
Ask HN: Best Practical InfoSec Resources for Developers? - dasil003
I'm a long-time web developer and tech lead with good fundamentals on basic implementation-level security (i.e. injection, SQL, data leakage, auth schemes). I've also been responsible for infrastructure for several smaller companies.

Now I'm transitioning into a security role where I'll need to shift my perspective towards compliance and risk assessment, and generally think more holistically about the overall infrastructure and human processes required to keep critical data secure in a mid-stage company.

What resources (books, blogs, whitepapers, standards, meetups, conferences, etc.) would you recommend for a developer to make this transition and get their arms (and psychology) around the big picture of InfoSec?
======
chasb
Hey, wanted to reply and drop you a note. I'm a co-founder at Aptible, and we
spend a lot of time thinking about how to help developers in your situation.

In terms of general reading, I'd suggest:

--------------

Blogs:

Bruce Schneier [0]

Brian Krebs [1]

--------------

Whitepapers:

- Google's BeyondCorp paper touches on issues that most cloud-first companies
will find familiar [2]

- AWS has a few that are good for seeing how a large company communicates the
scope of its security program to customers and potential customers. [3] I'd
start with "Introduction to AWS Security Processes" aka "Overview of Security
Processes" and "AWS Risk and Compliance".

- Verizon's Data Breach Investigations Reports [4]

--------------

Standards:

- Request your IaaS provider's SOC 2 Type II report

- ISO 27001 is worth buying

- The Cloud Security Alliance's CCM tries to cross-map different frameworks,
and is a good reference for a high-level rundown of various security
management controls and activities [5]

--------------

In terms of books, conferences, and meetups, I'm sure there is good stuff out
there that I'm not aware of because of limitations on my time, sorry.

I hope this is helpful. Good luck! You (or anyone reading) can reach out to me
at the email in my profile to chat about any of this.

p.s. Shameless plug: We are launching a product for managing infosec +
compliance programs at companies like yours.

--------------

[0] [https://www.schneier.com/](https://www.schneier.com/)

[1] [https://krebsonsecurity.com/](https://krebsonsecurity.com/)

[2] [https://static.googleusercontent.com/media/research.google.c...](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf)

[3] [https://aws.amazon.com/security/security-resources/](https://aws.amazon.com/security/security-resources/)

[4] [http://www.verizonenterprise.com/verizon-insights-lab/dbir/](http://www.verizonenterprise.com/verizon-insights-lab/dbir/)

[5] [https://cloudsecurityalliance.org/group/cloud-controls-matri...](https://cloudsecurityalliance.org/group/cloud-controls-matrix/)

