Security Pointers

Tools and Resources

Books and Articles on Cryptography

Open Source libraries/packages
  • OpenSSL : I like this one. It comes with three fold advantage, (1) It implements Secure Sockets Layer (SSL v2/v3), (2) It also implements Transport Layer Security (TLS v1), which is an successor of SSL and (3) It also implements almost all common crypto algorithms we need to build new security protocol. Thanks to  Eric A. Young and Tim J. Hudson for their great contribution to crypto developer community. It supports Apache-style licensing.
  • cryptlib : It is like a magic box. Put something inside it, shake it, take it out… Your data is encrypted. This is an well researched and user friendly ( I feel Peter Gutman has done a very good user research ..). It is very powerful and you can add your own encryption algorithm into it in a plug& play manner. You can also use a cut down version of the library (reduced fingerprint, with only required algorithms) to put into a resource constrained device. It supports and well tested in almost all type of processor arch and operating systems including VxWorks, WindowsXX, Linux, ..etc. It has long list of algorithms included in it.
  • OpenSSH: OpenSSH is a FREE and Open source version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. It supports all strong encryption algorithms : 3DES, Blowfish, AES, Arcfour). Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions (1.3, 1.5, and 2.0). You can use this one to build your own secure FTP server.
  • Bouncy Castle: This is a collection of APIs and which are claimed to be light-weight. It includes APIs for both the Java and the C# programming languages. The word “light-weight” is the bigest selling point and also it’s applicability to mobile devices as well as the combination with J2Me made it big success. It has provider implementation for Java Cryptography architechture, implementation for JCE, and many more implementations for PGP, SMIME, X.509…. The next point would be WS – Security.
Commercial libraries/packages
Anti Virus
  • Sophos Threat Detection: Sophos Threat Detection Tests quickly performs a scan and find any viruses, spyware, adware or zero-day threats that might have by-passed your existing protection. The test can be run without uninstalling or deactivating your current anti-virus software.The test utilizes award-winning Sophos Anti-Virus detection, certified by ICSA Labs, West Coast Labs, and Virus Bulletin.
Vulnerabilities & Exploits
  • MilW0rm: Exploit database… for corresponding CVEs.
  • NVD (National Vulnerability Database) : NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.
  • CVE (Common vulnerability Exposure) : CVE® International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures.CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
  • Security Focus ( weekly Newsletters) :
    • BugTraq is a high volume, full disclosure mailing list for the detailed discussion and announcement of computer security vulnerabilities. BugTraq serves as the cornerstone of the Internet-wide security community.
    • The SecurityFocus Vulnerability Database provides security professionals with the most up-to-date information on vulnerabilities for all platforms and services.
  • Network Computing and the SANS Institute
  • NIPC CyberNotes – biweekly issues
  • ISS – monthly Security Alert Summary
  • Government
  • OSVDB : OSVDB is an independent and open source database created by and for the community. Our goal is to provide accurate, detailed, current, and unbiased technical information.
  • WVE : WVE is a standardized nomenclature for Vulnerabilities in wireless protocols and products, and the Exploits which take advantage of these vulnerabilities. It is also a database or catalog of these vulnerabilties and exploits.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: