Security has become the most pressing issue in the information
technology community. There are countless sites dealing with the
subject in one manner or another. Some are maintained by public
organizations, some by private companies, and yet some others by
community volunteer efforts. The quality of the information can
vary greatly.
This page provides a selection of those resources that I have
found to be particularly useful. The focus is on vendor-neutral
information, with emphasis on open-source software. This list is
by no means meant to be exhaustive, and there are other sites
which have longer lists.
US Government Agencies
Several agencies of the US Government are involved in
establishing guidelines and standards related to computer
security. These documents are mostly freely available. Other
efforts include the publication of known vulnerabilities and the
development of tools for the hardening of computer systems.
See the definitions below for an expansion
of some of the abbreviations and acronyms of the various agencies.
- US Computer Emergency
Readiness Team - A joint venture by the National Cyber
Security Division of the Department of Homeland Security and
private organizations.
- Computer
Incident Advisory Capability (CIAC) - An activity sponsored
by the DOE and NNSA which provides these and other government
agencies solutions to computer security threats.
- Systems and Network Attack Center (SNAC) - Part of the NSA, this group has published a number of Security Configuration Guides for various operating systems and applications.
- Computer Security Resource
Center (CSRC) - A project of the Computer Security
Division of the NIST's Information Technology Laboratory (ITL).
Its publications
library offers many documents, including federal standards,
ITL research reports, and some early papers on computer
security.
- Common Criteria for Information Technology Security Evaluation (CCITSE) - Also known as just Common Criteria (CC), this is a jointly developed evaluation standard established by the governments of the United States, United Kingdom, Germany, France, Canada, and the Netherlands.
- Common Criteria Evaluation and Validation Scheme (CCEVS) Validation Body - This joint activity of the NIST and the NSA is establishing a national program to evaluate IT products with regard to the international CC.
- Rainbow Series - Published by the NSA in the '80s and '90s, these books describe the evaluation criteria for trusted computer systems. Each book has a cover of a different color, hence the collective name "Rainbow Series." Some of these books have been superseded by the Common Criteria.
US Private Organizations
There are many private companies and non-profit organizations
which provide computer security resources in the United States.
- Immunix - A hardened version of the Linux v2.4 kernel, with access controls, buffer overflow checking, and format string protection.
- Internet Security Alliance (ISA) - This cooperative effort between Carnegie Mellon University and the Electronic Industries Alliance (EIA) aims to improve its members' management of computer security threats.
- LinuxSecurity.com - A site dedicated to serving the open source community with information related to security. It is owned and maintained by Guardian Digital, Inc., who also distribute EnGarde Secure Linux.
- Linux Security
Modules - Sponsored by the DARPA, IBM, WireX, and others,
this project establishes a framework for access control in the
form of loadable kernel modules.
- The SANS Institute -
Established in 1989 as a research and education organization,
the Institute provides a large library of research documents
pertaining to computer security. It also offers training and
hosts conferences on this subject. SANS is an acronym for
SysAdmin, Audit, Network, Security.
- TruSecure Corp. - This company provides security products and services. An interesting feature is the Hype or Hot section, which lists many threats and classifies them in different ways, including as hype or hoax.
- TrustedBSD - A
project which targets the Common Criteria for FreeBSD.
- UC Davis Computer
Security Laboratory - This lab is working on several
security projects.
International
There are a number of international organizations which deal
with the problem of computer security in a cooperative manner.
- Bastille Linux - An open-source effort to harden Unix systems, including HP-UX and Mac OS X.
- Forum of Incident Response and Security Teams (FIRST) - A coalition of international government and private organizations dedicated to sharing information and coordinating responses to computer security threats.
- FreeBSD
Security - Provides information related to securing this
operating system.
- International Information Systems Security Certification Consortium - Also known as (ISC)², this organization has developed international certifications for individuals working in the computer security field.
- InterSect Alliance - A team of Australian IT security specialists providing support in the form of software and services to a variety of customers. They also offer a few open source tools.
- Linux From
Scratch - Another open source community. Although the
primary focus is on providing instructions to assemble a
working Linux system from source code, it has recently added
a section on hardening such a system.
- The Linux Documentation Project - Among all types of documents related to Linux, this site has a number of security-related HOWTOs for the Linux operating system.
- RFC
2196: Site Security Handbook - A memorandum by the Network
Working Group of the IETF.
- OpenBSD
Security - Provides information related to securing this
operating system.
- ProPolice
- An extension for the GNU C compiler to protect applications
from stack-smashing or buffer overflow attacks. It was
developed by IBM's labs in Japan.
Regional Government Agencies
Many governments throughout the world have established their
own public agencies to address threats to computer security in
their respective countries.
- AusCERT - The
Australian Computer Emergency Response Team provides computer
security-related information not just to its own country, but
to others in the Asia/Pacific region as well.
- CERT-Bund - The
"Computer Emergency Response Team für Bundesbehörden" is the
CERT for government agencies of the Federal Republic of
Germany.
Miscellaneous abbreviations and acronyms:
- DARPA - Defense Advanced Research Projects Agency
- DOE - Department of Energy
- NIST - National Institute of Standards and Technology
- NNSA - National Nuclear Security Administration
- NSA - National Security Agency