Here you’ll find some pared down security education resources. I’ve tried not to leave a dump of every security education resource ever and instead offer something tailored and curated. There are some amazing resources and repos out there filled with loads of stuff, and some of them are linked here. There are also plenty of non-security materials, as there is much to learn outside security that can be brought into it.
The Stuff I Use and Like
It’s way too easy to get overloaded trying to “keep up to date”, especially in security. I used to subscribe to loads of newsletters and listen to a bunch of podcasts but now I’ve stripped it all back and below are a few of the things I like and resources I turn to:
Podcasts
Risky Biz Podcast
Host: Patrick Gray | http://risky.biz/netcasts/risky-business
- “Easily my favourite, no fluff and a nice international view of the security news and world with some great guests”
Security Cryptography Whatever
Hosts: David Adrian, Deirdre Connolly, and Thomas Ptacek | https://securitycryptographywhatever.com/about/
- “A great technical podcast that often digs into details that go well beyond my crypto and security knowledge but that’s the part I also really enjoy”
Newsletters
tl;dr sec
Creator: Clint Gibler
- “Great resource for research, tools, tips and other bits in security. I had this recommended to me by almost all the folks on an AppSec team I was on. Clint is Head of Security Research @semgrep.”
Risky Biz News
Author: Catalin Cimpanu
- “Really nice short and punchy newsletter, easy to skim to grab the latest goings-on, delivered a couple of times a week. There’s a podcast too but I like the newsletter”
Discernible
Authors: A whole team of amazing people
- “Excellent content spanning security and privacy, with a focus on communication, one of, if not the, most valuable things in security”
Books
A short list of some books I’ve enjoyed, some may be security adjacent, there is so much to learn outside of security that can easily apply.
Title | Author | Year Published | Comment |
---|---|---|---|
The Cuckoo’s Egg | Cliff Stoll | 1989 | “A really fun, non-technical read on early hacking” Reprint in 2005. |
Security Chaos Engineering | Kelly Shortridge with Aaron Rinehart | 2023 | “I’m actually reading and re-reading this book right now, and it is excellent! Great thoughts, examples and insight into building resilience into security. Approaching things from a more platform oriented, design and product perspective this book reimagines security to get away from an older broken model. This book really is a tome, well worth the time. “Security becomes invisible to people, while security successes become visible”” |
Mismatch - How Inclusion Shapes Design | Kat Holmes | 2020 | “Such an approachable book, that talks about the responsibility of inclusion, and how this can and should be a source of innovation and growth. Kat describes how inclusive design is a process and not just an outcome, and the importance of ensuring this is not a retroactive action. Kat suggests part of this process is to build an extended network of “exclusion experts” who contribute to your design process, which I love. I believe anyone could take something from this book, it’s not just for “designers” in the way you might read that traditionally, almost everyone is a designer in some way, creating solutions or working on a project, initiative or program that serves communities. If you’re in security have a quick think about this quote: “Designing with our own abilities as a baseline can lead to solutions that work well for people with similar abilities, but can end up excluding many more people”” |
Threat Modeling: Designing for Security | Adam Shostack | 2014 | “This is the reference guide for understanding threat modeling for software. Microsoft-focused, but applicable more broadly. Find tools and a framework for structured thinking about what can go wrong and accessibly learn to discern changing threats and discover the easiest ways to adopt a structured approach to threat modeling. Authored by a Microsoft professional who is one of the most prominent threat modeling experts in the world” |
Zero Trust Networks: Building Secure Systems in Untrusted Networks | Evan Gilman & Doug Barth | 2017 | “This book was used as a great starter for new joiners at Duo introducing an understanding to the principles of Zero Trust” |
Cult of the Dead Cow | Joseph Menn | 2019 | “This was a fun read, recognising people and all the different things that have happened over the years. I enjoyed the focus on ethics and moral issues within tech & I of course smiled with every mention and quote from Dug Song (I’m entirely biased reading this!), knowing and having experienced how much of an extraordinary leader and person he is. I re-read this line Joseph wrote a few times: “Song believes that professional ethics require him to contribute to the social good”. I was lucky enough to spend some great moments with Dug and cannot overstate the impact that he had on me and my journey in security and how that guides me now. There were so many amazing people in Duo, and Cisco, that had a profound impact on the way I think about and understand security, and I still learn from them all the time. Dug really solidified my belief that we all have the power for change and impact, and can make differences for good. Back to the book, well worth a read.” |
Teaching to Transgress - Education as the Practice of Freedom | bell hooks | 1994 | “This was a stunning book. I enjoyed all the ways in which bell hooks talks about teaching, and the phrase education as the practice of freedom has really stuck with me. Though US-centric at times, this book amplifies the importance and responsibility that comes with teaching. Although the perspective is from teaching in the higher education system, this of course applies to all teaching moments, which could even be a workshop at work or a presentation. The classroom should never be a boring place. If that is the case, pedagogical practices should look to change and interrupt, perhaps disrupt this. An excellent read, the first of a trilogy, and next I’ll look to check out Teaching Community.” |
One of my favourite resources for books in security is the Ohio State University Cyber Canon: https://icdt.osu.edu/cybercanon/bookreviews
Some of my Favourite Articles
“Alienating the Audience: How Abbreviations Hamper Scientific Communication” by Andrew H. Hales, Kipling D. Williams, and Joel Rector
- I have a strong dislike for acronyms and initialisms, the exclusive nature of them frustrates me, and security is rife with them! This is an interesting piece of writing on the topic of abbreviations with a lot of linked research to check out. Here’s another article with an example of how Shopify moved to encouraging clarity and accessibility for all: https://slab.com/blog/shopify-highly-aligned-loosely-coupled/
“Creating a Security Culture Where People Can Admit Mistakes” by Karen Spiegelman
- This article features some great people talking about building trust into security practices and programs in order to enable a positive security culture
“Why Don’t You Go Dox Yourself” by Zoe Lindsey
- 10/10 DJ and all-round amazing person. Zoe had given a great talk about doxxing yourself and turned it into an amazing series of 6 blog posts written “to inform readers about how doxxing happens, and how you can protect yourself from this very real and growing problem by doxxing yourself”
“Safety Hierarchy: Design Vs. Warnings” by Dr. Marc Green
- Human Factors has so much to teach us in security, this is a great article from Marc Green talking about warnings and design. “Conversely, businesses and authorities can promote safety based on the realities of human nature and on what people actually do rather than what would be convenient for them to do”. Dr. Green is referenced a few times in Kelly Shortridge’s amazing book Security Chaos Engineering
“Coordination Headwind - How organizations Are Like Slime Mould” by Alex Komoroske
- I love this for many reasons: great content, presented in an approachable and fun way. Well worth the time flipping through. Talks about the headwinds that can occur in orgs and offers thoughts on what you can do. Also, slime moulds are amazing; there’s a fun rabbit hole to fall down here: https://www.wired.com/2010/01/slime-mold-grows-network-just-like-tokyo-rail-system/
Communication
Comments that are easy to grok: Conventional Comments
- Conventional comments are often used in software development, but these kinds of guides and helpers can be used anywhere: giving feedback in a doc? Replying in a thread on Slack? “Labeling comments encourages collaboration and saves hours of undercommunication and misunderstandings”.
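As an added example (my own code, not from this page or from the Conventional Comments project), here is a small parser for the format the spec defines, `<label> [decorations]: <subject>` followed by an optional discussion, used to triage a review thread. The label and decoration names are the ones the spec lists; the rule that `issue`, `todo` and `chore` block by default unless decorated `(non-blocking)` is my own reading of the spec and is an assumption, and the sample thread is constructed.

```python
"""Parse and triage review comments in the Conventional Comments format.

Added example, not code from the Conventional Comments project.
Format assumed (as the spec describes it):
    <label> [decorations]: <subject>
    [discussion]
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Labels and decorations as listed by the Conventional Comments spec.
LABELS = {"praise", "nitpick", "suggestion", "issue", "todo",
          "question", "thought", "chore", "note"}
DECORATIONS = {"non-blocking", "blocking", "if-minor"}

# Assumption: these labels block a merge unless decorated (non-blocking).
BLOCKING_BY_DEFAULT = {"issue", "todo", "chore"}

_HEADER = re.compile(
    r"^(?P<label>[a-z]+)"               # label, e.g. "suggestion"
    r"(?P<decos>(?:\s*\([a-z-]+\))*)"   # zero or more "(decoration)" groups
    r"\s*:\s*(?P<subject>\S.*)$"        # colon, then a non-empty subject
)


@dataclass
class ConventionalComment:
    label: str
    decorations: List[str]
    subject: str
    discussion: str = ""

    @property
    def blocking(self) -> bool:
        """Explicit decorations win; otherwise fall back to the label default."""
        if "blocking" in self.decorations:
            return True
        if "non-blocking" in self.decorations:
            return False
        return self.label in BLOCKING_BY_DEFAULT


def parse_comment(text: str) -> Optional[ConventionalComment]:
    """Return a parsed comment, or None if the first line is not conventional."""
    lines = text.strip().splitlines()
    if not lines:
        return None
    m = _HEADER.match(lines[0].strip())
    if m is None or m.group("label") not in LABELS:
        return None
    decos = re.findall(r"\(([a-z-]+)\)", m.group("decos"))
    if any(d not in DECORATIONS for d in decos):
        return None
    return ConventionalComment(
        label=m.group("label"),
        decorations=decos,
        subject=m.group("subject").strip(),
        discussion="\n".join(lines[1:]).strip(),
    )


def triage(comments):
    """Split a thread into (blocking, non_blocking, unlabelled) buckets."""
    blocking, non_blocking, unlabelled = [], [], []
    for raw in comments:
        c = parse_comment(raw)
        if c is None:
            unlabelled.append(raw)
        elif c.blocking:
            blocking.append(c)
        else:
            non_blocking.append(c)
    return blocking, non_blocking, unlabelled


# Constructed sample review thread (not taken from a real review).
SAMPLE_THREAD = [
    "praise: Nice use of parameterised queries here.",
    "issue (blocking): The token is logged in plaintext on line 42.\n"
    "Please redact it before this merges.",
    "nitpick (non-blocking): Prefer `is None` over `== None`.",
    "suggestion (if-minor): Pull the retry loop into a helper.",
    "todo: Add a test for the empty-input case.",
    "Looks good, just one thing about naming.",  # not a conventional comment
]

if __name__ == "__main__":
    b, nb, u = triage(SAMPLE_THREAD)
    print(f"{len(b)} blocking, {len(nb)} non-blocking, {len(u)} unlabelled")
    for c in b:
        print(f"  BLOCKING [{c.label}] {c.subject}")
```

Running it on the constructed thread reports two blocking comments (the decorated `issue` and the bare `todo`), three non-blocking ones, and one comment that carries no label at all, which is exactly the kind of item that gets lost in a long thread.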
Blameless Retrospectives: Who Destroyed Three Mile Island? - Nickolas Means
- A great talk, draws you in talking about the Three Mile Island nuclear incident and really hammers home the importance of system design and blameless retrospectives, searching for “second stories” as a key to learning and adapting. Find the real causes, look for what’s wrong in the way the system is designed, don’t blame people!
Communications Centre of Excellence: Discernible
- There’s a great newsletter which I mentioned above, but also loads of blog posts that are great to read and plenty of posts on LinkedIn if that’s your thing, focussed on security and privacy and how good communication is everything.
Security papers
A collection of seminal papers folks have suggested, meaning that they should remain relatively fresh as they are considered highly influential. Note, this isn’t a list of “the best security papers”; you don’t have to (and maybe shouldn’t) agree with everything written, so read critically. Some of these are taken from a collection the amazing Helen Patton put together.
New to academic literature? Skim judiciously. You can get the key ideas of most papers just by reading the abstract, the introduction, and the conclusion. After that, dive deeper into the other sections if you’re interested. How to read a paper (this github repo is an excellent resource called Papers We Love, worth checking out for papers across so many topics).
Title | Author | Year Published | Comment |
---|---|---|---|
This World is Ours | James Mickens | 2014 | Duo’s security team had a bot automatically post this paper annually, at the start of every year! A critique of threat modeling, risk evaluation, and the way the Security community approaches this information and disseminates it to people. Snarky and fun, also teaches you not to take yourself too seriously. |
Smashing The Stack For Fun And Profit | Aleph One | 1996 | From issue 49 of Phrack Magazine, 1996, this has long been the go-to for anyone looking to learn how buffer overflow attacks work. Things have changed and moved on, but it’s still a great article to check out. |
Why Information Security is Hard - An Economic Perspective | Ross Anderson | 2001 | Outlining the non-technical challenges that arise when dealing with security (and basically giving rise to InfoSec Economics). |
All Systems will be Gamed: Exploitive Behavior in Economic and Social Systems | W. Brian Arthur | 2016 | A paper on the nature of exploitative behaviour. |
On the Dangers of Stochastic Parrots: Can Language Models Be Too Big? | Emily M. Bender, Timnit Gebru, Angelina McMillan-Major, Shmargaret Shmitchell | 2021 | Comment from Helen Patton: “Now seems quite prescient given the hallucinations we’ve seen in recent GPT models, but which will nonetheless begin to mediate our experience of the internet and other tech.” |
An Evening with Berferd In Which a Cracker is Lured, Endured, and Studied | Bill Cheswick | 1992 | A great read, an inside look at managing an active incident. Simple in scope but shows how decisions made affect options, and the need to know what you intend to achieve. |
Straight Talk: New Yorkers on Mobile Messaging and Implications for Privacy | Ame Elliott | 2016 | Particularly around the adversarial use of family plans. Not enough technologists or businesspeople consider the human implications of their tech and business model decisions. |
Authentication and Authorization (v2) | Epping, M. & Morowczynski, M. | 2021 | It’s very easy, even as security professionals, to conflate and misunderstand the basics of these concepts. This article describes the fundamentals of authentication and authorization, two core components of Identity and Access Management. It also delves into federation and Identity Providers, common tools for performing authentication and authorization in an organization. |
The Market for Silver Bullets | Ian Grigg | 2008 | Picks up on Akerlof et al’s Nobel-worthy work on information asymmetry and applies it to security purchases. |
Secure Deletion of Data from Magnetic and Solid-State Memory | Peter Gutmann | 1996 | It brought the risk of remnant data on digital media to the forefront & highlighted the many risks. It’s 27 years old, but still quite relevant! |
So Long and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users | Cormac Herley | 2010 | A great paper on the rejection of security advice! |
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains | Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin | 2011 | If you’re going to mock the cyber kill chain, at least read the paper first |
The Moral Character of Cryptographic Work | Phillip Rogaway | 2015 | The moral aspects of our security work. |
An investigation of the Therac-25 accidents | Nancy G. Leveson & Clark S. Turner | 1993 | It may not be directly security related, but it deals with system assumptions and the failures of those systems. |
Opportunity Cost and Missed Chances in Optimizing Cybersecurity | Kelly Shortridge, Josiah Dykstra | 2023 | A strong recommendation for security teams, though this lays out a great way of approaching things for all teams. As we think about how we operate, and the services we offer, the concepts raised in this article are important to consider, especially working from a null baseline: “the costs and benefits of an option must be compared with those of doing nothing. This is known as the null baseline.” |
Tooling I Use to Learn
Note Taking: I use Obsidian
- There is a whole industry on YouTube of people chasing the perfect productivity setup and switching apps every two seconds. I’ve learnt that just finding something you mostly like and sticking with it, with maybe a little bit of refining, works best. Otherwise all that productivity goes on learning and messing with new productivity tools. Robert Kerby turned me onto Obsidian and I’m a big fan, easy to use for the most part and I can easily integrate it into other things so notes get thrown in there for me to refer to later.
Collating Information: I collate stuff in one place using Readwise Reader
- This is something new for me and instead of death by emails and bookmarks I now just chuck papers, blog posts, articles and have all newsletters run through this. The best part is that I can highlight things and make notes on there, these notes then sync to Obsidian and now I have something in my vault. Can do the same with Youtube videos too and it works for me.
Mindmaps: I use Miro in the browser and desktop and Mindnode on iOS
- Miro has been a go-to tool for mindmaps and also for way more. I was introduced to Miro when doing a Design Thinking course at Cisco years ago and since then it’s facilitated loads of great chats, meetings and workshops, and I personally use it to lay out ideas and thoughts too. Mindnode works really well for mindmaps on iOS, and all of this can always be pulled into Obsidian along with any notes on a subject.
Repos and Other Resources
Awesome Security: https://github.com/okhosting/awesome-cyber-security
- This Github repo links out to a bunch of community gathered resources, really varied and there is almost too much to run through but if you’re looking for something it’ll likely be linked in one of the other repos, great stuff
Awesome Secure Defaults: https://github.com/tldrsec/awesome-secure-defaults
- Recently added, this is a great curated set of secure-by-default open source libraries you can use today.
Threat Modeling: https://shellsharks.com/threat-modeling
- One of my favourite resources for threat modeling, lots to learn
Security Certs: https://pauljerimy.com/security-certification-roadmap/
- If certs are your thing this site is the best I’ve come across for sectioning them and listing them out, has pricing in there (in USD)
Papers: https://github.com/papers-we-love/papers-we-love?tab=readme-ov-file
- A HUGE resource for papers that is kept pretty up to date, mentioned it above but it might have something of interest buried in there
Starting Up Security: https://scrty.io/
- Ryan McGeehan’s excellent writing aimed at new leadership for new security teams
Semgrep Academy: https://academy.semgrep.dev/
- The amazing Tanya Janca joined Semgrep and brought WeHackPurple with her, and now there’s Semgrep Academy
Colour and Design: Colour Contrast by WebAIM
- Accessibility is key, not just important. This is a nice simple colour contrast tool that’s easy to use and means you can start by making sure you’re making accessible decisions from the start. There’s a lot more in colour theory you can go into but this is just a nice simple tool.
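As an added example (my own code, not WebAIM’s tool or anything from this page), here is the calculation such a checker performs: WCAG 2.x relative luminance of each colour from its sRGB channels, the contrast ratio `(L1 + 0.05) / (L2 + 0.05)`, and the pass/fail thresholds for the AA and AAA success criteria. The formulas and thresholds are WCAG’s own; the helper and function names, and the sample colours, are mine.

```python
"""WCAG 2.x contrast-ratio check, the calculation behind colour contrast tools.

Added example; not WebAIM's code. Relative luminance, contrast ratio and the
AA/AAA thresholds follow the WCAG 2.x definitions.
"""


def _srgb_channel_to_linear(value: int) -> float:
    """Map an 8-bit sRGB channel to linear light (WCAG 2.x definition)."""
    c = value / 255.0
    if c <= 0.03928:
        return c / 12.92
    return ((c + 0.055) / 1.055) ** 2.4


def hex_to_rgb(colour: str):
    """Parse '#rrggbb' or '#rgb' into an (r, g, b) tuple of ints 0-255."""
    h = colour.strip().lstrip("#")
    if len(h) == 3:
        h = "".join(ch * 2 for ch in h)
    if len(h) != 6 or any(ch not in "0123456789abcdefABCDEF" for ch in h):
        raise ValueError(f"not a hex colour: {colour!r}")
    return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))


def relative_luminance(colour: str) -> float:
    """WCAG relative luminance: 0.0 for black, 1.0 for white."""
    r, g, b = (_srgb_channel_to_linear(v) for v in hex_to_rgb(colour))
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def contrast_ratio(fg: str, bg: str) -> float:
    """(L1 + 0.05) / (L2 + 0.05) with L1 the lighter colour; ranges 1.0 to 21.0."""
    l1, l2 = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (l1 + 0.05) / (l2 + 0.05)


def wcag_levels(fg: str, bg: str, large_text: bool = False) -> dict:
    """Pass/fail against the WCAG 2.x contrast thresholds.

    Normal text: AA needs 4.5:1, AAA needs 7:1.
    Large text (at least 18pt, or 14pt bold): AA needs 3:1, AAA needs 4.5:1.
    """
    ratio = contrast_ratio(fg, bg)
    aa, aaa = (3.0, 4.5) if large_text else (4.5, 7.0)
    return {"ratio": round(ratio, 2), "AA": ratio >= aa, "AAA": ratio >= aaa}


if __name__ == "__main__":
    # Sample colours chosen for the example: #777777 on white is the classic
    # near-miss (about 4.48:1, just under AA's 4.5:1), #767676 just passes.
    for fg, bg in [("#000000", "#ffffff"), ("#777777", "#ffffff"), ("#767676", "#ffffff")]:
        print(fg, "on", bg, wcag_levels(fg, bg))
```

The useful lesson is in the near-miss: grey text that looks fine on a good monitor can sit a hair under the AA threshold, which is why checking numerically from the start beats eyeballing it later.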