Continuity Institute - Good Practice Guidelines
• The 20 Truths of Disaster Recovery
• Eight Best Practices for Disaster Recovery
• NIST Contingency Planning Guide for Information Technology System 
• SIA - Business Continuity Planning
• Huoltovarmuuskeskuksen julkaisut (finnish)
• Internetin hyödyntäminen kriisitiedotuksessa (finnish)
• PAS 56
• BS25999 - Code of Practice for Business Continuity Management (draft)
• Yhteiskunnan elintärkeiden toimintojen turvaamisen strategia (finnish)
• Business and IT Continuity: Overview and Implementation Principles 
• ECB Business Continuity
• BSI standard 100-4 on Business Continuity Management

Organizations

• Tietoturva ry - Finnish Information Security Association  (finnish)
• Tietojärjestelmien tarkastus ja valvonta ry - ISACA Finland Chapter (finnish)
• SANS (System Administration, Networking, and Security) Institute
• ICSA.net
• CIAC - Computer Incident Advisory Capability
• The Royal Canadian Mounted Police 
• Computer Security Insitute 
• (ISC)2: International Information Systems Security Certifications Consortium  
• ISACA: Information Systems Audit and Control Association 
• Information Security Forum 
• Security Research Alliance 
• Viestintävirasto / Finnish Communications Regulatory Authority 
• THEIIA: The Institute of Internal Auditors 
• ISFA: Information Systems Forensics Association 
• ISSA: Information Systems Security Association 
• The Institute for Security and Open Methodologies 
• Security Metrics Consortium 
• The Business Continuity Institute 
• Trusted Electronic Communications Forum
• Yritysturvallisuuden neuvottelukunta (finnish)
• The Jericho Forum
• European Committee of Banking Standards
• Rahoitustarkastus (finnish)
• Initiative for Open Authentication
• Open Informations Systems Security Group
• Dartmouth College Institute for Security Technology Studies
• CAIDA - Cooperative Association for Internet Data Analysis
• ENISA - European Network and Information Security Agency
• IT Services Management Forum
• IFCA: International Financial Cryptography Association
• The Finnish Risk Analysis Society / Suomen Riskianalyysiseura (finnish)
• Financial Services Technology Consortium
• MELANI - Swiss Reporting and Analysis Centre for Information Assurance
• IT Compliance Institute
• US Air Force Cyber Command
• RIMS - Risk and Insurance Management Society
• International Financial Cryptography Association
• Tietoturva ry 10 vuotta - kerhosta Suomen suurimmaksi tietoturvayhdistykseksi (finnish)
• United States Department of Justice Computer Crime & Intellectual Property Section
• Financial Services - Information Sharing and Analysis Center
• The Industry Consortium for the Advancement of Security on the Internet (ICASI) 
• OISSG: Open Information Systems Security Group
• University of Cambridge Banking Security Reasearch
• Secure POS Vendor Alliance
• BITS at The Financial Services Roundtable

    CERT

• CERT/CC
• CERT-FI (finnish)
• FUNET CERT (finnish)
• TERENA - Trusted Introducer for CSIRTs in Europe 
• UNIRAS
• AUSCERT  
• FIRST: Forum of Incident Response and Security Teams
• US-CERT 
• Open Source CERT

Conferences, seminars

• SANS
• Computer Security Institute
• BlackHat
• DefCon 
• CanSecWest   
• Usenix 
• CardTech/SecurTech 
• RSA Conference 
• Burton Group Catalyst 
• Digital Id World 
• HiverCon 
• RAID
• IEEE Symposium on Security and Privacy 
• The Network and Distributed System Security Symposium Conference
• ACM Conference on Computer and Communications Security  
• The Techno Security Conference
• Annual Computer Security Applications Conference 
• New Security Paradigms Workshop
• Emerging Technology Conference
• WhatTheHack
• T2 (finnish)
• Security Briefings
• The Biometric Consortium Conference
• Turvallisuusjohtaminen 2006 (finnish)
• Hack In The Box
• COSAC - International Computer Security Symposium
• Workshop on the Economics of Information Security
• The Workshop on the Economics of Securing the Information Infrastructure
• ITsecurityEvents
• SOURCE Conference
• Shmoocon
• Federation of Security Professionals
• MetriCon
• ToorCon
• Chaos Communication Congress
• Information Security Summit
• O'Reilly Conferences
• FISSEA: Federal Information Systems Security Educators' Association
• XCon
• Electronic Identity - Porvoo Group
• RuxCon
• The Annual Computer Security Applications Conference (ACSAC)
• Internet Society Conferences
• University of Cambridge Computer Laboratory Security Conference Database
• Secure Application Development
• OWASP AppSec
• Workshop on Security and Human Behaviour
• Hacker Halted
• Techpresentations: slides from  many technical conferences
• Annual Computer Security Applications Conference
• Secure Application Development
• Information Security Conferences Calendar

Surveys, stats

• Security Survey of Key Internet Hosts (Dan Farmer, 1996) 
• SSL Server Security Survey 
• The 2000 Information Security Industry Survey 
• The 2001 Information Security Industry Survey 
• Attrition Defacement Statistics 
• Computerworld Security Statistics 
• Salary 
• CERT/CC Statistics 
• Security Statistics 
• SecuritySpace Internet Research Reports 
• Honeynet project: statistics 
• Riptech Internet Security Threat Report - Attack Trends Q3 and Q4 2001  
• e-Security - 2002 and beyond 
• The Security of Applications: Not All Are Created Equal 
• Informationweek - Management Takes Notice 
• ISS: Internet Security Risk Summary for December 22, 2001 through March 21, 2002 
• Network World Top Concerns Survey 2002 
• Riptech Internet Security Threat Report - Attack Trends Q1 and Q2 2002 
• The 2002 Information Security Industry Survey  
• ICAT Vulnerability Statistics 
• ISS Internet Risk Impact Summary 1.1.-31.3.2003 
• IFCC Internet Fraud Reports 
• Top 100 Security Tools 
• Information Security magazine 2003 product survey 
• Fast and Present Danger: In-Home Study on Broadband Security 
• INFOSEC year in Review 
• Understanding Computer Crime Studies and Statistics 
• CIO Security Study - Determine the importance of IT Security 
• Blaster worm took heavy toll: survey 
• Victims of cyberstalking: An exploratory study of harassment perpetrated via the Internet 
• ZDNet 2003 Security Survey: steady progress, wireless worries 
• The State of IT Security 2003 Survey 
• INFOSEC Zeitgeist 
• What keeps information security professionals up at night? 
• F-Secure Corporation's Data Security Summary for 2003
• Imperva: Only 10% of Web Applications are Secured Against Common Hacking Techniques 
• SecurityTracker vulnerability statistics 2002 
• Symantec Internet Security Threat Reports
• Information Security Breaches Survey 2004
• A CompTIA Analysis of IT Security and the Workforce - Summary 
• Kauppakamarien yritysturvallisuustutkimus (finnish)
• Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector 
• PWC 7th Annual Global CEO Survey - Managing Risk 
• CIO - The State of Information Security 2004
• Hi-Tech Crime: The Impact on UK Business 
• Authentication Statistics Index
• F-Secure Corporation's Data Security Summary for 2004
• Coverity: Linux bugs
• ISSA/BSA Survey result 2004 (ppt)
• Identity Theft - Summary
• Hi-Tech Crime - The Impact on UK Business 2005 
• Browser Vulnerability Statistics 2004
• Insider Threat Study 
• Identity and Access Management Trends Survey 
• 2005 Australian Computer Crime and Security Survey
• Banks to spend more on IT security
• Nationmaster - crime statistics
• Study: Flaw disclosure hurts software maker's stock
• The Prolexis Zombie Report
• TrustedSource email & spam stats
• CIO - The State of Information Security 2005 Part I and Part II
• How safe is it out there? - Study of web app security
• Opinion: Investigating the FBI's 'invalid' security survey
• Top Security Trends for 2006
• FTC Consumer Fraud and Identity Theft Complaint Data 2005 
• Swiss Re Corporate Risk Survey: A Global Perspective
• Statistics on web servers attacks for year 2005 
• It's raining security surveys
• F-Secure Corporation's Data Security Summary for 2005
• DTI Information Security Breaches Survey 2006 
• CSI/FBI Computer Crime and Security Survey 2009, 2008,  2007,  2006, 2005, 2004, 2003 and 2002 
• Survey on the Detection and Prevention of Data Breaches 
• Yrityksiin kohdistuvan ja niitä hyödyntävän rikollisuuden tilannekuva 2006 
• Critical look at statistics
• Web Application Security Professionals Survey
• A Chronology of Data Breaches
• 4th Annual Consumer Online Fraud Survey 
• Profile of a Fraudster Survey 2007 
• WASC Web Security Threat Report 1-4/2007 
• Tunnisteilla turvallisuutta - tutkimus sähköisten tunnisteiden käytöstä (finnish)
• Study: Professional Security Certifications Boost Salary 
• Information Security Year in Review 2007 
• Ernst & Young’s Global Information Security Survey 2007 
• Independent comparatives of Anti-Virus software
• Cisco 2007 Annual Security Report 
• The Web Hacking Incidents Database Annual Report 2007
• Banks: Losses from computer intrusions up in 2007
• Tietoturvallisuuden hallinta suomalaisissa organisaatioissa 2007 (finnish)
• IC3 Internet Crime Report 2007 
• The (ISC)2 Global Information Security Workforce Studies 
• Kauppakamarin tutkimus yritysten rikosturvallisuudesta 2005 ja 2008 (finnish)
• Understanding the Web browser threat
• Airport Insecurity: The Case of Missing & Lost Laptops 
• Information Week 2008 Security Survey: We're Spending More, But Data's No Safer Than Last Year
• Web Application Security professional Survey 2008
• Software Security Demand Rising 2007
• Compuware 2008 Study on the Uncertainty of Data Breach Detection 
• Emerging Cyber Threats Report for 2009 
• NRI Secure Technologies Web Application Security Assessment Trend analysis report 2008
• Europol European Organised Crime Threat Assessment (OCTA) reports
• European ATM Security Team (EAST) Crime Reports
• Microsoft Security Intelligence Report
• Dataloss DB
• Arbor Networks Infrastructure Security Report
• Adventurers and Risk-Takers: Finnish professional criminals and their organisations in the 1990s cross-border criminality 
• Symantec Report on the Underground Economy
• Verizon Business Data Breach Investigations Report 2010,  2009, Supplemental Report 2009,  2008and Supplemental Report 2008 
• IDC: Innovation and Security: Collaborative or Combative 
• WhiteHat Website Security Statistics Report 12/2008 
• Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones 
• Top 10 Financial Security Breaches 2008
• The Cisco Annual Security Report 2008  and 2009
• PWC Global State of Information Security Surveys
• IBM X-Force Trend Reports
• Security certifications (excel)
• Deloitte Annual Global Security Survey 2008, 2006, 2004,  2003 
• Outpost24: Cyber Criminality 
• KPMG 's 2009 IT Internal Audit Survey 
• State of the CSO 2009 
• Finjan Cybercrime Intelligence Report
• Yrityksiin kohdistuvan rikollisuuden tilannekuva (finnish)
• Web Application Security Statistics
• Deloitte: Cyber Crime: a clear and present danger
• Ponemon 2009 Annual Study: Cost of a Data Breach
• Survey: Integrating Security Into the Software Development Lifecycle
• State of Web Application Security 2010
• Generation Y Online Security Survey
• PWC: Revolution or evolution. Information Security 2020
• PWC: Information Security Breaches Survey 2010
• The Leaking Vault - Five Years of Data Breaches
• Survey and Analysis of EU ICT Security Industry and Market for Products and Services

Software security

• IBM security papers 
• Secure Internet programming 
• Java Security Hotlist 
• Tietoturvallisuus järjestelmäkehityksessä (finnish)
• eWeek: Access Control Tools 
• Programming Satan's Computer 
• Why Computers are Insecure 
• Open Web Application Security Project
• cgisecurity.net 
• Human factors and computer security: a bibliography 
• Sanctum white papers 
• TCPA / Palladium FAQ 
• NIST: The Economic Impacts of Inadequate Infrastructure for Software Testing 
• Attack Modeling for Information Security and Survivability 
• IBM articles for developers  
• Java Object Inspector 
• SBQ Application Security Articles 
• The Peon's Guide To Secure System Development 
• Session Fixation Vulnerability in Web-based applications 
• The Protection of Information in Computer Systems 
• Manufacturers should be liable... 
• Application Security Best Practices at Microsoft 
• Security in the Microsoft .NET Framework  
• J2EE vs. NET security 
• Why Secure Applications Are Difficult to Write 
• DIMACS Workshop on Software Security 2003 - Presentations 
• .NET Security 
• Framework for Secure Application Design and Development 
• Secure Software Development and Code Analysis Tools  
• Security Evaluation: Microsoft Windows Server 2003 with .NET Framework and IBM WebSphere 
• Security Programming 
• SecureProgramming.com 
• NIST: Role-based Access Control 
• Fuzz Testing of Application Reliability 
• Valtionhallinnon tietojärjestelmäkehityksen tietoturvallisuussuositus (finnish)
• Purdue University Secure Programming Lecture Notes 
• Java vs. .NET security part 1, part 2
• Security Band-Aids or Building Secure Software? 
• Tutorial: Secure your URL 
• Application Vulnerability Description Language 
• Why the Future Belongs to the Quants  
• Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics 
• Can Sotware Kill? 
• Computer security in the real world 
• Software Security Checklist for the Software Life Cycle 
• Web Based Session Management 
• Improving the Security Across the Software Development Life Cycle 
• Article about software trends 
• A Global Survey of Software Development Practices 
• The Challenges of Complex IT Projects 
• Secure Development Framework 
• Security: The root of the problem 
• Microsoft Security Developer Center
• Satan's Computer Revisited - API Security (ppt)
• Ten Software Myths
• An Applications View on Security
• .NET Framework Security 
• The Free Lunch Is Over: A Fundamental Turn Toward Concurrency in Software
• They Write The Right Stuff
• Guerrilla Threat Modeling
• Web Application Security Consortium
• The Trustworthy Computing Security Development Lifecycle
• WebSphere Security Fundamentals
• CLASP: The Comprehensive, Lightweight  Application Security Process 
• Application Security: Mindset Is What Matters
• Community Secure Software Guide
• NIST Security Considerations in the Information System Development Life Cycle  
• Collaboration in a Secure Development Process Part I, Part II, Part III 
• Trike - Threat Modeling
• Software that lasts 200 years
• Building Security In - articles
• Software Asurance and Metrics Tool Evaluation
• Why is Application Security so Elusive?
• Build Security In Portal
• Threat Modeling Web Applications
• Security Engineering Explained
• SearchAppSecurity
• Gary McGraw's (Software) Security Articles
• We Need Assurance 
• Ajax security
• Secure Software Forum
• Misuse cases help to elicit non-functional requirements
• Security pros push for secure code
• The Code Room
• Opening the Black Box: A Source Code Security Analysis Case Study 
• Software Security Assurance: a framework for Software Vulnerability Management and Audit 
• draft: Security in the Software Lifecycle 
• draft: Secure Software Assurance Common Body of Knowledge 
• Principled Assuredly Trustworthy Composable Architectures 
• CERT: Secure Coding
• A Taxonomy of  Software Security Errors 
• The Application Security Industry Consortium
• SANS Software Security Institute
• Hacking Web2.0
• State-of-the-Art Report: Software Security Assurance 
• SAFECode: Software Assurance Forum for Excellence in Code
• Software Project Management for Software Assurance (doc)
• Software Assurance (SwA) in Acquisition: Mitigating Risks to the Enterprise (doc)
• GEMOM: Genetic Message Oriented Secure Middleware
• Microsoft Security Development Lifecycle (SDL)
• Valtionhallinnon arkkitehtuurin suunnitteluprojektin raportit (finnish, pdf)
• Cheat Sheet: Web Application Security Frame
• Fundamental Practices For Secure Software Development 
• Application Secuirty Procurement Language
• Software Assurance Maturity Model
• Building a Web Application Security Program 
• Resources for Secure Software Engineering from Security Compass
• Security Patterns Catalog
• The Building Security In Maturity Model
• Security Analysis of Core J2EE Design Patterns
• Observations on Balancing Discipline and Agility
• Toward an Organization for Software System Security Principles and Guidelines
• Foreign Influence on Software Risks and Recourse
• Enhancing the Development Life Cycle to Produce Secure Software
• Secure Web Application Framework Manifesto
• SDL Quick Security References
• Simplified Implementation of the Microsoft SDL
• Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer
• OpenSeminar - Software Engineering
• Elevation of Privilege card game
• 101 Patterns for Influencing Behaviour Through Design (including security)

    Databases

• Exploiting and Protecting Oracle 
• Protecting Oracle Databases Whitepaper and Slides
• Threat Profiling Microsoft SQL 
• Oracle Security papers 
• SQL Injection - are your web-applications vulnerable 
• Blindfolded SQL Injection 
• Securing MySQL: step-by-step 
• Writing Secure Code in Oracle 
• An Introduction To SQL Injection Attacks For Oracle Developers 
• SQL Injection Attacks by Example

    Design 

• Architectural Patterns for Enabling Application Security 
• A method for designing secure solutions 
• Security patterns 
• OpenGroup Guide to Security Patterns 
• Dos and Don'ts of Client Authentication on the Web 
• Designing secure information systems and software 
• Designing secure software
• Designing for Failure
• The Protection of Information in Computer Systems by Saltzer & Schroeder
• Security Principles
• Security Architecture Cheat Sheet

    Programming

• Packetstorm Programming Tutorials 
• How to Write Secure Code - papers 
• The WWW Security FAQ 
• How To Remove Meta-characters From User-Supplied Data In CGI Scripts
• Secure (Unix) Programming Guidelines 
• Secure Unix programming FAQ 
• Secure Programming for Linux and Unix HOWTO 
• Programming and security related links 
• Best Practices for Secure Development 
• A Guide to Building Secure Web Applications And Web Services
• Links to Java security documentation 
• Twelve rules for developing more secure Java code  
• Microsoft Code Secure 
• Sun Java Security
• The Secure Programming Standards Methodology Manual
• Secure Programmer articles by David Wheeler
• Learning Guide: Developing secure enterprise Java applications
• The Four Coders of Apocalypse
• Cigital Java Security Rulepack
• CERT Java Secure Coding Standards
• Secologic project: Guides for secure programming
• CWE/SANS TOP 25 Most Dangerous Programming Errors

    Examples, known problems

• Exploiting Common Vulnerabilities in PHP Applications 
• Format String Attacks  
• Format String Attacks & Examples 
• The Gibraltar Hack: Anatomy of a break-in
• Smashing The Stack For Fun And Profit
• Insecure Programming by example
• Lots of buffer overflow stuff...
• Heap overflows 
• Analysis of format string bugs 
• Cross-site scripting 
• RPC without borders (SOAP)
• Perl CGI problems  
• MS Code Secure
• Designing Shellcode Demystified 
• HTML Code Injection and Cross-site scripting 
• The Ten Most Critical Web Application Security Vulnerabilities 
• SQL Injection Attacks by Example
• OWASP WebGoat Online
• Breaking the Bank - Vulnerabilities in Numeric Processing within Financial Applications 
• XSS Cheat Sheet
• Active Man-In-The-Middle Attacks

  Testing

• Security Code Review Guidelines 
• Seven Deadly Sins of Software Reviews 
• How to find security holes 
• Bug Hunting: The Seven Ways of the Security Samurai 
• Web application scanners - test 
• Application Assessment Questioning 
• Open source software testing tools
• mangleme - an automated broken HTML generator and browser tester
• Penetration Testing for Web Applications Part I, Part II and Part III
• How To Perform a Security Code Review for Managed Code
• History's worst software bugs
• Review: Source-Code Assessment Tools Kill Bugs Dead
• NIST: The Economics Impact of Inadequate Infrastructure for Software Testing 
• SAMATE - Software Assurance Metrics And Tool Evaluation project
• A Web Services Security Testing Framework  
• Writing Software Security Test Cases
• Web Application Security Scanner Evaluation Criteria

    Tools -free

• PROTOS - Security Testing of Protocol Implementations 
• RATS - Rough Auditing Tool for Security  
• Flawfinder
• Codecheck 
• ITS4 - Software Security Tool
• Splint - Secure Programming Lint 
• Stackguard 
• Achilles 
• @Stake tools
• httpush 
• nikto  
• WebSleuth 
• WPoison - SQL Injection stress tool
• Form Scalpel 
• Session Auditor 
• WebCracker - web password guessing 
• Brutus - The remote password cracker for Windows 
• cURL 
• NTLM Authorization Proxy Server 
• netcat - network swiss army knife
• OpenSAML 
• Data Thief 
• Exodus
• Paros proxy 
• XML SOAP Monitor extension of the Ethereal 
• Burp proxy 
• Mozilla LiveHTTPHeaders
• Odysseus proxy  
• Microsoft Threat Modeling Tool
• Foundstone Hacme Bank training tool for app developers
• Wikto - web assessment tools
• Fiddler - HTTP debugging proxy
• Internet Explorer Developer Toolbar
• SQL Power Injector
• Bugle - Google Source Code Bug Finder
• LAPSE: Web Application Security Scanner for Java
• Web Application Auditing Tool (SWAAT)
• Hack This!
• Casaba Security's Watcher tool for Web Security Auditing and Testing
• OWASP Live CD for Web Application Security
• FindBugs - Find Bugs in Java Programs
• skipfish - web app security scanner
• Google Tutorial: Web Application Exploits and Defenses

    Tool - commercial

• SpiDynamics WebInspect
• Sanctum AppScan 
• Hailstorm 
• BlackWidow 
• Typhon 
• Man Machine Systems
• Rational
• Parasoft
• N-Stalker 
• @stake SmartRisk Analyzer
• Paessler Site Inspector
• Analyzing Accuracy And Time Costs of Web Application Security Scanners

    Web Services, XML security

• Securing Web services 
• Getting Started With XML Security
• Secure Your Web Services Applications 
• Security in a Web Services World: A Proposed Architecture and Roadmap 
• Web Services - Not So Fast 
• XML and Web Services security - articles 
• WebServices.Org 
• Microsoft Web Services White Papers 
• Web services security 
• Specification: Web Services Security v.1.0 
• HP's software developer conference 2003 - slides 
• A Strategy for Securing Web Services 
• Enterprise Security With XML and Web Services 
• Vordel - products for XML security 
• Web Services Security Basics
• Review: WS-Security Gateway Products  
• SOAP Web Services Attack - Part 1 Introduction and Simple injection  
• Ten guidelines for deploying secure XML Web services
• XML Web services security best practices
• Service Oriented Security Architecture 
• Essential XML Web Services Security Practices 
• NIST: Guide to Secure Web Services 
• MS Web Service Security Guide
• SOA Security Red Book
• SOA Design Patterns

    Intrusion Detection Systems

• FAQ: Network Intrusion Detection Systems 
• FAQ: sniffing 
• SANS Intrusion Detection FAQ
• COAST Intrusion Detection Pages
• Intrusion Detection 101 - slides 
• DARPA Intrusion Detection Evaluation
• Denial of Service Attack Resources
• IETF - Intrusion Detection Exchange Format
• Common Vulnerabilities and Exposures (CVE)
• Common Intrusion Detection Framework (CIDF)  
• Computer Intrusion Detection Systems 
• Emerald - project 
• HoneyNet - project 
• DShield: Distributed IDS data catalog 
• SANS Intrusion Detection Reading Room 
• Honeypots: Tracking Hackers
• NSS Labs IPS Test 
• ISS Advisor 
• MetaSploit 
• Securitytechnet IDS links 
• Intrusion Detection Links & Documents 
• Gartner: Magic Quadrant for Intrusion Detection Systems, 2H03 
• NIST: National Vulnerability Database
• NIST: Guide to Intrusion Detection and Prevention (IDP) Systems 
• Common Weakness Enumeration (CWE)

    Articles, papers, presentations

• HackerShield - CyberCop comparison 
• Intrusion Detection - several products
• 50 Ways to Defeat Your Intrusion Detection System 
• Intrusion Detection: Challenges and Myths
• Attack Trees - Modeling security threats  
• Interpreting network traffic 
• IDS Product Survey (1999) 
• Watching the Watchers: Intrusion Detection
• State of the Practice of Intrusion Detection Technologies 
• Hackers caught in security 'honeypot' 
• Columbia University IDS-project 
• Users warming to outsourced intrusion detection  
• NIST on Intrusion Detection Systems 
• Papers from 8th port 
• Internet burglar alarms 
• Intrusion Detection and Packet Filtering: How It Works (zip)
• IDS test (Network Computing) 
• Attack Modeling for Information Security and Survivability 
• The Evolution of Intrusion Detection Systems 
• Gigabit-speed intrusion-detection systems 
• An Introduction to Intrusion Detection Assessement 
• Unearthing the Invaders - IDS test 
• Fingerprinting Port 80 Attacks Part I and Part II
• CERT: Overview of Attack Trends 
• To Catch a Thief 
• One-way cable for IDS 
• How to 0wn the Internet in Your Spare Time 
• Stateful Intrusion Detection for High-Speed Networks (ps)
• Intrusion Detection Issues (ppt)
• Docshow.net - IDS papers 
• Crying wolf: False alarms hide attacks 
• Threat Management: The State of of Intrusion Detection 
• Justifying the Expense of IDS, Part One and Part Two
• From Intrusion Detection to Intrusion Prevention 
• Priorities in the deployment of network intrusion detection systems 
• Curious Yellow: The First Coordinated Worm Design 
• Network Computing: HIP product test 
• Implementing Networks Taps with Network Intrusion Detection Systems 
• Thesis about Honeypots 
• Intrusion Prevention Systems: the Next Step in the Evolution of IDS 
• Securityfocus IDS 
• Attack Lab Design & Security Mini How-To 
• A practical approach for defeating Nmap OS-Fingerprinting 
• Polymorphic Shellcodes vs. Application IDSs 
• False Positives: A user's guide to making sense of IDS alarms 
• Gartner: Intrusion Detection On The Way Out 
• Intrusion Detection Methodologies Demystified  
• An Overview of Issues in Testing Intrusion Detection Systems 
• Cost-Benefit Analysis for Network Intrusion Detection Systems 
• Gartner about Intrusion Detection 
• IDS finds niche as analytical tools 
• Merry Christma: An Early Network Worm 
• Deployment Guidance for Intrusion Detection Systems 
• Taking Aim - Target-based IDSes 
• Network Intrusion-Prevention Systems review 
• Navy researcher has novel security visualization technique 
• The History and Evolution of Intrusion Detection
• Intrusion Detection: A Brief History and Overview  
• Review: Host Intrusion Prevention Software 
• Host-Based IDS vs Network-Based IDS Part I and Part II
• Master's Thesis: Intrusion detection in critical e-business environment 
• Master's Thesis: Verkkohyökkäysinformaation keskitetty analysointi (finnish)
• Infoworld: Network detectives sniff for snoops
• LURHQ technical papers
• The Day After: Your First Response to Security Breach
• Stopping Automated Attack Tools 
• HTTP Request Smuggling 
• Microsoft: The Security Monitoring and Attack Detection Planning Guide 
• Strider HoneyMonkey Exploit Detection

    Commercial tools

• List of Intrusion Detection Systems 
• Talisker's List of Intrusion Detection Systems
• Enterasys
• NFR 
• IntruVert 
• Specter - honeypot 
• Blade Software IDS Informer 
• Sawmill - reporting tool 

    Free tools

• Shadow
• Linux IDS 
• tcpdump 
• windump 
• analyzer - protocol analyzer 
• ntop 
• Tripwire
• Toby (tripwire reimplementation)
• cheops
• Deception Toolkit 
• www.whitehats.com 
• Pakemon 
• Top 75 Security Tools 
• Packetfactory 
• Cassandra (vulnerability notifications) 
• ICAT vulnerability database 
• Analysis Console for Intrusion Databases 
• LaBrea - a "sticky honeypot" 
• Log Analysis Resources 
• Xprobe - OS fingerprinting tool 
• IDSwakeup 
• IPFC -  software and framework to manage and monitor multiple types of security modules 
• ADMmutate 
• fragroute 
• Early Bird: a Realtime HTTP Worm Intrusion Attempt Reporting 
• Prelude IDS  
• honeyd 
• Paketto Keiretsu 
• Ettercap - multipurpose sniffer/interceptor/logger for switched LAN 
• The samhain file integrity / intrusion detection system 
• chkrootkit - checks system binaries for rootkit modification
• SideStep: IDS evasion tool 
• Snare 
• Protowatch 
• Cain & Abel - password recovery tool 
• LogIDS 
• Nagios - monitoring tool 
• yafic - Yet Another File Integrity Checker 
• integrit - file verification system 
• GFI LANguard - System Integrity Monitor 
• Osiris - file integrity verification system 
• The Defiler's Toolkit 
• ModSecurity for Apache
• IISShield - application layer firewall for IIS 
• kses - HTML/XHTML filter 
• Packetyzer - Packet Analyzer for Windows 
• Knoppix - Linux Security Tools Distribution 
• Shell Intrusion Detection 
• Squil - Network Security Monitoring
• EtherApe
• Wireshark - network protocol analyzer
• Zero-Day Tracker
• The Suricata Engine - an Open Source Next Generation Intrusion Detection and Prevention Engine

    Trojans, vulnerabilities, port numbers

• FAQ: Firewall Forensics (What am I seeing?) 
• advICE - trojan ports
• Simowits - trojan ports
• Threats to your Security on the Internet
• Trojan horse port list 
• IDS attack signature database 
• Common Vulnerabilities and Exposures database 
• SANS Consensus Intrusion Database 
• The Internet Ports Database 
• Special Application Port List 
• Yet another port search engine 

    Analysis

• SANS - Global Incident Analysis Center 
• Distributed Denial of Service Attacks/tools 
• ICMP usage in scanning 
• NIPC Cybernotes 2001 Summary 
• Log Analysis Resources
• An evening with Berferd 
• Open Security Evaluation Criteria (OSEC)  
• My NetWatchman 

    Snort

• Snort 
• Snort slides by Martin Roesch 
• NSS IDS Test - Snort 
• poll: What IDS you prefer? 
• Open source mounts IDS challenge 
• Guide: Deploying Open Sourced Network Intrusion Detection for the Enterprise  
• Guide: Snorting_the_Enterprise  
• Guide: Snort-Setup for Statistics HOWTO 
• SnortSam: Firewall-1 plug-in 
• Snort - OPSEC output plugin 
• Hoghwash 
• Introduction to Network-Based Intrusion Detection Systems Using Snort 
• Snort for Windows 
• SnortNet 
• Snort: The Open Source way to fame and fortune 
• Multiple Snort Sensors HOWTO 
• Cerebus: unified alert file browser for Snort 
• Windows Snort FrontEnd 
• Snort Next Generation Detection Engine 
• SnortCenter 
• Guide: Snort Enterprise Implementation 
• Snort XML Plug-in 
• Freshmeat Snort-related projects 
• Snortalog 
• Spade - Statistical Packet Anomaly Detection Engine for Snort  
• snort_inline 
• Guide: Snort Enterprise Implementation - Snort, MySQL, Acid and SnortCenter on Redhat 9.0 
• quidscor - Snort and Qualys integration tool 
• Guide: Shadow/Snort sensor on Slackware step-by-step 
• Intrulock Lite - Snort front-end
• Honeynet Security Console 

    Snort-based commercial products

• Demarc 
• SiliconDefence
• Sourcefire 
• Applied Watch 
• PacketAlarm 
• NitroGuard

     Incident handling & forensics

• SEI: Handbook for Computer Security Incident Response Teams 
• CERT/CC: Computer Security Incident Response 
• CERT/CC: Responding to Intrusions 
• AuCERT: Forming an Incident Response Team 
• SANS: S.C.O.R.E 
• SANS Reading Room: Incident Handling 
• SANS Forum: Incident Handling and Hacker Exploits Forum
• NIST SP 800-3: Establishing a Computer Security Incident Response Capability 
• CIAC: Incident Reporting Procedures
• RFC 2350 - Expectations for Computer Security Incident Response
• CIO: CyberThreat Response and Reporting Guidelines 
• ISS: Computer Security Incident Response Planning 
• Forensic Computing & Analysis (The Coroner's Toolkit)
• Incident Response: Managing Security at Microsoft
• Incident Handling Links & Documents   
• F.I.R.E. - Forensic and Incident Response Environment 
• The Sleuth Kit and The Autopsy Forensic Browser 
• Free tools by Foundstone 
• Guidelines for Best Practice in the Forensic Examination of Digital Technology 
• NIST: National Software reference Library 
• NIST: Computer Security Incident Handling Guide 
• Free Forencis Tools 
• Computer Forensics Resources
• Electronic Crime Scene Investigation -  A Guide for First Responders 
• Sun Blueprints on Incident Response: Book1, book2, book3 and book4 
• Free  Request Tracker for Incident Response
• Windows Forensic Toolchest
• Network Security Toolkit
• Investigations Involving the Internet and  Computer Networks 
• CSIRT Management 

Penetration testing

    General    

• The Open-Source Security Testing Methodology Manual 
• NSS Vulnerability Assesment Group Test  
• Vulnerability Assessment Scanners 
• VA scanner test
• Tietoturvatarkastuksen automatisointi (finnish)
• Firewall Penetration Testing 
• Broadening the Scope of Penetration Testing Techniques 
• French IT database for exploits 
• Open Source Vulnerability Database 
• The Metasploit Project
• Professional Security Testers Warehouse
• NIST:Technical Guide to Information Security Testing and Assessment 

    Commercial tools

• H.E.A.T Vulnerability Scanner 
• Core Impact and related article
• CANVAS 

    Free tools   

• dsniff
• nmap  
• saint 
• nessus
• Nikto - web server scanner 
• Patchwork
• Firewall Tester 
• rhea - a windows http vulnerability scanner 
• Several tools
• HackerWhacker - scan your computer
• Sara - Security Auditor's Research Assistant 
• SPIKE - the fuzzer creation kit 
• dnsdigger 
• p0f - passive OS fingerprinting tool 
• Siphon - passive network mapping 
• Scapy
• MetaCoretex 
• L0phtCrack - password cracker
• John the Ripper - password cracker 
• Russian PaSsWord Crackers  
• BlueStumbler - Bluetooth attack 
• Hydra - network logon cracker 
• Imperva tools: PassLoc, Dl-Hell, etc. 
• Burp spider - a tool for enumerating web-enabled applications
• Smbspy
• Nessus for Windows
• Helix
• Backtrack
• SAPYTO - SAP Penetration Testing Framework
• sqlmap
• Goolag Scanner
• scrawl - SQL Injector and Crawler
• w3af - Web Application Attack and Audit Framework
• HP SWFScan Flash Security Scanner
• Penetration Testing Framework
• Spider for credit card and other confidential data
• OpenDLP
• iKAT - Kiosk terminal auditing tool

Public Key Infrastructure

• NIST PKI Program 
• Overview of Certification Systems: X.509, CA, PGP and SKIP 
• RFC 2527, X.509 Certificate Policy and Certification Practices Framework   
• Several PKI-related links
• The PKI page
• Rethinking public key infrastructures and digital certificates --- building in privacy (thesis 1999)
• SPKI/SDSI Certificates 
• Ten Risks of PKI & The Rebuttal 
• RFC2459, X.509 PKI Certificate and CRL Profile  
• IETF - PKIX-charter 
• IETF - SPKI-charter
• European Certification Authority Forum
• European Electronic Signature Standardization Initiative
• A Heretic's view of Certificates   
• OpenGroup PKI Task Group
• PKI Forum   
• PC/SC Workgroup 
• Conventional PKI: An Artefact Ill-Fitted to the Needs of the Information Society 
• Evaluating the Cost of Ownership for Digital Certificate Projects (Aberdeen Group)
• Inter-operability in a Public Key Infrastructure  
• ICC: General Usage for International Digitally Ensured Commerce 
• Government of Canada PKI 
• PKI and the Law 
• Federal PKI Steering Committee 
• Overview of PKI Vendors (Giga) 
• SWIFT TrustAct 
• CITI Smartcard-projects 
• PKI guru 
• EEMA PKI Challenge
• Smart Card Alliance 
• Open-source PKI Book 
• Deploying a Public Key Infrastructure (IBM RedBook) 
• Internet2 middleware 
• XML Key Management Specification 
• PKI Assessement Guidelines 
• WebTrust 
• Authentication, Authorisation Coordination for Europe
• OCSP - OpenValidation 
• An introduction to XML encryption and XML signature  
• NSS PKI Group Test 
• AICPA/CICA  WebTrust Program for Certification Authorities 
• NIST Key management Guidance drafts 
• ETSI documents: Electronic Signatures and Infrastructures 
• FiCom ETSI  MSS-standardin (mobiilivarmenne) soveltamisohje (finnish)

    Articles, papers, presentations

• Keying in on PKI 
• PKI: a matter of trust, cost 
• 25 Steps to the Successful Implementation of a Corporate PKI  
• Building a Corporate Public Key Infrastructure
• X.509 Style Guide  
• The Emperor's New Clothes: The Shocking Truth About Digital Signatures and Internet Commerce 
• Advances and remaining challenges to adoption of PKI technology 
• A Matter of Trusting Trust - Why Current Public-Key Infrastructures are a House of Cards 
• PKI starts to deliver 
• Companies warming up to PKI 
• PKI Secure Messaging Interoperability 
• PKI woes taking toll on leading firms 
• PKI Interoperability (ICE-CAR) 
• Secure Computing: IDS Test 
• ITPapers.com: PKI White Papers 
• In PKI we Trust? 
• PKI's Are Still Tough To Deploy 
• Varmennepalvelujen markkinat ja kilpailutilanne (finnish)
• PKI implementation experiences and swot-analysis (in Finland)  
• The Internet public key infrastructure (introduction) 
• Securing e-business applications using smart cards
• Robustness Principles for Public Key Protocols 
• Non-repudiation in the Digital Environment 
• SIM-kortin rinnakkaiskäyttö (finnish, pdf)
• PKI - From Pilot to Production 
• Julkisen avaimen järjestelmä, toimikortit ja niiden soveltaminen organisaatiossa (finnish)
• Varmennepalvelut, Viestintäviraston työryhmäraportti 6/2002 (finnish) 
• Optical Fault Induction Attacks 
• PKI - Only Mostly dead 
• Digital Signatures and Electronic Documents: A Cautionary Tale 
• Building Trusted Paths for Web Browsers 
• Thesis: Certificate Management in Mobile Devices 
• Deploying and Supporting a PKI at Microsoft 
• Varmennepalveluvaihtoehdot -FujitsuInvia (finnish)
• Effective PKI Requires Effective HCI 
• Analysis of survey on Obstacles to PKI Deployment and Usage 
• PKI: Past, Present and Future 
• A Critical View on Public Key Infrastructures 
• Turvalliset sähköisen allekirjoituksen luomisvälineet - vaatimusten arviointi (finnish)
• EEMA PKI Challenge Final Paper 
• Colliding X.509 Certificates based on MD5-collisions
• 5th Annual PKI R&D workshop proceedings
• Third European PKI Workshop 2006 presentations

    Finnish Electronic Identity (fineid)

• Finnish Electronic ID card  
• HSTYA-projekti (finnish)
• VRK:n HST-esimerkkikoodi (finnish)
• HST-ryhmä (finnish)
• CSC PKI-starttipaketin oppitunnit (finnish)
• Väestörekisterikeskuksen varmennepalvelun selvitystyöryhmän raportti (finnish)

    Tools

• OpenCA project 
• Mozilla Open Source PKI-projects 
• dumpasn1.c, dumpasn1.cfg, guidumpasn 
• dumpasn1obj 
• Enterprise Java Beans Certificate Authority 
• CAcert - the community non-profit Certificate Authority  

LDAP, Directories

• An LDAP Roadmap & FAQ
• OpenLDAP - Open Source implementation of LDAP
• Directory Services Markup Language 
• Distributed Management Task Force 
• Object Identifiers 
• Linux Directory Services
• Understanding LDAP (IBM redbook)
• NetworkWorldFusion - directory newsletters 
• Directory resources
• Directory Services Markup Language 
• LDAPguru: LDAP resources 
• Directory Management Buyer's Guide 
• Thesis: Directory Services for Linux in comparison with Novell NDS and Microsoft AD 
• Business Scenario: The Executive on the Move 

    Articles & presentations

• Directory services security threat
• Directory software market buzzing
• Why do I need a Directory when I could use a Relational Database?
• a programmer's guide to directory development  
• Secure Directory Services for E-Business, Part 1 & Part 2 & Part 3
• LDAP security - slides 
• LDAP untangled
• Sizing up LDAP servers 
• Sizing up LDAP-servers -Oracle 
• The DIRECT Project - Directory Replication Coordination 
• Assuring Interoperability for the Directory-Enabled Enterprise 
• LDAP - use as directed 
• NWFusion Directory resources 
• Understanding the Role of Directory Services Versus Relational Databases 
• Directory Services - The Role of LDAP and X.500 
• Deficiencies in LDAP when used to support a PKI 
• Comparing iPlanet Directory Server with Microsoft Active Directory 
• LDAP and OpenLDAP (on the Linux platform) 
• How to Port OpenLDAP to Windows 
• OpenLDAP Developers' Day - Proceedings - 2003 
• Directory Security Solutions 
• SUN JNDI Presentations and articles 
• LDAP Injection: Are Your Web Applications Vulnerable? 
• Supporting Large-scale Deployments through Virtual Directory Technology 
• A Comparative Performance Analysis of Seven LDAP Directories  (ppt)

    Free tools

• LDAP Browser/Editor (Java-based) 
• SoftTerra LDAPBrowser 
• DirectoryMark - The LDAP server benchmarking tool 
• LDAP Schema Viewer / Proposer
• Netscape Directory Server LDAP log analyzer 
• DSML Tools 
• LDAP Account Synchronization Project 
• JLDAP
• PWsynch - Password Synchronization Server 

Virtual Private Networks

• VPN Information
• Virtual Private Network Consortium
• RFP: VPNs Across Multiple Sites
• ICSA Certified IPsec Products 
• VPN high-availability test 
• VPNlabs 
• OpenVPN 
• IKE Interoperability Demonstration 2001 
• A Comparative Analysis of IPSEC and SSL 
• IPSEC vs. SSL: Why Choose?
• SSL VPN Gateways - comparison
• SSL-Explorer - Open Source VPN

Firewalls

• Firewalls Complete 
• ICSA certified firewall products 
• Linux Firewall and Security
• IP Filter Based Firewalls HOWTO
• Personal Internet Firewalls
• PhoneBoy's FireWall-1 FAQ
• T.Rex OpenSource firewall 
• Defending Your Turf From Within (Network Computing article about personal firewalls) 
• Unverified fields - a problem with firewalls today 
• Linux firewall design tool 
• Smoothwall - Linux firewall 
• Pushing firewall performance 
• Personal Firewalls article 
• ObjectWall - protecting CORBA applications 
• Personal Firewalls Spring Security Leaks 
• Why your firewall sucks :-) 
• To Protect and to Surf - PC magazine personal firewall test 
• Some firewall tools 
• NIST Guidelines of Firewalls and Firewall Policy 
• Firewall Builder 
• Stinghorn
• Firewall Leak Tester
• Application Assurance Platforms Arise from Web App Firewall Market's Ashes 
• Web Application Firewall Evaluation Criteria
• Web Application Firewall Reviews and Evaluations
• NSS Labs WAF tests
• Protocol Cheat Sheets

Crypto

    General

• Cryptome
• Schneier's collection of cryptography papers
• Cryptography A-2-Z 
• RSA Cryptography FAQ 
• The European Cryptography Page
• Ron Rivest Cryptography and Security links 
• Cryptography and Liberty 1999
• Cipher newsletter
• Cracking DES
• IETF - Secure Shell 
• Open SSH 
• Network Encryption - history and patents 
• Snake Oil Warning Signs: Encryption Software to Avoid 
• Ross Anderson's collection of papers 
• Diceware
• FIPS 140-2: Security Requirments For Cryptographic Modules 
• godzilla crypto tutorial by Peter Gutmann 
• Passive Analysis of SSH (Secure Shell) Traffic 
• Attack on Private Signature Keys of the OpenPGP format 
• Why Cryptosystems Fail 
• Cryptographic Software for Linux 
• crypto.com, Matt Blaze's cryptography resource 
• Cryptix - Open Source crypto libraries 
• Crypto benchmark 
• SSHarp: SSH for fun and profit 
• Master-Keyed Lock Vulnerability  
• AES 
• NIST CSRC Cryptographic Toolkit 
• Cryptography Quotations 
• U.S. Export controls on commercial encryption product 
• Cryptanalysis of Block Ciphers Based on SHA-1 and MD5 
• NSA Cryptologic History 
• LavaRnd - random number generator using chaotic sources  
• HotBits - random numbers generated by radioactive decay 
• Codes and Ciphers in the Second World War 
• PuTTY for Symbian OS (Nokia Series 60 mobile phone)
• Research  - Understanding Security APIs
• I know your PIN (ppt)
• An Illustrated Guide to Cryptographic Hashes
• RainbowCrack
• MD5 online cracking
• Cryptographic Key Size Recommendations
• Attacking Hash Functions by Poisoned Messages
• RainbowCrack.com
• NIST: Guideline for Implementing Cryptography in the Federal Government 
• University of Washington - Practical Aspects of Modern Cryptography 2006 - slides
• Cryptographic hash workshop 2005 - slides
• Free Rainbow Tables
• The unbearable lightness of PIN cracking 
• Online Elliptic Curve Cryptography Tutorial
• Lest We Remember: Cold Boot Attacks on Encryption Keys
• Factsheet: Vulnerabilities in the internet PKI caused by use of MD5 
• Cryptool - cryptographic analyzer
• A stick figure guide to the AES
• Cryptographic Key Length Recommendation
• European Network of Excellence in Cryptology
• Cryptool Online

    IPSEC

• A Cryptographic Evaluation of IPsec 
• Free S/WAN 
• Openswan 
• IETF - IPSEC charter 
• A closer look at what goes on behind the scene during the setup of an IPSec remote access VPN connection
• IKECrack

    SSL/TLS

• Introduction to SSL 
• OpenSSL project 
• IETF - TLS charter 
• SSLdump 
• dsniff 
• Stunnel -- Universal SSL Wrapper 
• Attacking RSA-based Sessions in SSL/TLS 
• Webwasher SSL-scanner 
• SSLLabs - How Well Do You Know SSL
• SSL/TLS Hardening and Compatibility report 2010

    Email

• International PGP 
• GnuPG 
• IETF - S/MIME Mail Security
• Secure Messaging with PGP and S/MIME 
• Why Johnny Can't Encrypt: - A Usability Evaluation of PGP 5.0
• TFS Secure Messagin Server 
• OpenPGP Best Practices

    Cryptanalysis

• Basic Cryptanalysis 
• Self-Study Course in Block Cipher Cryptanalysis 

Biometrics

• Biometrics briefings and reviews 
• Why I love Biometrics 
• Layered biometric tools boost security 
• Links to Biometrics 
• International Biometric Industry Association (IBIA)
• The Biometric Consortium
• BioAPI Consortium
• Biometric Interoperability, Performance, and Assurance Working Group
• The Common Biometric Exchange File Format
• Enhancing security and privacy in biometrics-based authentication systems 
• Your Face Is Not a Bar Code 
• Gummy fingers -fooling fingerprint readers 
• Biometric Access Protection Devices and their Programs Put to the Test 
• A Practical Guide to Biometric Security Technology 
• European Biometrics Forum
• OECD: Biometric-Based Technologies
• Biometrics: A Look at Facial Recognition
• Biometrics Explained 
• Sisäasiainministeriön Biometria-hanke (finnish)
• BioSec - Biometric Security
• Biometrisen tunnistamisen tietoturvallisuus ja yksityisyydensuoja (finnish)
• NIST ITL Biometrics Resource Center

Unix

• YASSP - a tool for improving Solaris security
• Trinux - Linux Security toolkit
• Unix security page 
• Bastille Linux (Linux hardening scripts)
• Linux Administrator's Security Guide  
• LinuxSecurity.com 
• NSA / Security-Enhanced Linux 
• Argante - Virtual Operating system 
• Linux-Sec.net 
• Grsecurity - Linux security patches 
• The Unix Auditor Handbook 
• High Availability Linux project 
• Linux Security Controversy Part I, Part II and Part III
• The LiveCD List

Windows

• Building a Windows NT bastion host
• Windows IT security
• NTBugtraq 
• Securing Windows NT installation & Configuration (US Navy) 
• NT Security resources 
• MS SQL Server security 
• Hardening Windows 2000 
• NSA Windows Security Recommendation Guides 
• IIS 4.0 hardening guide 
• IIS 4.0 Secure Setup Guide 
• Guide to the Secure Configuration of iPlanet Web-Server  
• Windows Security Administrator 
• The Knowledge Behind The Windows 2000 Encrypting File System 
• The CIS Benchmarks and Scoring Tool for W2K  
• Understanding the Windows EAL4 Evaluation 
• Microsoft Windows 2000 Security Configuration Guide 
• Windows as a Security Appliance 
• Windows Server 2003 Security Guide 
• Explanations of Windows Task List programs 
• NIST: Guidance for Securing Microsoft Windows XP Systems for IT Professionals
• Windows XP SP2: The Inside Story
• Microsoft Security Guidance
• Windows Vista Network Attack Surface Analysis 

Mobile & Wireless

• Mobile Applications Initiative
• Wap Forum  
• SmartTrust 
• Hacking WAP 
• M-Commerce Security a Moving Target 
• Bluetooth 
• AirSnort - WLAN encryption key "recovery" 
• Security of the WEP algorithm
• wepcrack 
• Security Issues for Ad-hoc Wireless Networks 
• vomit - voice over misconfigured internet telephones 
• Wireless Access Points and ARP Poisoning 
• Malicious ActiveX Controls 
• Results of Security in ActiveX Workshop 
• IBM Wireless Security Auditor 
• NIST: Wireless Network Security (draft)  
• Wellenreiter (Wireless War-driver perlgtk Application)  
• Wireless Vendor Woes and Shame 
• NIST 802.11 Wireless LAN Security Workshop presentations 
• Antennas Enhance WLAN Security 
• GSM Security FAQ
• Diplomityö: Langattomien lähiverkkojen turvallisuus (finnish, pdf)
• Hacking Bluetooth enabled mobile phones and beyond 
• Thesis: Wireless technologies in E-Business: Services, Security and Management 
• How To: Building  a Bluesniper Rifle
• Trifinite - Bluetooth Security
• CIS: Wireless Networking Benchmark 
• Information Security threats and solutions in mobile world 
• Mobiilimaailman tietoturvauhkat  ja ratkaisut - palvelunkehittäjän näkökulma (finnish)
• Exploiting Open Functionality in SMS-Capable Cellular Networks 
• With VoIP, it's dèjá vu all over again
• Cisco SAFE: Wireless LAN Security in Depth 
• Bluejacking Tools
• Wi-Foo

Ethics

• Ethics in Computing 
• Are 'Good' Computer Viruses Still a Bad Idea?
• Ethical Decision-Making in the Development,  Communication and Enforcement of Information Security Policy

Privacy

• Tietosuojavaltuutettu (finnish)
• Electronic Privacy Information Center
• Junkbuster 
• Ad-blocking with host-file
• Carnivore 
• Center for Democracy and Technology 
• Privacy & Security Page 
• Privacy Analysis of your Internet Connection 
• Internet Explorer - browser check 
• IDs - Not That Easy: Questions about nationwide identity systems
• AD-Aware 
• Parasite Programs; Adware, Spyware, and Stealth Networks 
• The Underground Web  
• Documentation of Gator Advertisements and Targeting 
• Disk and File Shredders: A Comparison 
• Stay safe online 
• NSA Guide to Securing Netscape Navigator 7.0 
• Browser security test 
• The Cloak - anonymous web-surfing
• Anonymizer - private web-surfing  
• Eraser - An Advanced Secure Data Removal Tool for Windows 
• Windows XP Surviving the First Day 
• Personal Firewalls 
• Symantec security test 
• Cyber Security Tips 
• Office 2003/XP Add-in: Remove Hidden Data 
• Computer Virus Myths and hoaxes 
• Virus Hoaxes and Netlore 
• Hoax Busters
• Measurement and Analysis of Spyware in a University Environment 
• SpywareBlaster
• SafeXP
• Tor - An anonymous Internet communication system
• The Emergence of a Global Infrastructure for Mass registration and Surveillance 
• Secretmaker
• FDIC: Putting an End to Account-Hijacking Identity Theft Study
• SecureTrayUtil
• tutkimus: Suomalaiset ja henkilötietojen suoja (finnish)
• VirusTotal - service for scanning suspicious files using several antivirus engines
• The 2007 International Privacy Ranking
• Kuluttajaviraston huijaussivusto (finnish)
• Cartoon: Under Surveillance
• Identity Finder

    Spam  

• Reading email-headers
• Tracking Spam
• SpamCop   
• Spam Eater 
• SpamAssassin 
• sneakemail.com 
• Roskapostipaketti (finnish)

    Phishing

• Anti-Phishing Working Group
• The Phishing Guide - understanding and preventing phishing attacks 
• SpoofGuard
• The Phuture of Phishing
• Why phishing works 

    Are you being monitored?

• Companies and Products Used for Monitoring Computer Use 
• KeyKatcher 
• Spector 
• TrapWare - snooper detector  
• KeyGhost 
• Spector 
• Anti-Spy tools 
• ncrypt 
• Truecrypt
• USB hacks

• Security Issues and Recommendations for Online Social Networks 
• On the Leakage of Personally Identifiable Information Via Online Social Networks
• Social media and PR crisis communication
• Sophos social media security toolkit

• Security Guidance for Critical Areas of Focus in Cloud Computing 
• Microsoft Cloud Security Whitepaper 
• Above the Clouds: A Berkeley View of Cloud Computing 
• ENISA:Cloud Computing Risk Assessment
• Cloud Software Program
• Economist: Securing the Cloud 
• Cloud Security Alliance
• Cloud Software Program
• Azure Security Notes

Incidents, exploits, hacks, vulnerabilities

• An Analysis Of Security Incidents On The Internet 1989-1995
• PCWeek: Attacked and hacked 
• http://www.2600.com/hacked_pages/
• Flashback - hacked web-sites 
• How we defaced www.apache.org
• How to Hack a Bank  
• eWeek's Openhack - lessons learned  
• Hack alert: where's the outrage? 
• Cracked! 
• Rome Labs Case / Kuji
• Internet Worm (Morris 1988)  
• The Zapatista Tactical FloodNet 
• Top Ten Defacements of the Year 2000 
• The Forensic Challenge 
• Media Examples of Security Breaches 
• Analysis of compromised Red Hat 6.2 Linux system 
• SANS Emergency Incident Handler 
• Autopsy of a successful intrusion 
• Safemode the defaced web sites archive 
• German TV Hackers Crack Bank Server 
• Computer Intrusion Cases
• Analysis of NTDLL.DLL webdav exploit 
• U.S. Department of Justice Computer Intrusion Cases
• Sobig.e - Evolution of the Worm 
• Web defacements archive 
• Defeating Microsoft Windows 2003 Stack Protection 
• Exploiting the MSRPC Heap Overflow 
• True Spy Stories 
• Microsoft DCOM/RPC Buffer Overflow Vulnerability Analysis 
• Banking Scam Revealed 
• The Rise of the Spammers 
• Paris Hilton hack started with old-fashioned con
• Real World Hacking URLs
• The Invasion of Chinese Cyberspies
• The Web Hacking Incidents Database
• The Athens Affair

Hackers, crackers, script-kiddies,...

• Hack alert: where's the outrage? 
• Hacker News network
• hackers.com 
• Cult of the Dead Cow
• L0pht Heavy Industries
• 2600
• Attrition
• EliteHackers 
• Antionline
• Antioffline
• Rain Forest Puppy 
• Password Cracking 
• Cyberarmy 
• w00w00 
• Nomad Mobile Research Center 
• Terrorists, Freedom Fighters, Crusaders,Propagandists, and Military Professionals on the Net 
• Happy Hacker 
• hack in the box 
• sshsniff & co.  
• Ethical hacking 
• Jerome Heckenkamp 
• Hackers: a Canadian police perspective Part I and Part II
• angrypacket 
• malware.com 
• Hacker resources 
• Cracker Tools and Techniques 
• phenoelit 
• Cracking the hackers' code 
• Washington Post Russian hacker story, Part I, Part II and Part III 
• The Hacker's Choice 
• Phenoelit 
• 0day 
• Simple Nomad 
• Rating the hacker 
• zone-h 
• securiteam - exploits 
• cnhonker - exploits 
• Hackers: who are they and how can they be stopped? 
• A peek at script kiddie culture
• Hacker Highschool
• Gray-World.net
• Whitehat project
• Xfocus
• K-OTik
• XSS cheatsheet
• T-Nas
• GreyHats Security Group
• Core Hackers
• The nerd who saw too much
• Progenic Top 100
• Remote-exploit
• Hacking Illustrated
• Eyeballing - A Brief Hacker History
• How Does The Hacker Economy Work?
• Money Laundering Fraud
• Shadow Server Foundation
• The 10 Most Mysterious Cyber Crimes
• Zero for Owned eZine 1, 2, 3, 4 and 5

Infowar, Hactivism, Network Centric Warfare

• Cyber Attacks During The War on Terrorism: a predictive analysis 
• Hacktivists or Cyberterrorists? The Changing Media Discourse 
• The Information Warfare Site 
• Network Centric Warfare 
• Understanding Information Age Warfare 
• Complexity Theory and Network Centric Warfare 
• The Terrorism Research Center
• Future Character of Conflict

Traditional Security

• Pelastustoimi (finnish)
• Turvallisuus.net (finnish)
• SPEK: Suomen Pelastusalan Keskusjärjestö (finnish)
• Turvallisuussuunnittelun tietopankki (finnish)
• Sisäasianministeriö: sisäisen turvallisuuden ohjelma (finnish)
• Public Register of Authentic Identity and Travel Documents Online

People

• Matt Bishop 
• Gene Spafford 
• Ronald L. Rivest
• Bill Cheswick
• Peter G. Neumann  
• Marcus J. Ranum 
• Dorothy Denning 
• Peter Gutmann 
• Ross Andersson 
• Ronald L. Rivest 
• M.E.Kabay 
• D. J. Bernstein 
• Bruce Schneier 
• Steve Bellovin 
• Rob Slade
• David A. Wheeler
• Gary McGraw
• Who's Who In Infosec
• The 59 Top Influencers in IT Security

Fun

• Cartoons
• Virus writing is a hate-crime? 
• Story: Chasing the Wind  
• The Microsoft-English Dictionary 
• Human Virus Scanner 
• The Cracker Sisters 
• If hackers ruled the world...
• Hackers beg boring people to stop encrypting email
• Turvallisuusohjeita lennoille
• If Microsoft Had Written Nmap...
• Stupid Security Competition
• Alternative interpretations of Dept. of Homeland Security's new warning signs
• The Page of Spaf's Analogies
• Stupid Security 
• Unusual devices running Snort 
• Hackles cartoon 
• How To Destroy Your Computer 
• Security Cartoons 
• Joy of Tech Comics 
• Cartoons
• Nmap instructor
• Know Your Enemies
• How much information?
• BOFH
• Urban legends: Crime and Punishment
• Dangerous Hacker?
• How far could I go before they would check my credit card signature?
• The Underhanded C Contest
• RFID blocking wallet
• Security Problem Excuse Bingo
• Laws of Software Development
• Science Fiction in the News
• Safety (not really) at Work Contest Winners 
• aspamaday
• Murphys Laws
• Physical Security Maxims
• Optical Illusions
• Bruce Schneier (fun) facts
• Security Buzzword Generator
• Computer Criminals of the Future (1981)
• Free "Security Strategy"

• Video: Hacking with Ramzi
• The Broken hacking videos
• Hack-TV
• Exit Frame
• PacketSniffers
• Moloch TV
• Rootsecure Video clips
• The Scene
• IronGeek Hacking Illustrated
• Hak5
• iTunes: OnSecurity Video
• AT&T Tech Channel
• H*Commerce: The Business of Hackin You
• SecurityTube
• Awareness tests: Whodunnit, Person Swap,  Phone Joke
• Security Video Library

    Blogs & Podcasts

• TaoSecurity
• Static in Ether
• Digital Identity
• joatBlog
• F-Secure Antivirus Research Team Weblog
• Dana Epp's Weblog
• A Day in the Life of an Information Security Investigator
• Bruce Schneier's Weblog
• Michael Howard's Weblog
• Secure Coder
• Security Awareness for Ma, Pa and the Corporate Clueless
• Security Chief
• Digital Identity Management
• Teleware (finnish)
• Financial Cryptography
• 1Raindrop - distributed systems, seurity and software
• IdentityBlog
• Online Crime Bytes
• The Identity Corner
• Burton Group Blogs
• Threats and Countermeasures - secure software
• Identity Management and PKI Security News
• The Quiet Earth
• Network Security Blog
• Microsoft Security Response Center
• Microsoft tietoturva
• SecuriTeam
• CSI Blog
• Discovering Identity
• SOA Security Architect
• ha.ckers
• Network Security
• Browser Fun
• Managing Intellectual Property & IT Security
• matasano chargen
• Michael Howard's Web Log
• RiskBloggers
• McAfee Avert Labs Blog
• Secunia Security Watchdog Blog
• Microsoft Application Threat Modeling Blog
• The SPI Laboratory
• Jeremiah Grossman
• Justice League - The Cigital Software Security and Quality Blog
• Michael Sutton's (SPI Dynamics) Blog
• Burton Identity and Privacy Strategies Blog
• Matt Blaze's Exhaustive Search
• Worse Than Failure
• Burton Group identity blog
• Burton Group security and risk management strategies blog
• The Security Development Lifecycle
• Frequency X,  the X-Force blog
• DHS Daily Open Source Infrastructure Report
• Steve Bellovin's Blog
• Tactical Web Application Security
• Security Blogger's Network
• Matt Blaze's Exhaustive Search
• Writing Secure Software
• (ISC)2 Blog
• Washington Post Security Fix Blog
• StorefrontBacktalk Securityfraud
• Microsoft Security Development Lifecycle Blog
• Microsoft Security Research & Defense Blog
• Spire Security Viewpoint
• Geekonomics
• Security Twits
• Rational Survivability
• Light Blue Touchpaper
• SANS: The Application Security Street Fighter Blog
• SafeCode
• The Guerilla CISO
• The CodeGuard Blog
• The StopBadware Blog

• Reviews of Security Podcasts
• MightySeek podcasts - Web Application Security and Development
• The Silver Bullet Security Podcast
• CERT's Podcast Series - Security for Business Leaders
• CSO Podcasts
• InformIT
• OWASP Podcast
• Exotic Liability
• The Digital Underground
• Network Security Podcast
• The Reality Check Security Podcast
• Social Media Security