I just came back from a hackers' conference about internet security, and I'm interested in learning web security and protecting companies from hackers. But I don't know where to start or what languages to learn.

Could anybody point me in the right direction for this?

+1  A: 

This is kind of an enormous field. People make lifetime careers from it. As a beginner, you'll want to learn:

  • Javascript, and once you know it, read about cross-site scripting attacks
  • SQL, and once you know the basics, injection attacks
  • Basics about hashes, salts, public key encryption, and how HTTPS works
  • How certificates work

That should be a good start.

+1  A: 

The classic article 'Smashing the Stack for Fun and Profit' is a must read.

It deals with buffer overflows - a very common exploit. Although it's relatively low-level, understanding buffer overflows is definitely a first step in learning about security.

That paper is a bit dated; these attacks won't work on a modern system. Although I gave you a +1 because I agree that understanding the attacker's perspective is vital.

+1  A: 

Languages don't matter, not really, security is an approach more than an implementation. You can use numerous languages and frameworks to write internet applications, and the securing of the applications should be built in, not layered on top. If you want to protect existing web sites then it involves rewriting the vulnerable code, or putting a web application firewall between the application and the internet.

You'd be better off focussing on the concepts first, and learning how to apply them in languages of your choice. The Microsoft Secure Development Lifecycle, and the work they've done around Threat Modelling, is something else you should examine - as it covers building it in from the beginning and creating feedback loops with each iteration of development.

(Oh, and I did write a book on ASP.NET security grin)

That's very nice for you. I strongly reject any thought that your comment is helpful.
In 2006 46% of all CVE numbers issued were PHP related. A building will crumble if it is built on a weak foundation. Microsoft has the worst history of security. Although they have improved, they still have to bribe people to write blogs about how "secure" their platform is. Furthermore, an 0-day was just patched in IE, leaving their users vulnerable to attack for about a month. This is completely and totally irresponsible behavior.
Uh-huh. And yet that's kind of orthogonal to the original question (and the comment you removed). The common web vulnerabilities are platform independent, and heck you provided this with the one you're so proud of (which was admittedly hilarious). For beginners the platform simply doesn't matter, it's the concepts and the way of thinking.
@blowdart I believe my argument is a straight line and therefore perpendicular is more apt than orthogonal.
@blowdart Systematics aside, platform specific attacks are the basis of my Defcon talk masSEXploitatoin, and I would be delighted if you saw it. In this talk I provide anecdotal evidence to support my foundation argument. In my talk I am discussing methods of bypassing advanced security systems such as SELinux and AppArmor. Currently these systems do not exist for Windows, thus exploitation for this platform is more simplistic.
I've only been in the US for six months, and I'm still thinking about which conferences to attend. I'm skipping Blackhat, and I'm not sure about Defcon yet, we'll see. I'll watch online if I can't make it in person :)
@blowdart very cool :)

One of the most important lessons to be learned when implementing security in any application is NOT to use home-brewed security systems - you always end up making the application less secure.

Do not attempt to write a new hash algorithm, or streaming encryption method, or any of 100 other pieces.

Always use well known, well tested modules and algorithms such as OpenSSL, Blowfish encryption and salted password hashes.


One of the more interesting ways (albeit possibly less extension) of learning about web security is to do challenges where your goal is to exploit vulnerabilities. You can't patch vulnerabilities you don't know exist.

There are a number of these challenge sites, but I think my favorite are


Challenges will have pre-requisite knowledge, but it certainly motivates you to learn.

There's a huge list of sites on this aggregator:

Jamie Wong
+2  A: 

Everyone has their own philosophy of security. Developing your own philosophy is vital. This is the reason why Bruce Schneier is so popular, and I read every blog post.

In the current state of security the landscape is littered with security systems that fail. I believe this is because of the following quote.

"What I cannot create, I do not understand."

--Richard Feynman

Learning how to break software is the most important step in learning in how to protect it from attack. You must find vulnerabilities in software and write exploit code.

I'm not quite sure if I would go as far as saying "you must write exploit code", but I'd agree with "you must have reproduced a vulnerability at least once". E.g. you must have tried `password = "' OR 1 = 1"` at least once to get an appreciation for SQL injection. +1 anyway.
@deceze If all you can leverage is a simple tautology, then this is all you can adequately defend against. How do you go about testing a patch?
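The tautology quoted in the comment above, reproduced against a throwaway SQLite table next to the parameterised query that stops it; this is an added example, not code from the answer or the comments, and it also illustrates the SQL injection bullet in the first answer. The payload is written in its quote-balanced form so the statement parses, and the table contents and credentials are constructed.

```python
import sqlite3

# Added illustration, not code from the answer or the comments. The users
# table and its credentials are constructed for this example.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Untrusted input is spliced into the SQL text, so a quote in the input
    # changes the statement's structure instead of staying a value.
    sql = (f"SELECT 1 FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Placeholders hand the values to the driver separately; the statement's
    # shape is fixed before any input is seen.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


TAUTOLOGY = "' OR '1'='1"  # quote-balanced form of the comment's example


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "alice", "s3cret"))   # True: normal login
    print(login_vulnerable(conn, "alice", TAUTOLOGY))  # True: bypass
    print(login_safe(conn, "alice", TAUTOLOGY))        # False: input stays data
```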
+1  A: 

The best place to start is the OWASP (Open Web Application Security Project). They have lots of resources, including the OWASP Top Ten, which covers the 10 most critical vulnerabilities/risks for web applications, and their Secure Code Development Guide, which can be read online (wiki) or downloaded as a PDF.

They also have the Web Goat, a vulnerable web application that people can download and play with to learn about vulnerabilities, how they work and the best approach to correct them. It's pretty interesting and it comes with tips and solutions.

They also organize conferences (check the video session of the web site, they usually publish the videos and slides of the talks) and the chapters in different cities organize meetings where people talk about interesting aspects of web app security. You should consider joining one in your area.

You can find all the information on the OWASP web site: