Security Books

Here are some books that I have heard from colleagues are good. Some of them I have read myself also. I think that all app/web developers should know enough about security to know that they don’t know nearly enough and should consult an expert. As far as I know, the best way to do this is to read other people’s horror stories.

• Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman https://www.amazon.com/Penetration-Testing-Hands-Introduction-Hacking-ebook/dp/B00KME7GN8

• Metasploit: The Penetration Tester’s Guide by David Kennedy,‎ Jim O’gorman,‎ Devon Kearns,‎ Mati Aharoni https://www.amazon.com/Metasploit-Penetration-Testers-David-Kennedy/dp/159327288X

• Agile IT Security Implementation Methodology by Jeff Laskowski https://www.amazon.com/Agile-Security-Implementation-Methodology-Laskowski-ebook/dp/B006BZCW8Q

• Android Security Internals: An In-Depth Guide to Android’s Security Architecture by Nikolay Elenkov https://www.amazon.com/Android-Security-Internals–Depth-Architecture-ebook/dp/B00P8DRZWA

• iOS Application Security: The Definitive Guide for Hackers and Developers by David Thiel https://www.amazon.com/iOS-Application-Security-Definitive-Developers-ebook/dp/B01BLVZ3IK

• Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz https://www.amazon.com/Black-Hat-Python-Programming-Pentesters-ebook/dp/B00QL616DW

• Threat Modeling: Designing for Security by Adam Shostack https://smile.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998

• Cryptography Engineering: Design Principles and Practical Applications by Niels Ferguson,‎ Bruce Schneier, Tadayoshi Kohno https://smile.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246

• Security Warrior: Know Your Enemy by Cyrus Peikari,‎ Anton Chuvakin https://smile.amazon.com/dp/B0043EWV24

• Beautiful Security: Leading Security Experts Explain How They Think by Andy Oram, John Viega https://smile.amazon.com/Beautiful-Security-Leading-Experts-Explain-ebook/dp/B002NOGG54

• Holistic Infosec for Web Developers https://holisticinfosecforwebdevelopers.com/ https://smile.amazon.com/Holistic-InfoSec-Web-Developers-Physical-ebook/dp/B01LYKJ982

• The Tangled Web: A Guide to Securing Modern Web Applications https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886/

• OSCP Certification (I’m told it’s one of the few certifications that are really really worth doing) https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

• Secure Code Warrior https://new-www.securecodewarrior.com/

• Applied Cryptography by Bruce Schneier

• Foundations of Cryptography by Oded Goldreich

• CyberWarfare by Jeffrey Carr

• Security Warrior by Cyrus Peikari

• Security Engineering by Ros Anderson.

• Usable Security: History, Themes, and Challenges (Synthesis Lectures on Information Security, Privacy, and Trust) by Simson Garfinkel

• Beautiful Security: Leading Security Experts Explain How They Think by John Viega and Andy Oram

• Security and Usability: Designing Secure Systems that People Can Use by Lorrie Faith Cranor and Simson Garfinkel

• Lorrie Cranor is a leader in organizing the security usability field, and has co-authored a number of other books as well. (Plus she makes amazing digital quilts!)