8 Books Security Pros Should Read
Hunting for a good resource on the security industry? Check out these classics from the experts to learn more about hacking, defense, cryptography and more.
Calling all infosec pros: What are the best books in your security library?
On second thought, let's take a step back. A better question may be: Do you have a security library at all? If not, why not?
Security professionals have countless blogs, videos, and podcasts to stay updated on rapidly changing news and trends. Books, on the other hand, are valuable resources for diving into a specific area of security to build knowledge and broaden your expertise.
Because the security industry is so complex, it's impossible to cram everything there is to know into a single tome. Authors generally focus their works on single topics such as cryptography, network security monitoring, and security assessment.
Consider one of the reads on this list of recommendations, Threat Modeling: Designing for Security. This book is based on the idea that while all security pros model threats, few have developed expertise in the area.
Author Adam Shostack aims to educate readers on the subject through chapters like "Checklists for Diving In and Threat Modeling," "Structured Approaches to Threat Modeling," and "Properties of Attack Libraries." It's handy for both beginner and advanced security pros to gain a foothold on a specific topic.
Whether you're seeking a career change or simply want to learn something new, it's worth your time to curl up with one of these recommended security reads. Are there any suggestions you would add to this list?
By Bruce Schneier
Published: Wiley, 1st Edition; March 30, 2015
Applied Cryptography is an overview of cryptography's many use cases, which go beyond encoding and decoding information. Author Bruce Schneier covers general classes of cryptographic protocols and detailed techniques to explain the inner workings of cryptographic algorithms.
His book explains how programmers and electronic communications experts can use cryptography to maintain strong computer security. In addition to describing algorithms, it gives advice on how to integrate them into cryptographic software, and demonstrates how they can be used to solve security problems.
By Adam Shostack
Published: Wiley, 1st Edition; February 17, 2014
Threat Modeling: Designing for Security provides advice on how to integrate strong security measures into the design of systems, software, and services. Security pros can learn more about different approaches to threat modeling, how to test their designs against threats, and effective ways to address threats.
The book serves as a how-to guide for security professionals and software developers who want to design and test more secure products. It provides a framework for thinking about what could go wrong, then explores different approaches to threat modeling, including asset-centric, software-centric, and attacker-centric.
Author Adam Shostack was formerly in charge of security development lifecycle threat modeling at Microsoft. He is currently founder of Confidenza Security.
By Richard Bejtlich
Published: No Starch Press, 1st Edition; August 5, 2013
This book is based on the premise that determined attackers will break through traditional security defenses. Effective security strategies do more than build walls. They also integrate network security monitoring (NSM), which involves gathering and analyzing data to better respond to attacks.
Author Richard Bejtlich, former CSO of Mandiant and current chief security strategist at FireEye, discusses how to build, deploy, and run an NSM operation using vendor-neutral tools and open-source software. Readers learn more about how to place and size NSM platforms, use command line and graphical packet analysis tools, interpret evidence, and integrate threat intelligence into NSM software to detect attackers.
By Richard Clarke, Robert Knake
Published: Ecco, Reprint Edition; August 5, 2011
Author Richard Clarke, a former presidential advisor and counter-terrorism expert, discusses the dangers of America's vulnerability during a time when cyber war poses a growing threat to the country.
Cyber War gives readers an insider's perspective of operations inside the White House 'Situation Room' and is intended to explain modern threats by depicting the frontlines of cyberdefense. Clarke provides an overview of past cyberattacks, the key players involved, and discussion of American policy for cyber defense.
By Gordon Corera
Published: Pegasus Books, 1st Edition; July 5, 2016
In Cyberspies, author Gordon Corera traces the intertwined evolution of computers and espionage from the Second World War through the Cold War and the creation and rise of the Internet to modern-day hackers.
In addition to historical detail, it highlights acts of modern espionage conducted by the US, UK, and China. Corera draws on access to GCHQ, the National Security Agency, Chinese officials, and senior executives from major tech companies to tell stories from both hackers and heads of state.
By Ross J. Anderson
Published: Wiley, 2nd Edition; April 14, 2008
Security Engineering was updated from its original edition to address the many technological changes that have occurred since 2001. In that time the web of cybercrime has grown to include spammers, spies, money launderers, and other criminals whose tradecraft keeps improving.
In his guide, Ross Anderson covers topics such as types of attack, security psychology, policy, and specialized protection mechanisms to inform pros who are required to build dependable, secure systems.
By Dafydd Stuttard, Marcus Pinto
Published: Wiley, 2nd Edition; September 27, 2011
A guide on hackers' secrets is valuable for professionals who are responsible for defending against cybercrime. The updated Web Application Hacker's Handbook specifically focuses on web apps, which can expose businesses to attacks that leak sensitive data or execute fraudulent transactions.
Authors Dafydd Stuttard and Marcus Pinto discuss step-by-step techniques for attacking and defending web apps. Their overview covers the technologies from the book's first edition as well as new ones developed since. Added topics include new remoting frameworks, HTML5, UI redress, and hybrid file attacks.
The handbook focuses on areas of security that have undergone recent change, making it a handy resource for pros who want to learn more about finding and preventing security flaws in web apps.
By Mark Dowd, John McDonald, Justin Schuh
Published: Addison-Wesley Professional, 1st Edition; November 30, 2006
Authors Mark Dowd, John McDonald, and Justin Schuh are security consultants and researchers who have discovered vulnerabilities in common enterprise apps like Microsoft Exchange, sendmail, Internet Explorer, and Check Point VPN. In The Art of Software Security Assessment, the three leverage their experiences to explain a start-to-finish methodology for digging into applications to find subtle security flaws.
This book spans a range of software vulnerabilities in Windows and UNIX/Linux environments. Readers learn how to audit apps of all sizes and types, drawing on examples of real code taken from past mistakes in high-profile industry apps.
Its analysis of vulnerability discovery makes this a good resource for anyone who is responsible for ensuring secure software, from security specialists to developers to QA professionals.