During the past months I received, through my blog, requests on what to read during the winter holidays. I decided to publish a little list of some of the books (yes, I wrote "some" and not "all") that have been really useful for my career and which I would totally suggest to everybody interested in this field.
The following list is: incomplete (meaning I had to choose some of my favorite books due to the time limit in writing this post), "time dependent" (meaning that in a few years from now the current titles could change due to new editions and/or the books might be outdated), and totally subjective (meaning that I did not read all the "Sec Readings" out there, so there could be amazing books that I am not aware of).
Fundamentals:
- Modern Operating Systems (Andrew S. Tanenbaum). This book will give you a complete view of the complexity behind operating systems. It gives practical examples of how to program them and how to build structured systems from "Ring 0 to Ring 3". This is the basic reading for everybody interested in computer security.
- Computer Security: Art and Science (Matt Bishop). This book is considered a milestone in computer security. Matt Bishop explains the basic security concepts and approaches of computer security (from definitions to cryptography, walking through security mechanisms). This is the second step for everybody interested in this field.
- Principles of Concurrent and Distributed Programming (M. Ben-Ari). Understanding concurrent and distributed programming can be quite hard, but M. Ben-Ari, in my opinion, makes it easy and very accessible. Nowadays many vulnerabilities are caused by poor implementation of concurrency principles. Understanding them would make you a better "security man".
- Penetration Testing and Network Defense (Whitaker and Newman). It might sound a little outdated (2005). But it really is not. Well, actually it is, if you consider the penetration testing "technicalities" they suggest, but from this book you won't take the "technicalities" (technical details); you want to take the "method" they use. The approach they introduce in this book is still very relevant.
- OSSTMM by ISECOM. This is one of the most famous methodologies used to perform security testing (no, I have not written penetration testing). If you feel the need to learn more about methodologies (why would you need methodologies? You will need them once you are eventually called to manage a "Security/Hacking Team"), you might find in my book ("A design methodology for computer security testing") a good guide.
Technical:
- The Web Application Hacker's Handbook (Stuttard and Pinto). This book covers a vast area of web application penetration testing. It provides a "bite" of almost everything you might find on the web. It's a great starting point, giving you all the weapons you need to get out firing. You will need further study to become a real web testing pro.
- The Tangled Web (Zalewski). This book is mostly aimed at web programmers; it covers many good practices and explains lots of basic concepts behind the web. If you need to write a web app you will probably want to have a quick look at it. If interested, have a look at my full review.
- Programming from the Ground Up (J. Bartlett). Super boring, but really important. I personally have tried to read it as a book, but I failed. Instead I used it as a manual from time to time.
- The IDA Pro Book (Chris Eagle). From 0 to whatever you need to know about reverse engineering. This would be a "cutting edge" book if you already have the fundamentals on your "shoulders".
- The Shellcoder's Handbook: Discovering and Exploiting Security Holes (C. Anley). Almost everything you need to know about modern exploitation techniques. This book will give you all the sugar you need to be effective in the art of exploitation.
- A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security (T. Klein). A really good read. It provides a lot of real examples of how Tobias discovered some pretty nasty vulnerabilities. If interested, have a look at my full review.
- Metasploit: The Penetration Tester's Guide (D. Kennedy). When you need automation and you cannot afford manual, targeted testing, this book provides a great, detailed view of how to use one of the "de-facto standard" penetration testing tools.
- Practical Cryptography (Niels Ferguson and Bruce Schneier). I added only one book on cryptography to my list. I chose that one because it explains cryptography as an engineering discipline and not as a mathematical science. This is fundamental for those of us who need to work in the hard real world rather than in mathematical abstractions.
Managing a Security/Hacking group:
- The Mythical Man-Month: Essays on Software Engineering, Anniversary Edition (Frederick P. Brooks Jr). When you need to manage a group of super skilled people (Security Team/Hacking Team), this book will be a great starting point.
- The Pragmatic Programmer: From Journeyman to Master (Andrew Hunt, David Thomas). This is the so-called "evergreen" book. Everybody should read it, whether you are a manager or not.
- Agile Software Development: Principles, Patterns, and Practices (Robert C. Martin). Even if in your practical life you will be using Extreme Programming as your main "testing" and/or "development" methodology, you should know how to guide a group of people into the Agile Software Development methodology; this book shows you well how to do it.
- Getting Things Done: The Art of Stress-Free Productivity (David Allen). Another best seller. No description needed for the great book by David Allen.
- Impro: Improvisation and the Theatre (Keith Johnstone). When you start to focus on managing people rather than machines, you will learn that humans are way more complex than "stack pointers" or "spray the heap"; you will need to do one thing you won't do as a "pragmatic programmer": you will need to improvise!