References
- AFL
Michał Zalewski, american fuzzy lop. http://lcamtuf.coredump.cx/afl/, retrieved 2019-05-29.
- AminiPortnoy
Pedram Amini & Aaron Portnoy, Fuzzing Sucks! Introducing Sulley Fuzzing Framework. Black Hat USA 2007. https://github.com/OpenRCE/sulley/raw/master/docs/introducing_sulley.pdf, retrieved 2019-05-29.
- ASVS
OWASP, Application Security Verification Standard 4.0. https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf, retrieved 2019-04-15.
- BSI
Hubert Garavel, Formal Methods for Safe and Secure Computers Systems. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/formal_methods_study_875/formal_methods_study_875.pdf?__blob=publicationFile, retrieved 2019-05-28.
- BSIMM
Gary McGraw, Sammy Migues, and Jacob West, Building Security In Maturity Model (BSIMM) Version 9. https://www.bsimm.com/content/dam/bsimm/reports/bsimm9.pdf, retrieved 2019-07-01.
- BeyondGrep
Andy Lester, More tools for searching source code. https://beyondgrep.com/more-tools/, retrieved 2019-04-23.
- Böck
Hanno Böck, The Fuzzing Project. https://fuzzing-project.org/, retrieved 2019-05-29.
- Boofuzz
Joshua Pereyda, boofuzz: Network Protocol Fuzzing for Humans. https://github.com/jtpereyda/boofuzz, retrieved 2019-05-29.
- CAPEC
MITRE, Common Attack Pattern Enumeration and Classification. http://capec.mitre.org/, retrieved 2019-04-19.
- CATB
Eric Raymond, The Cathedral and the Bazaar. http://www.catb.org/esr/writings/cathedral-bazaar/cathedral-bazaar/, retrieved 2019-05-31.
- Cheung
Chun Yu Cheung, Threat Modeling Techniques. Draft 0.91. http://www.safety-and-security.nl/uploads/cfsas/attachments/SPM5440%20%26%20WM0804TU%20-%20Threat%20modeling%20techniques%20-%20CY%20Cheung.pdf, retrieved 2019-04-19.
- CII3Years
Core Infrastructure Initiative, Core Infrastructure Initiative Celebrates 3 Year Anniversary. https://www.coreinfrastructure.org/blogs/core-infrastructure-initiative-celebrates-3-year-anniversary/, retrieved 2019-02-13.
- CIIBadge
Core Infrastructure Initiative, Badge Program. https://www.coreinfrastructure.org/programs/badge-program/, retrieved 2019-07-08.
- CioInsight
Michael Vizard, App Testing Now Consumes a Quarter of IT Budget. https://www.cioinsight.com/it-strategy/application-development/slideshows/app-testing-now-consumes-a-quarter-of-it-budget.html, retrieved 2019-05-21.
- CodeSearch
Google, CodeSearch. https://github.com/google/codesearch, retrieved 2019-04-23.
- ComputerWeekly
Cliff Saran, Application testing costs set to rise to 40% of IT budget. https://www.computerweekly.com/news/4500253336/Application-testing-costs-set-to-rise-to-40-of-IT-budget, retrieved 2019-05-21.
- Cscope
Sourceforge.net, Cscope. http://cscope.sourceforge.net/, retrieved 2019-04-23.
- Ctags
Sourceforge.net, Exuberant Ctags. http://ctags.sourceforge.net/, retrieved 2019-04-23.
- CVE
MITRE, Common Vulnerabilities and Exposures. http://cve.mitre.org/index.html, retrieved 2019-02-15.
- CVSS
NIST, Vulnerability Metrics. https://nvd.nist.gov/vuln-metrics/cvss, retrieved 2019-02-15.
- CWE
MITRE, Common Weakness Enumeration. http://cwe.mitre.org/, retrieved 2019-04-19.
- Danezis
George Danezis, Principles of Computer Security. https://handouts.secappdev.org/handouts/2014/George%20Danezis/SecAppDev-2014-01-Principles.pdf, retrieved 2019-05-29.
- DeepSpec
DeepSpec, About. https://deepspec.org/page/About/, retrieved 2019-05-21.
- FFS
T.C. Hemel and J.A. de Vries, Framework Secure Software. http://www.securesoftware.nl/resources/FrameworkSecureSoftware_v1.pdf, retrieved 2019-05-17.
- Github
Github, About security alerts for vulnerable dependencies. https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/, retrieved 2019-02-15.
- Fogel
Karl Fogel, Producing Open Source Software: How to Run a Successful Free Software Project. https://producingoss.com/, retrieved 2019-06-05.
- GotoFail
Adam Langley, Apple's SSL/TLS bug. https://www.imperialviolet.org/2014/02/22/applebug.html, retrieved 2019-04-22.
- Grönke
Stefan Grönke, Hardening Open Source Development. https://media.ccc.de/v/34c3-9249-hardening_open_source_development, retrieved 2019-06-07.
- Hound
Kelly Norton & Jonathan Klein, Hound. https://github.com/hound-search/hound, retrieved 2019-04-23.
- iPhoneHacks
Rajesh Pandey, Apple’s Bug Bounty Program Fails to Take off as iOS Bugs Are Too Valuable to Disclose. http://www.iphonehacks.com/2017/07/apples-bug-bounty-program-fails-take-off-ios-bugs-valuable-disclose.html, retrieved 2019-05-31.
- JurczykColdwind
Mateusz Jurczyk and Gynvael Coldwind, FFmpeg and a thousand fixes. https://security.googleblog.com/2014/01/ffmpeg-and-thousand-fixes.html, retrieved 2019-05-29.
- Kadlec
Tim Kadlec, Understanding Responsible Disclosures. https://snyk.io/blog/understanding-responsible-disclosures/, retrieved 2019-05-31.
- Knuth
D.E. Knuth, Notes on the van Emde Boas construction of priority deques: an instructive use of recursion. Classroom notes, Stanford University, March 1977. https://staff.fnwi.uva.nl/p.vanemdeboas/knuthnote.pdf, retrieved 2019-05-28.
- KohnfelderGarg
Loren Kohnfelder and Praerit Garg, The Threats to Our Products. April 1, 1999. https://adam.shostack.org/microsoft/The-Threats-To-Our-Products.docx, retrieved 2019-02-19.
- LakhaniWolf
Karim R. Lakhani & Robert G. Wolf, Why Hackers Do What They Do: Understanding Motivation and Effort in Free/Open Source Software Projects. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.85.2689&rep=rep1&type=pdf, retrieved 2019-06-05.
- Levefre
François Lefèvre, Docker and IPtables. https://fralef.me/docker-and-iptables.html, retrieved 2019-06-04.
- LINDDUN
DistriNet Research Group, LINDDUN: Privacy Threat Modeling. https://linddun.org/, retrieved 2019-06-07.
- LinuxBugsNotShallow
Sean Michael Kerner, Why All Linux (Security) Bugs Aren’t Shallow. February 2015. https://www.esecurityplanet.com/open-source-security/why-all-linux-security-bugs-arent-shallow.html, retrieved 2019-02-13.
- LinuxFoundation
Ibrahim Haddad & Brian Warner, Understanding the Open Source Development Model. http://www.ibrahimatlinux.com/uploads/6/3/9/7/6397792/00.pdf, retrieved 2019-06-04.
- LXR
The LXR Project Web-Site. https://lxr.sourceforge.io/en/index.php, retrieved 2019-04-23.
- MASVS
OWASP, Mobile Application Security Verification Standard, Version 1.1. https://github.com/OWASP/owasp-masvs/releases/download/1.1/OWASP_Mobile_AppSec_Verification_Standard_v1.1.pdf, retrieved 2019-04-19.
- McGraw
Gary McGraw, Software Security, Building Security In. Addison-Wesley, 2006.
- Meyer
Benjamen Meyer, Docker Network bypasses Firewall, no option to disable. https://github.com/moby/moby/issues/22054, retrieved 2019-06-04.
- MITRE
MITRE, Sample Secure Code Review Report. https://www.mitre.org/sites/default/files/publications/secure-code-review-report-sample.pdf, retrieved 2019-04-25.
- Mozilla
Mozilla, Handling Mozilla Security Bugs. https://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/, retrieved 2019-05-31.
- NCCGroup
NCC Group, Fix Bounty. https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/march/fix-bounty/, retrieved 2019-06-05.
- OpenGrok
Oracle, OpenGrok. https://oracle.github.io/opengrok/, retrieved 2019-04-23.
- OSSFuzz
Google, OSS-Fuzz - continuous fuzzing of open source software. https://github.com/google/oss-fuzz/, retrieved 2019-05-29.
- OSSSurvey2017
GitHub, Open Source Survey 2017. https://opensourcesurvey.org/2017/, retrieved 2019-02-13.
- OWASP
OWASP, The OWASP Foundation, the free and open software security community. https://www.owasp.org/index.php/Main_Page, retrieved 2019-06-05.
- OWASPCRG
OWASP, OWASP Code Review Guide. https://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents, retrieved 2019-04-25.
- OWASPDAST
OWASP, Category:Vulnerability Scanning Tools. https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools, retrieved 2019-05-29.
- OWASPPTM
OWASP, Penetration testing methodologies. https://www.owasp.org/index.php/Penetration_testing_methodologies, retrieved 2019-05-29.
- OWASPTG
OWASP, OWASP Testing Guide v4. https://www.owasp.org/index.php/OWASP_Testing_Project, retrieved 2019-05-29.
- RFC3833
Atkins & Austein, Threat Analysis of the Domain Name System (DNS). August 2004. https://www.ietf.org/rfc/rfc3833.txt, retrieved 2019-04-19.
- RFC3552
Rescorla & Korver, Guidelines for Writing RFC Text on Security Considerations. July 2003. https://www.ietf.org/rfc/rfc3552.txt, retrieved 2019-04-19.
- RFC6819
Lodderstedt, et al., OAuth 2.0 Threat Model and Security Considerations. January 2013. https://www.ietf.org/rfc/rfc6819.txt, retrieved 2019-04-19.
- RFC7132
Kent & Chi, Threat Model for BGP Path Security. February 2014. https://www.ietf.org/rfc/rfc7132.txt, retrieved 2019-04-19.
- SAFECode
Stacy Simpson, Fundamental Practices for Secure Software Development - A Guide to the Most Effective Secure Development Practices in Use Today. October 2008. http://safecode.org/publication/SAFECode_Dev_Practices1108.pdf, retrieved 2019-04-22.
- SAMATE
NIST. Source Code Security Analyzers. https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html, retrieved 2019-05-19.
- SAMM
OWASP, OWASP SAMM Project. https://www.owasp.org/index.php/OWASP_SAMM_Project, retrieved 2019-07-01.
- Sarkar
Advait Sarkar, The impact of syntax colouring on program comprehension. PPIG 2015. http://www.ppig.org/sites/default/files/2015-PPIG-26th-Sarkar.pdf, retrieved 2019-04-23.
- Schneider
Fred B. Schneider, Blueprint for a science of cybersecurity. https://www.cs.cornell.edu/fbs/publications/SoS.blueprint.pdf, retrieved 2019-05-29.
- Schneier2002
Bruce Schneier, Crypto-Gram, May 15, 2002. https://www.schneier.com/crypto-gram/archives/2002/0515.html, retrieved 2019-05-31.
- Schneier2008
Bruce Schneier, Random Number Bug in Debian Linux. May 2008. https://www.schneier.com/blog/archives/2008/05/random_number_b.html, retrieved 2019-04-22.
- Seacord
Robert Seacord, fgets() and gets_s(). September 2005. https://www.us-cert.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s, retrieved 2019-04-22.
- Shostack
Adam Shostack, Threat Modeling, designing for security. Wiley, 2014.
- STH
Software Testing Help, Top 10 Most Popular Code Review Tools for Developers and Testers. https://www.softwaretestinghelp.com/code-review-tools/, retrieved 2019-04-26.
- Traxiom
Triaxiom Security, Disadvantages of a Bug Bounty Program. https://www.triaxiomsecurity.com/2018/12/10/disadvantages-of-a-bug-bounty-program/, retrieved 2019-06-05.
- TUF
The Update Framework. https://theupdateframework.github.io/, retrieved 2019-06-07.
- UserFriendly
Iliad, User Friendly cartoon for Oct 02, 2000. https://web.archive.org/web/20011218081203/http://ars.userfriendly.org:80/cartoons/?id=20001002, retrieved 2019-04-27.
- Wheeler
David A. Wheeler, High Assurance (for Security or Safety) and Free-Libre / Open Source Software (FLOSS)… with Lots on Formal Methods / Software Verification. https://dwheeler.com/essays/high-assurance-floss.html, retrieved 2019-06-05.
- WikipediaLinusLaw
Wikipedia, Linus's Law. https://en.wikipedia.org/wiki/Linus%27s_law, retrieved 2019-02-13.
- WikipediaObscurity
Wikipedia, Security through obscurity. https://en.wikipedia.org/wiki/Security_through_obscurity, retrieved 2019-02-13.
- Winkler
Ira Winkler, A simple cure for the cybersecurity skills shortage. https://www2.computerworld.com/article/2488336/a-simple-cure-for-the-cybersecurity-skills-shortage.html, retrieved 2019-06-04.
- Zerodium
Zerodium, Our Exploit Acquisition Program. https://zerodium.com/program.html, retrieved 2019-05-31.