8

I would like to get into computer security in my career. What are the best ways to learn how to program securely?

It seems to me that, besides textbooks and taking classes in the subject, perhaps learning how to "hack" would be one of the best ways to learn. My reason for thinking this is the thought that the best way to learn how to prevent someone from doing what you don't want them to is to learn what they're capable of doing.

If this is the case, then this poses another question: How would you go about learning to hack in an ethical manner? I definitely don't want to break laws or cause harm in my quest.

Peter Mortensen
Kenneth
  • Everyone justifies hacking by adding "ethical". Why not just download http://www.porcupine.org/satan/ and enjoy yourself without claiming it's "ethical"? – S.Lott Mar 09 '11 at 19:53
  • Not trying to justify it. Just seems like that in order to stop a hacker you need to know how they can hack. Seems to me that on some level this almost requires experience with hacking. In the end the hacking isn't my ultimate goal. If you have a better alternative I'm open to suggestions which is the purpose of this post. Thanks! – Kenneth Mar 09 '11 at 20:35
  • "If you have a better alternative"? I believe I provided an answer. Do you need more information? Also, are you aware that most hackers use SATAN? – S.Lott Mar 09 '11 at 20:45
  • for information on how they can hack, here is a link to the top 10 security holes in 2010. http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf – Evan Mar 09 '11 at 21:11
  • @SLott - most use SATAN? Hmmmm - I'd be surprised, as we see them using way better tools! – Rory Alsop Mar 09 '11 at 23:25
  • Head on over to [security.stackexchange.com](http://security.stackexchange.com/), and more specifically questions tagged [Education](http://security.stackexchange.com/questions/tagged/education). Loads of good info for you there. – Rory Alsop Mar 09 '11 at 23:28

3 Answers

5

Have you looked at OWASP? Also, here is a more direct link to the top 10 security problems.

Josh K
S.Lott
5

There's plenty out there on "ethical hacking" - one frequent hit word is "penetration testing". There are also codes of ethics out there on how to go about it - but my one rule of thumb would be the same as kindergarten rules - don't touch stuff that isn't yours.

If you're interested in both sides of the coin, I'd suggest home projects - build a simple application and then try to hack it. Then you have the code available so you can break it and fix it to your heart's content.

The other thing is sites like OWASP (see other answer). There's a ton of known vulnerabilities out there. Learning about them and learning how to prevent them is a great step that cuts short the trial and error of DIY hacking. Also learning about mechanisms for confidentiality, integrity, identification, and availability for software, networks, and computers in general is a great step. Having experience in implementing these mechanisms in your language/deployment of choice is a great way to build up software security skills.

bethlakshmi
2

One way would be to look at the tools that can be used to penetration test a system. You can download some specialized penetration-test Linux distributions for a start.

Another part of your learning quest is to read the literature out there. OWASP as suggested by @S.Lott is an amazing resource for web-application security. SafeCode is a more generalised source, but it is definitely a lot less detailed.

Peter Mortensen
Dan McGrath