- Social Engineering: The Art of Human Hacking
- The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, 2nd Edition
- Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
- Threat Modeling: Designing for Security
- Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd Edition
- The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 2nd Edition
- Cryptography Engineering: Design Principles and Practical Applications
- The Art of Deception: Controlling the Human Element of Security
- The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
- Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
- Unauthorised Access: Physical Penetration Testing For IT Security Teams
- Secrets and Lies: Digital Security in a Networked World
- CEH v9: Certified Ethical Hacker Version 9 Study Guide
- Applied Cryptography: Protocols, Algorithms and Source Code in C, 20th Anniversary Edition
Security Engineering (Anderson) and Applied Cryptography (Schneier) could be worth it alone if they aren’t in one’s library already (or maybe to just have the ebook version).
Got this in email, and saw it posted to every one of my news sites.
Here is a super useful review from the YC comments section:
dsacco 2 hours ago
So, I’ve read most of these. Here’s a tour of what is definitely useful and what you should probably avoid.
Do Read:
- The Web Application Hacker’s Handbook - It’s beginning to show its age, but this is still absolutely the first book I’d point anyone to for learning practical application security.
- Practical Reverse Engineering - Yep, this is great. As the title implies, it’s a good practical guide and will teach many of the “heavy” skills instead of just a platform-specific book targeted to something like iOS. Maybe supplement with a tool-specific book like The IDA Pro Book.
- Security Engineering - You can probably read either this or The Art of Software Security Assessment. Both of these are old books, but the core principles are timeless. You absolutely should read one of these, because they are like The Art of Computer Programming for security. Everyone says they have read them, they definitely should read them, and it’s evident that almost no one has actually read them.
- Shellcoder’s Handbook - If exploit development is your thing, this will be useful. Use it as a follow-on from a good reverse engineering book.
- Cryptography Engineering - The first and only book you’ll really need to understand how cryptography works if you’re a developer. If you want to make cryptography a career, you’ll need more; this is still the first book basically anyone should pick up to understand a wide breadth of modern crypto.
You Can Skip:
- Social Engineering: The Art of Human Hacking - It was okay. I am biased against books that don’t have a great deal of technical depth. You can learn a lot of this book by reading online resources and by honestly having common sense. A lot of this book is infosec porn, i.e. “Wow I can’t believe that happened.” It’s not a bad book, per se, it’s just not particularly helpful for a lot of technical security. If it interests you, read it; if it doesn’t, skip it.
- The Art of Memory Forensics - Instead of reading this, consider reading The Art of Software Security Assessment (a more rigorous coverage) or Practical Malware Analysis.
- The Art of Deception - See above for Social Engineering.
- Applied Cryptography - Cryptography Engineering supersedes this and makes it obsolete, full stop.
What’s Not Listed That You Should Consider:
- Gray Hat Python - In which you are taught to write debuggers, a skill which is a rite of passage for reverse engineering and much of blackbox security analysis.
- The Art of Software Security Assessment - In which you are taught to find CVEs in rigorous depth. Supplement with resources from the 2010s era.
- The IDA Pro Book - If you do any significant amount of reverse engineering, you will most likely use IDA Pro (although tools like Hopper are maturing fast). This is the book you’ll want to pick up after getting your IDA Pro license.
- Practical Malware Analysis - Probably the best single book on malware analysis outside of dedicated reverse engineering manuals. This one will take you about as far as any book reasonably can; beyond that you’ll need to practice and read walkthroughs from e.g. The Project Zero team and HackerOne Internet Bug Bounty reports.
- The Tangled Web - Written by Michal Zalewski, Director of Security at Google and author of afl-fuzz. This is the book to read alongside The Web Application Hacker’s Handbook. Unlike many of the other books listed here it is a practical defensive book, and it’s very actionable. Web developers who want to protect their applications without learning enough to become security consultants should start here.
- The Mobile Application Hacker’s Handbook - The book you’ll read after The Web Application Hacker’s Handbook to learn about the application security nuances of iOS and Android as opposed to web applications.
Grabbed this just to have em in PDF as I have a number of these in book form already.
I like how Humble Bundle lets me choose the charity and the percentages. I could make sure that most of my money went to a charity for homeless vets and none went to the EFF.