I just came back from a hackers conference about internet security and I'm interested in learning web security and protecting companies from hackers. But I don't know where to start and what languages to learn..
Could anybody point me in the right direction for this?
This is kind of an enormous field. People make lifetime careers from it. As a beginner, you'll want to learn:
That should be a good start.
The classic article 'Smashing the Stack for Fun and Profit' is a must read.
It deals with buffer overflows - a very common exploit. Although it's relatively low-level, understanding buffer overflows is definitely a first step in learning about security.
Languages don't matter, not really, security is an approach more than an implementation. You can use numerous languages and frameworks to write internet applications, and the securing of the applications should be built in, not layered on top. If you want to protect existing web sites then it involves rewriting the vulnerable code, or putting a web application firewall between the application and the internet.
You'd be better off focussing on the concepts first, and learning how to apply them in languages of your choice. The Microsoft Secure Development Lifecycle, and the work they've done around Threat Modelling is something else should examine - as it covers building it in from the beginning and creating feedback loops with each iteration of development.
(Oh, and I did write a book on ASP.NET security grin)
One of the most important lessons to be learned when implementing security in any application is NOT to use home-brewed security systems - you always end up making the application less secure.
Do not attempt to write a new hash algorithm, or streaming encryption method, or any of 100 other pieces.
Always use well known, well tested modules and algorithms such as OpenSSL, Blowfish encryption and salted password hashes.
One of the more interesting ways (albeit possibly less extension) of learning about web security is to do challenges where your goal is to exploit vulnerabilities. You can't patch vulnerabilities you don't know exist.
There are a number of these challenge sites, but I think my favorite are
and
Challenges will have pre-requisite knowledge, but it certainly motivates you to learn.
There's a huge list of sites on this aggregator: http://wechall.net
Everyone has their own philosophy of security. Developing your own philosophy is vital. This is the reason why Bruce Schneier is so popular, and I read every blog post.
In the current state of security the landscape is littered with security systems that fail. I believe this is because of the following quote.
"What I cannot create, I do not understand."
--Richard Feynman
Learning how to break software is the most important step in learning in how to protect it from attack. You must find vulnerabilities in software and write exploit code.
The best place to start is the OWASP (Open Web Application Security Project). They have lots of resources, including the OWASP Top Ten, including the 10 most critical vulnerabilities/risks for web applications and their Secure Code Development Guide that can be read online (wiki) or downloaded in PDF.
They also have the Web Goat, a vulnerable web application that people can download and play with to learn about vulnerabilities, how they work and the best approach to correct them. It's pretty interesting and it comes with tips and solutions.
They also organize conferences (check the video session of the web site, they usually publish the videos and slides of the talks) and the chapters in different cities organize meetings where people talk about interesting aspects of web app security. You should consider joining one in your area.
You can all the information in the OWASP web site: http://www.owasp.org