Security Education

Here you’ll find some pared down security education resources, I’ve tried to not leave a dump of all the security education things ever and instead offer something tailored and curated. There are some amazing resources and repos out there filled with loads of stuff and some will be linked in here. There are also plenty of non-security materials here as well, as there is much to learn that can be brought into security 😁

The Stuff I Use and Like 🖤

It’s way too easy to get overloaded trying to “keep up to date”, especially in security. I used to subscribe to loads of newsletters and listen to a bunch of podcasts but now I’ve stripped it all back and below are a few of the things I like and resources I turn to:

Podcasts 🎙️

Risky Biz Podcast

Host: Patrick Gray http://risky.biz/netcasts/risky-business | Link

  • “Easily my favourite, no fluff and a nice international view of the security news and world with some great guests”

Security Cryptography Whatever

Hosts: David Adrian, Deirdre Connolly, and Thomas Ptacek https://securitycryptographywhatever.com/about/ | Link

  • “A great technical podcast that often digs into details that go well beyond my crypto and security knowledge but that’s the part I also really enjoy”

Newsletters 🗞️

tl;dr sec

Creator: Clint Gibler Link

  • “Great resource for research, tools, tips and other bits in security. I had this recommended to me by almost all the folks on an AppSec team I was on. Clint is Head of Security Research @semgrep.”

Risky Biz News

Author: Catalin Cimpanu Link

  • “Really nice short and punchy newsletter, easy to skim through and grab out the latest things going on with some great stuff delivered a couple of times a week, there’s a podcast too but I like the newsletter”

Discernible

Authors: Whole team of amazing people Link

  • “Excellent content spanning security and privacy, with a focus on communication, one of, if not the, most valuable things in security”

Books 📗

A short list of some books I’ve enjoyed, some may be security adjacent, there is so much to learn outside of security that can easily apply.

| Title 📗 | Author ✍️ | Year Published ⏳ | Comment 💬 |
| --- | --- | --- | --- |
| The Cuckoo’s Egg | Cliff Stoll | 1989 | “A really fun, non-technical read on early hacking.” Reprinted in 2005. |
| Security Chaos Engineering | Kelly Shortridge with Aaron Rinehart | 2023 | “I’m actually reading and re-reading this book right now, and it is excellent! Great thoughts, examples and insight into building resilience into security. Approaching things from a more platform-oriented, design and product perspective, this book reimagines security to get away from an older broken model. This book really is a tome, well worth the time. ‘Security becomes invisible to people, while security successes become visible’” |
| Mismatch - How Inclusion Shapes Design | Kat Holmes | 2020 | “Such an approachable book, that talks about the responsibility of inclusion, and how this can and should be a source of innovation and growth. Kat describes how inclusive design is a process and not just an outcome, and the importance of ensuring this is not a retroactive action. Kat suggests part of this process is to build an extended network of ‘exclusion experts’ who contribute to your design process, which I love. I believe anyone could take something from this book, it’s not just for ‘designers’ in the way you might read that traditionally, almost everyone is a designer in some way, creating solutions or working on a project, initiative or program that serves communities. If you’re in security have a quick think about this quote: ‘Designing with our own abilities as a baseline can lead to solutions that work well for people with similar abilities, but can end up excluding many more people’” |
| Threat Modeling: Designing for Security | Adam Shostack | 2014 | “This is the reference guide for understanding threat modeling for software. Microsoft-focused, but applicable more broadly. Find tools and a framework for structured thinking about what can go wrong and accessibly learn to discern changing threats and discover the easiest ways to adopt a structured approach to threat modeling. Authored by a Microsoft professional who is one of the most prominent threat modeling experts in the world” |
| Zero Trust Networks: Building Secure Systems in Untrusted Networks | Evan Gilman & Doug Barth | 2017 | “This book was used as a great starter for new joiners at Duo, introducing an understanding of the principles of Zero Trust” |
| Cult of the Dead Cow | Joseph Menn | 1994 | “This was a fun read, recognising people and all the different things that have happened over the years. I enjoyed the focus on ethics and moral issues within tech & I of course smiled with every mention and quote from Dug Song (I’m entirely biased reading this!), knowing and having experienced how much of an extraordinary leader and person he is. I re-read this line Joseph wrote a few times: ‘Song believes that professional ethics require him to contribute to the social good’. I was lucky enough to spend some great moments with Dug and cannot understate the impact that he had on me and my journey in security and how that guides me now. There were so many amazing people in Duo, and Cisco, that had a profound impact on the way I think about and understand security, and I still learn from them all the time. Dug really solidified my belief that we all have the power for change and impact, and can make differences for good. Back to the book, well worth a read.” |
| Teaching to Transgress - Education as the Practice of Freedom | Bell Hooks | 1994 | “This was a stunning book. I enjoyed all the ways in which Bell Hooks talks about teaching and the phrase education as the practice of freedom has really stuck with me. Though US-centric at times, this book amplifies the importance and responsibility that comes with teaching. Although the perspective is from teaching in the higher education system, this of course applies to all teaching moments, which could even be a workshop at work or a presentation. The classroom should never be a boring place. If that is the case, pedagogical practices should look to change and interrupt, perhaps disrupt this. An excellent read, part of 3 essays, and next I’ll look to check out Teaching Community.” |

One of my favourite resources for books in security is the Ohio State University Cyber Canon: https://icdt.osu.edu/cybercanon/bookreviews


Some of my Favourite Articles 📄

“Alienating the Audience: How Abbreviations Hamper Scientific Communication” by Andrew H. Hales, Kipling D. Williams, and Joel Rector

  • I have a strong dislike for acronyms and initialisms, the exclusive nature of them frustrates me, and security is rife with them! This is an interesting piece of writing on the topic of abbreviations with a lot of linked research to check out. Here’s another article with an example of how Shopify moved to encouraging clarity and accessibility for all: https://slab.com/blog/shopify-highly-aligned-loosely-coupled/

“Creating a Security Culture Where People Can Admit Mistakes” by Karen Spiegelman

  • This article features some great people talking about building trust into security practices and programs in order to enable a positive security culture

“Why Don’t You Go Dox Yourself” by Zoe Lindsey

  • 10/10 DJ and all-round amazing person. Zoe had given a great talk about doxxing yourself and turned it into an amazing series of 6 blog posts written “to inform readers about how doxxing happens, and how you can protect yourself from this very real and growing problem by doxxing yourself”

“Safety Hierarchy: Design Vs. Warnings” by Dr. Marc Green

  • Human Factors has so much to teach us in security, and this is a great article from Marc Green talking about warnings and design. “Conversely, businesses and authorities can promote safety based on the realities of human nature and on what people actually do rather than what would be convenient for them to do”. Dr. Green is referenced a few times in Kelly Shortridge’s amazing book Security Chaos Engineering

“Coordination Headwind - How Organizations Are Like Slime Mould” by Alex Komoroske


Communication 📟

Comments that are easy to grok: Conventional Comments

  • Conventional comments are often used in software development, but these kinds of guides and helpers can be used anywhere: giving feedback in a doc? Replying in a thread on Slack? “Labeling comments encourages collaboration and saves hours of undercommunication and misunderstandings”.

Blameless Retrospectives: Who Destroyed Three Mile Island? - Nickolas Means

  • A great talk, draws you in talking about the Three Mile Island nuclear incident and really hammers home the importance of system design and blameless retrospectives, searching for “second stories” as a key to learning and adapting. Find the real causes, look for what’s wrong in the way the system is designed, don’t blame people!

Communications Centre of Excellence: Discernible

  • There’s a great newsletter which I mentioned above, but also loads of blog posts that are great to read and plenty of posts on LinkedIn if that’s your thing, focussed on security and privacy and how good communication is everything.

Security papers 📜

A collection of seminal papers folks have suggested, meaning that they should remain relatively fresh as they are considered highly influential. Note, this isn’t a list of “the best security papers”; you don’t have to (and maybe shouldn’t) agree with everything written, so read critically. Some of these are taken from a collection the amazing Helen Patton put together.

New to academic literature? Skim judiciously. You can get the key ideas of most papers just by reading the abstract, the introduction, and conclusion sections. After that, dive deeper into the other sections if you’re interested. How to read a paper (this github repo is an excellent resource called Papers We Love, worth checking out for papers across soooo many topics).

| Title 📗 | Author ✍️ | Year Published ⏳ | Comment 💬 |
| --- | --- | --- | --- |
| This World is Ours | James Mickens | 2014 | Duo’s security team had a bot automatically post this paper annually, at the start of every year! A critique of threat modeling, risk evaluation, and the way the security community approaches this information and disseminates it to people. Snarky and fun, it also teaches you not to take yourself too seriously. |
| Smashing The Stack For Fun And Profit | Aleph One | 1996 | From issue 49 of Phrack Magazine, 1996, this has long been the go-to for anyone looking to learn how buffer overflow attacks work; though things have changed and moved on, it’s a great article to check out. |
| Why Information Security is Hard – An Economic Perspective | Ross Anderson | 2001 | Outlining the non-technical challenges that arise when dealing with security (and basically giving rise to InfoSec Economics). |
| All Systems will be Gamed: Exploitive Behavior in Economic and Social Systems | Arthur, W. B. | 2016 | A paper on the nature of exploitative behaviour. |
| On the Dangers of Stochastic Parrots: Can Language Models Be Too Big? | Emily M. Bender, Timnit Gebru, Angelina McMillan-Major, Shmargaret Shmitchell | 2021 | Comment from Helen Patton: “Now seems quite prescient given the hallucinations we’ve seen in recent GPT models, but which will nonetheless begin to mediate our experience of the internet and other tech.” |
| An Evening with Berferd In Which a Cracker is Lured, Endured, and Studied | Bill Cheswick | 1997 | A great read, an inside look at managing an active incident. Simple in scope, but shows how decisions made affect options, and the need to know what you intend to achieve. |
| Straight Talk: New Yorkers on Mobile Messaging and Implications for Privacy | Ame Elliott | 2016 | Particularly around the adversarial use of family plans. Not enough technologists or businesspeople consider the human implications of their tech and business model decisions. |
| Authentication and Authorization (v2) | Epping, M. & Morowczynski, M. | 2021 | It’s very easy, even as security professionals, to conflate and misunderstand the basics of these concepts. This article describes the fundamentals of authentication and authorization, two core components of Identity and Access Management. It also delves into federation and Identity Providers, common tools for performing authentication and authorization in an organization. |
| The Market for Silver Bullets | Ian Grigg | 2008 | Picks up on Akerlof et al’s Nobel-worthy work on information asymmetry and applies it to security purchases. |
| Secure Deletion of Data from Magnetic and Solid-State Memory | Peter Gutmann | 1996 | It brought the risk of remnant data on digital media to the forefront & highlighted the many risks. It’s 27 years old, but still quite relevant! |
| So Long and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users | Cormac Herley | 2010 | A great paper on the rejection of security advice! |
| Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains | Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin | 2011 | If you’re going to mock the cyber kill chain, at least read the paper first 😉 |
| The Moral Character of Cryptographic Work | Phillip Rogaway | 2015 | The moral aspects of our security work. |
| An investigation of the Therac-25 accidents | Leveson, Nancy G., Turner, Clark S. | 1993 | It may not be directly security related, but it deals with system assumptions and the failures of those systems. |
| Opportunity Cost and Missed Chances in Optimizing Cybersecurity | Kelly Shortridge, Josiah Dykstra | 2023 | A strong recommendation for security teams, though this lays out a great way of approaching things for all teams. As we think about how we operate, and the services we offer, the concepts raised in this article are important to consider, including working from a null baseline: “the costs and benefits of an option must be compared with those of doing nothing. This is known as the null baseline.” |

Tooling I Use to Learn 🛠️

Note Taking: I use Obsidian

  • There is a whole industry on YouTube of people chasing the perfect productivity setup and switching apps every two seconds. I’ve learnt that just finding something you mostly like and sticking with it, with maybe a little bit of refining, works best. Otherwise all that productivity goes on learning and messing with new productivity tools. Robert Kerby turned me onto Obsidian and I’m a big fan, easy to use for the most part and I can easily integrate it into other things so notes are getting thrown in there for me to refer to later.

Collating Information: I collate stuff in one place using Readwise Reader

  • This is something new for me, and instead of death by emails and bookmarks I now just chuck papers, blog posts and articles in and have all newsletters run through this. The best part is that I can highlight things and make notes on there, these notes then sync to Obsidian and now I have something in my vault. Can do the same with YouTube videos too and it works for me.

Mindmaps: I use Miro in the browser and desktop and Mindnode on iOS

  • Miro has been a go-to tool for mindmaps and also for way more. I was introduced to Miro when doing a Design Thinking course at Cisco years ago and since then it’s facilitated loads of great chats, meetings and workshops, and I personally use it to lay out ideas and thoughts too. Mindnode works really well for mindmaps on iOS too, and all of this can always be pulled into Obsidian along with any notes on a subject.

Repos and Other Resources 🎓

Awesome Security: https://github.com/okhosting/awesome-cyber-security

  • This GitHub repo links out to a bunch of community-gathered resources, really varied, and there is almost too much to run through, but if you’re looking for something it’ll likely be linked in one of the other repos. Great stuff.

Awesome Secure Defaults: https://github.com/tldrsec/awesome-secure-defaults

  • Recently added, this is a great curated set of secure-by-default open source libraries you can use today.

Threat Modeling: https://shellsharks.com/threat-modeling

  • One of my favourite resources for threat modeling, lots to learn

Security Certs: https://pauljerimy.com/security-certification-roadmap/

  • If certs are your thing this site is the best I’ve come across for sectioning them and listing them out, has pricing in there (in USD)

Papers: https://github.com/papers-we-love/papers-we-love?tab=readme-ov-file

  • A HUGE resource for papers that is kept pretty up to date; I mentioned it above, but it might have something of interest buried in there.

Starting Up Security: https://scrty.io/

  • Ryan McGeehan’s excellent writing aimed at new leadership for new security teams

Semgrep Academy: https://academy.semgrep.dev/

  • The amazing Tanya Janka joined Semgrep and brought WeHackPurple with her and now there’s Semgrep Academy

Colour and Design: Colour Contrast by WebAIM

  • Accessibility is key, not just important. This is a nice simple colour contrast tool that’s easy to use and means you can start by making sure you’re making accessible decisions from the start. There’s a lot more in colour theory you can go into but this is just a nice simple tool.