1. Web Developer Security Checklist – https://www.powerdown.io/blog/posts/stories/web-developer-security-checklist.html
2. Top 125 Security Tools:  http://sectools.org
3. Free Security Software downloads:  http://www.oldergeeks.com
4. How to Geek (Shortcuts/Cheatsheets): https://www.howtogeek.com
5. Linux 101 Hacks E-Book, How-to Cheatsheets: https://www.thegeekstuff.com
6. Edit the cookie: http://www.editthiscookie.com
7. Ghostery (Ad Blocker): https://www.ghostery.com
8. No Scripts (Blocks malicious scripts, plug-ins, and other Web attack code) – https://noscript.net
9. EFF Privacy Badger (Blocks spying ads & invisible trackers) – https://www.eff.org/privacybadger
10. SysInternals Suite: https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
11. OS Forensics (Free) – https://www.osforensics.com
12. WinHex Forensics & Data recovery – http://www.x-ways.net/winhex/
13. Sandboxie Isolation Technology (Programs from OS): https://www.sandboxie.com
14. Windows Powershell – https://docs.microsoft.com/en-us/powershell/scripting/setup/starting-windows-powershell
15. Windows Powershell help – https://docs.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help?view=powershell-6
16. PDQ Inventory – https://www.pdq.com
17. Software update bots. – https://ninite.com
18. Windows Patching – https://batchpatch.com
19. Choclatee Package Manager – https://chocolatey.org
20. NMAP – https://nmap.org
21. Wireshark – https://wireshark.org
22. TCPDump – http://www.tcpdump.org
23. Home network protection and performance – https://www.fing.io
24. AES Encrypt File encryption – https://www.aescrypt.com
25. Anonymous browsing – https://tails.boum.org
26. Tor Project – http://www.torproject.org
27. Anonymous  – http://anonymouse.org
28. Proxies – http://www.econsultant.com/proxylist/index.html
29. OWASP Zed Attack Proxy – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
30. Portswigger Burp Suite – https://portswigger.net/burp
31. Guardicore Infection Monkey – https://www.guardicore.com/infectionmonkey/
32. Metasploit – https://www.metasploit.com
33. Lenny’s Security Cheatsheets – https://zeltser.com/cheat-sheets/
34. Windows Malware Archeology – Cheatsheet : https://www.malwarearchaeology.com/cheat-sheets/
35. Geolocation services – http://www.geocreepy.com
36. People search – https://www.peekyou.com
37. Free Microsoft books – https://blogs.msdn.microsoft.com/mssmallbiz/
38. 2016 Security tools –  http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/
39. Password Generator – http://passwordsgenerator.net
40. Open Source CA – https://www.ejbca.org
41. Free SSL/TLS certificates – https://letsencrypt.org
42. Deploying LetsEncrypt on AWS – https://medium.com/@gnowland/deploying-lets-encrypt-on-an-amazon-linux-ami-ec2-instance-f8e2e8f4fc1f
43. Deploying LetsEncrypt for CloudFront – https://www.cgmartin.com/2016/01/19/securing-aws-cloudfront-with-free-ssl-certificates-from-lets-encrypt/
44. OpenSSL Cheatsheets:
    • https://medium.freecodecamp.org/openssl-command-cheatsheet-b441be1e8c4a
    • https://gist.github.com/davewongillies/7050080
45. Linux Privilege Escalation – https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
46. Windows Privilege Escalation – https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
47. Prowler – Raspberry based Network Scanner – https://www.kitploit.com/2018/05/prowler-distributed-network.html

Github Security Best Practices

• Snyk Cheatsheet: https://snyk.io/blog/ten-git-hub-security-best-practices/

AWS Cloud Security & Auditing tools on Github & Others

• AWS CIS Benchmark Quickstart: https://aws.amazon.com/quickstart/architecture/accelerator-cis-benchmark/
• Scout2: https://github.com/nccgroup/Scout2
• Prowler https://github.com/toniblyx/prowler
• AWS Resource Counter (Quick Inventory Checks): https://github.com/disruptops/resource-counter
• Netflix Security Monkey (Track Policy and Config Changes): https://github.com/Netflix/security_monkey
• CapitalOne Cloud Custodian (Policy & Encryption): https://github.com/capitalone/cloud-custodian
• Common Mistakes and Gotchas: http://flaws.cloud/
• AWS Attack library: https://github.com/carnal0wnage/weirdAAL/wiki
• AWS Guard Duty Tester Template – SSH and RDP Bruteforce test, Cryptojacking: https://github.com/awslabs/amazon-guardduty-tester
• AWS Cloud Network Diagram – Cloud Mapper: https://github.com/duo-labs/cloudmapper
• Quick CIDR Maker: http://cidr.xyz

S3 Bucket Security

• S3 Bucket Policy Report: https://github.com/bear/s3scan
• S3 Bucket Scanner (Find Open ones without policies) : https://github.com/sa7mon/S3Scanner

AWS IAM and Access Key Management

• Access Key Credential Scanner (in Files and Jenkins): https://github.com/disruptops/cred_scanner
• AWS IAM Key Disabler: https://github.com/te-papa/aws-key-disabler
• Netflix Repokid – AWS Access Advisor for Least Privileges: https://github.com/Netflix/repokid
• Git Secret Manager (Prevents storing AWS secrets in Git): https://github.com/awslabs/git-secrets
• Stuhirst Arsenal: https://github.com/stuhirst/awssecurity/blob/master/arsenal.md

Java Cryptography

• OWASP Examples of JCE: https://www.owasp.org/index.php/Using_the_Java_Cryptographic_Extensions
• OWASP Examples of JSSE: https://www.owasp.org/index.php/Using_the_Java_Secure_Socket_Extensions (I wrote the code for Core Security Patterns book)

Post Quantum Crypto – PQCrypto, SafeCrypto Algorithms

• Open Quantum Safe: OQSKEM (OpenSSL Fork): https://github.com/open-quantum-safe/openssl
• Open Quantum Safe (liboqs): https://github.com/open-quantum-safe/liboqs
• ISARA PQC Testing Samples: https://github.com/isaracorp/Toolkit-Samples

 

 

Thanks to Glenn Brunette, Ron Woerner, Stu Hirst and many friends/contributors for sharing pointers and motivating me to put this page…. and it keeps growing!