
General purpose guides

• The Open Web Application Security Project (OWASP) (https://owasp.org/www-project-top-ten/) is a not-for-profit online community that publishes secure application development resources, best known for the OWASP Top 10, a list of the most critical web application security risks. OWASP also maintains tools such as the Zed Attack Proxy (ZAP) and WebGoat (a deliberately insecure web application) for learning and practising penetration testing and application security.


• NIST’s Computer Security Incident Handling Guide, Special Publication 800-61 Revision 2 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf), covers how to organize an incident response capability and how to detect, analyze, contain, eradicate and recover from incidents.


• Security Technical Implementation Guides (STIGs), published by the Defense Information Systems Agency (DISA) within the Department of Defense, provide hardening guidelines for a variety of software and hardware products (https://iase.disa.mil/stigs/Pages/index.aspx).


• National Checklist Program (NCP) by NIST provides checklists and benchmarks for a variety of operating systems and applications (https://nvd.nist.gov/ncp/repository).


• The SANS Institute (https://sans.org) is a company specializing in cybersecurity and secure web application development training, and it sponsors the Global Information Assurance Certification (GIAC). The SANS website publishes a large amount of research, white papers and best practice guidance, including a set of security policy templates that organizations can adapt for their own use.


• The Center for Internet Security (https://cisecurity.org) is a not-for-profit organization (founded partly by SANS). It publishes the well-known “Top 20 Critical Security Controls” (now called the CIS Critical Security Controls and consolidated to 18 controls in version 8), a prioritized set of defensive measures, together with mappings from those controls to compliance frameworks such as PCI DSS, NIST 800-53, SOX and ISO 27000. CIS also produces product-focused configuration benchmarks, for example for Windows® Desktop, Windows Server®, macOS®, Linux®, Cisco®, web browsers, web servers, database and email servers, and VMware ESXi®.
