Resources: Whitepapers
Most of these computer security white papers have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS Software Security attempts to ensure the accuracy of information, but papers are published "as is".

Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

Application and Database Security
Top 5 Considerations for Multicloud Security Brandon Evans Apr 22, 2020
How to Secure App Pipelines in AWS Dave Shackleford Oct 16, 2019
JumpStart Guide to Application Security in Amazon Web Services Nathan Getty Sep 27, 2019
Adapting AppSec to a DevOps World Rebecca Deck Jul 16, 2019
Runtime Application Self-Protection (RASP), Investigation of the Effectiveness of a RASP Solution in Protecting Known Vulnerable Target Applications Alexander Fry May 1, 2019
One-Click Forensic Analysis: A SANS Review of EnCase Forensic Jake Williams Jun 27, 2018
Cloud Security: Are You Ready? Dave Shackleford Jun 18, 2018
Tailoring Intelligence for Automated Response Sonny Sarai May 2, 2018
Bug Bounty Programs: Enterprise Implementation Jason Pubal Jan 17, 2018
2017 State of Application Security: Balancing Speed and Risk Jim Bird Oct 24, 2017
AppSec: ROI Justifying Your AppSec Program Through Value-Stream Analysis Jim Bird Oct 4, 2017
Asking the Right Questions: A Buyer's Guide to Dynamic Scanning to Secure Web Applications Barbara Filkins Sep 12, 2017
Testing Web Apps with Dynamic Scanning in Development and Operations Barbara Filkins Jun 15, 2017
Security by Design: The Role of Vulnerability Scanning in Web App Security Barbara Filkins Jun 7, 2017
Using Cloud Deployment to Jump-Start Application Security Adam Shostack May 24, 2017
Moving Toward Better Security Testing of Software for Financial Services Steve Kosten Feb 9, 2017
2016 State of Application Security: Skills, Configurations and Components Johannes Ullrich, PhD Apr 26, 2016
Protection from the Inside: Application Security Methodologies Compared Jacob Williams Apr 27, 2015
Web Application Firewalls Jason Pubal Mar 18, 2015
Protecting Access to Data and Privilege with Oracle Database Vault Pete Finnigan Jan 29, 2015
Data Encryption and Redaction: A Review of Oracle Advanced Security Dave Shackleford Nov 25, 2014
Secure Design with Exploit Infusion Wen Chinn Yew Nov 11, 2014
Building an Application Vulnerability Management Program Jason Pubal Jul 28, 2014
Incident Response in a Microsoft SQL Server Environment Juan Walker Jul 9, 2014
SANS Survey on Application Security Programs and Practices Jun 17, 2014
Oracle Advanced Security Tanya Baccam Jun 17, 2014
Next-Generation Datacenters = Next-Generation Security Dave Shackleford Jun 17, 2014
SANS Institute Review: Oracle Database Vault Tanya Baccam Jun 17, 2014
2013 SANS Mobile Application Security Survey Jun 17, 2014
Integrating Security into Development, No Pain Required Dave Shackleford Jun 17, 2014
Security of Applications: It Takes a Village Dave Shackleford Jun 17, 2014
Application Security: Tools for Getting Management Support and Funding John Pescatore Jun 17, 2014
Securing Web Applications Made Simple and Scalable Gregory Leonard Jun 17, 2014
Enabling Social Networking Applications for Enterprise Usage Eric Cole, PhD Jun 17, 2014
Oracle Database Security: What to Look for and Where to Secure Tanya Baccam Jun 17, 2014
Making Database Security an IT Security Priority Tanya Baccam Jun 17, 2014
Database Activity Monitoring and Audit: A Review of Oracle Audit Vault and Database Firewall Tanya Baccam Jun 17, 2014
Survey on Application Security Programs and Practices Jun 17, 2014
How to Win Friends and Remediate Vulnerabilities Chad Butler Mar 27, 2014
Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment Jeremy Druin Dec 4, 2013
Protecting applications against Clickjacking with F5 LTM Michael Nepomnyashy Dec 4, 2013
A Hands-on XML External Entity Vulnerability Training Module Carrie Roberts Dec 4, 2013
Web Application Injection Vulnerabilities: A Web App's Security Nemesis? Erik Couture Jun 14, 2013
Setting Up a Database Security Logging and Monitoring Program Jim Horwath May 10, 2013
Endpoint Security through Application Streaming Adam Walter Mar 25, 2013
Auditing ASP.NET applications for PCI DSS compliance Christian Moldes Feb 7, 2012
Securing Blackboard Learn on Linux David Lyon Dec 1, 2011
Mass SQL Injection for Malware Distribution Larry Wichman Apr 28, 2011
Four Attacks on OAuth - How to Secure Your OAuth Implementation Khash Kiani Mar 24, 2011
Protecting Users: The Importance Of Defending Public Sites Kristen Sullivan Jan 18, 2011
Reducing Organizational Risk Through Virtual Patching Joseph Faust Jan 11, 2011
AppSec - Cross Site Request Forgery: What Attackers Don't Want You to Know Jason Lam & Johannes B. Ullrich May 22, 2009
AppSec - Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them Ed Skoudis and Frank Kim Mar 3, 2009
Web Based Attacks Justin Crist Jan 4, 2008
Analyzing Attack Surface Code Coverage Justin Seitz Nov 14, 2007
Forensic Analysis of a SQL Server 2005 Database Server Kevvie Fowler Sep 28, 2007
Automated Scanning of Oracle 10g Databases Rory McCune Aug 7, 2007
Using Oracle Forensics to determine vulnerability to Zero Day exploits Paul Wright Feb 28, 2007
Security in Sun Java System Application Server Platform Edition 8.0 Sid Ansari Jun 29, 2005
Web Browser Insecurity Paul Asadoorian Jun 2, 2005
Application Firewalls: Don't Forget About Layer 7 Russell Eubanks May 17, 2005
Reining in the LAN client David Monaco Feb 25, 2005
Papers taken from SANS Reading Room.
Bye Bye Passwords: New Ways to Authenticate Matt Bromiley Jul 23, 2019
Authentication: It Is All About the User Experience Matt Bromiley Jun 12, 2019
A Swipe and a Tap: Does Marketing Easier 2FA Increase Adoption? Preston Ackerman Nov 19, 2018
The Algorithm of You: Defeating Attackers by Being Yourself Matt Bromiley Oct 17, 2018
Impediments to Adoption of Two-factor Authentication by Home End-Users Preston Ackerman Feb 10, 2017
Implementing Least Privilege in an SMB Tim Ashford Jan 20, 2016
Two-Factor Authentication (2FA) using OpenOTP Colin Gordon Jul 17, 2015
SSL/TLS: What's Under the Hood Sally Vandeven Dec 30, 2014
Implementing a Shibboleth SSO Infrastructure Rich Graves Nov 17, 2014
Beyond the cookie: Using network traffic characteristics to enhance confidence in user identity Courtney Imbert Aug 19, 2014
SANS Institute Product Review: Demystifying External Authorization: Oracle Entitlements Server Product Review Tanya Baccam Jun 17, 2014
SANS Institute Product Review: Self-Service Provisioning Made Simple: A Review of Oracle Identity Manager 11g R2 Dave Shackleford Jun 17, 2014
Adding Enterprise Access Management to Identity Management J. Michael Butler Jun 17, 2014
Extending Role Based Access Control J. Michael Butler Jun 17, 2014
Smart Strategies for Securing Extranet Access Dave Shackleford Jun 17, 2014
An Architecture for Implementing Enterprise Multifactor Authentication with Open Source Tools Tom Webb Mar 27, 2014
Implementing IEEE 802.1x for Wired Networks Johan Loos Mar 14, 2014
The Dangers of Weak Hashes Kelly Brown Dec 4, 2013
Daisy Chain Authentication Courtney Imbert Sep 18, 2013
Two-Factor Authentication: Can You Choose the Right One? Emilio Valente Oct 15, 2009
OS and Application Fingerprinting Techniques Jon Mark Allen Oct 22, 2008
Simple Formula for Strong Passwords (SFSP) Tutorial Bernie Thomas May 17, 2005
Installing a Secure Network DHCP Registration System Pam Fournier May 5, 2005
Secure implementation of Enterprise single sign-on product in an organization Ravikanth Ponnapalli Jan 18, 2005
Papers taken from SANS Reading Room.
Securing Code
Defending Infrastructure as Code in GitHub Enterprise Dane Stuckey Jan 21, 2020
Changing the DevOps Culture One Security Scan at a Time Jon-Michael Lacek Aug 28, 2019
Finding Secrets in Source Code the DevOps Way Phillip Marlow Jun 5, 2019
Content Security Policy in Practice Varghese Palathuruthil Jul 6, 2018
Increase the Value of Static Analysis by Enhancing its Rule Set Michael Matthee Jan 30, 2018
The Role of Static Analysis in Hardening Open Source Intrusion Detection Systems Jeff Sass Mar 29, 2016
Agile defensive perimeters: forming the security test regression pack Michael Hendrik Matthee Nov 20, 2014
Application Security: Tools for Getting Management Support and Funding John Pescatore Jun 17, 2014
Survey on Application Security Programs and Practices Jun 17, 2014
Web Application Injection Vulnerabilities: A Web App's Security Nemesis? Erik Couture Jun 14, 2013
Which Disney© Princess are YOU? Joshua Brower Mar 18, 2010
Secure Authentication on the Internet Roger Meyer Feb 1, 2008
Software Engineering - Security as a Process in the SDLC Nithin Haridas Aug 7, 2007
How to Avoid Information Disclosure when Managing Windows with WMI Alex Timkov Jul 17, 2007
Threat Modeling: A Process To Ensure Application Security Steven Burns Oct 5, 2005
Papers taken from SANS Reading Room.
Applications and Systems Development Security
Paper Author Date
Building Security into the System Development Life Cycle (SDLC): A Case Study James Purcell Aug 9, 2007
Application Security Dan McGinn-Combs Apr 9, 2007
Defining and Understanding Security in the Software Development Life Cycle James Purcell Apr 6, 2007
Outsourcing Daniel Accioly Rosa Mar 30, 2007
Comparing Software Development Life Cycles Jim Hurst Mar 23, 2007
Comparison of Java Applets and ActiveX Controls Jim Hurst Mar 23, 2007
Employee Management Security Controls James E. Purcell Mar 23, 2007
The Capability Maturity Model and Its Applications Jim Hurst Mar 20, 2007
Overview and Tutorial on Artificial Intelligence Systems Jim Hurst Mar 20, 2007
Comparison of Software Development Lifecycle Methodologies James Purcell Feb 12, 2007
Papers taken from the CISSP® certification prep domain.