SecurityDrops is about giving You essential, need-to-know knowledge regarding web security in an easily consumable, causal format: a security-drop!
What's in it for you?
First, learning about security as a software engineer is a smart career move. You can't avoid it in the long run, and yet if you are confident in the field, you are more valuable to your Team and your company. During your career, you will inevitably have to deal with security-related problems, and you better be prepared!
Second, having this knowledge makes you a better engineer. You see problems and opportunities others don't. Your out-of-the-box thinking is more advanced as security requires a whole lot of it. You are also able to combine ideas from software engineering and security to come up with better solutions.
And third, security is a timeless knowledge. Principles don't change. Simple attacks like XSS and SQL injection were here ten years ago, and they are still prominent today. Modern security constructs, like OAuth, will be with us for decades to come. Encryption, authentication, authorization and the like will never go out of style. This knowledge is independent of languages and frameworks. It stood the test of time and will stand it again and again.
So, what stands in the way?
Information is out there, lots of it. Today, the problem is not availability but relevancy and organization. There are lots of great resources, think Mozilla's MDN, countless security books, hacker sites, and numerous blog posts and Q&A sites. For instance, I think you can learn decent web security from Stack Exchange.
Dangerous? Maybe, why? Because you don't know what to trust yet. It is only an excellent resource if you know what they are talking about. For someone in security, SE deepens their knowledge. For someone unfamiliar with the topic, it seems chaotic and full of conflicting answers.
Unknown unknowns
What about blog posts? It depends. If you are lucky, it answers just the question you have. Here is the catch: how did you come up with the problem? Is it the right question to ask? A quick example.
A junior comes to you asking how you sort and filter a list quickly. You discuss different filtering APIs and talk about sorting techniques, and you end up suggesting quicksort. In the end, driven by curiosity you ask what exactly your apprentice is trying to achieve?
Oh, I need to filter and sort the results I got back from MySQL
Just as he starts to leave, you scream STOP and take a deep breath. Once he returns you calmly tell him to use SQL for this.
See how you answered the question you were asked correctly, but in the end, it would have resulted in something way off track.
That's why you need to know the context. With security, it is a bit harder, as a lot of concepts are unnecessarily complicated and obscured. Secure coding is on the borderline of software engineering and security expertise. To reap the benefits, you need to know when, and how to get help. The wise saying applies here; you are most dangerous when you know just enough to think you know everything.
Where to next?
What's missing is a structure to the learning process; a system to show you exactly where you are and where you need to go. Having such a system can significantly increase the speed and depth of learning. It also helps you connect different pieces of knowledge to form a more effective network.
The goal is to be confident enough in this field to trust what you know and recognize the gaps you need to explore further. How?
By having a solid foundation, you can build on, knowing the jargon and seeing the big picture. This is what SecurityDrops offers. A systematic learning and introduction to save you lots of time and allow you to enjoy the process of exploring the field of web security. And, my mission is to guide you along the way.
Ready, let's move out!