An ever-evolving list of books "to be read" is a constant temptation. Chad Perrin hopes his top 10 list of security books he wants to acquire might tempt some of his readers, too.
As should anyone serious about developing generalized security knowledge, I have my fingers in a lot of pies, so to speak. Among other things, this means that I am really a very busy guy. It is normal for me to be in the middle of reading no fewer than three books, at least one of which is about security and/or programming, at any given time.
I have been thinking about what books to read next. I have enough on my shelves to keep me busy for a while, but when I think about what books to read I inevitably start thinking about what books I want to buy for the future. My current short list of security-related books to buy takes the form of an Amazon wish list I call my Security Queue. Whether my intention is to learn something new or to just explore additional approaches and alternative views on subjects with which I am already conversant, all the following books make me want to reach for my wallet.
1. Software Security Library Boxed Set
It seems appropriate to start a list of ten security books I want to read by cheating a little. The first item in this list is actually a boxed set of three books. Author Gary McGraw had a hand in all three of these books, with the help of co-authors John Viega and Greg Hoglund. The titles include:
- Building Secure Software: How to Avoid Security Problems the Right Way
Sporting a picture of a white cowboy hat, and colloquially referred to as The White Hat Book, this volume addresses the need to start security with the design of the software itself.
- Exploiting Software: How to Break Code
Adorned with an image of a black cowboy hat, and colloquially referred to as The Black Hat Book, this volume addresses the matter of software security from the attacker's perspective. It purports to provide valuable insights into the needs and techniques of secure software development by giving developers an outsider's view of their work.
- Software Security: Building Security In
The last volume of the trilogy is marked by the Taoist symbol of opposing forces — Yin and Yang — in balance, each side decorated with either a white or black cowboy hat. According to its description on Amazon, this book "unifies the two sides of software security—attack and defense, exploiting and designing, breaking and building—into a coherent whole."
Reviews suggest there is a little redundancy between the books, because they are intended to be able to stand alone as well as working together as a set, but accounts tend to agree that the Software Security Library Boxed Set is a worthwhile purchase.
2. Applied Cryptography
Bruce Schneier's classic tome on the subject of "Protocols, Algorithms, and Source Code in C" for cryptographic tool development is pretty much universally regarded as a must-read foundational text for the would-be security software developer. It is old enough now that some of what it has to say must be taken with a grain of salt, of course, but its value as a technical introduction to cryptography is by all accounts timeless. It is really surprising that I still have not found the time to read it.
3. Practical Cryptography
Co-authored by Niels Ferguson and Bruce Schneier, this book reputedly takes a more human-centric approach approach to the topic of developing cryptographic tools and systems. Schneier has lamented his more purely technical approach to addressing the topic of cryptographic systems in Applied Cryptography as ignoring the importance of the human factor in secure systems design, and this book serves at least in part as an answer to that problem. I intend to read it as a follow-up to Schneier's earlier text.
4. PGP & GPG
I normally do not spend money on books and other resources that are essentially feature guides to specific pieces of software. Even when I buy books about particular operating systems (or families of them), I tend to try to select those that take a generalized enough approach that the information presented is applicable to other systems, and this policy has served me well over the years.
This book appears to land somewhere between a text about specific tools and a more generalized approach to dealing with a software use topic. It specifically addresses both the PGP and GnuPG (also known as GPG) encryption tools, but it also discusses the ways public key cryptography can serve the reader well in providing cryptographic privacy protection using the OpenPGP protocol. Overall, it appears to be a good choice for continuing to flesh out my understanding of the practical individual uses of public key cryptography.
5. The Book of PF
Continuing my trend of making an exception to the "no specific application books" policy, this is about the OpenBSD project's firewall, PF (short for Packet Filter). It is also available on other OSes, including my current favorite, FreeBSD — and it is the firewall software I am using right now.
I make this exception to the usual policy of not spending money on books and other resources specific to a given piece of software mostly because I have not come up with a single reason to adhere to it in this case. A quick read about the uses and configuration of PF seems to be made up entirely of benefits from my perspective.
6. Fuzzing: Brute Force Vulnerability Discovery
The topic of fuzzing is one I simply need to examine in more depth than I already have. My knowledge and experience in this area is woefully lacking, compared to other security subject areas that serve some interest or importance in my life. In addition to gaining greater insight into the security challenges facing software developers, I also hope that reading this book might put me on the path to being more directly helpful to the developers of certain software projects, and to being better able to ensure the security of the software I write myself.
7. Reversing: Secrets of Reverse Engineering
In the area of reverse engineering, I am long on theory and short on practice. While I hope this book will give me more depth and breadth in the theory area, my greatest desire for this book is that it will point me toward improving my practical knowledge of the techniques of reverse engineering. Aside from security crackers, the security benefits of a strong knowledge of the techniques and uses of reverse engineering also apply to security researchers and developers of secure software.
8. The Tao of Network Security Monitoring
There is always room to improve in the realm of detecting, and addressing, security compromises. As the Amazon description of the book says:
Network security monitoring (NSM) equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes—resulting in decreased impact from unauthorized activities.
If that is not a good reason to learn something about network security monitoring in the IT industry, I do not know what is.
9. Security Warrior
The description on the Amazon site really covers this book for me.
Security Warrior is the most comprehensive and up-to-date book covering the art of computer war: attacks against computer systems and their defenses. It's often scary, and never comforting. If you're on the front lines, defending your site against attackers, you need this book. On your shelf—and in your hands.
10. Hacking: The Next Generation
An ambitious attempt to map out the near future of information systems security, Hacking is the sort of book that looks like it will be a fun and intriguing read — as long as I get around to it in the next year or so. Topics like the present and near future information security context of our world come with a well hidden expiration date, because they attempt to address the concrete realities and developing trends of extremely fast-moving fields. They can also prove incredibly valuable, and having thumbed through this one in a local bookstore not long ago I have high hopes for it.
Are there security texts I should add to my list? Do any of you have any experience with these books?
Obviously, this list may change in the future. With luck, anyone who feels a desire to keep up with those changes — including me — will find it worthwhile.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.