7 Seminal Security Books Every Security Wannabe Should Read

Written by Craig Balding


Today, there are more IT security books in the shops than ever before.

But what IT Security books can make a real difference to an aspiring Security Wannabe?

These are my Seminal 7…

Photo Credit: tanakawho


The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage

The book that ignited my passion for IT security. Clifford Stoll stalks the wily hacker Markus Hess in a true edge-of-the-seat thriller. Computer security books boring? Then you haven't read this one. Be prepared to read it in one sitting!

TCP/IP Illustrated, Volume 1: The Protocols (Addison-Wesley Professional Computing Series)

I remember the day I read that the author of this book - Richard Stevens - had passed away. I was shocked and saddened. This may sound strange as I’d never met him, nor had any correspondence with him. The reason is simple: through his writing, he had an uncanny ability to meet you where you were and take you on what feels like a personally guided tour of TCP/IP. Simply put, this is essential reading. I’ve read some great networking books since, but none that give you the feeling that the author wrote the book just for you. A revered classic.

Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition

The so-called bible of crypto, and with good reason: Bruce Schneier provides a seriously comprehensive introduction to cryptography. Refreshingly, he starts at the ground floor - you don't need a degree in maths to benefit from this tome - it's very accessible. Digest this and you will learn about the most important crypto protocols and algorithms in existence today. I still reference this book at least once a month - I've owned it for about 5 years now. How many books can you say that about?

Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd Edition

Ross Anderson teaches us how to avoid repeating the mistakes of those who went before us. Another author with real passion for the subject, his intelligence and pragmatism shine through. This book will introduce you to IT security as an engineering discipline. Don't let those last two words put you off - Anderson is a master at telling you what you need to know, when you need it. The book itself underlines why effective security design is all about "the human element". Fascinating case studies will make you thank your lucky stars you don't have to design security for prepayment meters or ATMs. The full text is also available to read online on Anderson's website. Aside from the book, I highly recommend his papers on the Economics of Information Security.

Hacking: The Art of Exploitation, 2nd Edition

The majority of the security books on my bookshelf are pretty thick. Thick books give an air of authority - "wow, this must be a very serious book by a very knowledgeable author; if I read this, I will breathe in the knowledge of the gods and impress anyone willing to listen to me for long enough". The author of this book - Jon Erickson - somehow manages to pack an incredible amount of content into less tree than most (he even manages to get root on the cover!). You will learn techniques that shave hours off exploit development time. A great introduction to blowing (precise) holes in software.

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

The holy trinity of software vulnerability researchers (Mark Dowd, John McDonald and Justin Schuh) deliver a mammoth treatise on why my eyes would bleed if I had to do what they do all day. This book will change the way you see software security auditing. If it doesn't, you probably need to read it more carefully. This should be mandatory reading for people who get paid to do software vulnerability research. For more, check the Taossa blog.

Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks

Michal Zalewski is refreshing because (a) he does his own thing, (b) those 'own things' tend to be interesting and (c) he enjoys the subtle, the obscure and the funny. And he can write! For a non-native English speaker he writes with great charm and wit. Reading this book is like stepping into the Matrix - everything we take for granted can be unwoven, refactored and turned inside out. Buy this book and read it cover to cover, then go check out his lair, where he shares his ongoing digital experiments.

###

What security books would you recommend to an aspiring Security Wannabe, and why? Tell us in the comments…


10 comments

#1 Matt on 03.20.08 at 1:08 am

Silence on the Wire is an amazing book. I got it as a birthday gift and couldn’t put it down. The man is simply amazing.

#2 Craig Balding on 03.20.08 at 7:36 am

@Matt: thanks for being the first to comment :-). That's a pretty cool choice for a birthday gift!

If you haven’t already, check out ‘Cracking safes with thermal imaging’ on his website http://lcamtuf.coredump.cx/tsafe/. Fascinating stuff!

#3 JirkaV on 03.21.08 at 1:53 pm

Hey, the thermal imaging is actually old school now ;-) It’s even part of a PC game, I believe it’s one of the Splinter Cell games.

#4 Craig Balding on 03.21.08 at 2:57 pm

@JirkaV: you’re right - it is old school :-). Zalewski originally posted about this back in 2005. At the time, a number of commentators made references to Splinter Cell - maybe he was a fan ;-).

#5 jimmythegeek on 04.18.08 at 5:35 am

I think Tao of Network Security Monitoring does a fantastic job of framing the issues. “Prevention fails.” So you need to monitor. It really works.

#6 Craig Balding on 04.18.08 at 6:16 am

@jimmythegeek: thanks for the comment. I agree but for me, if I hadn’t read these other books before coming to NSM I wouldn’t truly ‘get’ the value in it. Part of my day job involves breaking into systems and any faith I did have in IDS alone as a solution dried up years ago.

#7 NFK on 04.20.08 at 5:18 am

Please do include Schneier’s Secrets and Lies. It distills issues and technologies in a very effective manner. How about a list of top weblogs.

#8 Craig Balding on 04.20.08 at 6:35 am

@NFK: You are a mindreader ;-), I’m finishing up a ‘top weblogs’ article for posting next week…thanks for dropping by (and yes, Secrets and Lies does stitch things together nicely).

#9 BK on 04.23.08 at 2:15 pm

Craig, very nice list. I would add to it some other books.
1. Rootkits: Subverting the Windows Kernel by Greg Hoglund and Jamie Butler.
Those two guys go really deep into this rediscovered topic and explain it simply.
2. Reversing: Secrets of Reverse Engineering by Eldad Eilam.
This was my starting point for RE and I must admit that throughout the whole book you get into the subject not only by reading about it, but by building your personal hands-on experience through real-life examples. Try it out, it's fantastic!
3. The Shellcoder’s Handbook: Discovering and Exploiting Security Holes:
Cross-subject, I would say, and not for beginners, but gives you a clue what IT security is all about.

Of course, if you want to be a Windows expert, "Microsoft Windows Internals" by Mark Russinovich and David Solomon is the must-to-(have|read) book.

Just my $0.01(9)…

Cheers.

#10 Craig Balding on 04.25.08 at 8:36 pm

BK - thanks for dropping by. That's a pretty hardcore list you've got there :-)