As with anyone who’s serious about developing generalized security knowledge, I have my fingers in a lot of pies. Among other things, this means that I am a very busy guy. It is normal for me to be in the middle of reading no fewer than three books, at least one of which is about security and/or programming, at any given time.

I’ve been thinking about what books to read next. I have enough on my shelves to keep me busy for a while, but when I think about what books to read, I inevitably start thinking about what books I want to buy for the future. My current short list of security-related books to buy takes the form of an Amazon wish list I call my Security Queue. Whether my intention is to learn something new or to just explore additional approaches and alternative views on subjects with which I am already conversant, all the following books make me want to reach for my wallet.

Note: This article originally appeared as an entry in our IT Security blog. It’s also available as a PDF download.

1: Software Security Library Boxed Set

It seems appropriate to start a list of 10 security books I want to read by cheating a little. The first item in this list is actually a boxed set of three books. Author Gary McGraw had a hand in all three, with the help of co-authors John Viega and Greg Hoglund. The titles include:

  • Building Secure Software: How to Avoid Security Problems the Right Way — Sporting a picture of a white cowboy hat and colloquially referred to as The White Hat Book, this volume addresses the need to start security with the design of the software itself.
  • Exploiting Software: How to Break Code — Adorned with an image of a black cowboy hat and colloquially referred to as The Black Hat Book, this volume addresses the matter of software security from the attacker’s perspective. It purports to provide valuable insights into the needs and techniques of secure software development by giving developers an outsider’s view of their work.
  • Software Security: Building Security In — The last volume of the trilogy is marked by the Taoist symbol of opposing forces — yin and yang — in balance, each side decorated with either a white or black cowboy hat. According to its description on Amazon, this book “unifies the two sides of software security — attack and defense, exploiting and designing, breaking and building — into a coherent whole.”

Reviews suggest there is a little redundancy between the books, because they are intended to be able to stand alone as well as working together as a set. But accounts tend to agree that the Software Security Library Boxed Set is a worthwhile purchase.

2: Applied Cryptography

Bruce Schneier’s classic tome on the subject of “Protocols, Algorithms, and Source Code in C” for cryptographic tool development is pretty much universally regarded as a must-read foundational text for the would-be security software developer. It is old enough now that some of what it has to say must be taken with a grain of salt, but its value as a technical introduction to cryptography is by all accounts timeless. It is really surprising that I still have not found the time to read it.

3: Practical Cryptography

Co-authored by Niels Ferguson and Bruce Schneier, this book reputedly takes a more human-centric approach to the topic of developing cryptographic tools and systems. Schneier has lamented his more purely technical approach to addressing the topic of cryptographic systems in Applied Cryptography as ignoring the importance of the human factor in secure systems design, and this book serves at least in part as an answer to that problem. I intend to read it as a follow-up to Schneier’s earlier text.

4: PGP & GPG

I normally do not spend money on books and other resources that are essentially feature guides to specific pieces of software. Even when I buy books about particular operating systems (or families of them), I try to select those that take a generalized approach so that the information is applicable to other systems. This policy has served me well over the years.

This book appears to land somewhere between a text about specific tools and a more generalized approach to dealing with a software use topic. It specifically addresses both the PGP and GnuPG (also known as GPG) encryption tools, but it also discusses the ways public key cryptography can serve the reader well in providing cryptographic privacy protection using the OpenPGP protocol. Overall, it appears to be a good choice for continuing to flesh out my understanding of the practical individual uses of public key cryptography.

5: The Book of PF

Continuing the trend of making an exception to my “no specific application books” policy, this one is about the OpenBSD project’s firewall, PF (short for Packet Filter). It is also available on other OSes, including my current favorite, FreeBSD — and it is the firewall software I am using right now. A quick read about the uses and configuration of PF seems entirely beneficial, from my perspective.

6: Fuzzing: Brute Force Vulnerability Discovery

I need to examine the topic of fuzzing in more depth than I already have. My knowledge and experience in this area are woefully lacking, compared to other security subject areas that serve some interest or importance in my life. In addition to gaining greater insight into the security challenges facing software developers, I hope that reading this book will put me on the path to being more directly helpful to the developers of certain software projects and to being better able to ensure the security of the software I write myself.

7: Reversing: Secrets of Reverse Engineering

In the area of reverse engineering, I am long on theory and short on practice. While I hope this book will give me more depth and breadth in the theory area, my greatest desire is that it will point me toward improving my practical knowledge of the techniques of reverse engineering. Beyond their obvious use to security crackers, the techniques and uses of reverse engineering also offer real security benefits to security researchers and developers of secure software.

8: The Tao of Network Security Monitoring

There is always room to improve in the realm of detecting, and addressing, security compromises. As the Amazon description of the book says:

Network security monitoring (NSM) equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes — resulting in decreased impact from unauthorized activities.

If that’s not a good reason to learn something about network security monitoring in the IT industry, I don’t know what is.

9: Security Warrior

The description on the Amazon site really covers this book for me:

Security Warrior is the most comprehensive and up-to-date book covering the art of computer war: attacks against computer systems and their defenses. It’s often scary, and never comforting. If you’re on the front lines, defending your site against attackers, you need this book. On your shelf — and in your hands.

10: Hacking: The Next Generation

An ambitious attempt to map out the near future of information systems security, Hacking is the sort of book that looks like it will be a fun and intriguing read — as long as I get around to it in the next year or so. Topics like the present and near future of information security come with a well-hidden expiration date, because they attempt to address the concrete realities and developing trends of extremely fast-moving fields. They can also prove incredibly valuable, and having thumbed through this one in a local bookstore not long ago, I have high hopes for it.

Other titles

Are there security texts I should add to my list? If you’ve read any of these books, would you recommend them?