Security Entities and Centers

• CERT Coordination Center (CERT/CC)
  Computer Emergency Response Team (CERT) / Control Center.
  CERT/CC were started by the Defense Applied Research Projects Agency (DARPA, U.S. Department of Defense) in December 1988, after the Morris Worm incident crippled approximately 10% of all computers connected to the Internet. The CERT/CC is a center of Internet security research and development, operated by Carnegie Mellon University, Software Engineering Institute (SEI).
  Vulnerabilities, incidents and fixes; Security practices and evaluations; Survivability research and analysis; Training and education. Alerts, Events, Papers, FTP Archives, Tech Tips, Annual Reports, Other Sources (books, groups and mailing lists, tools, Internet Security Glossary [RFC-2828]).
  
  • Vulnerability Notes Database
  • Automated Incident Reporting (AirCERT)
  • CERT Advisories 1988-2004
• Internet Security Alliance (ISA)
  Despite the very real threats present, ISA provides members with a single portal for up to-the-minute threat reports, best security practices, risk management strategies, and more, which will give them the edge in the competitive and volatile environment of the Internet. Working Groups, Conferences, News, Resources.
  The alliance is a collaborative effort between CERT Coordination Center (CERT/CC) at Carnegie Mellon University's SEI, and the Electronic Industries Alliance (EIA), a federation of trade associations.
• FIRST - Forum of Incident Response and Security Teams
  Founded in 1990, this forum congregates incident response and security teams across the world to ensure a safe internet for all, providing global coordination, standards aiming that incident responders around the world speak and understand the same global language, policy and governance.
  FIRST Standards: Traffic Light Protocol (TLP) (set of designations used to ensure that sensitive information is shared with the appropriate audience), Common Vulnerability Scoring System (CVSS) (rules to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity), Information Exchange Policy (IEP).
  FIRST Members Information.
• CSRC - Computer Security Resource Center, NIST
  National Institute of Standards and Technology (NIST), USA.
  Projects and research in computer security (Cybersecurity Framework, National Vulnerability Database - NVD, and many others), Publications (Federal Information Processing Standards - FIPS - security standards, NIST Special Publications - SP - security guidelines and recommendations).
• Center for Education and Research in Information Assurance and Security (CERIAS)
  Purdue University
  CERIAS is a world's foremost university center for multidisciplinary research and education in areas of information security (computer, network, and communications security), and information assurance. The pioneer laboratory COAST - Computer Operations, Audit, and Security Technology, of Purdue University Computer Science Department, is now part of CERIAS.
  COAST Projects and Tools, COAST Library.
• SANS Institute - System Administration, Networking, and Security
  Resources, Security Digests, Events, Publications, Alerts and Analysis.
  Critical Security Controls - The Top 20 Internet Security Threats - How To Eliminate - SANS Resources.
  
  • SANS - Internet Storm Center (ISC)
    Cooperative Cyber Threat Monitor and Alert System - Current infosec news and analysis.
  • SANS Newsletters
    SANS NewsBites and @RISK: The Consensus Security Alert - weekly.
• US-CERT - Cybersecurity and Infrastructure Security Agency (CISA)
  National Cyber Awareness System of USA Government, United States Computer Emergency Readiness Team (US-CERT). Established in 2003 to protect the United States Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation.
  Home and Business Resources. Cyber Security Tips.
• ISSA - Information Systems Security Association
  ISSA is the world's premier association for information security professionals, with 22 years of existence (since 1985) and over 100 chapters around the world.
• Institute for Security and Open Methodologies (ISECOM)
  ISECOM is an open-source, collaborative, non-profit (in the USA and Spain since January 2001), scientific security research organization and community, registered in Catalunya, Spain. They are dedicated to providing practical security awareness, research, certification and business integrity. ISECOM provides certification, training support, and project support services for non-partisan and vendor-neutral funding of projects and infrastructure. Their research, training programs, standards, and best practices are truly neutral, performed without commercial, national or partisan influence. All documents are available under Copyleft and the Open Methodology License.
  Research - Business: Business Integrity Testing (BIT), Security Metrics (ravs), Security Employee Evaluation (JAT), Security Maturity Model (SOMA), Security Testing and Analysis (OSSTMM - Open Source Security Testing Methodology Manual), Security Testing Tools, Sourcecode Analysis (SCARE), Software Security Testing (STICK), Secure Programming Standards (SPSMM - Methodology Manual); Home and Family: Home Security (HSM), Child Security Awareness, Teen Security Awareness (Hacker Highschool), Smarter Safer Better, Bad People Project; Academic: Networking Protocols (OPRP), Trusted Computing (AVIT), Hacker Profiling Project (HPP).
• Computer Security Institute (CSI)
  CSI is the world's leading membership organization specifically dedicated to serving and training the information, computer and network security professional, since 1974.
  CSI/FBI Annual Computer Crime and Security Survey (PDF download, through free registration). Eleventh Annual CSI/FBI Computer Crime and Security Survey 2006, 2005 CSI/FBI Survey .
• Computer Security Institute (CSI)
  CSI was a professional organization of security practitioners, from system administrators to CISO, founded in 1974. CSI is best known for the annual survey that began to conduct in 1996 in collaboration with the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad and researchers from University of Maryland: CSI/FBI Annual Computer Crime and Security Survey. In 2007, FBI disappeared from the title of the study reports. The 15th and last edition was released in 2010/2011.
  2000, 2001 - 2007, 2008, 2009, 2010/2011.
• Computer Crime & Intellectual Property Section (CCIPS)
  United States Department of Justice. Computer Crime, Intellectual Property, Electronic Evidence, Other High Tech Legal Issues.
• AusCERT - Australian Computer Emergency Response Team
  Resources: Security Advisories and Bulletins, Security Tools Archive, AusCERT Papers, References and other sources of information.
• CERT.br -- Computer Emergency Response Team Brazil
  Brazilian Computer Emergency Response Team. Antigo NBSO - NIC BR Security Office, que passou a se chamar CERT.br em 31 de maio de 2005. Created by The Brazilian Internet Steering Committee and maintained by the Brazil's Network Information Center (NIC.br). NBSO acts by coordinating the actions and providing information to sites involved on security incidents. The Network Security Working Group has several subgroups working on security tools, docs and drafts for emergency procedures and organizational standards for the Internet/BR.
  Cartilha de Segurança para Internet, destinada a usuários da Internet (HTML e PDF).
  Práticas de Segurança para Administradores de Redes Internet, manual and checklist (HTML and PDF).
  
  • Brazilian CSIRTs Contact Information
• RNP CAIS - Centro de Atendimento a Incidentes de Segurança [Portuguese]
  By RNP - National Research Network, Brazil. O CAIS registra e acompanha problemas de segurança no backbone e PoPs da RNP, incluindo auxílio à identificação de invasões e reparo de danos causados por invasores. Cabe, ainda, ao CAIS a disseminação de informações sobre ações preventivas relativas a segurança de redes. Filiado ao FIRST desde setembro de 2001.
• ICSA Labs
  A division of Verizon Enterprise (icsa.net).
  ICSA Labs sets standards and certification for commercial security products. ICSA Product Certification: Anti-Virus Software, Network Firewalls, IPSec Products, Cryptography Products.
  ICSA Labs also coordinates numerous industry consortia to facilitate information sharing and standardization practices within the security industry. Consortia and communities: Anti-Virus, Cryptography, Firewall, IDS - Intrusion Detection Systems, IPSec, ISPSec - Internet Service Providers Security, PKI - Public Key Infrastructure.
• West Coast Lab's Checkmark
  Checkmark is a system which tests and certifies computer security products. Anti-Virus Level 1, Anti-Virus Level 2, Trojan, Firewall, VPN, Application Gateway. check-mark.com.
• IETF Security Area
  Internet Engineering Task Force (IETF).
• IEEE Technical Committee on Security and Privacy (TCSP)
  IEEE Computer Society.
  Cipher: The Newsletter of the IEEE Computer Society Technical Committee on Security and Privacy. Cipher Past Issues Archive. Cipher Book Reviews.
• Stanford Information Security Office
  SUNSeT - Stanford University Network Security Team.

Vulnerability Databases

• Common Vulnerabilities and Exposures (CVE)
  Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides standardized common names for vulnerabilities and other information security exposures. CVE aims to standardize the names of all publicly known vulnerabilities and security exposures, making it easier to share data across separate network security databases and tools that are CVE-compatible. CVE also provides a baseline for evaluating the coverage of an organization's security tools. CVE content is determined by the CVE Editorial Board, composed of experts from the international information security community. The MITRE Corporation maintains CVE and manages the Editorial Board.
• National Vulnerability Database (NVD)
  National Institute of Standards and Technology (NIST), sponsored by DHS National Cyber Security Division/US-CERT.
  NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.
• CVE Details
  cvedetails.com provides an easy to use web interface to CVE vulnerability data. You can browse for vendors, products and versions and view cve entries, vulnerabilities, related to them. You can view statistics about vendors, products and versions of products. CVE details are displayed in a single, easy to use page. CVE vulnerability data are taken from National Vulnerability Database (NVD) xml feeds provided by National Institue of Standards and Technology.
• Secunia Advisories
  By Secunia Computer Security - Software and Alerts.
  Secunia monitors vulnerabilities in more than 4000 products, including: operating systems, browsers, IMs, anti-virus, firewalls, routers, and much, much more.
  Secunia Blog, used to communicate their opinions about vulnerabilities, security, ethics, and their responses to articles, research papers, and other blog entries regarding Secunia and vulnerabilities.
  Secunia Vulnerability Review.
• SecurityFocus - Vulnerabilities
  Vulnerabilities search by vendor or CVE.
• Exploit Database (EDB)
  The Exploit Database is an ultimate archive of exploits and vulnerable software. A great resource for penetration testers, vulnerability researchers, and security addicts alike. Our aim is to collect exploits from submittals and mailing lists and concentrate them in one, easy to navigate database.
• Open Sourced Vulnerability Database (OSVDB)
  OSVDB's goal is to provide accurate, detailed, current, and unbiased technical security information. The project currently covers almost 100000 vulnerabilities.

---

Security Information Centers from Vendors

Microsoft

• Microsoft Security Central
  Security Bulletins, Resources, Information, Tools & Checklists, Products & Technologies, MSDN Security Site, Security Updates.
• Microsoft Security Intelligence - Antimalware and Cybersecurity Portal
  Malware and Threat Encyclopedia.
• Microsoft Security at Home
  Protect your computer - 4 steps to protect your PC:
  • Keep your firewall turned on
  • Keep your operating system up-to-date
  • Use updated antivirus software
  • Use updated antispyware technology
  Protect yourself:
  • Follow Internet safety guidelines
  • Protect your personal information from ID theft
  • Use anti-spam and anti-phishing technologies
  Protect your family - Parental supervision and age-based guidance:
  • Keep communication open
  • Set clear rules for Internet use
  • Keep personal data private
  • Use technology to help reduce risks
• TechNet Security Site
  Microsoft TechNet Security Tools and Checklists, Security Administration: Best Practices, Internet/Intranet, Messaging and Collaboration, Database, Network. Hot Fix Central, Security Resources, Security Updates.
  Microsoft IT Pro Security Zone: Microsoft security newsgroups, chats and communities.
• Microsoft Baseline Security Analyzer (MBSA)
  As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.2 includes a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows 2000, Windows XP, and Windows Server 2003 systems and will scan for common system misconfigurations and missing security updates for the following products: Windows NT4, 2000, XP and 2003, Internet Information Server (IIS), SQL Server, Internet Explorer, Exchange Server, Windows Media Player, Microsoft Data Access Components (MDAC), MSXML, Microsoft Virtual Machine (MSVM), Commerce Server, Content Management Server, BizTalk Server, Host Integration Server, Office.
  MBSA uses HFNetChk technology from Shavlik.
• Internet Explorer Downloads
  Critical Updates, Recommended Updates, other downloads.
  Microsoft Internet Explorer Home: Technical Resources, Downloads, general information about IE.
• Windows High Encryption Packs (128-bit)
  128-bit Security cryptography for IE/Windows, now available worldwide (outside USA).
  Internet Explorer High Encryption Pack (128-bit), Windows 2000 High Encryption Pack (128-bit). Download (EN).
• Microsoft Windows Update
  Online utility for download Critical and Recommended Windows security updates.
  Manual Download of Updates and Service Packs:
  • Windows XP Downloads Professional & Home Edition: Windows XP Security Updates and News, Windows XP Service Pack 3.
• Microsoft Office Online Updates
  Microsoft Office Downloads.
  Microsoft Office Resource Kit - ToolBoox.
• Microsoft Technical Security Notifications
  Get notified of important security updates. To help you maintain a safe computing environment, Microsoft offers e-mail alerts that notify you when we release an important security bulletin or virus alert, or when you might need to take action to guard against a circulating threat.

Oracle

• Oracle Technology Network - Security
  Oracle Platform Security.
  Oracle Critical Patch Updates and Security Alerts.
• Oracle Security Blog By Oracle Corp. See also: Oracle Cloud Security, Oracle Database Insider - Security Blog.

Mozilla & Netscape

• Mozilla Security Center
  
  • Mozilla Foundation Security Advisories for all products, by date since January 21, 2005.
  • Known Vulnerabilities in Mozilla Products: Firefox browser, Thunderbird e-mail client, SeaMonkey suite, older (Mozilla Suite) products advisories.
  • Security - Mozilla Firefox
  • Mozilla Security Blog
  • Mozilla Security Projects
  • Mozilla Firefox Web Browser - Safe Web Browsing
  • Additional information on Firefox Releases, Thunderbird Releases.
• Fortify for Netscape
  Outside USA, Fortify is a wat to update your Netscape browser to support maximum strong cryptography. Fortify for Netscape is a program that provides world-wide, unconditional, full strength 128-bit cryptography to users of Netscape Navigator (v3, v4) and Communicator (v4). Free for non-commercial use.

Apache Software Foundation

Apache httpd

• Apache httpd 2.4 vulnerabilities
  See also Apache httpd 2.2 vulnerabilities.
• Apache HTTP Server - Security Tips
  See also 2.0 Security Tips e 1.3 Security Tips.
• Secunia vulnerability reports for Apache httpd
• Apache Security
  Portal of resources, updates, and news maintained by Ivan Ristic, author of book Apache Security (O'Reilly, 2005, 420 pp., ISBN-10: 0-596-00724-8).
• Apache Security - CGISecurity.com
  By CGI Security.
• Securing Apache 2: Step-by-Step
  By Artur Maj, 2004-06-21.

Apache Tomcat

• Apache Tomcat 6.x vulnerabilities
  See also Apache Tomcat 5.x vulnerabilities, Apache Tomcat 4.x vulnerabilities, Apache Tomcat JK Connectors vulnerabilities.
• Secunia vulnerability reports for Apache Tomcat: Apache Tomcat 6.x, Apache Tomcat 5.x, Apache Tomcat 4.x, Apache Tomcat JK Web Server Connector 1.x.

Others

• Adobe Security Bulletins and Advisories
  Security patches, bulletins and technical briefs about Adobe products.
  Adobe Security.
• Red Hat IT Security
  Security Resource Center.
  Red Hat Security Response Team.
• PayPal Security Center
• McAfee Labs
  Formerly McAfee Research and NAI Labs, is a research and development center for advanced technology on network security and information systems. McAfee Advanced Threat Research.
• McAfee Security Research
  McAfee Research (former NAI Labs) is a world lead in research and development of advanced network and information systems security technology, with international reputation for excellence in this field of research.

---

Information Systems Audit, Forensics and Control

• Category: Information technology audit
  From Wikipedia, the free encyclopedia. Information technology audit, Information security audit.
• Information Systems Audit and Control Association (ISACA)
  Serving IT Governance Professionals.
  Val IT: governance framework and supporting publications addressing the governance of IT-enabled business investments.
  Professional Certification: Certified Information Systems Auditor (CISA); Certified Information Security Manager (CISM).
• ISACA Capítulo SP [Em Português]
  Atendendo aos Profissionais de Governança de TI.
• CNASI - Congresso Nacional de Auditoria de Sistemas, Segurança da Informação e Governança [Em Português]
  Evento anual organizado por IDETI.
• Category: Forensics
  From Wikipedia, the free encyclopedia. Computer forensics.
• Perícia Forense Aplicada à Informática [Em Português]
  Artigos. Informações: Quiz, Notícias, Cursos, Links, Livros, Grupo de Discussão. Revista Evidência Digital.
• IBP Brasil - Instituto Brasileiro de Peritos em Comércio Eletrônico e Telemática
• DFRWS - Digital Forensic Research Workshop
  DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. As a non-profit, volunteer organization, DFRWS sponsors annual conferences, technical working groups, and challenges to help drive the direction of research and development.
• Digital Evidence
  Digital Investigation / Forensics and Evidence Research. By Brian Carrier.
• Open Source Digital Forensics
  By Brian Carrier.

---

Certification for Security Professionals

• (ISC)2
  (ISC)² - International Information Systems Security Certification Consortium.
  CISSP - Certified Information Systems Security Professional.
  SSCP - Systems Security Certified Practitioner.
  Official (ISC)² Textbooks - Guides to CISSP, ISSAP, ISSMP, CAP, CCFP, CSSLP, SSCP, HCISPP CBKs.
• CompTIA Security+ Certification
  CompTIA Security+ is a vendor-neutral certification exam endorsed by many large companies worldwide as a reference of competency for foundation-level security practitioners. Domains of Security+ Objectives: General Security Concepts (30%), Communication Security (20%), Infrastructure Security (20%), Basics of Cryptography (15%), Operational/Organizational Security (15%).
• ISECOM/OSSTMM Certification
  By Institute for Security and Open Methodologies (ISECOM).
  OOSTMM Professional Security Analyst (OPSA), Professional Security Tester (OPST), Professional Security Expert (OPSE), Wireless Security Expert (OWSE), Certified Trust Analyst (CTA), Security Awareness Instructor (SAI). Hacker Highschool Teacher (HSST).
• cccure.org - The CISSP and SSCP Open Study Guides Web site
  By Clement and Nathalie. On this site you will find resources to help you prepare and study for the CISSP, SSCP, CAP, ISSEP, CISM, CISA, ISSPCS, SANS GIAC GCFW certifications. Study Guides, Tips, Links, Forums & mailing lists, Quizzes.
• Cissp.com
  Web portal for certified information systems security professionals.
• CISSPstudy -- The CISSP Study Mailing list
  By ccure.org.