Security Pointers

Tools and Resources

• Openssl : the openssl wiki document is very usefull reference for reading command options

Books and Articles on Cryptography

• Applied Cryptography, Second Edition, by Bruce Schneier
• Handbook of Applied Cryptography, by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone
• Critics on Cryptography books, http://www.youdzone.com/cryptobooks.html, has near about 147 listing. good collection in one place with comments.
• Security Engineering, Ross J. Anderson (professor), A very good reference book on security and little bit on cryptography associated with it.
• Secure Programming Cookbook for C and C++, By Matt Messier, John Viega, Secure Programming Cookbook for C and C++ is an important new resource for developers serious about writing secure code for Unix® (including Linux®) and Windows® environments.

Open Source libraries/packages

• OpenSSL : I like this one. It comes with three fold advantage, (1) It implements Secure Sockets Layer (SSL v2/v3), (2) It also implements Transport Layer Security (TLS v1), which is an successor of SSL and (3) It also implements almost all common crypto algorithms we need to build new security protocol. Thanks to  Eric A. Young and Tim J. Hudson for their great contribution to crypto developer community. It supports Apache-style licensing.
• cryptlib : It is like a magic box. Put something inside it, shake it, take it out… Your data is encrypted. This is an well researched and user friendly ( I feel Peter Gutman has done a very good user research ..). It is very powerful and you can add your own encryption algorithm into it in a plug& play manner. You can also use a cut down version of the library (reduced fingerprint, with only required algorithms) to put into a resource constrained device. It supports and well tested in almost all type of processor arch and operating systems including VxWorks, WindowsXX, Linux, ..etc. It has long list of algorithms included in it.
• OpenSSH: OpenSSH is a FREE and Open source version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. It supports all strong encryption algorithms : 3DES, Blowfish, AES, Arcfour). Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions (1.3, 1.5, and 2.0). You can use this one to build your own secure FTP server.
• Bouncy Castle: This is a collection of APIs and which are claimed to be light-weight. It includes APIs for both the Java and the C# programming languages. The word “light-weight” is the bigest selling point and also it’s applicability to mobile devices as well as the combination with J2Me made it big success. It has provider implementation for Java Cryptography architechture, implementation for JCE, and many more implementations for PGP, SMIME, X.509…. The next point would be WS – Security.

Commercial libraries/packages

• Microsoft CryptoAPI: CryptoAPI is intended for use by developers of applications based on the Microsoft Windows Server and Microsoft Windows operating systems that will enable users to create and exchange documents and other data in a secure environment, especially over nonsecure media such as the Internet.

Anti Virus

• Sophos Threat Detection: Sophos Threat Detection Tests quickly performs a scan and find any viruses, spyware, adware or zero-day threats that might have by-passed your existing protection. The test can be run without uninstalling or deactivating your current anti-virus software.The test utilizes award-winning Sophos Anti-Virus detection, certified by ICSA Labs, West Coast Labs, and Virus Bulletin.

Vulnerabilities & Exploits

• MilW0rm: Exploit database… for corresponding CVEs.
• NVD (National Vulnerability Database) : NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.
• CVE (Common vulnerability Exposure) : CVE® International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures.CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
• Security Focus (SecurityFocus.com weekly Newsletters) :
  • BugTraq is a high volume, full disclosure mailing list for the detailed discussion and announcement of computer security vulnerabilities. BugTraq serves as the cornerstone of the Internet-wide security community.
  • The SecurityFocus Vulnerability Database provides security professionals with the most up-to-date information on vulnerabilities for all platforms and services.
• Network Computing and the SANS Institute
• NIPC CyberNotes – biweekly issues
  
• ISS – monthly Security Alert Summary
  
• Government Security.org
• OSVDB : OSVDB is an independent and open source database created by and for the community. Our goal is to provide accurate, detailed, current, and unbiased technical information.
• WVE : WVE is a standardized nomenclature for Vulnerabilities in wireless protocols and products, and the Exploits which take advantage of these vulnerabilities. It is also a database or catalog of these vulnerabilties and exploits.
• http://www.opensecurityfoundation.org/
  
• http://ha.ckers.org/