Appendix
External references and resources
In addition to the references spread in the chapters - most often as “Further reading” - here is an extended list of hacking and security resources.
It is important that you rate those resources for yourself. I use these personal categories:
- ALERT: Resources that are fast to alert, but I do not expect in-depth coverage
- DEEP: Slow (months after the incident) but incredibly deep coverage
- SIMPLE: Resources to share with non-tech people
- KNOWLEDGE: General knowledge covering a specific technology. Not a source for threat intelligence
All of them have their benefits and you should always use the proper source for the task at hand.
Books
Book: Practical Internet of Things Security
Practical Internet of Things Security by Drew Van Duren, Brian Russell
A very methodical book covering
- Threat modelling
- Design
- Life cycle
- Basic Cryptography
- Authentication/Authorization
- Compliance monitoring
- IoT Incidence Response
A good overview.
Potential improvement: Go deeper into details and specific technology. For example: Crypto chapter is a good start but really using crypto will require more books to be read. Says the one writing a “security overview book”…I know….
Book: “Test driven development for embedded C”
Test Driven Development for Embedded C by James W. Grenning
A pragmatic and step-by-step approach to developing for embedded systems in C while still benefiting from unit tests.
This book will improve your software quality and security.
The Browser Hacker’s Handbook
The Browser Hacker’s Handbook by Michele Orru, Christian Frichot, Wade Alcorn. Essential knowledge on how to hack and secure a browser. Lots of focus on the BeEF framework.
Book: IoT Penetration Cookbook
IoT Penetration Cookbook by Aaron Guzman, Aditya Gupta
Wide spectrum of offensive technologies. Good for creating a checklist of what to protect. Be prepared to read more in-depth books for the technologies you are interested in.
Book: Pragmatic Thinking and Learning
Pragmatic Thinking and Learning, by Andy Hunt
Explains your most important tool as a computer expert: Your brain. How to use it, how to learn. A very important book for me. Written for the engineer.
Driving Technical Change
Driving Technical Change, by Terrence Ryan
A book explaining how to introduce new technologies in a team or company. Simple to read, but with very essential tricks for the tech guy on how to get the mental boulders blocking change out of the way.
Anti Patterns
Anti Patterns: Refactoring Software, Architectures, and Projects in Crisis by William H. Brown, Raphael C. Malveau, Hays W. “Skip” McCormick III, Thomas J. Mowbray
A book showing typical anti-patterns that just happen in larger (software) projects. Your project will also suffer from some of those. Read this to understand those patterns and learn how to eliminate them.
Conferences
An important criterion for conferences added here is online publication of talks and papers.
When you know where to look you will find lots of awesome conferences with different priorities and a different focus.
CCC
The Chaos Computer Club has several conferences in Germany. They differ in focus and size. If you are interested in computer security, the MRMCD and the Congress are the most valuable ones for you. Talks are recorded and can be found on media.ccc.de
Usenix (scientific security conference)
Usenix is a high-tech security and academic conference: bleeding-edge technology, but a bit harder to get into a product than with other conferences.
Hack.lu
Hack.lu is a security conference in Luxembourg. Talks are recorded, but it seems there is no central storage besides YouTube where you can find them.
OWASP
Blackhat
Blackhat is a security conference with events in the US, Europe and Asia (so don’t get confused).
Shmoocon 2006 - 2020
Defcon
BSides
BSides TLV 2021: https://www.youtube.com/playlist?list=PLkNlAwTF5yEvS0IDS8zRanqUfTWxadcV4
Radare Con
2020:
- https://github.com/radareorg/r2con2020
Purdue University seminar
Virus Bulletin
Virus Bulletin is an Anti-Virus community magazine, tester and conference.
The conference in particular has in-depth talks covering malware and malware actors. Some of those talks can be found on YouTube.
Blogs
Blogs are a good resource for in-depth malware analysis or content of almost any complexity. I suggest you check out which ones cover topics you are interested in and then start monitoring them for changes.
Security perspective from a bank; check out articles, blogs, handbooks, white papers: BankInfoSecurity
Deep analysis and IOCs: Cylance
Team Cymru blog covers threat intelligence.
Malware must die blog contains malware information
Malware don’t need coffee focuses on Exploit kits and their distribution.
Cyber crime Magazine focuses more on the crime aspect.
Citizen lab - big game hunting
Also Brian Krebs is very well known for his investigations into the crime part of the topic.
To stay in the world of crime: Europol also covers it, but is not focused on computer security.
The Anti Virus companies also have blogs. Sometimes several blogs. With a focus on end-users or tech nerds. Those can vary in depth.
Just to name a few.
News
Hacker news portals:
Podcasts
- Security Now
- The Silver Bullet
- Darknet Diaries
Magazines
Magazines (called Zines) are a part of the hacker culture. And they still exist.
- Pagedout magazine
- PoC||GTFO. Also available on other mirrors and as books
- Spuz.me pen testing
Videos
Workshops and Training
CTF
Capture the Flag (CTF) challenges let you test your own hacking skills. A good way to do that without committing any crime.
Background and some help:
There are also CTF competitions:
Lists and bookmarks
Glossary
0-day: An exploit used by attackers before the vulnerability is known to the defender. They are expensive on the black market. Typical malware does not need 0-days, as many users do not patch their systems.
ABAC: Attribute based access control. A logic decides based on attributes of different objects (subject, resource, action, environment) if access is permitted.
Adware: Malware that shows ads. As the ad ecosystem pays for viewed ads, this is how attackers convert infections into money.
Amplification attacks: Attacks where a 3rd party is used to attack the target with amplified bandwidth. Services emitting more data than they receive are vulnerable. They often use stateless protocols like UDP, because there the initiator of a request can be different from the victim that receives the reply.
Anycast: Servers share the same IP address. The client connects to the closest one. Relevant if only one of them is hacked and serves malware…
Approved List: A list of url/hashes/… that got approved as being harmless
APT: Advanced Persistent Threat. Advanced malware. Often government backed. Or just very advanced malware.
ASLR: Address Space Layout Randomization. Mitigation strategy that loads code into random areas of memory. Makes writing exploits harder.
ASVS: Application Security Verification Standard: This OWASP project lists different ways to verify the security of an application.
Backdoor: A constructed way for an attacker to connect to a vulnerable system and execute code
Beacon: The C2 server on the public internet which is contacted by the implants on the victim’s local network. The connection is usually made at a regular interval. Depending on the malware this can be anything from minutes to months. Using these short beacon messages the implant fetches new instructions.
Blacklist: Deprecated, see “Block List”
Block List: A list of items like URLs, hashes, … that trigger a blocking
BLE: Bluetooth Low Energy
BLE Characteristic: Value + Descriptor
BLE GAP: Advertisements, connection handling, defining device roles in communication
BLE GATT: Organizes the data offered by the device
BLE L2CAP: Encapsulating data into packets
BLE Service: Several Characteristics combined create a service. A default service for BLE would contain device information
BLE Profile: Profiles combine several services. They standardize specific device classes
Bot: An infected machine that can be remote controlled by the attacker
Botnet: Infected machines centrally controlled by the attacker using a C&C
Bug: Error made in the programming phase. Not all bugs are vulnerabilities
Campaign: Malware campaigns are events where a malware actor spreads malware by phishing, infected sites, … As malware is a business with division of work, one malware type can be spread by different actors in separate campaigns in parallel
Canary: A trigger that will alert on an intrusion attempt. Code canaries, for example, are values in memory that trigger when being overwritten.
CAPEC / Common Attack Pattern Enumeration and Classification: A MITRE taxonomy for attack patterns. https://capec.mitre.org/
C&C aka C2: Command and Control server. Central control over a botnet
Class break: A class break is a vulnerability that breaks the whole device class instead of just one single device. Example: the same master key is used on all devices and it leaks.
CORS / Cross-Origin Resource Sharing: Mechanism to define exceptions to the SOP (Same-Origin Policy) via HTTP headers.
CERT: Computer Emergency Response Team. Handles security breaches in organisations or nations.
Command injection: If the attacker is able to inject a command into the system shell (because the data is not sanitized), this is a command (line) injection. See OWASP
Common Platform Enumeration: A unique ID for software products, can be used to query vulnerability databases and software asset management
CRITs / Collaborative Research Into Threats: Threat intelligence sharing platform by MITRE. See TIP. https://crits.github.io/
CSRF aka XSRF - Cross-site request forgery: The attacker tricks the user into issuing an HTTP request to a site where the user has an open session. This HTTP request triggers an action on the server on behalf of the user.
Dark Web: Intentionally hidden parts of the web. Most commonly Tor pages.
DAST: Dynamic Application Security Testing. Testing by executing the program in a special test harness, possibly built with compiler instrumentation like ASan.
Deep Packet Inspection: A filter looks into the deeper layers of packets. Complex, and causes issues with encrypted data. Better don’t do it.
Deep Web: Parts of the web that are not indexed by search engines (intranets, everything behind a login, ….)
Dedik: Stolen RDP access to a Windows server. Used as the first step for ransomware attacks (2020: 70% of ransomware attacks started that way). Dedik = Dedicated server
DEP: Data execution prevention. Parts of the memory are marked as non-execute (=NX)
DFIR: Digital forensics and incident response
DGA / Domain Generation Algorithm: A malware algorithm generating domain names based on a counter/time to connect to.
Differential privacy: A way to collect statistical data on clients/users without compromising the privacy of specific users
Domain Flux: Way to hide C&C servers. A domain name generator creates changing domain names
DOS: Denial Of Service - Attack that exhausts resources of the target (CPU, memory, network, storage)
DDOS: Distributed DOS - Attack is done by many systems in parallel
DNG / Domain Name Generator: Part of a malicious script generating possible URLs for C&C servers based on time. By registering some of them the attacker can withstand take-downs and still get connecting bots.
DTLS: Datagram TLS - TLS for short UDP messages (see: IoT)
DVA / Damn Vulnerable Application (also: Damn Vulnerable Web Application): An insecure application to train hacking on or to test tools
Dynamite phishing: Automated spear phishing. The malware silently collects mail communication to later fake new phishing mails for new victims
EDR /Endpoint Detection and Response: Endpoint protection with a deeper analysis system and an array of potential responses to attacks
ELF: Linux executable file format
EMET: Enhanced Mitigation Experience Toolkit for Windows hardening. Now integrated into Windows Defender Exploit Guard
EPP / End Point Protection: Passive Endpoint protection
Evercookies: Data snippets stored in the browser like cookies, but in JavaScript local storage, Flash storage, … which makes them hard to delete. AKA Zombie Cookies
Exploit: Attack on a vulnerability
Exploit Kit: A ready to run malware spreading tool. Normally uses infected web pages to spread the exploit.
Fast Flux: Using Round-Robin DNS to hide a C&C server. One URL gets multiple IPs that way.
Flaw: Error made in the design phase. Not all flaws are vulnerabilities
FP: False Positive. A harmless URL or file is detected as malicious
Firewall: Network filter. Can reduce allowed traffic on a network connection. Smarter firewalls can maintain some state and decide based on who initiated a connection - an internal or an external computer?
Heap Spraying: Loading the exploit code several times into different memory areas. Also uses NOP slides
Honeypot: A Honeypot is a simulated vulnerable system to attract attackers. The attacks will then be analysed to learn about the attackers.
HVCI: Hypervisor Protected Code Integrity, aka “memory integrity”, a Windows feature
IDS / Intrusion Detection System: Monitors a network and analyses it for malicious activity. Using rules it can notify admins if anomalies are detected
IPS / Intrusion Prevention System: IDS with the ability to automatically stop potential attacks (firewall up, terminate processes, …)
Implant: A tool used by the attacker to maintain access to an exploited system. Normally has some form of connection to the attacker’s infrastructure to be controlled
IOC: Indicator of Compromise. A file-hash, URL, registry key or similar feature left by the malware when a system is infected.
JWT: JSON web token. A “cookie” for authentication with added data. Stored on the client. The JWT is signed by the server.
Kerckhoffs’s Principle: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
Key rotation: Periodically change the encryption key
Kill chain: Phases of an attack
Living off the land: A tactic where the attacker uses pre-installed software for the attack. This reduces detectable malware on the system
MAEC5: Malware sample description language. Covers static features like hashes and behaviour.
MBEC: mode-based execution control: Windows memory integrity feature, requires CPU support
Malware: Malicious software
MaaS / Malware as a service: Organised crime split malware creation and using malware against a target into different roles. Malware creators offer malware “as a service” to the second group
MISP: Open standard for threat information sharing. Also a sharing platform. Focus on IOCs. See also TIP
MISRA C: Guidelines for safe C programming. Tools (compiler and static code analyser) support it. Some of the safety issues are also security issues. Check it out. Low hanging fruit.
MITM: Man/Monster in the Middle. Network connections are broken up in the middle by the attacker to spy or modify network packets
MITRE: Non profit organisation doing security research
MITRE ATT&CK: A taxonomy for attacker TTPs. See: MITRE
mutual TLS / mTLS: Both sides, client and server, authenticate to each other using certificates
NOP slide: Increases the target the instruction pointer has to hit to get to the exploit code. Done by adding NO operation codes to the beginning.
Open redirect: A vulnerability where a legitimate website can be tricked into HTTP redirecting a visitor to a url supplied by the attacker
Patch gap: Gap between a security patch in a 3rd party library and a patched release of the main product using this library
Patch Guard: Windows kernel patch protection, protects some memory structures from being modified
PE: Portable Executable file. On Windows .exe and .dll (and some others). Starts with a DOS header (MZ)
Persistence: Attackers can do a hit and run - stealing data - or try to maintain access to the target by running implants there or getting the credentials. That way the “attack survives a reboot”. This would be called “persistence”.
Persistence(system): System level persistence can be gained by running code on a single system. Often done as a hidden rootkit in kernel mode
Persistence(network): Persistence by controlling several systems by either stolen credentials or compromise of a core infrastructure in the network.
Phishing: Attack using social engineering to get credentials. Can involve malware or exploits as well
POLA / Principle Of Least Authority: see POLP
POLP / Principle Of Least Privilege: Users are granted the smallest set of privileges they need to get their assigned tasks done
POMP / Principle Of Minimal Privilege: see POLP
QUIC: A Google protocol based on UDP, intended to replace TCP by adding TCP features on top of UDP
RAT / Remote access trojan: An implant to gain persistence. Can remote control OS functionalities.
RBAC / Role based Access Control: Every user has a role. Those roles come with permissions
RBN / Russian Business Network: Rogue ISP offering bullet proof hosting (take downs by police not easy)
RCE: Remote Code Execution. An attacker is able to execute code without physical access to the system. Very bad.
Regular Expression DOS: Non-optimized regular expressions can require lots of CPU. If the attacker is able to submit their own regex, it is possible to DOS the target system. See OWASP
Reproducible Build: The software build chain must create hash-identical software on different build systems. That way some supply chain attacks can be mitigated.
Reverse shell: A command shell running on a hacked PC. To get out through NAT/Firewall it connects back from the infected PC to a server the attacker controls.
ROI: Return on investment. A business metric. But as attackers want to make money, make them pay for it by detecting their tools, sharing this knowledge. And make it very expensive for them to attack.
ROP / Return Oriented Programming: If an executable is compiled with DEP it is not possible to insert new shellcode to execute. ROP uses existing code from the victim-executable and chains those ROP gadgets into a new order to achieve the goal.
Round-Robin DNS: Old system for load balancing that does not work with modern clients or IPv6. TTL is short lived.
SafeSEH: A Windows compiler feature to mitigate attacks abusing the exception handler. Attackers can modify the exception table, then cause an exception and by that control program flow. SafeSEH mitigates that.
SAST: Static Application Security Testing. This can be compiler warnings or special tools
SBOM Software Bill of Materials
SCA: Software Component Analysis: Check external software components for vulnerabilities and license compliance issues
Self guided malware: Malware for air-gapped systems. Does not need a connection to a control server. Has all the propagation/infection logic built in. Not a common thing. But Stuxnet was one of those.
Session fixation: Vulnerability caused by not creating a new session on login but recycling an old one. The attacker injects his token into the victim’s browser. As soon as the victim logs in, the attacker has parallel access to the account.
Session Hijacking: The login token of a session is stolen. While this is valid the attacker has access
Shellcode: The payload in an exploit. Shellcode either pops a shell or establishes a connection to the attacker in the internet, … This is where malicious things happen.
Side Channel: Using side effects to hack a system. For crypto a side channel can be timing differences between a right and a wrong password.
SIEM / Security Information and Event Management: Collect and analyse different security relevant data into logs. Actions are triggered based on this data.
Sigma rules: Sigma rules are for logs what Yara is for files https://github.com/Neo23x0/sigma
SKF: Security Knowledge Framework: OWASP expert system to build and verify secure software https://owasp.org/www-project-security-knowledge-framework/
SNI / Server Name Indication: Part of the TLS handshake that indicates which one of the hosted servers to contact. Can be encrypted if ESNI (Encrypted SNI) is used.
SOC / Security Operations Center: The team running SIEMs in an organisation.
SOP / Same-origin-policy: Web browser security principle: Elements of a web site must be from the same server
Spam: Unwanted advertising mails, or similar messages on other channels. Often sent from hacked PCs to abuse their bandwidth.
Spear Phishing: Targeted phishing. Learn about the target first to create a better social engineering attack
SQLI / SQL Injection: SQL commands can be sent through the user interface to the database backend. Instead of just values (which was the developer’s intention)
Stack Clash: A vulnerability on Linux/BSD systems. Stack Guard Page should protect against Stack-Overflows. But it can be tricked into overwriting memory. A compiler switch can protect against Stack Clash.
Static Code analysis: Analyse code without executing it. Compiler warnings are the best known example. Also linters.
STIX2: A data format to exchange threat intel. More focused on attack groups/identity/threat actor/campaign.
StrongNaming: Authentication for .NET libraries. Signed binaries with version verification and pinned key.
Sub domain hijacking aka sub domain takeover: The attacker is able to claim an abandoned web host that still has DNS entries pointing to it. Now it is compromised….
Supply chain attack: The attacker manipulates a software, library or compiler used by the victim to attack the victim or the victim’s customers
Suricata: Open Source IDS
Threat intelligence: A service offered by security companies (or peer-to-peer). Can start with sharing IOCs and end with detailed reports on attacks and threat actors. Focus is on advanced attacks
TIP / Threat intelligence platform: Threat intelligence sharing between organisations. See MISP or CRITs by MITRE
TLP / Traffic Light Protocol by DHS: defines threat intelligence information sharing policy. From public to secret. Using 4 coloured levels
TOR: The Onion Router. Overlay network over the internet to ensure anonymity of clients and servers
Trust boundary: Who do you trust with what? If your project integrates 3rd party compilers, tools, libraries, … you are already trusting someone. Knowing who you trust and how far is the trick.
Trusted Computing Base (TCB): The part of a system that MUST work properly to ensure security. Keep this small.
UAF / Use After Free vulnerability: Typical memory corruption bug
VBS: Virtualization Based Security, a Windows feature to isolate parts of the memory from the OS
Vulnerability: A bug or a flaw that has security implications
Warning fatigue: A psychological aspect of secure UI design. If you display too many warning UIs, your users will be trained to ignore them.
Waterhole attack: Targeted phishing attack using a hacked/manufactured homepage the victim is known to visit and trust
Weaponizing: Making an exploit easy and reliable to use.
Whitelist: Deprecated term. See “Approved List”
XSS, Persistent: An attacker can store a script on the web server that is later rendered for another user. As it is a script it will execute in the context of the victim’s page.
XSS, Reflected: The attacker can add a script to a url parameter which is part of the rendered page. This script will then run in page context
XXE: XML External Entity injection: The attacker uses modified XML sent to the server to access internal data like files
Zero Trust: All network requests must be authenticated. Even those originating from the own network
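An added example, not from the book, illustrating the “Session fixation” glossary entry: a constructed in-memory session store with a login that recycles the incoming session ID (vulnerable) next to one that issues a fresh ID on login (fixed). The simulation then shows whether an attacker-chosen ID ends up authenticated.

```python
"""Session fixation: recycled vs. regenerated session IDs.

Constructed example, not the book's code. A minimal in-memory session
store with two login flows. The vulnerable flow keeps whatever session
ID the browser already carries, so an ID planted by an attacker becomes
an authenticated session. The fixed flow issues a fresh ID on login.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    # session ID -> {"user": logged-in user name or None}
    sessions: dict = field(default_factory=dict)

    def new_session(self) -> str:
        """Create an anonymous session and return its ID."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid: str):
        """Who is logged in under this session ID (None if nobody/unknown)."""
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def login_vulnerable(store: SessionStore, sid: str, user: str) -> str:
    """Recycle the incoming session ID: this is the session fixation flaw."""
    if sid not in store.sessions:
        store.sessions[sid] = {"user": None}   # even accepts unknown IDs
    store.sessions[sid]["user"] = user
    return sid                                 # browser keeps the old ID


def login_fixed(store: SessionStore, sid: str, user: str) -> str:
    """Invalidate the pre-login session and issue a fresh ID on login."""
    store.sessions.pop(sid, None)              # old ID is no longer valid
    new_sid = secrets.token_urlsafe(32)
    store.sessions[new_sid] = {"user": user}
    return new_sid                             # browser gets the new ID


def fixation_succeeds(login) -> bool:
    """Simulate the attack against a login flow; True if the attacker gets in."""
    store = SessionStore()
    attacker_sid = store.new_session()   # attacker obtains a valid anonymous ID
    # ... and plants it in the victim's browser (not simulated here)
    login(store, attacker_sid, "victim")  # victim logs in carrying that ID
    # Attacker reuses the ID they already know: is it now the victim's session?
    return store.user_for(attacker_sid) == "victim"


if __name__ == "__main__":
    print("vulnerable login:", fixation_succeeds(login_vulnerable))  # True
    print("fixed login:     ", fixation_succeeds(login_fixed))       # False
```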
The author
I have to tell you my origin story. Because you should know where we are going if you join me by reading this book. I hope it is not boring as no radioactive spiders are involved….
Troubleshooter and one-man team somehow happened to be my role, as well as team expert for security. I am a software developer and engineer who also took the role of architect/project manager in security-related projects, which gave me a good and wide perspective on things in the IT world.
After studying Computer Science (Dipl. Ing FH at University Ravensburg Weingarten, a German title) I went to Avira, an Anti-Virus/Endpoint bolt-on-security company. I handled core detection projects as part of teams. I was focused on the engineering/architect and developer roles. Amongst the things I did are:
- An AI SPAM filter in C: String processing in C….
- A full Anti-Virus engine. Cross-compilable. For WinCE, Linux, PalmOS and Symbian. C
- A generic module to detect malware in homepages. Building a kind of DOM. String processing. In C.
- Management security consulting
- Browser extension development - self learning phishing detection. JavaScript
- A government-funded research project:
- Split an OS into several virtual machines for segmentation
- Scan into these virtual machines without installing anything (Volatility)
- Classify malware based on behaviour (Cuckoo Sandbox)
- Create the architecture of a security/privacy focused Chromium based browser
- Went to the Embedded and IoT world at Feo, another company
- Moving to Avast I wrote a simulation environment to experiment with advanced attacks named PurpleDome
Right in the middle of doing all those things I started to sort my knowledge and experience. Resulting in this book.
Currently I am Lead Security expert at Primion where I can use all my knowledge.
You can reach me
- On Twitter: @ThorstenSick
- On Mastodon: @thorsi@chaos.social
Thorsten Sick
The origin story: External brain
This book was already written once. As my external brain. Just for me. I collect my knowledge in “external brains”, a private wiki. My security knowledge external brain just grew to a stage where I thought “well, you just wrote a book”. And after finding Leanpub, which fits my style of tackling projects, I decided I can transfer my external brain (written for me) into a book (written for tech people world wide).
And this is currently happening.
Authors
My goal is to write an anthology. Contributions from experts in their fields are welcome. Everyone contributing a chapter gets half a page of biography.
I just do not want to start asking for contributions now. Not until the book has a well tested and established structure. I would hate to force external authors to re-write their chapter several times just because the structure is still developing….
Credits
Credits are for all the contributors.
Changelog
I want to “release early - release often”. For this reason I will add a changelog to make it simpler for you to find the new sections.
Aug 2025
- RSS feed space started
- AV behaviour based classification extended
- Principles extended
- Anti Virus sharing samples extended
- Google dork extended
- Browser security extended
- Cryptographic algorithms extended
- Passwords extended
- Threat modelling extended
- TLS extended
- Secret scanning extended
April 2023
- ZAP updated
- Passwords updated
- Vulnerabilities updated
- Python updated
- Git hardening updated
December 2022
- Added Secret Scanning
- Improved ZAP
- Improved Git hardening
November 2022
- Updating my Author-page
- Update in Vulnerabilities
- Updated Git hardening chapter
- Adding ZAP
July 2022
- Small extensions to video.txt, testing_compiling.txt, presentations.txt
- Extended external references
- Text cleanup based on vale
- Improved behaviour classification
- Added CAPEv2 chapter
October 2021
- Fixed safari links (now learning.oreilly)
- Cleaned up and extended glossary
June 2021
New:
Big additions:
- Added Nmap chapter
Small additions:
- Extended Glossary
- Behaviour based classification
- Kill chain
- Passwords
- Vulnerabilities
April 2021
- Extended glossary
- Extended “design”
- Extended python
February 2021
- Extended glossary
- Updated python chapter
October 2020
- Extended Behaviour based classification
- Added Antivirus detection chapter
- Extended glossary
- Extended Kill chain
- Extended External References
- Extended SSH
August 2020
- Extended External References
May 2020
- Extended Glossary
- Extending Git hardening (turning it into CI/CD + Security)
- Replacing whitelist/blacklist with approved list and block list
April 2020
- Reworked layout. Removed headers from chapters
- Extended Glossary
March 2020
- Extended passwords
- Extended external references
- Extended fuzzing
- Extended Glossary
February 2020
- Glossary extended
January 2020
- Extended external references
- Extended glossary
- Programming/compiling: visual studio added
- Testing-compiling extended
- Decision: I will remove the target audience from all chapters. Also the author, as long as it is just me. 3rd party authors will get the credits.
December 2019
- Thug chapter extended
- TLS chapter extended
November 2019
- Spelling and quality improvements
- fixed ../../images/tls_simple.png
- Adding Recon-NG
- Small fuzzing upgrade
- Upgrade in vulnerabilities
- The part planning got a proper review.
August/September/October 2019
- Improved mitmproxy
- Improved browser
- Added kill chain
- Added the practical parts to thug
- Extended glossary
July 2019
- Extended Glossary
- Updated Thug
- Extended Browser
- Extended security process
- Added mitmproxy
- Extended “Threat modelling” with MITRE attack
June 2019
- Chapter for thug added - a honey client to investigate malicious web pages
May 2019
- Some cleanup
- Extended “security process”
- Added python security
April 2019
- Added “Threat modelling”
- Extended Glossary
- Added “git hardening”
- Added “JavaScript security”
March 2019
- Extending testing compiled binaries
- Most readers read PDF ⇒ Focus on PDF layout now.
- Old PDF setting: A5 (14.8cm x 21.0cm ) to get a book style size
- New PDF setting: A4 (21.0cm x 29.7cm) for more table space and better screen readability
- Tables set from default to wide
- extended content
- extended glossary
- extended browser
- extended security_process
- Full quality check for “background” section
- Added Censorship
February 2019
- Cleaning up the author page. Adding Mastodon and Twitter
- Extended Attacker’s goals
- Extended know your enemies
- Small extensions to principles
- Extending TLS
- Extending browser
- Starting vulnerabilities
- Starting security process
January 2019
- Added Software design checklist (initial version)
- Added Google Dorks
- Added Glossary
- Added part Appendix
- Added basic beef chapter
- Added basic burp suite chapter
- Added IOC sources chapter
- Extended TLS
- Updated content
- Intro for background added
- Intro for planning added
- Intro to programming added
- Intro to testing added
- Updated samples
- Intro for tools
- Reworking first chapters: re-write, remove or move to the end of parts. Reason: I want to get people to encounter the core book faster.
- Structure: removed unnecessary things
- The origin (moved to the author)
- stages of learning moved to part “psychology toolbox” (which is not active yet)
- random encounter removed
- More glossary entries
December 2018
- Enhanced book list of defensive programming
- SSH chapter added
- Added Code Coverage chapter
- Improved Fuzzing chapter
- Added Vagrant to compiling chapter
- Extended CppCheck
- Small things in:
- Antivirus sharing samples
- clang
November 2018
- Enhanced defensive programming
- Added design
- Enhanced “attacker’s goals”
- Enhanced passwords
- Enhanced clang
- Cleaning up the book, adding parts
- Chapters got moved around
- Enhanced This book
- Enhanced The author
- Enhanced structure
- Clean up crypto algorithm tables
- Enhanced antivirus testing
- Added antivirus testing to the sample
- unhooked external references
- Kehrwoche (cleaning week): Aspell for all text parts in “sample”
October 2018
- Added crypto algorithms
- Re-worked Asserts
- It got an own chapter
- Python added
- JavaScript added
- Extended principles
- Added testing chapter. Especially for unit testing and bug bounties (basics)
- TLS got a diagram and minor improvements
- Clang chapter added
- Added crypto algorithms to Sample
September 2018
- CAN bus hacking
- Bluetooth LE (BLE)
- Added code analysis tools requirements table for an overview
- URLs now in footnotes
- Content chapter added
- Chapter Antivirus Behaviour classification added
- added code analysis tools requirements to Sample
August 2018
This is the holiday release: Focus is on improving text quality of existing chapters.
- Extended “Principles”
- Added new chapter “browser security” (not finished yet)
- Added new chapter “IoT security” (not finished yet)
- Quality improvements in
- defensive programming
- know your enemies
- principles
- structure
- this book
July 2018
- Added attacker’s goals
- Added antivirus-tests
- Added antivirus-integration
- Changed PDF to A5 for a typical book-size PDF
- Added basic fuzzing chapter
- Extended “Defensive programming”
- Extended “principles”
- Extended “TLS chapter”
- Extended “External references”
- Added antivirus-sharing-samples
- Added antivirus virustotal
- Added Cppcheck chapter
- Added Testing compiling chapter
- Added kill chain chapter to offense
June 2018
- Added TLS chapter
- Extended principles
- Added passwords
- Added basic compiling
- Improved external references
- Extended update
- Added flawfinder chapter
May 2018, initial release
- Added principles chapter
- Added updates chapter
- Added Know your enemies chapter
- Added UX chapter
- Added structure chapter
- Added external references chapter
- Added “The Author” chapter
- Added “This book” chapter
- Added “Defensive programming chapter” for default defensive programming
License
This book is licensed under CC-BY-SA 4.0