https://github.com/mccright/references
Collection of reusable references
application-security cheatsheet checklist sdr secure-coding security-tools static-code-analysis vulnerability-assessment
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/mccright/references
- Owner: mccright
- License: other
- Created: 2014-03-07T20:16:54.000Z (about 12 years ago)
- Default Branch: main
- Last Pushed: 2026-01-01T14:21:58.000Z (3 months ago)
- Last Synced: 2026-01-06T17:16:11.119Z (3 months ago)
- Topics: application-security, cheatsheet, checklist, sdr, secure-coding, security-tools, static-code-analysis, vulnerability-assessment
- Homepage: https://mccright.github.io/references/
- Size: 1.45 MB
- Stars: 13
- Watchers: 1
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
references
==========
Remember: "[Things can be different...](https://earthrights.co.uk/2020/12/23/lets-not-waste-this-moment/)"
>"However the future unfolds, it's not something to be predicted, like the passage of a comet. It's something we build." *[by Robert Kunzig - behind a National Geographic paywall](https://www.nationalgeographic.com/magazine/article/lets-not-waste-this-crucial-moment-we-need-to-stop-abusing-the-planet-feature)*
>"What matters most, is what people, human people, **we**, do. Not what other people do…" *[Timothy Holborn](https://www.w3.org/community/humancentricai/2023/04/05/join-the-w3c-human-centric-ai-community-group-and-help-build-a-better-future-for-all/)*
>"The fact that there are pressures and costs does not absolve people of their moral responsibility. The primary custodian of one's actions is oneself." *[Noam Chomsky Tue, 3 Apr 2018 - quoted by Timothy Holborn](https://www.w3.org/community/humancentricai/)*
>"A lie is a fiction made up to take away someone else's power." *[Elizabeth Mitchell, Guernica Magazine. Essay/Lit World/Politics, January 15, 2021](https://www.guernicamag.com/in-the-land-of-fiction-and-fake-news/)*
Core Values Matter: Guiding principles shape our lives -- don't drift, [identify your priorities](https://www.thebehavioralscientist.com/list-of-values)
>To write is to act. (*Scribere est agere.*) Withholding the truth suggests falsehood. (*Suppressio veri suggestio est falsi.*)
>"Draw close what you want more of, push away what you want less." *by [Angela Duckworth](https://angeladuckworth.com/) - in the [NYT](https://www.nytimes.com/2025/12/28/opinion/willpower-doesnt-work-this-does.html)* and in Latin: Accede quod vis plus, repelle quod vis minus.
>and *If you're not paying for it, you're the product.* (*Si non solvente pro eo, productum es.*)🫲🏼
This is a collection of reusable references. Hosted at: [https://mccright.github.io/references/](https://mccright.github.io/references/)
[2025](https://mccright.github.io/references/2025-calendar.md), [2026](https://mccright.github.io/references/2026-calendar.md)
### Putin's war:
* Don't ignore it. See: [Wikipedia: Russo-Ukrainian War](https://en.wikipedia.org/wiki/Russo-Ukrainian_War). And resist/confront [Trump 47’s shameful early efforts](https://www.axios.com/2025/03/04/trump-russia-ukraine-policy-pro-putin) to strengthen ties with Putin by making material concessions **before** any negotiations about ending Putin's war with Ukraine.
### Trump's Indictments:
* Don't ignore them -- after thorough trials on two unrelated sets of allegations Trump (*who said he was not guilty*) was convicted. See: [Wikipedia: Indictments against Donald Trump](https://en.wikipedia.org/wiki/Indictments_against_Donald_Trump). Update March 2025: Given the combination of Trump's election to the U.S. Presidency and his *"total immunity" [gift from the U.S. Supreme Court](https://en.wikipedia.org/wiki/Trump_v._United_States_(2024))*, any judicial activity on this front seems unlikely and he will be free from all pending criminal prosecutions. Adults, though, can still acknowledge his 34 felony convictions and consider Trump's past and ongoing behaviors in the context of U.S. democracy, more than 200 years of executive branch norms, his activities to disassemble/eliminate administrative and scientific functions across the Federal government, his large-scale firings and other administrative shrinking of cybersecurity [threat monitoring, alarming and education](https://en.wikipedia.org/wiki/Cybersecurity_and_Infrastructure_Security_Agency) across agencies that previously had strong capabilities, along with his increasingly frequent pattern of ignoring Court orders, his grift/extortion/corruption associated with cryptocurrency and access to power schemes, his firing of governmental & military leaders he perceives as exhibiting insufficient fealty to him, his pardoning of many convicted criminals (*and some simply allies indicted or under investigation*) who he believes have demonstrated their fealty to him, his pattern of removing female and *non-white* governmental & military leaders *without cause*, and his turning the U.S. military against "*Democratic*" cities -- his likely criminality is an extreme outlier. Ugg...
### Agnotology – the study of the cultural production of ignorance:
* (*[Agnotology](https://en.wikipedia.org/wiki/Agnotology)*) -- There is a broad cultural movement to intentionally induce ignorance and/or doubt across broad swaths of science, medicine, politics, *news* reporting, the humanities and much more. This activity is manifest via the *publication* of intentionally inaccurate or misleading *ideas* and *data* through all communication media (**fiction and lies as fact**). This movement has sufficient traction and mass to drive its *ideas* and "*data*" into the most politically and financially powerful organizations across the globe -- creating *useful* narrative and manufactured controversy to achieve varied goals. The U.S. government's executive leadership currently seems a concentrated expression of this movement -- consider their treatment of migrants, their attacks on *[individual & group rights](https://en.wikipedia.org/wiki/Individual_and_group_rights)* and on the *[rule of law](https://en.wikipedia.org/wiki/Rule_of_law)*, cryptocurrency marketing & implementations, environmental harms, devaluing of science in all forms and across all fields, disassembly and disposal of what they call *the administrative state*, enlarging and obfuscating financial risks throughout business and non-business environments, recharacterizing of presidential power as absolute and embodying [immunity](https://en.wikipedia.org/wiki/Trump_v._United_States) (*absolute and presumptive*). Supporters of this "*movement*" seem to assume (*quoting Isaac Asimov*) "[the false notion that democracy means that '*my ignorance is just as good as your knowledge*](https://quotees.co.uk/philosophy/isaac-asimov-my-ignorance-is-just-as-good-as-your-knowledge-quote/).'" Also see: [false equivalence](https://en.wikipedia.org/wiki/False_equivalence), [whitewashing](https://en.wikipedia.org/wiki/Whitewashing_(censorship)) and [reputation laundering](https://en.wikipedia.org/wiki/Reputation_laundering).
### Back to the References
* Try the genuine ChatGPT here: [https://chat.openai.com/chat](https://chat.openai.com/chat). It is impressive technology, as is that of an increasing number of AI competitors. When used with sensitivity and care many AI platforms can materially enhance productivity in many roles. If you are using free access to the platforms that provide it, expect service limitations during peak hours.
* Flex your perceptions and imagination with the Astronomy Photo of the Day [https://apod.nasa.gov/apod/astropix.html](https://apod.nasa.gov/apod/astropix.html) (*if you have just a minute right now, I recommend **[this](https://apod.nasa.gov/apod/image/2311/Perseus_Euclid_4400.jpg)** [Euclid](https://www.esa.int/Science_Exploration/Space_Science/Euclid) photo of the [Perseus Galaxy Cluster](https://en.wikipedia.org/wiki/Perseus_Cluster) having 1000+ galaxies in the foreground about 250 million light years away plus more than 100,000 galaxies in the background, and review an [explanation of what you are looking at](https://apod.nasa.gov/apod/ap231108.html)*) or see what is new from the James Webb Space Telescope [https://webbtelescope.org/news/news-releases](https://webbtelescope.org/news/news-releases) [*[or their Flickr collection](https://www.flickr.com/photos/nasawebbtelescope/albums)*] or read at length from NASA's ebook collection [https://www.nasa.gov/connect/ebooks/index.html](https://www.nasa.gov/connect/ebooks/index.html) or explore the Apollo Lunar Surface Journal [high-tech from a different age] [https://www.hq.nasa.gov/alsj/main.html](https://www.hq.nasa.gov/alsj/main.html)
* Flex your perceptions and imagination with a *real-time* visualization of global marine shipping [https://www.marinetraffic.com/en/ais/home/centerx:80.5/centery:8.7/zoom:3](https://www.marinetraffic.com/en/ais/home/centerx:80.5/centery:8.7/zoom:3)
* Here is the "NASA JPL Asteroid Watch --> The Next Five Asteroid Approaches"
[https://www.jpl.nasa.gov/asteroid-watch/next-five-approaches](https://www.jpl.nasa.gov/asteroid-watch/next-five-approaches) to help fuel your "it's always something..." catastrophe habit
* Begin [or continue] to work individually and collectively to slow climate change. Little of what we do is relevant in a world destabilized by climate change.
* We need to act on many, many fronts, but there are some offenders that deserve special attention. For example, please *[Treat Big Oil and Big Ag Like Big Tobacco](https://github.com/mccright/rand-notes/blob/master/Climate-Resources.md#treat-big-oil-and-big-ag-like-big-tobacco)*
* I have begun to accumulate links to some of my climate reading (*and planned reading*) in another repository [https://github.com/mccright/rand-notes/blob/master/Climate-Resources.md](https://github.com/mccright/rand-notes/blob/master/Climate-Resources.md)
* As an easy-to-understand illustration of climate change see the [USDA Plant Hardiness Zone Map](https://planthardiness.ars.usda.gov/). Look at these maps from previous decades to see warmer winters creep north.
* Find something new/different to read with [Libby](https://www.overdrive.com/apps/libby), the library reading app you can use to borrow ebooks, audiobooks, magazines, and more from your local library for free. Libby is the newer library reading app by OverDrive. See: https://www.overdrive.com/apps/libby or take a more commercial route through [https://books.google.com/](https://books.google.com/?hl=en&tab=pp)
* Explore these falsehoods (*too many*) programmers believe in (*which too often produce errors at runtime*) -- Awesome Falsehood [https://github.com/kdeldycke/awesome-falsehood](https://github.com/kdeldycke/awesome-falsehood)
* Or, if you are needing a break from your normal grind, join others doing people-powered research [https://www.zooniverse.org/projects?page=1&status=live](https://www.zooniverse.org/projects?page=1&status=live)
* Writing well is difficult. The Strunkifier may help [*think 'Strunk and White' from school written in PHP with a web front end*] [http://vinoisnotouzo.com/strunkifier/](http://vinoisnotouzo.com/strunkifier/) and the source at [https://github.com/BSVino/Strunkifier/blob/master/strunkify.php](https://github.com/BSVino/Strunkifier/blob/master/strunkify.php)
* Remember the *Ten simple rules for making research software more robust* [https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1005412](https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1005412)
* If you work in a corporate environment, ensure it is supporting open source:
  * "Why have an open source program office?." RedHat Brief, Last Updated: 4 February 2021 [https://www.redhat.com/en/resources/open-source-program-office-brief](https://www.redhat.com/en/resources/open-source-program-office-brief)
  * "What does an open source program office do?" By Brian Proffitt, 19 December 2019 [https://www.redhat.com/en/blog/what-does-open-source-program-office-do](https://www.redhat.com/en/blog/what-does-open-source-program-office-do)
  * "Creating an Open Source Program." By Chris Aniszczyk, COO, Cloud Native Computing Foundation; Jeff McAffer, Director, Open Source Programs Office, Microsoft; Will Norris, Open Source Office Manager, Google; and Andrew Spyker, Container Cloud Manager, Netflix. [https://www.linuxfoundation.org/tools/creating-an-open-source-program/](https://www.linuxfoundation.org/tools/creating-an-open-source-program/)
  * "Open source best practices for the enterprise." (A collection of 12 best practices guides for running an open source program office or starting an open source project in your organization. Developed by The Linux Foundation in partnership with the TODO Group, these resources represent the experience of our [Linux Foundation] staff, projects, and members.) [https://www.linuxfoundation.org/resources/open-source-guides/](https://www.linuxfoundation.org/resources/open-source-guides/)
  * "A guide to setting up your Open Source Program Office (OSPO) for success -- Learn how to best grow and maintain your open source communities and allies." By J. Manrique Lopez de la Fuente, 08 May 2020 [https://opensource.com/article/20/5/open-source-program-office](https://opensource.com/article/20/5/open-source-program-office)
* "Software Licenses in Plain English -- Lookup popular software licenses summarized at-a-glance." [https://tldrlegal.com/](https://tldrlegal.com/)
* Finally, pay attention to where you invest your attention. A [recent essay](https://www.nytimes.com/2022/08/07/opinion/media-message-twitter-instagram.html) by Ezra Klein exploring how technology choices influence how/what we learn and behave is worth a careful read: [https://www.nytimes.com/2022/08/07/opinion/media-message-twitter-instagram.html](https://www.nytimes.com/2022/08/07/opinion/media-message-twitter-instagram.html).
>A [recent study](https://www.sciencedirect.com/science/article/abs/pii/S0747563223002145?via%3Dihub) linked higher levels of [phubbing](https://en.wikipedia.org/wiki/Phubbing) to [*partner*] dissatisfaction, and a [2022 study](https://www.frontiersin.org/articles/10.3389/fpsyg.2022.883901/full) found it can lead to feelings of distrust and ostracism. [One study](https://www.sciencedirect.com/science/article/pii/S0747563216303454) found that those who phub a lot are more likely to be phubbed themselves, creating a kind of ripple effect. [https://www.nytimes.com/2023/07/27/well/family/phubbing-phone-snubbing-relationship.html](https://www.nytimes.com/2023/07/27/well/family/phubbing-phone-snubbing-relationship.html)
* The *time changed* again... See how [NIST explains daylight saving time](https://www.nist.gov/pml/time-and-frequency-division/local-time-faqs)
### Cheat Sheets
First and foremost: a couple **git cheat sheets**
* [https://training.github.com/downloads/github-git-cheat-sheet.pdf](https://training.github.com/downloads/github-git-cheat-sheet.pdf)
* and TimGreen's list of git & github features -- with a table of resources and books at the bottom:
[https://github.com/tiimgreen/github-cheat-sheet](https://github.com/tiimgreen/github-cheat-sheet)
maybe also
* Michael Gieson's git cheat sheet [https://www.gieson.com/Library/cheatsheets/md.html?git](https://www.gieson.com/Library/cheatsheets/md.html?git)
* "The simple guide" [http://rogerdudler.github.io/git-guide/](http://rogerdudler.github.io/git-guide/)
and
* [https://github.com/vineetpandey/github-cheat-sheet](https://github.com/vineetpandey/github-cheat-sheet)
and page 2 of
* [http://www.git-tower.com/blog/git-cheat-sheet/](http://www.git-tower.com/blog/git-cheat-sheet/)
and documentation at
[http://git-scm.com/docs](http://git-scm.com/docs)
* Git Pocket Guide. By Richard E. Silverman [https://www.oreilly.com/library/view/git-pocket-guide/9781449327507/](https://www.oreilly.com/library/view/git-pocket-guide/9781449327507/)
* [Monorepos](https://en.wikipedia.org/wiki/Monorepo) can hide a lot of different problems. [git-sizer](https://github.com/github/git-sizer) can help. git-sizer computes various size metrics for a local Git repository, flagging those that might cause you problems or inconvenience.
* Finally, git repos may contain sensitive files and the scale of their history can slow pipeline activities. In some use cases [git-filter-repo](https://github.com/newren/git-filter-repo) can help.
Just get started...
**git remote -v** (view the full addresses of your configured remotes)
cd into your new project directory
**git init** (builds a .git directory that contains all the metadata and repository history)
**git add .** (instructs Git to begin tracking all files within and beneath the current directory)
**git commit -m 'This is the first commit'** (creates the permanent history of all files, with the -m option supplying a message alongside the history marker)
* or install Joel Parker Henderson's [GitAlias](https://www.gitalias.com/) and do the same more efficiently.
Rename your old github repo ['master' branch to 'main'](https://github.com/mccright/rand-notes/blob/master/OffensiveTechTerms.md)...
```shell
git branch -m master main
git fetch origin
git branch -u origin/main main
git remote set-head origin -a
```
### Tell Me About
* A github profile summary: [https://profile-summary-for-github.com/user/githubUserName/](https://profile-summary-for-github.com/user/githubUserName/) [Thank you tipsy](https://github.com/tipsy/profile-summary-for-github)
### Awesome-Awesome
* A curated list of awesome lists: [https://github.com/sindresorhus/awesome](https://github.com/sindresorhus/awesome)
* A collection of awesome lists for hackers, pentesters & security researchers [https://github.com/Hack-with-Github/Awesome-Hacking](https://github.com/Hack-with-Github/Awesome-Hacking)
* A curated list of Terminal frameworks, plugins & resources for CLI lovers [https://github.com/k4m4/terminals-are-sexy](https://github.com/k4m4/terminals-are-sexy)
* Awesome TUIs -- List of projects that provide terminal user interfaces [https://github.com/rothgar/awesome-tuis](https://github.com/rothgar/awesome-tuis)
### Browse
Sears catalog of Linux software -- Awesome Linux Software [https://github.com/luongvo209/Awesome-Linux-Software](https://github.com/luongvo209/Awesome-Linux-Software)
* and if you need a little Linux help using it [https://gto76.github.io/linux-cheatsheet/](https://gto76.github.io/linux-cheatsheet/) and [https://github.com/gto76/linux-cheatsheet](https://github.com/gto76/linux-cheatsheet)
### Manage Your Privacy
* Daniel Roesler's excellent Privacy Checklist: [https://github.com/diafygi/privacy-checklist](https://github.com/diafygi/privacy-checklist)
* W3C Data Privacy Vocabularies and Controls CG (DPVCG) [https://www.w3.org/community/dpvcg/](https://www.w3.org/community/dpvcg/)
* 11 tips for protecting your privacy... by Olivia Martin [https://freedom.press/training/blog/11-tips-protecting-your-privacy-and-digital-security-age-trump/](https://freedom.press/training/blog/11-tips-protecting-your-privacy-and-digital-security-age-trump/)
* Your IP address is sometimes your identity [https://myexternalip.com/](https://myexternalip.com/)
### Software Vulnerability Detection Resources
* Is the target already beyond its end of life / End-of-life (EOL/EoL)? [https://endoflife.date/](https://endoflife.date/) or [https://github.com/endoflife-date/endoflife.date](https://github.com/endoflife-date/endoflife.date)
* *DevSecOps* tool lists [https://github.com/hahwul/DevSecOps](https://github.com/hahwul/DevSecOps)
* U.S. National Checklist Program [http://checklists.nist.gov](http://checklists.nist.gov) and [https://web.nvd.nist.gov/view/ncp/repository](https://web.nvd.nist.gov/view/ncp/repository)
* Security Content Automation Protocol (SCAP)
  * NIST Overview: [http://csrc.nist.gov/groups/SMA/forum/documents/august2015/forum-august2015-booth.pdf](http://csrc.nist.gov/groups/SMA/forum/documents/august2015/forum-august2015-booth.pdf)
  * SCAP Home: [http://scap.nist.gov/](http://scap.nist.gov/)
* State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation [https://apps.dtic.mil/sti/pdfs/AD1106086.pdf](https://apps.dtic.mil/sti/pdfs/AD1106086.pdf)
* State-of-the-Art Resources (SOAR) for Software Assurance [http://people.cs.ksu.edu/~hatcliff/890-High-Assurance/Reading/IATAC-SOAR-Software-Security-Assurance.pdf](http://people.cs.ksu.edu/~hatcliff/890-High-Assurance/Reading/IATAC-SOAR-Software-Security-Assurance.pdf)
* Common Vulnerability Scoring System (CVSS) [http://cve.mitre.org/](http://cve.mitre.org/) and [https://nvd.nist.gov/cvss.cfm?calculator&adv&version=2](https://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
* Vulnerability and exploit lists:
  * [https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
  * [http://cve.mitre.org/](http://cve.mitre.org/)
  * [http://www.cvedetails.com/](http://www.cvedetails.com/)
  * [http://w.0day.today/](http://w.0day.today/)
  * [http://www.securityfocus.com/bid/](http://www.securityfocus.com/bid/)
  * [https://www.exploit-db.com/](https://www.exploit-db.com/)
  * [https://nvd.nist.gov/](https://nvd.nist.gov/)
  * [https://github.com/vulsio](https://github.com/vulsio) (*json files*)
* Library for interacting with Synack API [https://github.com/abdilahrf/synackAPI](https://github.com/abdilahrf/synackAPI)
* CyberSecurityMalaysia, 3rd Party Information Security Assessment Guideline [https://www.cybersecurity.my/data/content_files/11/650.pdf](https://www.cybersecurity.my/data/content_files/11/650.pdf)
* Fortify Taxonomy of Secure Software Errors. [https://vulncat.fortify.com/en](https://vulncat.fortify.com/en)
* Or host your own list to keep your research more private:
  * A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. [https://github.com/nexB/vulnerablecode](https://github.com/nexB/vulnerablecode)
  * Vulnerabilities and Attacks [https://github.com/hannob/vulns](https://github.com/hannob/vulns)
  * The CVE-Search Project [https://www.cve-search.org/software/](https://www.cve-search.org/software/), and cve-search - a tool to perform local searches for known vulnerabilities [https://github.com/cve-search/cve-search](https://github.com/cve-search/cve-search)
* Scripts to help run Fortify -- and other code assessment tools -- in your Amazon cloud [https://github.com/awslabs/one-line-scan/](https://github.com/awslabs/one-line-scan/)
* There are situations where you may be given a repository without any accompanying information... What is in the repo?? *[crazymax](https://crazymax.dev/)* assembled a Docker image -- [crazymax/docker-linguist](https://github.com/crazy-max/docker-linguist) -- that runs [GitHub Linguist](https://github.com/github/linguist), a library used on GitHub.com to detect blob languages. You can use it to easily, quickly and *reasonably accurately* identify what languages are used in a given local repository. Here are some examples of it in use: [https://github.com/mccright/FortifyStuff/blob/master/Developer-Access-to-Static-Analysis-Data.md#what-languages-are-in-a-given-target-repository](https://github.com/mccright/FortifyStuff/blob/master/Developer-Access-to-Static-Analysis-Data.md#what-languages-are-in-a-given-target-repository)
* Vuls: Vulnerability scanner for Linux/FreeBSD, agent-less, written in Go. [https://github.com/future-architect/vuls](https://github.com/future-architect/vuls)
* This is a tool to build a local copy of the CPE (Common Platform Enumeration) https://github.com/vulsio/go-cpe-dictionary
* boofuzz: Network Protocol Fuzzing for Humans (*Boofuzz is a fork of and the successor to the venerable [Sulley](https://github.com/OpenRCE/sulley) fuzzing framework.*) https://github.com/jtpereyda/boofuzz
* mdinfo: Meta Data Info (mdinfo) is a command line tool for printing metadata information about files. [https://github.com/RhetTbull/mdinfo](https://github.com/RhetTbull/mdinfo)
### Architecture Risk Analysis
* BSIMM Definitions of Architecture Risk Analysis - Builds an ARA definition by describing a set of increasingly mature risk analysis practices: [https://www.bsimm.com/framework/software-security-development-lifecycle/architecture-analysis/](https://www.bsimm.com/framework/software-security-development-lifecycle/architecture-analysis/)
* U.S. CERT Definition & Best Practices Document on Architecture Risk Analysis: [https://www.us-cert.gov/bsi/articles/best-practices/architectural-risk-analysis/architectural-risk-analysis](https://www.us-cert.gov/bsi/articles/best-practices/architectural-risk-analysis/architectural-risk-analysis)
* Lecture 28: Threat Modeling, or Architectural Risk Analysis - Coursera-hosted lecture on this topic by Michael Hicks, University of Maryland, College Park: [https://www.coursera.org/learn/software-security/lecture/bQAoU/threat-modeling-or-architectural-risk-analysis](https://www.coursera.org/learn/software-security/lecture/bQAoU/threat-modeling-or-architectural-risk-analysis)
* "A Non-Trivial Task of Introducing Architecture Risk Analysis into Software Development Process." OWASP EU presentation by Denis Pilipchuk, Global Product Security, Oracle: [http://2014.appsec.eu/wp-content/uploads/2014/07/Denis.Pilipchuk-A-non-trivial-task-of-Introducing-Architecture-Risk-Analysis-into-the-Software-Development-Process.pdf](http://2014.appsec.eu/wp-content/uploads/2014/07/Denis.Pilipchuk-A-non-trivial-task-of-Introducing-Architecture-Risk-Analysis-into-the-Software-Development-Process.pdf)
* Mitre Att&ck Enterprise threat list [https://mitre.github.io/attack-navigator/enterprise/](https://mitre.github.io/attack-navigator/enterprise/)
"ATT&CK® is a catalog of techniques and tactics that describe post-compromise adversary behavior on typical enterprise IT environments. The core use cases involve using the catalog to analyze, triage, compare, describe, relate, and share post-compromise adversary behavior."
* Mitre D3FEND™ technical knowledge base of defensive countermeasures for common offensive techniques that is complementary to MITRE's ATT&CK, a knowledge base of cyber adversary behavior. D3FEND complements Mitre Att&ck by establishing a terminology of computer network defensive techniques and illuminating previously-unspecified relationships between defensive and offensive methods. [https://d3fend.mitre.org/](https://d3fend.mitre.org/)
* Related works:
* MITRE ATT&CK® Matrix for Enterprise -- with specialized versions for the following platforms: Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, Containers [https://attack.mitre.org/matrices/enterprise/](https://attack.mitre.org/matrices/enterprise/)
* MITRE ATT&CK® Matrix for Mobile -- with specialized versions for the following platforms: Android and iOS [https://attack.mitre.org/matrices/mobile/](https://attack.mitre.org/matrices/mobile/)
* NIST 800-53 Controls to ATT&CK Mappings [https://ctid.mitre-engenuity.org/our-work/nist-800-53-control-mappings/](https://ctid.mitre-engenuity.org/our-work/nist-800-53-control-mappings/)
* Mitre ATT&CK® for Industrial Control Systems threat list [https://collaborate.mitre.org/attackics/index.php/Main_Page](https://collaborate.mitre.org/attackics/index.php/Main_Page) "ATT&CK for ICS is a knowledge base useful for describing the actions an adversary may take while operating within an ICS network. The knowledge base can be used to better characterize and describe post-compromise adversary behavior."
* [Stripe](https://stripe.dev/)'s FT3: Fraud Tools, Tactics, and Techniques Framework is Stripe's adaptation of ATT&CK-style security frameworks, specifically designed to enhance their understanding of the tactics, techniques, and procedures (TTPs) used by actors in fraudulent activities. Developed as a resource for combating financial crime and improving organizational fraud prevention, FT3 is targeted at serving a variety of stakeholders across the anti-fraud/fraud-detection ecosystem. [https://github.com/stripe/ft3/blob/master/](https://github.com/stripe/ft3/blob/master/)
* MITRE ATT&CK® and CAPEC™ datasets expressed in STIX 2.0 [https://github.com/mitre/cti](https://github.com/mitre/cti)
* Github organization for MITRE ATT&CK [https://github.com/mitre-attack](https://github.com/mitre-attack)
* Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Its mission is to help security teams quickly, portably, and reproducibly test their environments [https://github.com/redcanaryco/atomic-red-team](https://github.com/redcanaryco/atomic-red-team)
* *infosecn1nja's* Awesome Mitre ATT&CK™ Framework [https://github.com/infosecn1nja/awesome-mitre-attack](https://github.com/infosecn1nja/awesome-mitre-attack)
* The Common Attack Pattern Enumeration and Classification dictionary and classification taxonomy (CAPEC):
Understanding how the adversary operates is essential to effective cyber security. CAPEC™ helps by providing a comprehensive dictionary of known patterns of attacks employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
* Focuses on application security
* Enumerates exploits against vulnerable systems
* Includes social engineering / supply chain
* Associated with Common Weakness Enumeration (CWE)
[http://capec.mitre.org/data/](http://capec.mitre.org/data/)
* Example Attack Taxonomy from CAPEC [http://capec.mitre.org/data/definitions/2000.html](http://capec.mitre.org/data/definitions/2000.html)
* "The Universal Cloud Threat Model" [https://securosis.com/research/papers/the-universal-cloud-threat-model-for-cloud-native-security/?utm_source=tldrinfosec](https://securosis.com/research/papers/the-universal-cloud-threat-model-for-cloud-native-security/?utm_source=tldrinfosec)
* "The STRIDE Threat Model." [http://msdn.microsoft.com/en-US/library/ee823878(v=cs.20).aspx](http://msdn.microsoft.com/en-US/library/ee823878(v=cs.20).aspx)
* "Improving Web Application Security: Chapter 3, Threat Modeling -- Threats and Countermeasures." [http://msdn.microsoft.com/en-us/library/ff648644.aspx](http://msdn.microsoft.com/en-us/library/ff648644.aspx) (In depth review of STRIDE and DREAD.)
* NIST's SP 800-160 Vol. 1 Rev. 1 (2022) "Engineering Trustworthy Secure Systems." With special attention to the 30 security principles in "Appendix E. Principles for Trustworthy Secure Design." [https://csrc.nist.gov/publications/detail/sp/800-160/vol-1-rev-1/final](https://csrc.nist.gov/publications/detail/sp/800-160/vol-1-rev-1/final)
* "How To: Create a Threat Model for a Web Application at Design Time." [http://msdn.microsoft.com/en-us/library/ms978527.aspx](http://msdn.microsoft.com/en-us/library/ms978527.aspx)
* "Walkthrough: Creating a Threat Model for a Web Application." [http://msdn.microsoft.com/en-us/library/ms978538.aspx](http://msdn.microsoft.com/en-us/library/ms978538.aspx)
* "Application Threat Modeling (OWASP)" [https://www.owasp.org/index.php/Application_Threat_Modeling](https://www.owasp.org/index.php/Application_Threat_Modeling)
* "Threat Modeling Cheat Sheet (OWASP)" [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Threat_Modeling_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Threat_Modeling_Cheat_Sheet.md)
* "OWASP Risk Rating Methodology" [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology)
* "A Complete Guide to the Common Vulnerability Scoring System Version 3.1" [https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf](https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf)
* The System Design Primer [https://github.com/donnemartin/system-design-primer](https://github.com/donnemartin/system-design-primer)
* Use Cases and Requirements on HTTPS-enabled Local Network Servers [https://httpslocal.github.io/usecases/](https://httpslocal.github.io/usecases/), [https://www.w3.org/community/httpslocal/](https://www.w3.org/community/httpslocal/) and [https://github.com/httpslocal/proposals/tree/master](https://github.com/httpslocal/proposals/tree/master)
* How Complex Systems Fail (*Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety*) [https://how.complexsystems.fail/](https://how.complexsystems.fail/)
* I have no direct association with Tesla or Tesla engineering efforts, but based on my reading of general news and narrow analysis of descriptions of Tesla's auto-driving and its AI it seems like a material failure of their Architecture Risk Analysis practices. See: "Tesla Self-Driving Deaths." The [linked map](https://dawnproject.com/nhtsa-map-1/) indicates registered deaths associated with Tesla’s self-driving software since 2016 in the United States. The information contains fatalities recorded by NHTSA’s Standing General Order on Crash Reporting for Level 2 ADAS-equipped vehicles since its inception in June 2021, and confirmed self-driving deaths pre-dating NHTSA’s database of crash statistics: [https://dawnproject.com/nhtsa-map-1/](https://dawnproject.com/nhtsa-map-1/). If crash and death numbers are not convincing, you might look at some videos by [The Dawn Project](https://dawnproject.com/) of Tesla's Full Self-Driving AI: https://vimeo.com/988491613/fcfcdf7190 (Blow past stopped school buses), https://vimeo.com/942153183/9b3848b364 (Run down children crossing the road) or https://vimeo.com/843429267/bc871414fd (Blow through stop signs).
### Web Application Vulnerability Analysis and Pen Testing
* The Secure ur Ass By Learning Cybersecurity repository [SUASS](https://github.com/GTekSD/SUASS). It describes itself as "a comprehensive resource for cybersecurity professionals, students, beginners, and anyone interested in the field of cybersecurity. Here, you'll find a wide range of cybersecurity study materials to help you enhance your knowledge and skills." [https://github.com/GTekSD/SUASS](https://github.com/GTekSD/SUASS)
* List of awesome penetration testing resources, tools and other shiny things [https://github.com/enaqx/awesome-pentest](https://github.com/enaqx/awesome-pentest)
* Awesome collection of hacking tools [https://github.com/jekil/awesome-hacking](https://github.com/jekil/awesome-hacking)
* Tooling is great, but understanding how software systems fail is a critical capability as well. See "[Be Suspicious of Success, Successful software is buggy software](https://buttondown.com/hillelwayne/archive/be-suspicious-of-success/)" for some input about what to think about when "testing."
* ```Kitsec```, a toolkit CLI to help simplify and centralize your risk eval. workflow [https://github.com/kitsec-labs/kitsec-core](https://github.com/kitsec-labs/kitsec-core)
* Osmedeus - a Workflow Engine for Offensive Security. It was designed to build a foundation with the capability and flexibility that allows you to build your own reconnaissance system and run it on a large number of targets. [https://github.com/j3ssie/osmedeus](https://github.com/j3ssie/osmedeus)
* Mantis - command-line framework designed to automate the workflow of asset discovery, reconnaissance, and scanning [https://github.com/PhonePe/mantis](https://github.com/PhonePe/mantis)
* "All in One Hacking tool For Hackers" [https://github.com/Z4nzu/hackingtool](https://github.com/Z4nzu/hackingtool)
* Arsenal - an inventory, reminder and launcher to simplify the use of all the hard-to-remember pentest commands [https://github.com/Orange-Cyberdefense/arsenal](https://github.com/Orange-Cyberdefense/arsenal)
* Red Teaming Toolkit [https://github.com/infosecn1nja/Red-Teaming-Toolkit](https://github.com/infosecn1nja/Red-Teaming-Toolkit)
* Red Team Scripts [https://github.com/infosecn1nja/red-team-scripts](https://github.com/infosecn1nja/red-team-scripts)
* bugcrowd / methodology-taxonomy [https://github.com/bugcrowd/methodology-taxonomy](https://github.com/bugcrowd/methodology-taxonomy)
* Bugcrowd Vulnerability Rating Taxonomy (VRT) [https://bugcrowd.com/vulnerability-rating-taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy) and [https://github.com/bugcrowd/vulnerability-rating-taxonomy](https://github.com/bugcrowd/vulnerability-rating-taxonomy)
* "*A collection of tools used by Web hackers*" [https://github.com/hahwul/WebHackersWeapons](https://github.com/hahwul/WebHackersWeapons)
* six2dez pentest-book [https://pentestbook.six2dez.com/](https://pentestbook.six2dez.com/) and the source at [https://github.com/six2dez/pentest-book](https://github.com/six2dez/pentest-book)
* If you are creative and persistent, you will accumulate valuable passwords and tokens. Keep them safe from abuse. Assuming that you need support for Linux, Windows, or Mac, you might consider using [KeePassXC](https://keepassxc.org/) on an encrypted+password protected USB drive. See the [recent code review report](https://molotnikov.de/keepassxc-review) by [Zaur Molotnikov](https://molotnikov.de/cv) to help evaluate the risks.
* Sometimes you will need to share secrets. [https://scrt.link/](https://scrt.link/) shares them with a link that only works one time and then self-destructs. It is imperfect, but likely good-enough for many use cases.
* Penetration Testing Checklist [https://github.com/infinite-omicron/pentesting-checklist](https://github.com/infinite-omicron/pentesting-checklist) and its companion Pentesting Guide [https://github.com/infinite-omicron/pentesting-guide/](https://github.com/infinite-omicron/pentesting-guide/)
* Automated NoSQL database enumeration and web application exploitation tool [https://github.com/codingo/NoSQLMap](https://github.com/codingo/NoSQLMap)
* An eccentric collection of links to pen testing resources [https://github.com/blaCCkHatHacEEkr/PENTESTING-BIBLE](https://github.com/blaCCkHatHacEEkr/PENTESTING-BIBLE)
* The Open Penetration Testing Bookmarks Collection [https://github.com/Oweoqi/pentest-bookmarks/blob/master/BookmarksList.md](https://github.com/Oweoqi/pentest-bookmarks/blob/master/BookmarksList.md)
* Collection of pentest resources [https://github.com/1N3/](https://github.com/1N3/)
* Active Directory Attack Cheat Sheet [https://medium.com/@dw3113r/active-directory-attack-cheat-sheet-ea9e9744028d](https://medium.com/@dw3113r/active-directory-attack-cheat-sheet-ea9e9744028d) or formatted better at [https://dw3113r.com/2022/07/20/active-directory-attack-cheat-sheet/](https://dw3113r.com/2022/07/20/active-directory-attack-cheat-sheet/)
* Active Directory Cheatsheet: [https://github.com/OriolOriolOriol/Active-Directory-Cheat-Sheet](https://github.com/OriolOriolOriol/Active-Directory-Cheat-Sheet)
* Active Directory Kill Chain Attack & Defense [https://github.com/infosecn1nja/AD-Attack-Defense](https://github.com/infosecn1nja/AD-Attack-Defense)
* OWASP Web Application Security Testing Cheatsheet [https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet](https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet)
* [ngrok](https://ngrok.com): ngrok is a globally distributed reverse proxy fronting your web services running on a given endpoint, or in any cloud or private network. *Paid [ngrok](https://ngrok.com/pricing)* has additional features that support its promotion as "the programmable network edge that adds connectivity, security, and observability to your apps with no code changes." Pay attention to the details of every request. The free version may not be suitable for your business, your local environment, or your regulators/investors/customers. [https://ngrok.com](https://ngrok.com)
* Weird Proxies: a cheat sheet about behaviour of various reverse proxies, cache proxies, load balancers, etc. [https://github.com/GrrrDog/weird_proxies](https://github.com/GrrrDog/weird_proxies)
* Fetch a list of currently-working proxies [https://github.com/stamparm/fetch-some-proxies](https://github.com/stamparm/fetch-some-proxies)
* Collection of security tool cheat sheets [https://github.com/gnebbia/cheatsheets/tree/master/sectool](https://github.com/gnebbia/cheatsheets/tree/master/sectool)
* OWASP based Web Application Security Testing Checklist as an Excel Workbook [https://github.com/tanprathan/OWASP-Testing-Checklist](https://github.com/tanprathan/OWASP-Testing-Checklist)
* Web Application Security Guide/Checklist. [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Checklist](https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Checklist)
* Awesome WAF [https://github.com/0xInfection/Awesome-WAF](https://github.com/0xInfection/Awesome-WAF)
* identYwaf is a WAF protection type identification tool using *loud* techniques [https://github.com/stamparm/identYwaf](https://github.com/stamparm/identYwaf)
* Open Source Security Testing Methodology Manual (OSSTMM) [http://www.isecom.org/research/osstmm.html](http://www.isecom.org/research/osstmm.html)
* Session Hijacking Cheat Sheet [http://resources.infosecinstitute.com/session-hijacking-cheat-sheet/](http://resources.infosecinstitute.com/session-hijacking-cheat-sheet/)
* SecLists is the security tester's companion. It is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more. [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists)
* Pen testing payloads with supporting resources (*this could/should be named 'awesome-payloads'!*) [https://github.com/swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) and, easier to navigate [https://swisskyrepo.github.io/PayloadsAllTheThings/](https://swisskyrepo.github.io/PayloadsAllTheThings/)
* Penetration Testers Framework (PTF) [https://github.com/trustedsec/ptf](https://github.com/trustedsec/ptf)
* Social-Engineer Toolkit (SET) [https://github.com/trustedsec/social-engineer-toolkit](https://github.com/trustedsec/social-engineer-toolkit)
* A Python based web application scanner - BlackWidow - with Docker help [https://github.com/1N3/BlackWidow](https://github.com/1N3/BlackWidow)
* Sn1per - Automated pentest framework for offensive security experts [https://github.com/1N3/Sn1per](https://github.com/1N3/Sn1per)
* Arachni Web Application Security Scanner Framework {Ruby centric} [http://www.arachni-scanner.com/](http://www.arachni-scanner.com/)
* Sn1per is an automated scanner {php} to enumerate and scan for vulnerabilities [https://github.com/1N3/Sn1per](https://github.com/1N3/Sn1per)
* WhatWeb - Next generation web scanner [https://github.com/urbanadventurer/WhatWeb](https://github.com/urbanadventurer/WhatWeb)
* Cloudflare's in-house lightweight network vulnerability scanner [https://blog.cloudflare.com/introducing-flan-scan/](https://blog.cloudflare.com/introducing-flan-scan/) and [https://github.com/cloudflare/flan](https://github.com/cloudflare/flan)
* OWASP-Nettacker - Automated Penetration Testing Framework [https://github.com/zdresearch/OWASP-Nettacker](https://github.com/zdresearch/OWASP-Nettacker)
* Jaeles - An extensible framework written in Go for building your own Web Application Scanner. [https://github.com/jaeles-project/jaeles](https://github.com/jaeles-project/jaeles)
* Some starter scripts to (*help*) set up a clean Windows 10 endpoint: [https://github.com/Hecsall/clean-windows](https://github.com/Hecsall/clean-windows)
* windows-privesc-check - Security Auditing Tool For Windows [https://code.google.com/archive/p/windows-privesc-check/source/default/source](https://code.google.com/archive/p/windows-privesc-check/source/default/source) and [https://github.com/1N3/PrivEsc/blob/master/windows/windows-privesc-check/windows-privesc-check.py](https://github.com/1N3/PrivEsc/blob/master/windows/windows-privesc-check/windows-privesc-check.py)
* [http://securitywing.com/63-web-application-security-checklist-auditors-developers/](http://securitywing.com/63-web-application-security-checklist-auditors-developers/) (very high level)
* Website fingerprint script [https://github.com/bgiarrizzo/website-fingerprint](https://github.com/bgiarrizzo/website-fingerprint)
* Awesome Mainframe Hacking/Pentesting Resources. [https://github.com/samanL33T/Awesome-Mainframe-Hacking/](https://github.com/samanL33T/Awesome-Mainframe-Hacking/)
* Excellent list of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc. [https://github.com/toniblyx/my-arsenal-of-aws-security-tools](https://github.com/toniblyx/my-arsenal-of-aws-security-tools)
* Audit and secure your AWS environment(s): [YATAS](https://github.com/padok-team/yatas) "is a simple and easy to use tool to audit your infrastructure for misconfiguration or potential security issues." ..."The goal of YATAS is to help you create a secure AWS environment without too much hassle." [https://github.com/padok-team/yatas](https://github.com/padok-team/yatas) and [https://www.primates.dev/aws-security-misconfiguration-audit-in-30-seconds/](https://www.primates.dev/aws-security-misconfiguration-audit-in-30-seconds/)
* AWS is a gigantic ecosystem. There may be opportunities that you are not yet aware of: [https://github.com/donnemartin/awesome-aws](https://github.com/donnemartin/awesome-aws)
* CloudGoat, Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. [https://github.com/RhinoSecurityLabs/cloudgoat](https://github.com/RhinoSecurityLabs/cloudgoat)
* Offensive security testing of your AWS environment [https://github.com/RhinoSecurityLabs/pacu](https://github.com/RhinoSecurityLabs/pacu)
* Offensive security testing of your CMS - CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 170 other CMSs [https://github.com/Tuhinshubhra/CMSeeK](https://github.com/Tuhinshubhra/CMSeeK)
* Tool-X - a kali linux tool installer for Android Termux [https://github.com/rajkumardusad/Tool-X](https://github.com/rajkumardusad/Tool-X)
* An interesting study script intended to automate your reconnaissance work [https://github.com/0blio/lazyrecon](https://github.com/0blio/lazyrecon)
* Abbreviated vulnerability assessment/recon [https://github.com/jivoi/pentest](https://github.com/jivoi/pentest)
* 'domain-scan' A lightweight scan pipeline for orchestrating third party tools, at scale and (optionally) using serverless infrastructure [https://github.com/18F/domain-scan](https://github.com/18F/domain-scan)
* Offensive Web Testing Framework (OWTF), is a framework [https://github.com/owtf/owtf](https://github.com/owtf/owtf)
* Offensive Web Application Penetration Testing Framework [https://github.com/0xInfection/TIDoS-Framework](https://github.com/0xInfection/TIDoS-Framework)
* Metabigor - An Intelligence tool to do OSINT tasks and more but without any API keys. [https://github.com/j3ssie/metabigor](https://github.com/j3ssie/metabigor)
* ReconFTW automates some reconnaissance activities. [https://github.com/six2dez/reconftw](https://github.com/six2dez/reconftw)
* Reconnoitre: A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst creating a directory structure to store results, findings and exploits used for each host, recommended commands to execute and directory structures for storing loot and flags. [https://github.com/codingo/Reconnoitre](https://github.com/codingo/Reconnoitre)
* Jenkins Pentesting [https://github.com/gquere/pwn_jenkins](https://github.com/gquere/pwn_jenkins)
* Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit [https://github.com/0xInfection/XSRFProbe](https://github.com/0xInfection/XSRFProbe)
* Cross Site Scripting detection suite [https://github.com/s0md3v/XSStrike](https://github.com/s0md3v/XSStrike)
* Web Application Firewall Fingerprinting Tool [https://github.com/EnableSecurity/wafw00f](https://github.com/EnableSecurity/wafw00f)
* Know your network -- The Ultimate PCAP [https://weberblog.net/the-ultimate-pcap/](https://weberblog.net/the-ultimate-pcap/)
* BurpSuite
* OWASP Zap
* HUNT Suite is a collection of Burp Suite Pro/Free and OWASP ZAP extensions [https://github.com/bugcrowd/HUNT](https://github.com/bugcrowd/HUNT)
* Deploy a private Burp Collaborator Server in Azure. By Javier Olmedo, Jun 17, 2019 [https://medium.com/bugbountywriteup/deploy-a-private-burp-collaborator-server-in-azure-f0d932ae1d70](https://medium.com/bugbountywriteup/deploy-a-private-burp-collaborator-server-in-azure-f0d932ae1d70)
* and Chrome's internal URLs for problem solving [chrome://chrome-urls/](chrome://chrome-urls/)
* DNS research [https://github.com/ogham/dog](https://github.com/ogham/dog)
* Some domains might be outside your intended target list? See the official, full list of registered domains in the .gov zone. The US Government's executive, legislative, and judicial branches are represented, as are US-based state, territory, tribal, city, and county governments: [https://github.com/cisagov/dotgov-data](https://github.com/cisagov/dotgov-data)
* There may be some *additional useful information* you might extract from the target's DNS records -- see "[You’re Closer Than You Think: The Only 6 DNS Concepts You Really Need](https://jonahdevs.com/youre-closer-than-you-think-the-only-6-dns-concepts-you-really-need/?utm_source=tldrnewsletter)," which includes a "complete list of DNS Functionality and Descriptions" that might help you think it through.
* HTTPie, a user-friendly command-line HTTP client for the API era [https://httpie.io/](https://httpie.io/)
* nmap tutorial [https://github.com/gnebbia/nmap_tutorial](https://github.com/gnebbia/nmap_tutorial)
* Using custom nmap port sets [https://bsago.me/tech-notes/custom-nmap-port-sets](https://bsago.me/tech-notes/custom-nmap-port-sets)
* Scanners Box [also known as scanbox] is a sizable, categorized collection of *scanners* from across GitHub.com [https://github.com/We5ter/Scanners-Box](https://github.com/We5ter/Scanners-Box)
* Very simple Python-based recon [https://github.com/naltun/eyes.py](https://github.com/naltun/eyes.py)
* Damn Small JS Scanner (DSJS) is a JavaScript library vulnerability scanner [https://github.com/stamparm/DSJS](https://github.com/stamparm/DSJS)
* What might those PDF files be hiding? Here are some tools that can help you automate the answer(s):
* [PyPDF](https://github.com/py-pdf/pypdf)
* [PyPDF2](https://github.com/py-pdf/pypdf)
* [PyMuPDF](https://github.com/pymupdf/PyMuPDF)
* [pdfminer.six](https://github.com/pdfminer/pdfminer.six)
* [pdfminer](https://github.com/euske/pdfminer)
* [pdfplumber](https://github.com/jsvine/pdfplumber)
* [camelot-py](https://github.com/camelot-dev/camelot)
* [tabula-py](https://github.com/chezou/tabula-py)
* Awk/gawk manual [https://www.gnu.org/software/gawk/manual/gawk.pdf](https://www.gnu.org/software/gawk/manual/gawk.pdf)
* Airbus security lab publications [https://airbus-seclab.github.io/](https://airbus-seclab.github.io/) and their tools at [https://github.com/airbus-seclab/](https://github.com/airbus-seclab/)
* Run your own VPN(s) [https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)
* "8 Best VPNs in 2021: Tested All Apps, Speed, Security & More." by Chase Williams September 01, 2021 [https://www.wizcase.com/vpn-reviews/](https://www.wizcase.com/vpn-reviews/)
* Email address parser from website list [https://github.com/skeitel/Python-Programs-and-Exercises-by-Javier-Marti/blob/master/email_parser_from_website_list.py](https://github.com/skeitel/Python-Programs-and-Exercises-by-Javier-Marti/blob/master/email_parser_from_website_list.py)
* Detect secrets within a code base [https://github.com/Yelp/detect-secrets](https://github.com/Yelp/detect-secrets)
* git-secrets -- Prevents you from committing passwords and other sensitive information to a git repository [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets)
* Python script to check HTTP security headers [https://github.com/juerkkil/securityheaders](https://github.com/juerkkil/securityheaders)
* sslyze [https://github.com/iSECPartners/sslyze](https://github.com/iSECPartners/sslyze)
* Sometimes it is important to carefully explore the content of given resources. Here is an excellent, comprehensive Unicode reference [https://jrgraphix.net/research/unicode_blocks.php](https://jrgraphix.net/research/unicode_blocks.php)
* OK. You found your way to a remote shell or access to arbitrary remote code execution -- what next?
* In order to better understand your options, consider what kernel vulnerabilities are present on that target. An option for that is the shell script `LES` (*Linux privilege escalation auditing tool*), which is "designed to assist in detecting security deficiencies for a given Linux kernel/Linux-based machine." [https://github.com/The-Z-Labs/linux-exploit-suggester](https://github.com/The-Z-Labs/linux-exploit-suggester) ... Before you get too busy with that, you might use it on your own Linux platforms to see if you are vulnerable.
* If you land on a Windows platform: "WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 11, including their Windows Server counterparts, is supported." [https://github.com/bitsadmin/wesng](https://github.com/bitsadmin/wesng)
* Velociraptor - Endpoint visibility and collection tool [https://github.com/Velocidex/velociraptor](https://github.com/Velocidex/velociraptor). This is a feature rich toolset that contains tooling that may have value in your vulnerability assessments. Caution: Like any endpoint monitoring tool, there is a risk that it can be used in *unintended* ways. In [Sept. 2025 threat actors are using](https://thehackernews.com/2025/08/attackers-abuse-velociraptor-forensic.html?utm_source=mccright_references) Velociraptor endpoint monitoring feature set to deploy Visual Studio Code for command and control tunneling, likely to establish persistent backdoor access.
* You will regularly need to know if something you started is finished, or get notified of an event you are waiting for. [ntfy](https://ntfy.sh/) is a fantastic service that lets you send push notifications to your phone or desktop via scripts from any computer, using simple HTTP PUT or POST requests. I use it to notify myself when scripts fail, or long-running commands complete. [https://ntfy.sh/](https://ntfy.sh/)
* OWASP BLT 🐜🪳 bug 🦗🪰 logging tool [https://github.com/OWASP-BLT/BLT](https://github.com/OWASP-BLT/BLT)
### Pen testing Linux distros
* ArchStrike (idle since 2021) [https://archstrike.org](https://archstrike.org)
* BackBox [https://backbox.org/](https://backbox.org/)
* Blackarch [https://blackarch.org/](https://blackarch.org/) and [https://github.com/BlackArch/blackarch](https://github.com/BlackArch/blackarch)
* Caine Security [https://www.caine-live.net](https://www.caine-live.net)
* DemonLinux [https://demonlinux.com/about.php](https://demonlinux.com/about.php)
* Fedora Security Lab [https://labs.fedoraproject.org/en/security/](https://labs.fedoraproject.org/en/security/)
* Kali [https://www.kali.org/](https://www.kali.org/)
* Network Security Toolkit, NST [http://www.networksecuritytoolkit.org/nst/index.html](http://www.networksecuritytoolkit.org/nst/index.html)
* Parrot Security OS [https://www.parrotsec.org/](https://www.parrotsec.org/)
* Shell Script to Convert Your Debian Into Parrot OS Pentesting Mach1ne [https://github.com/blackhatethicalhacking/parrotfromdebian](https://github.com/blackhatethicalhacking/parrotfromdebian)
* Pentoo [http://www.pentoo.ch/](http://www.pentoo.ch/)
* mx-live-usb-maker [https://github.com/MX-Linux/mx-live-usb-maker](https://github.com/MX-Linux/mx-live-usb-maker) and [https://github.com/MX-Linux/lum-qt-appimage/releases](https://github.com/MX-Linux/lum-qt-appimage/releases)
* and some Security-oriented Docker containers [https://github.com/khast3x/Offensive-Dockerfiles](https://github.com/khast3x/Offensive-Dockerfiles)
* and a cloud-enabled approach to the same idea, RedCloud [https://github.com/khast3x/Redcloud](https://github.com/khast3x/Redcloud)
* and if you need a little Linux help [https://gto76.github.io/linux-cheatsheet/](https://gto76.github.io/linux-cheatsheet/) and [https://github.com/gto76/linux-cheatsheet](https://github.com/gto76/linux-cheatsheet)
### BPF Tools
Explore your Live Linux Kernel Image - Berkeley Packet Filters & eBPF
* BPF Compiler Collection (BCC) - Tools for BPF-based Linux IO analysis, networking, monitoring, and more [https://github.com/iovisor/bcc](https://github.com/iovisor/bcc)
### Online Scanners
* yougetsignal [http://www.yougetsignal.com/tools/open-ports/](http://www.yougetsignal.com/tools/open-ports/)
* Reverse IP Domain Check [https://www.yougetsignal.com/tools/web-sites-on-web-server/](https://www.yougetsignal.com/tools/web-sites-on-web-server/)
* Network Location Check [https://www.yougetsignal.com/tools/network-location/](https://www.yougetsignal.com/tools/network-location/)
* viewdns [a range of dns tools] [https://viewdns.info/](https://viewdns.info/)
* hackertarget [https://hackertarget.com/nmap-online-port-scanner/](https://hackertarget.com/nmap-online-port-scanner/)
* Dump links from a page [https://hackertarget.com/extract-links/](https://hackertarget.com/extract-links/)
* And a range of related tools [https://hackertarget.com/ip-tools/](https://hackertarget.com/ip-tools/)
* ipfingerprints [http://www.ipfingerprints.com/portscan.php](http://www.ipfingerprints.com/portscan.php)
* pingeu [http://ping.eu/port-chk/](http://ping.eu/port-chk/)
* spiderip [https://spiderip.com/online-port-scan.php](https://spiderip.com/online-port-scan.php)
* t1shopper [http://www.t1shopper.com/tools/port-scan/](http://www.t1shopper.com/tools/port-scan/)
* Whois Ping Port Scanner NSlookup & Traceroute @ t1shopper [http://www.t1shopper.com/tools/](http://www.t1shopper.com/tools/)
* standingtech [https://portscanner.standingtech.com/](https://portscanner.standingtech.com/)
* Convert IP Address to Binary, Hexadecimal, Octal, and Long Integer [https://ipaddress.standingtech.com/online-ip-address-converter](https://ipaddress.standingtech.com/online-ip-address-converter)
* Or use a Python-based command-line utility for using websites that can perform port scans on your behalf [https://github.com/vesche/scanless](https://github.com/vesche/scanless)
### General Secure Programming
* Fortify Taxonomy of Secure Software Errors. [https://vulncat.fortify.com/en](https://vulncat.fortify.com/en)
* Awesome App-Sec. A curated list of resources for learning about application security. [https://github.com/paragonie/awesome-appsec](https://github.com/paragonie/awesome-appsec)
* Static analysis tools for *all* programming languages [https://github.com/analysis-tools-dev/static-analysis](https://github.com/analysis-tools-dev/static-analysis)
* Awesome Static Analysis - a collection of static analysis tools and code quality checkers. [https://github.com/mre/awesome-static-analysis](https://github.com/mre/awesome-static-analysis)
* Python Taint -- pyt -- A Static Analysis Tool for Detecting common Security Vulnerabilities in Python Web Applications [https://github.com/python-security/pyt](https://github.com/python-security/pyt)
* Bandit -- A security linter for detecting common security vulnerabilities in Python applications [https://github.com/PyCQA/bandit](https://github.com/PyCQA/bandit)
* Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including OCI and docker) [https://github.com/quay/clair](https://github.com/quay/clair)
* Awesome CI {Continuous Integration}, Incl. tools for git, file and static source code security analysis - [https://github.com/cytopia/awesome-ci](https://github.com/cytopia/awesome-ci)
* "Avoiding the Top 10 Security Flaws." Design guidance by the IEEE Center for Secure Design (CSD), [http://cybersecurity.ieee.org/center-for-secure-design/avoiding-the-top-10-security-flaws.html](http://cybersecurity.ieee.org/center-for-secure-design/avoiding-the-top-10-security-flaws.html)
* The IEEE Computer Society Center for Secure Design. [http://cybersecurity.ieee.org/center-for-secure-design.html](http://cybersecurity.ieee.org/center-for-secure-design.html)
* The OWASP Application Security Verification Standard (ASVS) Project attempts to provide a basis for testing web application technical security controls. [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project](https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project)
* OWASP Cheat Sheet Series -- a collection of high value information on specific web application security topics [https://www.owasp.org/index.php/Cheat_Sheets](https://www.owasp.org/index.php/Cheat_Sheets) and [https://cheatsheetseries.owasp.org/](https://cheatsheetseries.owasp.org/)
* Or if just getting the code to work first is your issue: [https://github.com/Neklaustares-tPtwP/Resources/tree/main/Cheat%20Sheets](https://github.com/Neklaustares-tPtwP/Resources/tree/main/Cheat%20Sheets)
* Collection of OWASP Web Application Security Testing Cheat Sheets [https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet](https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet)
* Web Application Security Guide/Checklist [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Checklist](https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Checklist)
* CERN Security Checklist for Software Developers [https://security.web.cern.ch/security/recommendations/en/checklist_for_coders.shtml](https://security.web.cern.ch/security/recommendations/en/checklist_for_coders.shtml)
* Web Application Security Guide [https://en.wikibooks.org/wiki/Web_Application_Security_Guide](https://en.wikibooks.org/wiki/Web_Application_Security_Guide)
* DISA Information Assurance Support Environment [https://public.cyber.mil/](https://public.cyber.mil/)
* Security Technical Implementation Guides (STIGs) [https://public.cyber.mil/stigs/](https://public.cyber.mil/stigs/)
* Application Security STIGs [https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security](https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security)
* Application Security and Development Security Technical Implementation Guide, Version 5, Release 1 - 26 October 2020 [https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_ASD_V5R1_STIG.zip](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_ASD_V5R1_STIG.zip)
* DoD Cloud Computing Security [https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=cloud-security-stigs](https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=cloud-security-stigs)
* IASE Application Security [https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_ASD_V5R1_STIG.zip](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_ASD_V5R1_STIG.zip)
* Excellent STIG viewer [https://www.stigviewer.com/stigs](https://www.stigviewer.com/stigs)
* Equally excellent Common Controls viewer [https://www.unifiedcompliance.com/products/search-controls/](https://www.unifiedcompliance.com/products/search-controls/)
* DOD Instruction 8500.2 Full Control List [https://www.stigviewer.com/controls/8500](https://www.stigviewer.com/controls/8500)
* NIST 800-53 Controls Viewer [https://www.stigviewer.com/controls/800-53](https://www.stigviewer.com/controls/800-53)
* Unified Compliance Hub for navigating the ever-evolving rat's nest of public and private mandates [https://www.unifiedcompliance.com/products/](https://www.unifiedcompliance.com/products/)
* [http://www.cheatography.com/tag/programming/](http://www.cheatography.com/tag/programming/)
* PortSwigger's Cross-site scripting (XSS) cheat sheet [https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
* A small collection of XSS-Payloads [https://github.com/terjanq/Tiny-XSS-Payloads](https://github.com/terjanq/Tiny-XSS-Payloads)
* XSS-Payloads [https://github.com/RenwaX23/XSS-Payloads](https://github.com/RenwaX23/XSS-Payloads)
* Awesome XSS [https://github.com/s0md3v/AwesomeXSS](https://github.com/s0md3v/AwesomeXSS)
* XSS Prevention Cheat Sheet from OWASP: [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
* Fortify Taxonomy of Secure Software Errors. [https://vulncat.fortify.com/en](https://vulncat.fortify.com/en)
* Java Deserialization Cheat Sheet [https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet)
* The Offensive 360 Knowledge base [https://knowledge-base.offensive360.com/](https://knowledge-base.offensive360.com/)
* HTTP Status Codes on-line [https://httpstatuses.com/](https://httpstatuses.com/)
* HTTP Status Codes local [https://github.com/mychris/scripts/blob/master/httpstatus](https://github.com/mychris/scripts/blob/master/httpstatus)
* IANA Hypertext Transfer Protocol (HTTP) Status Code Registry [http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml](http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml)
* Sometimes it is just important to get started: "Hello world in every computer language." [https://github.com/leachim6/hello-world](https://github.com/leachim6/hello-world)
* And a 'free' temporary platform may also be important: "A list of SaaS, PaaS and IaaS offerings that have free tiers of interest to devops and infradev." [https://github.com/haneefmubarak/free-for-dev](https://github.com/haneefmubarak/free-for-dev)
* Collection of the most common vulnerabilities found in iOS applications [https://github.com/felixgr/secure-ios-app-dev](https://github.com/felixgr/secure-ios-app-dev)
* Application logging guidance [https://github.com/mccright/references/blob/master/AppSec-Logging.md](https://github.com/mccright/references/blob/master/AppSec-Logging.md)
* AWS logging guidance [https://betterdev.blog/aws-lambda-logging-best-practices/](https://betterdev.blog/aws-lambda-logging-best-practices/)
* One approach to logging in your shell scripts [https://www.cubicrace.com/2016/03/efficient-logging-mechnism-in-shell.html](https://www.cubicrace.com/2016/03/efficient-logging-mechnism-in-shell.html)
* The TIOBE Index of programming language popularity [https://www.tiobe.com/tiobe-index/](https://www.tiobe.com/tiobe-index/)
* A collection of ready-to-deploy-in-AWS Serverless Framework services [https://github.com/serverless/examples](https://github.com/serverless/examples)
* An evolving "command-line tool allowing developers to find security vulnerabilities within a Java project." It incorporates some static analysis (SAST) and some software composition analysis (SCA). [https://github.com/xJonah/REPELSEC](https://github.com/xJonah/REPELSEC)
* A useful script to help manage Java installation and removal on your Linux host [https://github.com/chrishantha/install-java](https://github.com/chrishantha/install-java)
* An edge case: *Protecting* your scripts - PowerShell, Visual Basic (VB), and C# code obfuscation -- "A Beginner's Guide to Obfuscation" [https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation](https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation)
* Attack-resistant programming requires a threshold understanding of your current language. `esolang-box` provides "easy and standardized docker images for 200+ esoteric (and non-esoteric) languages." https://github.com/hakatashi/esolang-box
* A Python implementation of [RFC 7519](https://tools.ietf.org/html/rfc7519). [https://github.com/jpadilla/pyjwt](https://github.com/jpadilla/pyjwt)
### PHP
* Awesome PHP. A curated list of PHP libraries, resources and shiny things. [https://github.com/ziadoz/awesome-php](https://github.com/ziadoz/awesome-php)
* [http://www.cheatography.com/tag/php/](http://www.cheatography.com/tag/php/)
* PHP Security Guide, 2005. [http://phpsec.org/projects/guide/](http://phpsec.org/projects/guide/)
* Survive The Deep End: PHP Security, 2015. [https://phpsecurity.readthedocs.org/en/latest/](https://phpsecurity.readthedocs.org/en/latest/)
* Hacking with PHP -> Security Concerns. [http://www.hackingwithphp.com/17/0/0/security-concerns](http://www.hackingwithphp.com/17/0/0/security-concerns)
* PHP The Right Way -> Security. [http://www.phptherightway.com/#security](http://www.phptherightway.com/#security)
* PHP Best Practices -- A short, practical guide for common and confusing PHP tasks: [https://phpbestpractices.org/](https://phpbestpractices.org/)
### Python
* Describe the environment (sometimes for Python troubleshooting): https://github.com/rapidsai/cudf/blob/branch-25.10/print_env.sh
* Fun. Image2Text utilities: https://github.com/vietnh1009/ASCII-generator
* "The Complete Python Development Guide." [https://testdriven.io/guides/complete-python/](https://testdriven.io/guides/complete-python/)
* Hitchhiker's Guide to Python [https://github.com/realpython/python-guide](https://github.com/realpython/python-guide)
* and its 'Web Applications & Frameworks' section [https://github.com/realpython/python-guide/blob/master/docs/scenarios/web.rst](https://github.com/realpython/python-guide/blob/master/docs/scenarios/web.rst)
* Python Cheatsheet, comprehensive [https://gto76.github.io/python-cheatsheet/](https://gto76.github.io/python-cheatsheet/) and [https://github.com/gto76/python-cheatsheet](https://github.com/gto76/python-cheatsheet)
* Python Cheatsheet [https://cheatsheets.quantecon.org/python-cheatsheet.html](https://cheatsheets.quantecon.org/python-cheatsheet.html)
* another Python CheatSheet - my current favorite [https://perso.limsi.fr/pointal/_media/python:cours:mementopython3-english.pdf](https://perso.limsi.fr/pointal/_media/python:cours:mementopython3-english.pdf)
* A small collection of Python cheatsheets [https://github.com/Neklaustares-tPtwP/Resources/tree/main/Cheat%20Sheets/Python%20%26%20All%20Libraries%20Cheat%20Sheets](https://github.com/Neklaustares-tPtwP/Resources/tree/main/Cheat%20Sheets/Python%20%26%20All%20Libraries%20Cheat%20Sheets)
* Python Cheatsheet from kickstartcoding [https://github.com/kickstartcoding/cheatsheets/blob/master/build/topical/python.pdf](https://github.com/kickstartcoding/cheatsheets/blob/master/build/topical/python.pdf)
* A neat set of PDF topical Python cheatsheets by the author of ["Python Crash Course" by Eric Matthes](https://www.amazon.com/Python-Crash-Course-2nd-Edition/dp/1593279280/ref=sr_1_2?crid=EWAWN9O4URJY&dchild=1&keywords=python+crash+course+2nd+edition+by+eric+matthes&qid=1608398592&sprefix=%22python+crash+course%22%2Caps%2C200&sr=8-2) [http://ehmatthes.github.io/pcc/cheatsheets/README.html](http://ehmatthes.github.io/pcc/cheatsheets/README.html) and another version for the 2nd edition of PCC at [https://ehmatthes.github.io/pcc_2e/cheat_sheets/cheat_sheets/](https://ehmatthes.github.io/pcc_2e/cheat_sheets/cheat_sheets/)
* The standard Python resources:
* Main website: https://www.python.org/
* Documentation: https://docs.python.org/
* Developer resources: https://devguide.python.org/
* Downloads: https://www.python.org/downloads/
* Module repository: https://pypi.org/
* 73 Examples to Help You Master Python's f-strings [https://miguendes.me/73-examples-to-help-you-master-pythons-f-strings](https://miguendes.me/73-examples-to-help-you-master-pythons-f-strings)
* Docker Official Python Images [https://hub.docker.com/_/python](https://hub.docker.com/_/python)
* A deep dive into the official Docker image for Python [https://pythonspeed.com/articles/official-python-docker-image/](https://pythonspeed.com/articles/official-python-docker-image/)
* The best Docker base image for your Python application (April 2020) *tl;dr; Ubuntu LTS or Docker Official Python Debian* [https://pythonspeed.com/articles/base-image-python-docker-images/](https://pythonspeed.com/articles/base-image-python-docker-images/)
* "Docker Best Practices for Python Developers" By Amal Shaji 2021-10-05 [https://testdriven.io/blog/docker-best-practices/](https://testdriven.io/blog/docker-best-practices/)
* "Don't leak your Docker image's build secrets." By Itamar Turner-Trauring, 2021-10-01 [https://pythonspeed.com/articles/docker-build-secrets/](https://pythonspeed.com/articles/docker-build-secrets/)
* **unblob** parses unknown binary blobs for more than 30 different archive, compression, and file-system formats, extracts their content recursively, and carves out unknown chunks that have not been accounted for -- just what is needed to explore docker images: [https://github.com/onekey-sec/unblob](https://github.com/onekey-sec/unblob)
* PyFormat Using % and .format() [https://pyformat.info/](https://pyformat.info/)
* Python's strftime directives [https://strftime.org/](https://strftime.org/)
* Python's Pathlib explained [https://rednafi.github.io/digressions/python/2020/04/13/python-pathlib.html](https://rednafi.github.io/digressions/python/2020/04/13/python-pathlib.html)
* Type hints cheat sheet (Python 3) [https://mypy.readthedocs.io/en/stable/cheat_sheet_py3.html](https://mypy.readthedocs.io/en/stable/cheat_sheet_py3.html)
* Write Pythonic Code Like a Seasoned Developer Course [https://training.talkpython.fm/courses/explore_pythonic_code/write-pythonic-code-like-a-seasoned-developer](https://training.talkpython.fm/courses/explore_pythonic_code/write-pythonic-code-like-a-seasoned-developer) and [https://github.com/mikeckennedy/write-pythonic-code-demos](https://github.com/mikeckennedy/write-pythonic-code-demos)
* 71 Python Code Snippets for Everyday Problems [https://therenegadecoder.com/code/python-code-snippets-for-everyday-problems/#checking-if-a-file-exists](https://therenegadecoder.com/code/python-code-snippets-for-everyday-problems/#checking-if-a-file-exists)
* 30-seconds-of-python - Curated collection of useful Python snippets that you can understand in 30 seconds or less [https://github.com/30-seconds/30-seconds-of-python](https://github.com/30-seconds/30-seconds-of-python)
* Packaging Projects with Python [https://github.com/russomi/packaging_tutorial](https://github.com/russomi/packaging_tutorial) and [https://packaging.python.org/tutorials/packaging-projects/](https://packaging.python.org/tutorials/packaging-projects/)
* MATLAB–Python–Julia cheatsheet [https://cheatsheets.quantecon.org/](https://cheatsheets.quantecon.org/)
* Awesome Python -- A curated list of awesome Python frameworks, libraries and software. Inspired by awesome-php. [https://github.com/vinta/awesome-python](https://github.com/vinta/awesome-python)
* Best-of Web Development with Python, curated & ranked list [https://github.com/ml-tooling/best-of-web-python](https://github.com/ml-tooling/best-of-web-python)
* Awesome Python Security [https://github.com/guardrailsio/awesome-python-security](https://github.com/guardrailsio/awesome-python-security)
* Awesome Flask [https://github.com/mjhea0/awesome-flask](https://github.com/mjhea0/awesome-flask)
* Python Docker image with poetry as dependency manager. [https://github.com/etienne-napoleone/docker-python-poetry](https://github.com/etienne-napoleone/docker-python-poetry)
* Pythonic Data Structures and Algorithms [https://github.com/keon/algorithms](https://github.com/keon/algorithms)
* '*All*' Algorithms implemented in Python ("*may be less efficient than the implementations in the Python standard library. Use them at your discretion.*") [https://github.com/TheAlgorithms/Python](https://github.com/TheAlgorithms/Python)
* Like the safety of with statements, just not in your code? Let 'just' take care of it [https://github.com/kootenpv/just](https://github.com/kootenpv/just)
* Error-handling examples: [https://github.com/ianozsvald/python_exception_examples/blob/master/examples.py](https://github.com/ianozsvald/python_exception_examples/blob/master/examples.py)
* [pymg](https://github.com/mimseyedi/pymg) is a CLI tool that can interpret Python files by the Python interpreter and display the error message in a more readable way if an exception occurs [https://github.com/mimseyedi/pymg](https://github.com/mimseyedi/pymg)
* Datetime examples: [https://github.com/ianozsvald/datetime-examples/blob/master/examples.py](https://github.com/ianozsvald/datetime-examples/blob/master/examples.py)
* Scientific Python Cheatsheet [https://ipgp.github.io/scientific_python_cheat_sheet/](https://ipgp.github.io/scientific_python_cheat_sheet/)
* "10 Useful Python Data Visualization Libraries for Any Discipline" by Melissa Bierly [https://blog.modeanalytics.com/python-data-visualization-libraries/](https://blog.modeanalytics.com/python-data-visualization-libraries/)
* Counting things in Python [http://treyhunner.com/2015/11/counting-things-in-python/](http://treyhunner.com/2015/11/counting-things-in-python/)
* Crypto101: an introductory course on cryptography. [https://www.crypto101.io/](https://www.crypto101.io/)
* The Data Scientist's Toolbox [https://www.coursera.org/learn/data-scientists-tools](https://www.coursera.org/learn/data-scientists-tools)
* Compiler-free Python crypto library [https://github.com/wbond/oscrypto](https://github.com/wbond/oscrypto)
* Python library to convert Microsoft Outlook .msg files to .eml/MIME message files [https://github.com/JoshData/convert-outlook-msg-file](https://github.com/JoshData/convert-outlook-msg-file)
* Understanding iteration in Python [https://github.com/wyounas/python_training_hq/tree/master/blog_iterator_code_samples](https://github.com/wyounas/python_training_hq/tree/master/blog_iterator_code_samples)
* Virtualenv [https://virtualenv.pypa.io/en/latest/installation.html](https://virtualenv.pypa.io/en/latest/installation.html) and a how-to [https://www.youtube.com/watch?v=N5vscPTWKOk](https://www.youtube.com/watch?v=N5vscPTWKOk)
Along with related/supporting projects:
* virtualenvwrapper - a useful set of scripts for creating and deleting virtual environments [https://pypi.org/project/virtualenvwrapper](https://pypi.org/project/virtualenvwrapper)
* pew: provides a set of commands to manage multiple virtual environments [https://pypi.org/project/pew](https://pypi.org/project/pew)
* tox: a generic virtualenv management and test automation command line tool, driven by a tox.ini configuration file [https://pypi.org/project/tox](https://pypi.org/project/tox)
* nox: a tool that automates testing in multiple Python environments, similar to tox, driven by a noxfile.py configuration file [https://pypi.org/project/nox](https://pypi.org/project/nox)
* How to write good quality Python code with GitHub Actions. By Wojciech Krzywiec [https://medium.com/@wkrzywiec/how-to-write-good-quality-python-code-with-github-actions-2f635a2ab09a](https://medium.com/@wkrzywiec/how-to-write-good-quality-python-code-with-github-actions-2f635a2ab09a)
* Automating Every Aspect of Your Python Project [https://martinheinz.dev/blog/17](https://martinheinz.dev/blog/17)
* An open-source chart and map framework for realtime data [https://github.com/pubnub/eon](https://github.com/pubnub/eon)
* Datagen - create sample delimited data using a simple schema format so you can get to work [https://github.com/toddwilson/datagen](https://github.com/toddwilson/datagen)
* An asynchronous tasks library using asyncio [https://github.com/joegasewicz/pytask-io](https://github.com/joegasewicz/pytask-io)
* Render local readme files before sending off to GitHub [https://github.com/joeyespo/grip](https://github.com/joeyespo/grip) and a sample Python script to generate bulk documentation [https://gist.github.com/mrexmelle/659abc02ae1295d60647](https://gist.github.com/mrexmelle/659abc02ae1295d60647)
* A general purpose Python automatization library with real-time web UI [https://github.com/tuomas2/automate](https://github.com/tuomas2/automate)
* tmux session manager [https://github.com/tmux-python/tmuxp](https://github.com/tmux-python/tmuxp)
* web.py is a web framework for Python that is as simple as it is powerful. [https://github.com/webpy/webpy](https://github.com/webpy/webpy)
* Need to upgrade ad-hoc calls to Requests with a client-side API for your apps? [https://github.com/prkumar/uplink](https://github.com/prkumar/uplink)
* A basic spreadsheet to api engine [https://github.com/18F/autoapi](https://github.com/18F/autoapi)
* Blog with git [https://github.com/joeyespo/gitpress](https://github.com/joeyespo/gitpress)
* deadlinks - link checker [https://github.com/butuzov/deadlinks](https://github.com/butuzov/deadlinks)
* A rough RSS/Atom feed parser [https://github.com/dcramer/feedreader](https://github.com/dcramer/feedreader)
* pyautogit [https://github.com/jwlodek/pyautogit](https://github.com/jwlodek/pyautogit)
* Library of 60+ commonly-used validator functions [https://github.com/insightindustry/validator-collection](https://github.com/insightindustry/validator-collection)
* A python library for parsing multiple types of config files, envvars & command line arguments [https://github.com/naorlivne/parse_it](https://github.com/naorlivne/parse_it)
* Some examples of how to use the Python module 'configparser' [https://github.com/revfran/pythonConfigParsing](https://github.com/revfran/pythonConfigParsing), [https://github.com/VakinduPhilliam/Python_Configuration_Parser](https://github.com/VakinduPhilliam/Python_Configuration_Parser)
* Search for strings in source code - at scale [https://github.com/s0md3v/hardcodes](https://github.com/s0md3v/hardcodes)
* Present data in tables on your terminal [https://github.com/Robpol86/terminaltables](https://github.com/Robpol86/terminaltables)
* Another tool for presenting data in tables [https://github.com/jazzband/prettytable](https://github.com/jazzband/prettytable)
* Progress bar [https://github.com/verigak/progress](https://github.com/verigak/progress)
* present: A terminal-based presentation tool with colors and effects. [https://github.com/vinayak-mehta/present](https://github.com/vinayak-mehta/present)
* Color your script output with [https://github.com/gvalkov/python-ansimarkup](https://github.com/gvalkov/python-ansimarkup) or on Windows with [https://pypi.python.org/pypi/colorama](https://pypi.python.org/pypi/colorama)
* Colorpedia - a command-line tool for looking up colors, shades and palettes [https://github.com/joowani/colorpedia](https://github.com/joowani/colorpedia)
* "Python requests is slow and takes very long to complete HTTP or HTTPS request" -- This is fantastic troubleshooting guidance and advice! [https://stackoverflow.com/questions/62599036/python-requests-is-slow-and-takes-very-long-to-complete-http-or-https-request](https://stackoverflow.com/questions/62599036/python-requests-is-slow-and-takes-very-long-to-complete-http-or-https-request)
* nmappy may not be the right scanner for you, but you might find its Python source code interesting as it attempts to solve a range of network-centric challenges: [https://github.com/bitsadmin/nmappy/blob/master/nmappy.py](https://github.com/bitsadmin/nmappy/blob/master/nmappy.py)
* "Building a Full Stack Application with Flask and HTMx" [https://codecapsules.io/docs/tutorials/build-flask-htmx-app/](https://codecapsules.io/docs/tutorials/build-flask-htmx-app/) and [https://github.com/codecapsules-io/demo-flask-htmx](https://github.com/codecapsules-io/demo-flask-htmx)
* Generate *random* user agent strings
* [https://pypi.org/project/random-user-agent/](https://pypi.org/project/random-user-agent/)
* [https://pypi.org/project/requests-random-user-agent/](https://pypi.org/project/requests-random-user-agent/)
* [https://pypi.org/project/fake_user_agent/](https://pypi.org/project/fake_user_agent/)
* [https://pypi.org/project/uas/](https://pypi.org/project/uas/)
* Now that you have a pile of Python code, here is a utility to build presentations out of Python code: pysentation, a CLI for displaying Python presentations [https://github.com/mimseyedi/pysentation](https://github.com/mimseyedi/pysentation)
### Markdown
* [https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet)
* [https://docs.github.com/en/get-started/writing-on-github](https://docs.github.com/en/get-started/writing-on-github)
* [https://bitbucket.org/tutorials/markdowndemo](https://bitbucket.org/tutorials/markdowndemo)
* Markdown Cheatsheet [http://commonmark.org/help/](http://commonmark.org/help/)
* [https://guides.github.com/pdfs/markdown-cheatsheet-online.pdf](https://guides.github.com/pdfs/markdown-cheatsheet-online.pdf)
* GitHub Flavored Markdown Spec [https://github.github.com/gfm/](https://github.github.com/gfm/)
* Another GitHub Flavored Markdown cheatsheet [https://github.com/tchapi/markdown-cheatsheet](https://github.com/tchapi/markdown-cheatsheet)
* Collection of static site generators [https://jamstack.org/generators/](https://jamstack.org/generators/) and [https://staticsitegenerators.net/](https://staticsitegenerators.net/)
* Static site generator written in Python [https://github.com/getpelican/pelican](https://github.com/getpelican/pelican)
### JavaScript
* Very basic [http://marijnhaverbeke.nl/js-cheatsheet.html](http://marijnhaverbeke.nl/js-cheatsheet.html)
* [http://www.cheatography.com/acwinter/cheat-sheets/javascript-basic-advanced-and-more/](http://www.cheatography.com/acwinter/cheat-sheets/javascript-basic-advanced-and-more/)
and
* [http://www.cheatography.com/tag/javascript/](http://www.cheatography.com/tag/javascript/)
and
* [http://www.sitepoint.com/10-javascript-cheat-sheets/](http://www.sitepoint.com/10-javascript-cheat-sheets/)
* Learning JavaScript Design Patterns. Volume 1.6.2, By Addy Osmani [https://addyosmani.com/resources/essentialjsdesignpatterns/book/](https://addyosmani.com/resources/essentialjsdesignpatterns/book/)
* Programming JavaScript Applications. By Eric Elliott [http://chimera.labs.oreilly.com/books/1234000000262/index.html](http://chimera.labs.oreilly.com/books/1234000000262/index.html)
* Cheatsheets for experienced React developers getting started with TypeScript [https://github.com/typescript-cheatsheets/react-typescript-cheatsheet](https://github.com/typescript-cheatsheets/react-typescript-cheatsheet)
* Node: Up and Running. By Tom Hughes-Croucher and Mike Wilson [http://chimera.labs.oreilly.com/books/1234000001808/index.html](http://chimera.labs.oreilly.com/books/1234000001808/index.html)
* Narrative workbook -- This is a companion workbook that will assist you in working through the codeX Narrative that is to be provided. Resources and references provided that will assist you in your journey will be published in the repository. [https://github.com/codex-academy/codeX_ReleaseOneNarrativeWorkbook](https://github.com/codex-academy/codeX_ReleaseOneNarrativeWorkbook)
* "Don't make fun of JavaScript" [https://github.com/pixari/dmfojs](https://github.com/pixari/dmfojs)
### Crypto
* Matthew Green's List of Crypto Resources: [http://blog.cryptographyengineering.com/](http://blog.cryptographyengineering.com/)
* Crypto101: an introductory course on cryptography. [https://www.crypto101.io/](https://www.crypto101.io/)
* A good place to get an overview of the correct tools to use for modern cryptography is "(Updated) Cryptographic Right Answers" by [Thomas Ptacek](https://github.com/tqbf) (*Thank you [William Bond](https://github.com/wbond/oscrypto/blob/master/docs/readme.md#modern-cryptography)*): [https://gist.github.com/tqbf/be58d2d39690c3b366ad](https://gist.github.com/tqbf/be58d2d39690c3b366ad)
* [Peter Gutmann](https://www.cs.auckland.ac.nz/~pgut001/) (*a researcher at the University of Auckland*) assembled his "godzilla crypto tutorial," including 973 slides in 12 parts at: https://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html Although this material is not new, it still seems like a resource that will be of value to many.
* pyca/cryptography - A package providing cryptographic recipes and primitives to Python developers, with the goal of being your "cryptographic standard library". [https://github.com/pyca/cryptography](https://github.com/pyca/cryptography)
* A fast, pure Python library for parsing and serializing ASN.1 structures. [https://github.com/wbond/asn1crypto](https://github.com/wbond/asn1crypto)
* Compiler-free Python crypto library [https://github.com/wbond/oscrypto](https://github.com/wbond/oscrypto)
* PyNaCl: Python binding to the libsodium library [https://github.com/pyca/pynacl](https://github.com/pyca/pynacl)
* The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis [https://gchq.github.io/CyberChef](https://gchq.github.io/CyberChef) and [https://github.com/gchq/CyberChef](https://github.com/gchq/CyberChef)
* Here is an example of using CyberChef to deobfuscate malware: ["Advanced Cyberchef Techniques - Defeating Nanocore Obfuscation With Math and Flow Control"](https://www.embeeresearch.io/advanced-cyberchef-techniques-defeating-nanocore-obfuscation-with-math-and-flow-control/)
* Or search for other projects (*there are lots of them*) with: [https://github.com/search?q=cryptography&type=repositories](https://github.com/search?q=cryptography&type=repositories)
* Or local search with monkeSearch [https://github.com/monkesearch/monkeSearch](https://github.com/monkesearch/monkeSearch)
* **[RFC 9180 Hybrid public-key encryption (HPKE)](https://datatracker.ietf.org/doc/html/rfc9180)** See a useful overview from CloudFlare: [https://blog.cloudflare.com/hybrid-public-key-encryption/](https://blog.cloudflare.com/hybrid-public-key-encryption/).
* "[TL;DR - Hybrid Public Key Encryption.](https://www.franziskuskiefer.de/p/tldr-hybrid-public-key-encryption/)"
* "[Hybrid Public Key Encryption: My Involvement in Development and Analysis of a Cryptographic Standard](https://www.benjaminlipp.de/p/hpke-cryptographic-standard/)."
* And a Python implementation of *[draft version 1](https://datatracker.ietf.org/doc/html/draft-barnes-cfrg-hpke-01)* at: [https://github.com/dwd/crypto-examples/blob/master/hpke.py](https://github.com/dwd/crypto-examples/blob/master/hpke.py).
### Regex
* Test your regex online: [https://regex101.com/](https://regex101.com/) or
* test your regex with: [https://pythex.org/](https://pythex.org/)
* test and visualize your regex with: [https://extendsclass.com/regex-tester.html](https://extendsclass.com/regex-tester.html)
* Test your JavaScript style regex: [https://regexper.com/](https://regexper.com/)
* Test your Python style regex: [https://pythonium.net/regex](https://pythonium.net/regex)
* OWASP Validation Regex Repository [https://www.owasp.org/index.php/OWASP_Validation_Regex_Repository](https://www.owasp.org/index.php/OWASP_Validation_Regex_Repository)
* A really big collection of regex resources [http://regexlib.com/](http://regexlib.com/)
* [http://www.cheatography.com/davechild/cheat-sheets/regular-expressions/](http://www.cheatography.com/davechild/cheat-sheets/regular-expressions/)
and
* [http://www.cheatography.com/tag/regex/](http://www.cheatography.com/tag/regex/)
* Another collection of examples: [http://www.regular-expressions.info/examples.html](http://www.regular-expressions.info/examples.html)
* Includes a collection of regexes for apikeys/tokens [https://github.com/m4ll0k/SecretFinder/blob/master/BurpSuite-SecretFinder/SecretFinder.py](https://github.com/m4ll0k/SecretFinder/blob/master/BurpSuite-SecretFinder/SecretFinder.py)
* "Regular Expressions: Regexes in Python" by John Sturtz [https://realpython.com/regex-python/](https://realpython.com/regex-python/) and part 2 [https://realpython.com/regex-python-part-2/](https://realpython.com/regex-python-part-2/)
* *Related...* Personally Identifiable Information (PII) Redactor shell script [https://github.com/infinite-omicron/pii-redactor/blob/master/pii_redactor.sh](https://github.com/infinite-omicron/pii-redactor/blob/master/pii_redactor.sh)
### DOS/Windows Shell
* Guide to Batch Scripting [http://steve-jansen.github.io/guides/windows-batch-scripting/](http://steve-jansen.github.io/guides/windows-batch-scripting/)
### Information Sources for your Security Investigations
A starter list of information sources for your security investigations & integrations:
(Thank you https://github.com/cloudtracer/ThreatPinchLookup)
* What defines a “material” cybersecurity incident? Lacework released a Securities and Exchange Commission (SEC) materiality framework paper [https://www.lacework.com/resource/sec-materiality-framework.html](https://www.lacework.com/resource/sec-materiality-framework.html)
* Awesome OSINT [https://github.com/jivoi/awesome-osint](https://github.com/jivoi/awesome-osint)
* Ammar Amer's OSINT resources [https://github.com/blaCCkHatHacEEkr/OSINT_TIPS](https://github.com/blaCCkHatHacEEkr/OSINT_TIPS)
* Discover Your Attack Surface [https://github.com/intrigueio/intrigue-core](https://github.com/intrigueio/intrigue-core)
* Alienvault OTX for IPv4, CVE, MD5, SHA1 and SHA2 lookups [https://otx.alienvault.com/](https://otx.alienvault.com/)
* Bitcoin Whos Who for Bitcoin lookups [http://bitcoinwhoswho.com/](http://bitcoinwhoswho.com/)
* BlockChain.info for Bitcoin lookups [https://blockchain.info/](https://blockchain.info/)
* BTC for Bitcoin lookups [https://btc.com/](https://btc.com/)
* Censys.io for IPv4 lookups [https://censys.io/](https://censys.io/)
* CIRCL (Computer Incident Response Center Luxembourg) for CVE lookups [https://www.circl.lu/](https://www.circl.lu/)
* Google Safe Browsing for URL lookups [https://safebrowsing.google.com/](https://safebrowsing.google.com/)
* Have I Been Pwned for Email lookups [https://haveibeenpwned.com](https://haveibeenpwned.com)
* IBM XForce Exchange for IPv4, EFQDN lookups [https://exchange.xforce.ibmcloud.com](https://exchange.xforce.ibmcloud.com/)
* IP Geo Tool {free} for your script integration: [https://tools.keycdn.com/geo.json?host={IP or hostname}](https://tools.keycdn.com/geo.json?host={IP or hostname}) Important: See [https://tools.keycdn.com/geo](https://tools.keycdn.com/geo) for configuring your request header User-Agent string correctly.
* MISP for MD5 and SHA2 [http://www.misp-project.org/](http://www.misp-project.org/)
* Also consider MISP Taxonomies for your integration work [https://github.com/MISP/misp-taxonomies/](https://github.com/MISP/misp-taxonomies/)
* PassiveTotal for FQDN Whois lookups [https://www.passivetotal.org/](https://www.passivetotal.org/)
* PulseDive for IPv4, FQDN and URL lookups [https://pulsedive.com/](https://pulsedive.com/)
* Recorded Future for IPv4, FQDN, MD5, SHA1 and SHA2 lookups [http://recordedfuture.com/](http://recordedfuture.com/)
* For IP lookups and much more:
* Shodan [https://www.shodan.io/](https://www.shodan.io/)
* Search Query Fundamentals: [https://help.shodan.io/the-basics/search-query-fundamentals](https://help.shodan.io/the-basics/search-query-fundamentals)
* REST and Streaming API Queries: [https://developer.shodan.io/api/banner-specification](https://developer.shodan.io/api/banner-specification)
* Docker image to run [Shodan CLI](https://github.com/achillean/shodan-python): [https://github.com/crazy-max/docker-shodan](https://github.com/crazy-max/docker-shodan)
* Greynoise [https://viz.greynoise.io/trends](https://viz.greynoise.io/trends)
* ZoomEye for IPv4 lookups [https://www.zoomeye.org/](https://www.zoomeye.org/)
* Cloud IP Ranges [https://github.com/nccgroup/cloud_ip_ranges](https://github.com/nccgroup/cloud_ip_ranges)
* CDN IP Ranges [https://github.com/six2dez/ipcdn](https://github.com/six2dez/ipcdn)
* ThreatCrowd for IPv4, FQDN and MD5 lookups [https://www.threatcrowd.org/](https://www.threatcrowd.org/)
* ThreatMiner: IPv4, Email, FQDN, MD5, SHA1 and SHA2 lookups [https://www.threatminer.org/](https://www.threatminer.org/)
* Wigle for WiFi [https://wigle.net/](https://wigle.net/)
* Sourcecode Search [https://publicwww.com/](https://publicwww.com/)
* Utility to identify active committers participating in targeted repositories or github.com organizations. [https://github.com/kaakaww/contributors_tool](https://github.com/kaakaww/contributors_tool)
* Find *professional* email addresses [https://hunter.io/](https://hunter.io/)
* VirusTotal for MD5, SHA1, SHA2, URL and FQDN lookups [https://www.virustotal.com/](https://www.virustotal.com/)
* Buster, An advanced tool for email reconnaissance [https://github.com/sham00n/buster](https://github.com/sham00n/buster)
* WayBulk, Search a list of domains on the wayback machine [https://github.com/sham00n/waybulk](https://github.com/sham00n/waybulk)
* General outline of information about a specific host or domain [https://webrate.org/site/website-hostname/](https://webrate.org/site/website-hostname/) (**replace "*website-hostname*" with your target.**)
* Bluetooth "Wall of Sheep." "A little app that discovers bluetooth devices near by and displays them on a board." https://github.com/skittleson/bluetooth-wos
### Math and Statistics
* Statistics in Pandas Cheatsheet [https://cheatsheets.quantecon.org/stats-cheatsheet.html](https://cheatsheets.quantecon.org/stats-cheatsheet.html)
* Manish Saraswat's list of Free books on statistics mathematics data science [http://www.analyticsvidhya.com/blog/2016/02/free-read-books-statistics-mathematics-data-science/](http://www.analyticsvidhya.com/blog/2016/02/free-read-books-statistics-mathematics-data-science/)
* Chen's Free Data Science Books [http://www.wzchen.com/data-science-books/](http://www.wzchen.com/data-science-books/)
* balban's Free Statistics Books [https://github.com/balban/Books/tree/master/Statistics](https://github.com/balban/Books/tree/master/Statistics)
* "Unsupervised Cross-lingual Representation Learning at Scale" by Alexis Conneau and Kartikay Khandelwal, et al. [https://arxiv.org/pdf/1911.02116.pdf](https://arxiv.org/pdf/1911.02116.pdf)
* "What Is a Time-Series Plot, and How Can You Create One?" [https://www.timescale.com/blog/what-is-a-time-series-plot-and-how-can-you-create-one/](https://www.timescale.com/blog/what-is-a-time-series-plot-and-how-can-you-create-one/)
* "How to Work With Time Series in Python?" [https://www.timescale.com/blog/how-to-work-with-tim/](https://www.timescale.com/blog/how-to-work-with-tim/)
* "Tools for Working With Time-Series Analysis in Python" [https://www.timescale.com/blog/tools-for-working-with-time-series-analysis-in-python/](https://www.timescale.com/blog/tools-for-working-with-time-series-analysis-in-python/)
* Complete guide to create a Time Series Forecast (Python) [http://www.analyticsvidhya.com/blog/2016/02/time-series-forecasting-codes-python/](http://www.analyticsvidhya.com/blog/2016/02/time-series-forecasting-codes-python/) and in R [http://www.analyticsvidhya.com/blog/2015/12/complete-tutorial-time-series-modeling/](http://www.analyticsvidhya.com/blog/2015/12/complete-tutorial-time-series-modeling/)
* functime is a Python library for production-ready global forecasting and time-series feature engineering (*comes with time-series preprocessing (box-cox, differencing etc), cross-validation splitters (expanding and sliding window), and forecast metrics (MASE, SMAPE etc)*) [https://github.com/descendant-ai/functime](https://github.com/descendant-ai/functime)
* [Mathics](https://mathics.org/) is a general-purpose computer algebra system (CAS). The mathics-core repository contains just the Python modules for WL Built-in functions, variables, core primitives, e.g. Symbol, a parser to create Expressions, and an evaluator to execute them. [https://github.com/Mathics3/mathics-core](https://github.com/Mathics3/mathics-core)
### Text to Speech / Speech to Text
* VibeVoice: A Frontier Long Conversational Text-to-Speech Model [https://github.com/microsoft/VibeVoice](https://github.com/microsoft/VibeVoice)
* eSpeak NG [https://github.com/espeak-ng/espeak-ng](https://github.com/espeak-ng/espeak-ng)
* Using eSpeak and eSpeakNG [https://vitux.com/convert-text-to-voice-with-espeak-on-ubuntu/](https://vitux.com/convert-text-to-voice-with-espeak-on-ubuntu/)
* eSpeak NG TTS Bindings for Python3 [https://github.com/sayak-brm/espeakng-python](https://github.com/sayak-brm/espeakng-python)
* Larynx -- This engine provides a complete text-to-speech solution for 9 languages in as many as 50 voices and can be used without any proprietary cloud services (*each voice is roughly 250MB*). This project includes an *easy path* using a Docker image. [https://github.com/rhasspy/larynx](https://github.com/rhasspy/larynx)
* RealtimeTTS is a state-of-the-art text-to-speech (TTS) library designed for real-time applications. It stands out in its ability to convert text streams fast into high-quality auditory output with minimal latency. [https://github.com/KoljaB/RealtimeTTS](https://github.com/KoljaB/RealtimeTTS)
* Also see its cousin, RealtimeSTT "Easy-to-use, low-latency speech-to-text library for realtime applications." [https://github.com/KoljaB/RealtimeSTT](https://github.com/KoljaB/RealtimeSTT)
* Speech-to-text app "Linguflex" includes local TTS. [https://github.com/KoljaB/Linguflex](https://github.com/KoljaB/Linguflex)
* NanoTTS: Speech synthesizer commandline utility (*Thank you Gregory Naughton*) [https://github.com/gmn/nanotts](https://github.com/gmn/nanotts)
### Random Cheat Sheets
* Cheat Sheets from a terminal via curl: [http://cheat.sh/](http://cheat.sh/)
* OWASP Cheat Sheet Series index: [https://github.com/OWASP/CheatSheetSeries/blob/master/Index.md](https://github.com/OWASP/CheatSheetSeries/blob/master/Index.md) and [https://cheatsheetseries.owasp.org/](https://cheatsheetseries.owasp.org/)
* Massive list of links to lists associated with programming and languages [https://neverendingsecurity.wordpress.com/category/documents-manuals/mind-maps/](https://neverendingsecurity.wordpress.com/category/documents-manuals/mind-maps/)
* SQL Injection Cheat Sheet [https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* Collection of SQL Injection Cheat Sheets [https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet](https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* Random reminder of how SQL Joins work. [http://blog.codinghorror.com/a-visual-explanation-of-sql-joins/](http://blog.codinghorror.com/a-visual-explanation-of-sql-joins/) Browse the comments as well. And if that doesn't do it, try [http://gplivna.blogspot.com/2008/01/sql-join-types-im-studying-bit-sql.html](http://gplivna.blogspot.com/2008/01/sql-join-types-im-studying-bit-sql.html)
* "awesome-incident-response" a curated list of tools and resources for security incident response [https://github.com/meirwah/awesome-incident-response](https://github.com/meirwah/awesome-incident-response)
* Incident "Debriefing Facilitation Guide -- Leading Groups at Etsy to Learn From Accidents." by: John Allspaw, Morgan Evans, Daniel Schauenberg; 2016 [http://extfiles.etsy.com/DebriefingFacilitationGuide.pdf](http://extfiles.etsy.com/DebriefingFacilitationGuide.pdf) and in MarkDown format: [https://github.com/etsy/DebriefingFacilitationGuide](https://github.com/etsy/DebriefingFacilitationGuide)
* "Digital Services Playbook." [https://playbook.cio.gov/](https://playbook.cio.gov/) and the source in MarkDown at: [https://github.com/usds/playbook](https://github.com/usds/playbook)
* 101 Machine Learning Algorithms for Data Science with Cheat Sheets [https://blog.datasciencedojo.com/machine-learning-algorithms/](https://blog.datasciencedojo.com/machine-learning-algorithms/)
* An extensive list of filetypes and the application(s) associated with them [https://github.com/vscode-icons/vscode-icons/wiki/ListOfFiles](https://github.com/vscode-icons/vscode-icons/wiki/ListOfFiles)
### Several Tech Company Research & Security Blogs
* AppScan Standard and AppScan Enterprise Forum [http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1320&start=0](http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1320&start=0)
* Fortify AppSecurity Blog [https://community.microfocus.com/cyberres/tags/Fortify](https://community.microfocus.com/cyberres/tags/Fortify)
* Fortify Security Research Blog [https://community.microfocus.com/cyberres/b/off-by-on-software-security-blog](https://community.microfocus.com/cyberres/b/off-by-on-software-security-blog)
* HP AppSecurity Feed [https://twitter.com/HPappsecurity](https://twitter.com/HPappsecurity)
* IBM Security-Intelligence Feed [http://securityintelligence.com/](http://securityintelligence.com/)
* IBM Research News [http://ibmresearchnews.blogspot.com/](http://ibmresearchnews.blogspot.com/)
* IBM Research Home [http://www.research.ibm.com/](http://www.research.ibm.com/)
* IBM Community Blogs [https://www-304.ibm.com/connections/communities/service/html/allcommunities](https://www-304.ibm.com/connections/communities/service/html/allcommunities)
* IBM DeveloperWorks Blogs -- Recent Updates [https://www.ibm.com/developerworks/](https://www.ibm.com/developerworks/community/groups/service/html/community/updates?communityUuid=81c130c7-4408-4e01-adf5-658ae0ef5f0c&filter=all)
* Microsoft Research Blogs [https://www.microsoft.com/en-us/research/blog/](https://www.microsoft.com/en-us/research/blog/)
* Microsoft Cybersecurity Blog [https://www.microsoft.com/security/blog/](https://www.microsoft.com/security/blog/)
* Microsoft Office365 Developer Blog [https://developer.microsoft.com/en-us/office](https://developer.microsoft.com/en-us/office) supported by [https://github.com/OfficeDev](https://github.com/OfficeDev)
* Google Online Security Blog [http://googleonlinesecurity.blogspot.com/](http://googleonlinesecurity.blogspot.com/)
* Google AppSecurity Research [https://www.google.com/about/appsecurity/research/](https://www.google.com/about/appsecurity/research/) and supporting details at [https://code.google.com/p/google-security-research/issues/list?can=1](https://code.google.com/p/google-security-research/issues/list?can=1)
* PortSwigger (Burp) Blog [http://blog.portswigger.net/](http://blog.portswigger.net/)
* Apple Research News/Blog/Home (oops, I guess there aren't any security blogs here)
But Apple hubris is in the press -- Here is a page with links to journalism on the Pegasus Project: [https://www.msnbc.com/rachel-maddow-show/pegasus-project-media-index-n1274437](https://www.msnbc.com/rachel-maddow-show/pegasus-project-media-index-n1274437)
### Respect software author's license decisions
* Software licensing explained [https://en.wikipedia.org/wiki/Software_license](https://en.wikipedia.org/wiki/Software_license)
* Comparison of free and open-source software licenses [http://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licenses](http://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licenses)
* Open Source Initiative list of links to license information [http://opensource.org/licenses](http://opensource.org/licenses)
* "Various Licenses and Comments about Them" from GNU [http://www.gnu.org/philosophy/license-list.html](http://www.gnu.org/philosophy/license-list.html)
* "Software Licenses in Plain English -- Lookup popular software licenses summarized at-a-glance." [https://tldrlegal.com/](https://tldrlegal.com/)
### Various public documents, whitepapers and articles about APT campaigns
* APTnotes is a repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets. [https://github.com/aptnotes/data](https://github.com/aptnotes/data) or go directly to the resource links at [https://github.com/aptnotes/data/blob/master/APTnotes.csv](https://github.com/aptnotes/data/blob/master/APTnotes.csv)
### Verify those shortened URLs
* [https://tinyurl.com/preview.php](https://tinyurl.com/preview.php)
* [http://checkshorturl.com/](http://checkshorturl.com/)
* URL-Expander / URL-Unshortener [http://urlex.org/](http://urlex.org/)
### Find the code you need
* In a hurry? Try asking OpenAI's ChatGPT to write what you need: [https://chat.openai.com/chat](https://chat.openai.com/chat)
* Awesome Algorithms -- A curated list of awesome places to learn and/or practice algorithms [https://github.com/tayllan/awesome-algorithms](https://github.com/tayllan/awesome-algorithms)
* Open Source resource for learning Data Structures & Algorithms and their implementation in any Programming Language [https://github.com/TheAlgorithms](https://github.com/TheAlgorithms)
* [http://c2.com/cgi/wiki?FindPage](http://c2.com/cgi/wiki?FindPage)
* A large collection of sorting algorithms in many languages [https://github.com/search?q=sorting+algorithms&ref=reposearch&utf8=%E2%9C%93](https://github.com/search?q=sorting+algorithms&ref=reposearch&utf8=%E2%9C%93)
* Competitive Programming, algorithms and data structures [https://algocoding.wordpress.com/](https://algocoding.wordpress.com/)
### Then copy & morph
* virtualenv is a tool to create isolated Python environments [https://virtualenv.pypa.io/en/latest/](https://virtualenv.pypa.io/en/latest/)
* A relatively quick Python Numpy Tutorial by Justin Johnson. [http://cs231n.github.io/python-numpy-tutorial/](http://cs231n.github.io/python-numpy-tutorial/)
### Risk Management Frameworks
* Financial Services Sector "Cybersecurity Profile" - 280 'diagnostic statements' [https://www.fsscc.org/Financial-Sector-Cybersecurity-Profile](https://www.fsscc.org/Financial-Sector-Cybersecurity-Profile)
* NIST SP-800-53 v4
### Stay Informed
(in no particular order - and thank you Joe Fleischman for the starter set)
* Krebs On Security [http://krebsonsecurity.com/](http://krebsonsecurity.com/)
* Schneier on Security [https://www.schneier.com/](https://www.schneier.com/)
* IBM X-Force Home [http://securityintelligence.com/topics/x-force/](http://securityintelligence.com/topics/x-force/)
* Security Bloggers Network [https://securityboulevard.com/sbn/](https://securityboulevard.com/sbn/)
* News from NetCraft [https://news.netcraft.com/](https://news.netcraft.com/) and their security category at [https://news.netcraft.com/archives/category/security/](https://news.netcraft.com/archives/category/security/)
* Help Net Security [http://www.net-security.org/secworld_main.php](http://www.net-security.org/secworld_main.php)
* Malwarebytes Blog [https://blog.malwarebytes.org/](https://blog.malwarebytes.org/)
* Sophos NakedSecurity Blog [https://nakedsecurity.sophos.com/](https://nakedsecurity.sophos.com/)
* FreedomHacker [http://freedomhacker.net/](http://freedomhacker.net/)
* Wired Threat Level [http://www.wired.com/category/threatlevel](http://www.wired.com/category/threatlevel)
* Homeland Security News Wire [http://www.homelandsecuritynewswire.com/topics/cybersecurity](http://www.homelandsecuritynewswire.com/topics/cybersecurity)
* CNET [http://www.cnet.com/topics/security/](http://www.cnet.com/topics/security/)
* Threat Post [https://threatpost.com/](https://threatpost.com/)
* SC Magazine [http://www.scmagazine.com/news/section/100/](http://www.scmagazine.com/news/section/100/)
* Reddit (cybersecurity) [http://www.reddit.com/r/cybersecurity/](http://www.reddit.com/r/cybersecurity/)
* Mashable (cybersecurity) [http://mashable.com/category/cybersecurity/](http://mashable.com/category/cybersecurity/)
* Fierce IT Security [http://www.fierceitsecurity.com/](http://www.fierceitsecurity.com/)
(and for more details)
* 1 Raindrop [http://1raindrop.typepad.com/1_raindrop/](http://1raindrop.typepad.com/1_raindrop/)
* Information Week Dark Reading [http://www.darkreading.com/](http://www.darkreading.com/)
* Dark Reading aggregation of news about attacks and breaches [https://www.darkreading.com/attacks-breaches.asp](https://www.darkreading.com/attacks-breaches.asp)
* White Hat Security Blog [https://www.whitehatsec.com/blog/](https://www.whitehatsec.com/blog/)
* Sucuri Blog [https://blog.sucuri.net/](https://blog.sucuri.net/)
* FireEye Blog [https://www.fireeye.com/blog/threat-research.html](https://www.fireeye.com/blog/threat-research.html)
* SANS Security Awareness Blog [http://www.securingthehuman.org/blog](http://www.securingthehuman.org/blog)
* SANS Digital Forensics Blog [http://digital-forensics.sans.org/blog](http://digital-forensics.sans.org/blog)
* SEI Blog [https://insights.sei.cmu.edu/blog/](https://insights.sei.cmu.edu/blog/)
* System Forensics [http://www.sysforensics.org/](http://www.sysforensics.org/)
* System Admin, Powershell (*inactive*) [http://sysadminconcombre.blogspot.ca/](http://sysadminconcombre.blogspot.ca/)
* BOT24 [http://www.bot24.com/](http://www.bot24.com/)
* DDoS Illustrations at [http://www.digitalattackmap.com/](http://www.digitalattackmap.com/) Thank you Diego Navarro.
* Kite Blog: [https://kite.com/blog](https://kite.com/blog)
* AWS Week in Review: [https://aws.amazon.com/blogs/aws/tag/week-in-review/](https://aws.amazon.com/blogs/aws/tag/week-in-review/)
* Center for the Study of Intelligence (CSI) Books and Monographs. https://www.cia.gov/resources/csi/books-and-monographs/
### Software Defined Radio (SDR)
* Overview: [http://microhams.blob.core.windows.net/content/2017/03/RTL-SDR-dongle.pdf](http://microhams.blob.core.windows.net/content/2017/03/RTL-SDR-dongle.pdf)
* FISSURE -- Frequency Independent SDR-based Signal Understanding and Reverse Engineering -- an open-source RF and reverse engineering framework for signal detection and classification, protocol discovery, vulnerability analysis and more [https://github.com/ainfosec/FISSURE](https://github.com/ainfosec/FISSURE)
* Big List of SDR Applications: [https://wiki.radioreference.com/index.php/SDR_Software_Applications](https://wiki.radioreference.com/index.php/SDR_Software_Applications)
* PDW (Paging decoder for monitoring POCSAG, FLEX, ACARS, MOBITEX & ERMES pager traffic): [http://www.discriminator.nl/pdw/index-en.html](http://www.discriminator.nl/pdw/index-en.html) and [https://github.com/Discriminator/PDW](https://github.com/Discriminator/PDW)
* Unitrunker: [http://www.unitrunker.com/](http://www.unitrunker.com/) (pager RF-to-text?). Manuals at: [http://utahradio.org/mediawiki/index.php/UniTrunker_Guide](http://utahradio.org/mediawiki/index.php/UniTrunker_Guide) and [http://www.unitrunker.com/windows.html](http://www.unitrunker.com/windows.html) and [http://www.unitrunker.com/realtek.html](http://www.unitrunker.com/realtek.html)
  Supported protocols (definitions at: http://wiki.radioreference.com/):
  * APCO P25
  * EDACS 4800
  * EDACS 9600
  * Motorola
  * MPT1327
* SDRTrunk
* DMRDecode
* ?? Digital Speech Decoder (software package)
* R820T (integrated multi‐band RF tuner IC implemented in CMOS) data sheet: [https://www.rtl-sdr.com/wp-content/uploads/2013/04/R820T_datasheet-Non_R-20111130_unlocked1.pdf](https://www.rtl-sdr.com/wp-content/uploads/2013/04/R820T_datasheet-Non_R-20111130_unlocked1.pdf)
* Rafael Micro R820T2 Data Sheet (24-1766 MHz, newer lower noise version of the R820T): Some info in [https://www.rtl-sdr.com/wp-content/uploads/2018/02/RTL-SDR-Blog-V3-Datasheet.pdf](https://www.rtl-sdr.com/wp-content/uploads/2018/02/RTL-SDR-Blog-V3-Datasheet.pdf) and register descriptions here: [https://www.rtl-sdr.com/r820t2-register-description-data-sheet-now-available/](https://www.rtl-sdr.com/r820t2-register-description-data-sheet-now-available/) and [https://www.rtl-sdr.com/wp-content/uploads/2016/12/R820T2_Register_Description.pdf](https://www.rtl-sdr.com/wp-content/uploads/2016/12/R820T2_Register_Description.pdf)
* Source Code examples for interacting with the R820TU: [https://github.com/emeb/r820t2/tree/master/f030_r820t2](https://github.com/emeb/r820t2/tree/master/f030_r820t2)
* "Hello, world!" for GNSS-SDR: [http://gnss-sdr.org/my-first-fix/](http://gnss-sdr.org/my-first-fix/)
* Dump 1090 is a Mode S decoder specifically designed for RTLSDR devices [https://github.com/antirez/dump1090](https://github.com/antirez/dump1090)
* An improved webinterface for use with ADS-B decoders readsb / dump1090-fa [https://github.com/wiedehopf/tar1090](https://github.com/wiedehopf/tar1090)
### Temporary list for new work tools
* U.S. and World Population Clock: https://www.census.gov/popclock/
* readNum: This python project turns a number into a readable spelled-out form [https://github.com/theRealProHacker/readNum/](https://github.com/theRealProHacker/readNum/)
* Review this Awesome Docker list/resource from time to time: https://github.com/veggiemonk/awesome-docker
* Review this Awesome Remote Job list/resource to see if there is anything useful to me: https://github.com/lukasz-madon/awesome-remote-job
* Top-like interface for container metrics - ctop provides a concise and condensed overview of real-time metrics for multiple containers [https://github.com/bcicen/ctop](https://github.com/bcicen/ctop) or one of the others at [https://github.com/veggiemonk/awesome-docker/blob/master/README.md#terminal](https://github.com/veggiemonk/awesome-docker/blob/master/README.md#terminal)
* A collection of minimal Docker images: [https://github.com/vektorcloud](https://github.com/vektorcloud)
* Another collection of specialized Docker images: [https://github.com/jessfraz/dockerfiles](https://github.com/jessfraz/dockerfiles)
* A collection of Docker files from CenturyLink Labs: [https://github.com/CenturyLinkLabs?q=&type=&language=dockerfile](https://github.com/CenturyLinkLabs?q=&type=&language=dockerfile)
* Awesome-Security: [https://github.com/sbilly/awesome-security](https://github.com/sbilly/awesome-security)
* Awesome console services [https://github.com/gnebbia/awesome-console-services](https://github.com/gnebbia/awesome-console-services)
* 'The Book of Secret Knowledge' - A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more: [https://github.com/trimstray/the-book-of-secret-knowledge](https://github.com/trimstray/the-book-of-secret-knowledge)
* A pair of tools for running phishing campaigns to raise security awareness: Swordphish Phishing Awareness Tool [https://github.com/certsocietegenerale/swordphish-awareness/](https://github.com/certsocietegenerale/swordphish-awareness/) and the Outlook add-in companion to report suspicious mail easily [https://github.com/certsocietegenerale/NotifySecurity](https://github.com/certsocietegenerale/NotifySecurity)
* W3C HTML Tidy - Usage: `curl someURL | tidy -iq` [http://www.html-tidy.org/](http://www.html-tidy.org/) and [https://github.com/htacg/tidy-html5](https://github.com/htacg/tidy-html5)
* CanaryTokens [https://canarytokens.org/generate](https://canarytokens.org/generate)
* Canary (a 'honeypot' appliance) [https://canary.tools/](https://canary.tools/)
* WebSphere Password Decoders: [http://strelitzia.net/wasXORdecoder/wasXORdecoder.html](http://strelitzia.net/wasXORdecoder/wasXORdecoder.html)
* Conference Session Search Service - Con Collector (broken) but they still list conferences [https://www.thinkst.com/ts.html](https://www.thinkst.com/ts.html)
* Some Open Source Network Monitoring Tools:
  * Snort: [https://www.snort.org/downloads](https://www.snort.org/downloads)
  * Suricata: [https://suricata-ids.org/](https://suricata-ids.org/)
  * Bro: [https://www.bro.org/](https://www.bro.org/)
* OSSEC - Open Source HIDS SECurity [https://ossec.github.io/](https://ossec.github.io/)
* Lists of IP addresses by Country - use to block or to assess your log data, etc. [http://www.ipdeny.com/ipblocks/](http://www.ipdeny.com/ipblocks/)
* Words are important, choose them well [https://wordnik.com/](https://wordnik.com/)
* Check a site or service [https://www.hurl.it/](https://www.hurl.it/)
* G Suite Toolbox Browserinfo -- very handy [https://toolbox.googleapps.com/apps/browserinfo/](https://toolbox.googleapps.com/apps/browserinfo/)
* A useful set of app-friendly utilities [https://httpbin.org/](https://httpbin.org/), for example, what is your current IP address [https://httpbin.org/ip](https://httpbin.org/ip)
* A fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests [https://github.com/m57/dnsteal](https://github.com/m57/dnsteal)
* A collection of default Oracle usernames and passwords [https://github.com/Oweoqi/oracle_creds](https://github.com/Oweoqi/oracle_creds)
* Sometimes you need a little local web server [https://github.com/kzahel/web-server-chrome](https://github.com/kzahel/web-server-chrome)
* Sometimes only ASCII is needed/allowed -- Convert a HTML table into ASCII table using Python: Colspan and Rowspan allowed [https://github.com/gustavklopp/DashTable](https://github.com/gustavklopp/DashTable)
* Reference (probably dated, but better than nothing) List of all generic top level domains [https://github.com/kyleconroy/gtlds](https://github.com/kyleconroy/gtlds)
* FuzzDB Project [https://github.com/fuzzdb-project/fuzzdb](https://github.com/fuzzdb-project/fuzzdb)
* Free IP geolocation API: `curl http://api.db-ip.com/v2/free/IP-Address` or `curl http://api.db-ip.com/v2/free/IP-Address/countryName` [up to 1000/day]
* GetGeoIPContext web service to easily look up countries by Context [http://www.webservicex.net/geoipservice.asmx/GetGeoIPContext?](http://www.webservicex.net/geoipservice.asmx/GetGeoIPContext?) (Caution: as of October 2021, they are using a self-signed certificate)
* GetGeoIP web service to easily look up countries by IP address [http://www.webservicex.net/geoipservice.asmx/GetGeoIP?IPAddress=string](http://www.webservicex.net/geoipservice.asmx/GetGeoIP?IPAddress=string)
* Get domain name registration record by Host Name / Domain Name (WhoIS) [http://www.webservicex.net/whois.asmx/GetWhoIS?HostName=string](http://www.webservicex.net/whois.asmx/GetWhoIS?HostName=string)
* Get weather report for any major cities around the world [http://www.webservicex.net/globalweather.asmx/GetWeather?CityName=string&CountryName=string](http://www.webservicex.net/globalweather.asmx/GetWeather?CityName=string&CountryName=string)
* A much better way to get weather! ...in your terminal [https://github.com/chubin/wttr.in](https://github.com/chubin/wttr.in) and then try some one-liners, for example:
  * `curl https://wttr.in/yourCity?format="%l:+%t+%w+%h+%f"`
  * in your .bashrc: `alias weather='curl https://wttr.in/yourCity'`
* A high-functioning command line tool that displays the current weather (from OpenWeather) in the terminal written in Rust [https://github.com/gourlaysama/girouette](https://github.com/gourlaysama/girouette)
* Website style analyzer for designers [http://stylifyme.com/](http://stylifyme.com/) and source at: [https://github.com/micmro/Stylify-Me](https://github.com/micmro/Stylify-Me)
* A python script that generates different sizes favicons from one image [https://github.com/Hecsall/favicon-generator](https://github.com/Hecsall/favicon-generator)
### Bash Shell and Terminals More Broadly
* [https://github.com/alebcay/awesome-shell](https://github.com/alebcay/awesome-shell)
* Bash scripting CheatSheet [https://devhints.io/bash](https://devhints.io/bash)
* Bash for the shell novice:
  * [http://swcarpentry.github.io/shell-novice/](http://swcarpentry.github.io/shell-novice/)
  * [https://help.ubuntu.com/community/Beginners/BashScripting](https://help.ubuntu.com/community/Beginners/BashScripting)
* Shell script static analysis tool -- a lint for bash/sh/zsh [shellcheck](https://github.com/koalaman/shellcheck)
* Pure Bash Bible [https://github.com/dylanaraps/pure-bash-bible](https://github.com/dylanaraps/pure-bash-bible)
* Bash Strict Mode by Aaron Maxwell [http://redsymbol.net/articles/unofficial-bash-strict-mode/](http://redsymbol.net/articles/unofficial-bash-strict-mode/)
* Slack CLI via pure bash [https://github.com/rockymadden/slack-cli](https://github.com/rockymadden/slack-cli)
* [https://github.com/herrbischoff/awesome-osx-command-line](https://github.com/herrbischoff/awesome-osx-command-line)
* A beginner's guide to setting up a development environment on macOS [https://github.com/nicolashery/mac-dev-setup](https://github.com/nicolashery/mac-dev-setup)
* A collection of one-liners [https://github.com/jlevy/the-art-of-command-line#one-liners](https://github.com/jlevy/the-art-of-command-line#one-liners)
* Terminal Browsers: Needing *freeform* access to explore some Internet resources while constrained to a terminal interface is not that uncommon. Here are some options (*thanks to Mats Tage Axelsson, [LXF280](https://linuxformat.com/linux-format-280.html)*)
  * [Elinks](https://github.com/rkd77/elinks)
  * [w3m](https://w3m.sourceforge.net) and for Debian, updated [w3m](https://github.com/tats/w3m)
  * [browsh](https://brow.sh)
  * [Lynx](https://lynx.browser.org/)
### Misinformation / Disinformation are Rampant -- Check Those 'Facts'
* AP Fact Check: https://www.ap.org/
* Check Your Fact: https://checkyourfact.com/
* El Detector / Univision Noticias: https://www.univision.com/especiales/noticias/detector/
* FactCheck.org, Annenberg Public Policy Center: https://www.factcheck.org/
* MediaWise: https://www.poynter.org/mediawise/
* Politifact: http://www.politifact.com/
* Snopes: https://www.snopes.com/
* T Verifica (Noticias Telemundo): https://www.telemundo.com/noticias/t-verifica
* The Dispatch Fact Check: https://thedispatch.com/
* Washington Post Fact Checker: https://www.washingtonpost.com/news/fact-checker/
This is a subset of the longer list at: https://ifcncodeofprinciples.poynter.org/signatories
### Development Environment on a Mac
* A beginner's guide to setting up a development environment on macOS [https://github.com/nicolashery/mac-dev-setup](https://github.com/nicolashery/mac-dev-setup)
* "A shell script which turns your Mac into an awesome web development machine." [https://github.com/18F/laptop](https://github.com/18F/laptop)
### There is probably some free training for that...
* Find a class at https://www.classcentral.com/search or https://www.classcentral.com/subjects
* Find out about assistance at: https://www.classcentral.com/help/moocs
* By universities (1301 on 16 Jan 2023): https://www.classcentral.com/universities
* By sub-groups of universities: https://www.classcentral.com/collection/ivy-league-moocs
* By commercial Institutions (1721 on 16 Jan 2023): https://www.classcentral.com/institutions
* Free Online Learning Due to Coronavirus - ClassCentral maintains a list of temporarily free courses at: https://www.classcentral.com/report/free-online-learning-coronavirus/
* M.I.T. offers free content on OpenCourseWare: https://ocw.mit.edu/index.htm
* Open Culture lists more than 1,500 courses: http://www.openculture.com/freeonlinecourses
* Coursera https://www.coursera.org/ and https://www.classcentral.com/report/coursera-free-certificate-covid-19/
* edX https://www.edx.org/
* FutureLearn https://www.futurelearn.com/ and https://www.classcentral.com/report/futurelearn-free-certificates/
* Udacity https://www.udacity.com/
* Udemy https://www.udemy.com/courses/free/
* Upgrad https://www.upgrad.com/free-courses/
* Full reference of LinkedIn answers 2021 for skill assessments, LinkedIn test, questions and answers [https://github.com/Ebazhanov/linkedin-skill-assessments-quizzes](https://github.com/Ebazhanov/linkedin-skill-assessments-quizzes)
### Quantum Computing Resources
Here are some resources to learn more about this topic:
* Open-Source Quantum Development. Qiskit [quiss-kit] is an open-source SDK for working with quantum computers at the level of pulses, circuits, and application modules. (*Python 3.7+ in a virtual environment with Anaconda*) [Qiskit](https://www.qiskit.org/)
* IBM Quantum Lab [https://quantum-computing.ibm.com/lab](https://quantum-computing.ibm.com/lab)
* I have some old, unmaintained resources at [https://github.com/mccright/rand-notes/blob/master/quantum-computing.md](https://github.com/mccright/rand-notes/blob/master/quantum-computing.md)
### Temporary list for work tools or other resources requiring more follow-up
* SVAR - Simple Voice Activated Recorder. https://github.com/Arkq/svar
* Alien invasion shoot-em-up that runs in a terminal with bash (*everyone needs a break once in a while*): https://github.com/vaniacer/piu-piu-SH/
* Center for the Study of Intelligence (CSI) Books and Monographs. https://www.cia.gov/resources/csi/books-and-monographs/
* The Rust-lang Book [https://github.com/rust-lang/book](https://github.com/rust-lang/book)
* An architecture decision record (ADR) is a document that captures an important architecture decision made along with its context and consequences. [Joel Parker Henderson](https://github.com/joelparkerhenderson) has a lot of resources to get you started at: [https://github.com/joelparkerhenderson/architecture-decision-record/tree/main](https://github.com/joelparkerhenderson/architecture-decision-record/tree/main)
* How have I known about ripgrep (rg) - an excellent '*grep*' for searching through files in a directory tree? [https://github.com/BurntSushi/ripgrep](https://github.com/BurntSushi/ripgrep)
* Get Windows Token Information [https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-OSTokenInformation.ps1](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-OSTokenInformation.ps1)
* flaskql-playground [https://github.com/cmpilato/flaskql-playground](https://github.com/cmpilato/flaskql-playground)
* also look into [https://github.com/yangyuexiong/Flask_BestPractices](https://github.com/yangyuexiong/Flask_BestPractices)
* and this little model Flask app: https://github.com/gmn/PythonWeb/
* fedy: Fedora post-install tool to install multimedia codecs and additional software that Fedora doesn't want to ship, like H264 support, Adobe Flash (*don't do Flash unless it is absolutely necessary for some materially-important purpose*), Oracle Java etc., and much more with just a few clicks [https://github.com/rpmfusion-infra/fedy](https://github.com/rpmfusion-infra/fedy)
* Sometimes you are given data with no description of its layout/nature. Here are two data exploration utilities:
* Flenser [https://github.com/JohnMcCambridge/flenser](https://github.com/JohnMcCambridge/flenser)
* Lux [https://github.com/lux-org/lux](https://github.com/lux-org/lux)
* Begone Ads [Python] [https://github.com/anned20/begoneads/tree/master/begoneads](https://github.com/anned20/begoneads/tree/master/begoneads)
* Raspberry Pi: Tutorials, Models, How to Get Started by Avram Piltch, Tom's Hardware [https://www.tomshardware.com/news/raspberry-pi](https://www.tomshardware.com/news/raspberry-pi)
* READ: "A Building Code for Building Code -- Putting What We Know Works to Work." By Carl E. Landwehr. [http://www.landwehr.org/2013-12-cl-acsac-essay-bc.pdf](http://www.landwehr.org/2013-12-cl-acsac-essay-bc.pdf)
* Tufin [http://www.tufin.com/](http://www.tufin.com/)
* Viewfinity [http://www.viewfinity.com/](http://www.viewfinity.com/)
* Check Various tools for testing RFC 5077 [https://github.com/vincentbernat/rfc5077](https://github.com/vincentbernat/rfc5077)
* Check interactive SNMP tool with Python [https://github.com/vincentbernat/snimpy](https://github.com/vincentbernat/snimpy)
* layer 2 network discovery application [https://github.com/vincentbernat/wiremaps](https://github.com/vincentbernat/wiremaps)
* What Port Is? [https://github.com/ncrocfer/whatportis](https://github.com/ncrocfer/whatportis)
* Java 8 Cheat Sheet: [http://zeroturnaround.com/wp-content/uploads/2015/12/RebelLabs-Java-8-cheat-sheet.png](http://zeroturnaround.com/wp-content/uploads/2015/12/RebelLabs-Java-8-cheat-sheet.png)
* Crypto101: an introductory course on cryptography. [https://www.crypto101.io/](https://www.crypto101.io/)
* Handy list of browser user-agent strings (long) in PHP code: [https://github.com/smxi/php-browser-detection/blob/master/browser_detection.inc](https://github.com/smxi/php-browser-detection/blob/master/browser_detection.inc)
* 7500 user-agent strings from Jerry Gamblin [https://github.com/jgamblin/curluseragent/blob/master/ua.txt](https://github.com/jgamblin/curluseragent/blob/master/ua.txt)
* Another list (short) of UA strings, categorized by device types [https://github.com/miketaylr/useragent-switcher-xml/blob/master/useragentswitcher.xml](https://github.com/miketaylr/useragent-switcher-xml/blob/master/useragentswitcher.xml)
* Google Fiber Wifi Data Presentation [http://apenwarr.ca/diary/wifi-data-apenwarr-201602.pdf](http://apenwarr.ca/diary/wifi-data-apenwarr-201602.pdf) and related utilities: [https://gfiber.googlesource.com/vendor/google/platform/+/master/spectralanalyzer/](https://gfiber.googlesource.com/vendor/google/platform/+/master/spectralanalyzer/) & [https://github.com/apenwarr/wavedroplet/](https://github.com/apenwarr/wavedroplet/) & blip [https://github.com/apenwarr/blip/](https://github.com/apenwarr/blip/)
* blip latency trending utility [https://github.com/apenwarr/blip](https://github.com/apenwarr/blip) hosted at [http://gfblip.appspot.com/](http://gfblip.appspot.com/) and the DNS-aware version (*don't have this*) hosted at [http://6-dot-gfblip.appspot.com](http://6-dot-gfblip.appspot.com)
* Performance-Bookmarklet helps to analyze the current page through the Resource Timing API, Navigation Timing API and User-Timing - requests by type, domain, load times, marks and more. [https://github.com/micmro/performance-bookmarklet](https://github.com/micmro/performance-bookmarklet)
* *mitmproxy* is an interactive, SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets. A free and open source swiss-army knife for debugging, testing, privacy measurements, and penetration testing. [https://github.com/mitmproxy/mitmproxy](https://github.com/mitmproxy/mitmproxy)
* Transparent proxy server [https://github.com/apenwarr/sshuttle](https://github.com/apenwarr/sshuttle)
* Packet decoding for the Go language [https://github.com/apenwarr/gopacket](https://github.com/apenwarr/gopacket) and [https://github.com/google/gopacket](https://github.com/google/gopacket)
* Here is a useful starter Flask-and-SQLite tutorial [https://flask.palletsprojects.com/en/3.0.x/patterns/sqlite3/](https://flask.palletsprojects.com/en/3.0.x/patterns/sqlite3/)
* Very fast C++ importer from csv files to sqlite3 databases [https://github.com/apenwarr/csv2sqlite](https://github.com/apenwarr/csv2sqlite)
* A feature-packed Python package for utilizing SQLite in Python by Plasticity [https://github.com/plasticityai/supersqlite](https://github.com/plasticityai/supersqlite)
* An idea for csv-to-json {csv2json.py} [https://github.com/apenwarr/afterquery/blob/master/csv2json.py](https://github.com/apenwarr/afterquery/blob/master/csv2json.py)
* "Structured text tools" -- A useful list of text-based file formats and command line tools for manipulating each [https://github.com/dbohdan/structured-text-tools](https://github.com/dbohdan/structured-text-tools)
* Text Tools [https://github.com/fmhy/FMHY/wiki/%F0%9F%94%A7-Tools#-text-tools](https://github.com/fmhy/FMHY/wiki/%F0%9F%94%A7-Tools#-text-tools) and more generally "[tools](https://github.com/fmhy/FMHY/wiki/%F0%9F%94%A7-Tools)"
* Simple static page development grunt setup [https://github.com/micmro/grunt-simple-boilerplate](https://github.com/micmro/grunt-simple-boilerplate)
* WiGPSFi – ESP8266 + GPS [http://euerdesign.de/2016/04/16/wigpsfi-esp8266-gps/](http://euerdesign.de/2016/04/16/wigpsfi-esp8266-gps/)
* Creepy Wireless Stalking Made Easy [https://hackaday.com/2016/12/04/creepy-wireless-stalking-made-easy/](https://hackaday.com/2016/12/04/creepy-wireless-stalking-made-easy/)
* WarWalking With The ESP8266 [https://hackaday.com/2016/10/23/warwalking-with-the-esp8266/](https://hackaday.com/2016/10/23/warwalking-with-the-esp8266/)
* Windows 10 Wi-Fi Analyzer [https://www.microsoft.com/en-us/store/p/wifi-analyzer/9nblggh33n0n](https://www.microsoft.com/en-us/store/p/wifi-analyzer/9nblggh33n0n)
* Code Review Questions:
* Eric Farkas: [http://ericfarkas.com/posts/questions-i-ask-during-code-review](http://ericfarkas.com/posts/questions-i-ask-during-code-review)
* thoughtbot's Code Review guide [https://github.com/thoughtbot/guides/blob/main/code-review/README.md](https://github.com/thoughtbot/guides/blob/main/code-review/README.md)
* Examples from StackExchange [https://security.stackexchange.com/questions/tagged/code-review](https://security.stackexchange.com/questions/tagged/code-review)
* Another [https://productcoalition.com/code-review-questions-what-should-you-be-looking-for-e3f9c147baff](https://productcoalition.com/code-review-questions-what-should-you-be-looking-for-e3f9c147baff)
* How to give a code review [https://medium.com/better-programming/how-to-give-a-great-code-review-7e32e5ba0771](https://medium.com/better-programming/how-to-give-a-great-code-review-7e32e5ba0771)
* How to do code review (.NET) [https://sites.google.com/site/wcfpandu/how-to-review-code](https://sites.google.com/site/wcfpandu/how-to-review-code)
* And wildly off-topic -- but important -- [Patient Rights Advocate](https://www.patientrightsadvocate.org/) released its "[Hospital Price Files Finder](https://hospitalpricingfiles.org/)," which it describes as "The first-ever free and publicly available search tool that allows consumers to view the available hospital pricing files from nearly all of the 6,000 hospitals throughout the U.S." This collection of medical cost-of-service data is not easy to use. It seems like a data source for some innovative (*and possibly profitable*) software development efforts. [https://hospitalpricingfiles.org/](https://hospitalpricingfiles.org/)
### Other
* Learn more about what your github repos can do for you: [https://github.com/joelparkerhenderson/github-special-files-and-paths](https://github.com/joelparkerhenderson/github-special-files-and-paths)
* Where are the power outages? [https://poweroutage.com/](https://poweroutage.com/) and [https://poweroutage.us/](https://poweroutage.us/)
* Fear & Greed Index [https://money.cnn.com/data/fear-and-greed/](https://money.cnn.com/data/fear-and-greed/)
* The **best** command line stock price grabber for a quick sanity check! Thank you Patrick Stadler. [https://github.com/pstadler/ticker.sh](https://github.com/pstadler/ticker.sh)
* And another great-looking command line stock price grabber: ```curl https://terminal-stocks.herokuapp.com/SYMBOL```. Thank you Shashi Prakash Gautam for your excellent server. [https://github.com/shweshi/terminal-stocks](https://github.com/shweshi/terminal-stocks)
* If you want to just grab a long history for any given security (*through 2018-03-27*), try [https://www.quandl.com/api/v3/datasets/WIKI/symbol](https://www.quandl.com/api/v3/datasets/WIKI/symbol)
* Database of False or Misleading Claims By DJ Trump During his 4-Year Presidency (*more than 30,000 of them*) [https://www.washingtonpost.com/graphics/politics/trump-claims-database/](https://www.washingtonpost.com/graphics/politics/trump-claims-database/)
* Look into this simple mass Search & Replace tool (Rust): [https://github.com/nvie/sr](https://github.com/nvie/sr)
* Who pays for writing? Here is an annotated list of organizations that pay writers: [https://github.com/malgamves/CommunityWriterPrograms](https://github.com/malgamves/CommunityWriterPrograms)
* China Brief [https://jamestown.org/programs/cb/](https://jamestown.org/programs/cb/)
* For some background on the expanding criminal industry of ransomware where criminal syndicates have evolved a "conveyor-belt-like process of hacking, encrypting and then negotiating for ransom in cryptocurrencies:" [https://www.nytimes.com/2021/12/06/world/europe/ransomware-russia-bitcoin.html](https://www.nytimes.com/2021/12/06/world/europe/ransomware-russia-bitcoin.html)
* For a primer on the sprawling People’s Liberation Army (PLA) Strategic Support Force that "centralizes information warfare capabilities in the cyber and space domains" from the U.S. [Congressional Research Service](https://crsreports.congress.gov) see: [China Primer: The People’s Liberation Army (PLA) (Updated December 21, 2022)](https://crsreports.congress.gov/product/pdf/IF/IF11719)
* Online SVG Editor, SVGBob [https://ivanceras.github.io/svgbob-editor/](https://ivanceras.github.io/svgbob-editor/)
* SVG Python module [https://github.com/orsinium-labs/svg.py](https://github.com/orsinium-labs/svg.py)
* svgcleaner (*Rust*) is used to losslessly reduce the size of an SVG image -- generally created in a vector editing application -- before publishing [https://github.com/RazrFalcon/svgcleaner](https://github.com/RazrFalcon/svgcleaner). See also:
* SVGO (*Python*) [https://github.com/svg/svgo](https://github.com/svg/svgo)
* Scour (*JavaScript/TypeScript*) [https://github.com/scour-project/scour](https://github.com/scour-project/scour)
* MuseScore [https://github.com/musescore/MuseScore](https://github.com/musescore/MuseScore) and [https://musescore.org/en/guitar](https://musescore.org/en/guitar)
* Chordious [https://github.com/jonthysell/Chordious](https://github.com/jonthysell/Chordious) with related [https://github.com/svg-net/SVG](https://github.com/svg-net/SVG)
* DoD Cyber Workforce Framework - interesting way to describe roles [https://public.cyber.mil/cw/dcwf/](https://public.cyber.mil/cw/dcwf/)
* Before donating to non-profits, do your research [https://www.open990.org/org/](https://www.open990.org/org/)
* Satellite view of my weather [http://re.ssec.wisc.edu/](http://re.ssec.wisc.edu/)
* High-resolution imagery via Earth Engine [https://explorer.earthengine.google.com/#workspace](https://explorer.earthengine.google.com/#workspace)
* Remittances sent from United States to other countries in USD [https://remittancesbycountry.site/country/united_states](https://remittancesbycountry.site/country/united_states)
* Getting communications right is hard. Language is a foundational component. WordNet sometimes helps. [https://en-word.net/](https://en-word.net/) and [https://github.com/globalwordnet/english-wordnet](https://github.com/globalwordnet/english-wordnet)
* Sometimes historical context matters when choosing a given term. Merriam-Webster hosts a neat tool that identifies when given words were first used. Look up any year to find out. From Merriam-Webster, [https://www.merriam-webster.com/dictionary/ad%20hominem](https://www.merriam-webster.com/dictionary/ad%20hominem). Accessed 24 Oct. 2022
* Webster's 1913 Unabridged Dictionary at Project Gutenberg [https://www.gutenberg.org/ebooks/29765](https://www.gutenberg.org/ebooks/29765)
* International Building Code, 2012, Second Printing. [https://codes.iccsafe.org/content/IBC2012P12/chapter-1-scope-and-administration](https://codes.iccsafe.org/content/IBC2012P12/chapter-1-scope-and-administration)
* ISO Country List [https://www.iso.org/obp/ui/#search](https://www.iso.org/obp/ui/#search)
* Script that extracts character names from a text file and performs analysis of text sentences containing the names. [https://github.com/emdaniels/character-extraction](https://github.com/emdaniels/character-extraction)
* The definitive list of lists (of lists) curated on GitHub [https://github.com/jnv/lists](https://github.com/jnv/lists)
* Mobile App Pentesting Cheatsheet [https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet/blob/master/README.md](https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet/blob/master/README.md)
* Free Programming Books [https://github.com/vhf/free-programming-books/blob/master/free-programming-books.md](https://github.com/vhf/free-programming-books/blob/master/free-programming-books.md)
* More Free Programming Books [https://github.com/EbookFoundation/free-programming-books/blob/master/free-programming-books.md](https://github.com/EbookFoundation/free-programming-books/blob/master/free-programming-books.md)
* Tool by Tool, Skill by Skill. By Simon St.Laurent [http://chimera.labs.oreilly.com/books/1234000000882/index.html](http://chimera.labs.oreilly.com/books/1234000000882/index.html)
Especially Appendix B. Sharpening and Maintenance Basics. [http://chimera.labs.oreilly.com/books/1234000000882/apb.html](http://chimera.labs.oreilly.com/books/1234000000882/apb.html)
* Awesome Selfhosted. This is a list of Free Software network services and web applications which can be hosted locally. [https://github.com/awesome-selfhosted/awesome-selfhosted](https://github.com/awesome-selfhosted/awesome-selfhosted)
* Awesome SysAdmin. A list of open source sysadmin resources. [https://github.com/kahun/awesome-sysadmin](https://github.com/kahun/awesome-sysadmin)
* Awesome Data Science. A repository of resources to learn and apply for real world problems. [https://github.com/okulbilisim/awesome-datascience](https://github.com/okulbilisim/awesome-datascience)
* And data from OurWorldInData for your experiments: [https://github.com/owid/owid-datasets/tree/master/datasets](https://github.com/owid/owid-datasets/tree/master/datasets)
* Registry of Open Data on AWS [https://registry.opendata.aws/](https://registry.opendata.aws/)
* 487+ Free Open Datasets from AWS: [https://aws.amazon.com/marketplace...](https://aws.amazon.com/marketplace/search/results?trk=8384929b-0eb1-4af3-8996-07aa409646bc&sc_channel=el&FULFILLMENT_OPTION_TYPE=DATA_EXCHANGE&CONTRACT_TYPE=OPEN_DATA_LICENSES&PRICING_MODEL=FREE&filters=FULFILLMENT_OPTION_TYPE%2CCONTRACT_TYPE%2CPRICING_MODEL)
* Awesome R [https://github.com/qinwf/awesome-R](https://github.com/qinwf/awesome-R) and [https://awesome-r.com/](https://awesome-r.com/)
* Managing risk in the context of a long time-horizon.
* See the "Global Risks 2014 - Ninth Edition" Insight Report from the World Economic Forum. [http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2014.pdf](http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2014.pdf) Especially part 2, pages 38-49. It is a short read on risks associated with -- among other topics -- the way the Internet is evolving, risks associated with "trust," and "managing risk" in the context of a long time-horizon.
* Also: "Global Risks 2015 - Tenth Edition" [http://www3.weforum.org/docs/WEF_Global_Risks_2015_Report15.pdf](http://www3.weforum.org/docs/WEF_Global_Risks_2015_Report15.pdf)
* And more recently: "Global Risks 2016 - Eleventh Edition" [http://www3.weforum.org/docs/GRR/WEF_GRR16.pdf](http://www3.weforum.org/docs/GRR/WEF_GRR16.pdf)
* And 2017: "Global Risks 2017 -- 12th Edition" [http://www3.weforum.org/docs/GRR17_Report_web.pdf](http://www3.weforum.org/docs/GRR17_Report_web.pdf)
* And 2018: "The Global Risks Report 2018 - 13th Edition" [http://www3.weforum.org/docs/WEF_GRR18_Report.pdf](http://www3.weforum.org/docs/WEF_GRR18_Report.pdf)
* And 2019: "The Global Risks Report 2019 - 14th Edition" [http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf](http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf)
* And 2020: "The Global Risks Report 2020 - 20th Edition" [http://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf](http://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf) or [https://reports.weforum.org/global-risks-report-2020/](https://reports.weforum.org/global-risks-report-2020/)
* And 2021: "The Global Risks Report 2021 - 21st Edition" [http://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2021.pdf](http://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2021.pdf) or [https://www.weforum.org/publications/the-global-risks-report-2021/](https://www.weforum.org/publications/the-global-risks-report-2021/)
* And 2022: "The Global Risks Report 2022 - 22nd Edition" [http://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2022.pdf](http://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2022.pdf) or [https://www.weforum.org/publications/the-global-risks-report-2022/](https://www.weforum.org/publications/the-global-risks-report-2022/)
* And 2023: "The Global Risks Report 2023 - 23rd Edition" [http://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2023.pdf](http://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2023.pdf) or [https://www.weforum.org/publications/the-global-risks-report-2023/](https://www.weforum.org/publications/the-global-risks-report-2023/)
* And most recently: "The Global Risks Report 2024 - 24th Edition" [https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2024.pdf](https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2024.pdf) or [https://www.weforum.org/publications/global-risks-report-2024/](https://www.weforum.org/publications/global-risks-report-2024/)
* A definitive list of tools for generating static websites [https://github.com/pinceladasdaweb/Static-Site-Generators](https://github.com/pinceladasdaweb/Static-Site-Generators)
* The definitive list of newsletters to keep up to date on various web development technologies [https://github.com/pinceladasdaweb/Upgrade-your-brain](https://github.com/pinceladasdaweb/Upgrade-your-brain)
* hack-font for your development environment [https://www.npmjs.com/package/hack-font](https://www.npmjs.com/package/hack-font)
* Big list of HTTP media types [https://www.iana.org/assignments/media-types/media-types.xhtml](https://www.iana.org/assignments/media-types/media-types.xhtml)
* Open source, free textbooks: [https://ocw.mit.edu/courses/online-textbooks/](https://ocw.mit.edu/courses/online-textbooks/) and [https://openstax.org/](https://openstax.org/)
* WhitePages: [https://www.therealyellowpages.com/Des-Moines-Regional-IA-2021/1/](https://www.therealyellowpages.com/Des-Moines-Regional-IA-2021/1/)
* and something completely different [https://ir.uiowa.edu/annals-of-iowa/](https://ir.uiowa.edu/annals-of-iowa/)
* The *real* cost of a car [https://www.carboncounter.com/#!/explore](https://www.carboncounter.com/#!/explore)
* My favorite essay on bitcoin [https://www.nytimes.com/2021/06/14/opinion/bitcoin-cryptocurrency-flaws.html](https://www.nytimes.com/2021/06/14/opinion/bitcoin-cryptocurrency-flaws.html)
* Architecture Patterns with Python, Enabling Test-Driven Development, Domain-Driven Design, and Event-Driven Microservices. (A Book about Pythonic Application Architecture Patterns for Managing Complexity.) By Harry Percival, Bob Gregory [https://github.com/cosmicpython/book](https://github.com/cosmicpython/book) and [http://shop.oreilly.com/product/0636920254638.do](http://shop.oreilly.com/product/0636920254638.do)
* An excellent first lesson on "Dockerizing FastAPI with Postgres, Uvicorn, and Traefik (and Let's Encrypt)" By Amal Shaji, 2021-05-04. [https://testdriven.io/blog/fastapi-docker-traefik/](https://testdriven.io/blog/fastapi-docker-traefik/)
### Projects associated with Novel Corona Virus - COVID-19
See: [https://github.com/mccright/rand-notes/blob/master/Novel-Corona-Virus-COVID-19.md](https://github.com/mccright/rand-notes/blob/master/Novel-Corona-Virus-COVID-19.md)
### WIKI-like platforms for easy sharing (*On your private, safe network*)
* cowyo is a self-contained wiki server that makes jotting notes simple, easy and fast, but it is crude and feels a little unfinished [https://github.com/schollz/cowyo](https://github.com/schollz/cowyo)
* Linx is a more full-featured *pastebin-like* platform [https://github.com/ZizzyDizzyMC/linx-server/](https://github.com/ZizzyDizzyMC/linx-server/)
### Broadly Reusable Advice
* The world is brimming with uncertainties. If you don't have a [will](https://www.freewill.com/glossary#will), create one (*do it now -- you can always morph it later as needed*). Under many circumstances you can start here for free: [https://www.freewill.com/](https://www.freewill.com/) (*there are other systems that will help you prepare a basic will for free*)
* "One reason people insist that you use the proper channels to change things is because they have control of the proper channels and they're confident it won't work." [https://twitter.com/joncstone/status/1269961630940631041](https://twitter.com/joncstone/status/1269961630940631041)
* On Being Fired [https://third-bit.com/rules/#being-fired](https://third-bit.com/rules/#being-fired)
* Ten quick tips for delivering programming lessons [https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1007433](https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1007433)
* Ten quick tips for teaching programming [https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1006023](https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1006023)
* Jesse Duffield's "*Stuff I would tell my younger self*" [https://github.com/jesseduffield/wisdom/wiki](https://github.com/jesseduffield/wisdom/wiki)
* A [Thesaurus of Job Titles](http://www.enlightenjobs.com/) to help "Improve the information flowing between recruiters and job seekers. Improve how recruiters and job seekers create job postings and resumes/online profiles. Improve how recruiters and job seekers search for candidates and jobs" [https://github.com/johnpcarty/Thesaurus-of-Job-Titles](https://github.com/johnpcarty/Thesaurus-of-Job-Titles)
* Ten simple rules for making research software more robust [https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1005412](https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1005412)
* You have the right to film police. Here's how to do it effectively — and safely [https://www.washingtonpost.com/technology/2021/04/22/how-to-film-police-smartphone/](https://www.washingtonpost.com/technology/2021/04/22/how-to-film-police-smartphone/) and why it is important to do so [https://www.washingtonpost.com/business/technology/a-cop-fires-a-teen-dies-yet-six-police-body-cameras-somehow-miss-what-happens](https://www.washingtonpost.com/business/technology/a-cop-fires-a-teen-dies-yet-six-police-body-cameras-somehow-miss-what-happens/2017/03/20/c7d801a8-0824-11e7-b77c-0047d15a24e0_story.html)
* "Companies are hoarding personal data about you. Here's how to get them to delete it." [https://www.washingtonpost.com/technology/2021/09/26/ask-company-delete-personal-data/](https://www.washingtonpost.com/technology/2021/09/26/ask-company-delete-personal-data/)
* "The three fundamental Rules of Robotics"
>**One**, a robot may not injure a human being, or, through inaction, allow a human being to come to harm.
**Two**, a robot must obey the orders given it by human beings except where such orders would conflict with the First Law.
**Three**, a robot must protect its own existence as long as such protection does not conflict with the First or Second Laws. [Isaac Asimov introduced these in his 1942 short story "Runaround" (*included in the 1950 collection I, Robot*) [https://en.wikipedia.org/wiki/Three_Laws_of_Robotics](https://en.wikipedia.org/wiki/Three_Laws_of_Robotics)]