我建议查看CWE/SANS前25个最危险的编程错误。它在2010年进行了更新，并承诺在未来定期更新。2009年的修订版也可以使用。

从http://cwe.mitre.org/top25/index.html

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

我愿补充以下几点:

数字签名和数字证书是如何工作的 沙盒是什么

了解不同的攻击载体是如何工作的:

本机代码的缓冲区溢出/下溢/等 社会工程师 DNS欺骗 中间的人 CSRF/XSS等 SQL注入 加密攻击(例如:利用弱加密算法，如DES) 程序/框架错误(例如:github最新的安全漏洞)

你可以很容易地谷歌所有这些。这会给你一个很好的基础。 如果你想了解web应用程序的漏洞，有一个名为谷歌gruyere的项目可以向你展示如何利用一个正在运行的web应用程序。

为什么是重要的。 这都是关于权衡。 密码学在很大程度上分散了人们对安全性的注意力。

框架和api中安全默认值的重要性:

Lots of early web frameworks didn't escape html by default in templates and had XSS problems because of this Lots of early web frameworks made it easier to concatenate SQL than to create parameterized queries leading to lots of SQL injection bugs. Some versions of Erlang (R13B, maybe others) don't verify ssl peer certificates by default and there are probably lots of erlang code that is susceptible to SSL MITM attacks Java's XSLT transformer by default allows execution of arbitrary java code. There has been many serious security bugs created by this. Java's XML parsing APIs by default allow the parsed document to read arbitrary files on the filesystem. More fun :)

一个好的入门课程可能是麻省理工学院的计算机网络与安全课程。我建议的一件事是不要忘记隐私。从某种意义上说，隐私确实是安全的基础，在有关安全的技术课程中并不经常涉及。你可能会在这门与互联网相关的道德与法律课程中找到一些关于隐私的材料。

程序员的安全规则第一条:不要自己动手

除非您自己是安全专家和/或密码学家，否则请始终使用设计良好、经过良好测试且成熟的安全平台、框架或库来为您工作。专家和黑客等人花了数年时间思考、修补、更新和检查这些问题。你想要获得这些优势，而不是试图重新发明轮子而忽视它们。

现在，这并不是说您不需要学习任何关于安全性的知识。当然，您需要了解足够多的知识来理解您在做什么，并确保正确地使用这些工具。然而，如果你发现自己要开始编写自己的加密算法、认证系统、输入杀毒器等，停下来，后退一步，记住规则#1。