So, I've read most of these. Here's a tour of what is definitely useful and what you should probably avoid.
_________________
Do Read:
1. The Web Application Hacker's Handbook - It's beginning to show its age, but this is still absolutely the first book I'd point anyone to for learning practical application security.
2. Practical Reverse Engineering - Yep, this is great. As the title implies, it's a good practical guide and will teach many of the "heavy" skills instead of just a platform-specific book targeted to something like iOS. Maybe supplement with a tool-specific book like The IDA Pro Book.
3. Security Engineering - You can probably read either this orThe Art of Software Security Assessment. Both of these are old books, but the core principles are timeless. You absolutely should read one of these, because they are like The Art of Computer Programming for security. Everyone says they have read them, they definitely should read them, and it's evident that almost no one has actually read them.
4. Shellcoder's Handbook - If exploit development if your thing, this will be useful. Use it as a follow-on from a good reverse engineering book.
5. Cryptography Engineering - The first and only book you'll really need to understand how cryptography works if you're a developer. If you want to make cryptography a career, you'll need more; this is still the first book basically anyone should pick up to understand a wide breadth of modern crypto.
_________________
You Can Skip:
1. Social Engineering: The Art of Human Hacking - It was okay. I am biased against books that don't have a great deal of technical depth. You can learn a lot of this book by reading online resources and by honestly having common sense. A lot of this book is infosec porn, i.e. "Wow I can't believe that happened." It's not a bad book, per se, it's just not particularly helpful for a lot of technical security. If it interests you, read it; if it doesn't, skip it.
2. The Art of Memory Forensics - Instead of reading this, consider reading The Art of Software Security Assessment (a more rigorous coverage) or Practical Malware Analysis.
3. The Art of Deception - See above for Social Engineering.
4. Applied Cryptography - Cryptography Engineering supersedes this and makes it obsolete, full stop.
_________________
What's Not Listed That You Should Consider:
1. Gray Hat Python - In which you are taught to write debuggers, a skill which is a rite of passage for reverse engineering and much of blackbox security analysis.
2. The Art of Software Security Assessment - In which you are taught to find CVEs in rigorous depth. Supplement with resources from the 2010s era.
3. The IDA Pro Book - If you do any significant amount of reverse engineering, you will most likely use IDA Pro (although tools like Hopper are maturing fast). This is the book you'll want to pick up after getting your IDA Pro license.
4. Practical Malware Analysis - Probably the best single book on malware analysis outside of dedicated reverse engineering manuals. This one will take you about as far as any book reasonably can; beyond that you'll need to practice and read walkthroughs from e.g. The Project Zero team and HackerOne Internet Bug Bounty reports.
5. The Tangled Web - Written by Michal Zalewski, Director of Security at Google and author of afl-fuzz. This is the book to read alongside The Web Application Hacker's Handbook. Unlike many of the other books listed here it is a practical defensive book, and it's very actionable. Web developers who want to protect their applications without learning enough to become security consultants should start here.
6. The Mobile Application Hacker's Handbook - The book you'll read after The Web Application Hacker's Handbook to learn about the application security nuances of iOS and Android as opposed to web applications.
Actually a great comment. This is what I wish all those "awesome lists" were: lists written by people actually in the field who've actually read all the books they're recommending. Unlike the current state, which is lists compiled by people completely new to the field looking for easy github stars putting up every book they can find with a Google search.
Funny you mention that, because I'm currently working on a GitHub repo as a research aid for myself. It's a compendium of all major cryptographic primitives and constructions (protocols) and the current state of the art in cryptanalysis against them, sorted by type (i.e. symmetric:block cipher:AES).
On the one hand it's rather straightforward because much of the state of the art in crypto research is in eprint or open access. On the other hand there isn't really a sane "landscape document" that elucidates all of this information in one place because it's so scattered and hard to organize.
Specifically: imagine a straightforward document with a handy table of contents that e.g. explains what a given cryptographic primitive is at a high level and what the current state of the art in attacking it is, like so: https://en.wikipedia.org/wiki/SHA-2#Cryptanalysis_and_valida...
I don't know how useful this would be to someone not working on cryptography research because it's heavily descriptive and academic (unlike, say, Cryptographic Right Answers, which is a good prescriptive document for developers).
Cool, yeah that's a good resource. But it's a bit opinionated and focuses on general purpose hashing functions without coverage of symmetric and asymmetric encryption, digital signatures or password hashing functions. It also doesn't include some obvious contenders, like BLAKE2 (presumably because Keccak won the SHA-3 contest, but that's not a great reason). Other than that, a git repository format also has the handy benefit of pull requests in case one maintainer misses some new avant-garde attack.
While we're at it, a similar resource for benchmarking instead of cryptanalysis exists here: https://bench.cr.yp.to/. This is maintained by Daniel Bernstein, who is probably the single most qualified person to lead that sort of work.
It's really nice to have access to these kinds of summaries to understand these landscapes. So, thanks for that reference and thanks for working on another one.
How would you suggest approaching these books in order to translate the "reading" into practical/demonstrable skills?
For instance, I'm currently working through The Web Application Hacker's Handbook and also trying things out with OWASP's Broken Web App VM's. I feel like the book is covering a lot more than the broken web apps do, and the broken webapps don't really give a ton of practice, although so far I've only gotten into the "Training" webapps (Mutillidae, Webgoat, DVWA etc), so maybe just digging into the "realistic" apps more will expose me to more of what's in the book. Just looking for some guidance on how to approach the reading-vs-doing divide.
I'll echo what the sibling comment said about CTFs. Those are a great way of drilling the theory in the same way you need to drill problems to really cement mathematical maturity.
Practically speaking, read through each chapter and then try to find an example of this vulnerability in an existing web application. Try bug bounties as well to get a feel for where real world developers make mistakes. A lot of information security is learning to challenge assumptions.
Seconding Practical Malware Analysis and adding a write-in for The Rootkit Arsenal, which is a very practical guide and walkthrough for building functional rootkits.
I picked up the IDA Pro book on a sweet deal before getting an IDA Pro license and it just makes me sad, since I don't exactly want to shell out for the license yet.
>5. The Tangled Web - Written by Michal Zalewski, Director of Security at Google and author of afl-fuzz. This is the book to read alongside The Web Application Hacker's Handbook. Unlike many of the other books listed here it is a practical defensive book, and it's very actionable. Web developers who want to protect their applications without learning enough to become security consultants should start here.
I just finished this book last night, this is an invaluable resource.
While I agree with most of your comment, I think The Art of Memory Forensics is an absolute must read for the people that want to do digital forensics. Or attackers worrying about the footprint they leave behind...
The Art of Software Security Assessment is a great book, but it's on a totally different topic and there's zero comparison between these two.
The two books don't map to each other 1:1, but I'd consider a lot of the contents of TAOSSA to be very good foundational content for assessing malware. Much of malware is a practical implementation of faults explored within that book.
I second the reply above. I don't see much overlap between TAOSSA and Security Engineering. And I would absolutely recommend TAOSSA above Security Engineering. I'd almost go as far as to say that if you only read 1 book it should be TAOSSA, but really it depends what you want to do.
TAOSSA also has nothing to do with malware whatsoever. Are you perhaps thinking of a different book?
Also, I would point out that Shellcoders Handbook is extremely dated now. It was excellent in its time, but you won't be able to do much with that anymore. It could still be interesting background, but exploits and exploit mitigations have changed a lot in 13 years. We are talking Windows XP/2003 era.
For all of the flak that Applied Crypto gets, it's actually a very good book for what it is. It's just full of bad/outdated advice. For someone who wants a history lesson and plans to update their knowledge before engaging in malpractice based on what that book teaches, it's still a good read. Cryptography Engineering is a very different style of book. While also good, it doesn't get the reader excited about crypto in the way that Applied Cryptography did. AC also has quite a bit of background and explanation of very basic fundamentals, written for humans as opposed to programmers or math majors, that makes a lot of the ideas behind cryptography more accessible.
Applied Cryptography is pop science. It's a book written breezily and unseriously, a sort of whirlwind tour of a subject its author is fascinated and engaged with, but without rigor. Approached on those terms, it's a fun read. I sure enjoyed it when it first came out.
Unfortunately, it's also a showcase for what can go wrong if you provide too much technical content in a pop science book. What happened with A.C. is similar to what you'd think might happen in a book about home anesthesiology, complete with resources to show you how you'd put someone under from first principles and household chemicals.
On the whole, because it's generally taken by its readers as authoritative and prescriptive, A.C. has done a lot more harm than good.
Cryptography Engineering is imperfect, too. But it was written seriously, accepting and engaging with the fact that readers will use it as a guidebook to serious implementation. It's a much safer book than Applied Cryptography.
Moreover, if you're serious about engaging with crypto in your career, it's a better book. You won't learn much about what goes wrong with crypto from Applied Cryptography, which happily documents a number of weak or even broken constructions and describes protocols and techniques that were obsolete years before the book was published. Cryptography Engineering is aware of much of the cryptographic literature, and almost every chapter concerns itself first and foremost with what goes wrong with crypto constructions. You can read it "inside out" as a sort of first course in attacking cryptosystems.
I'll clarify - I consider Security Engineering and TAOSSA to be landscape volumes - they cover a great deal of depth. Security Engineering is more on the defensive/development side while TAOSSA is on the offensive/assessment side. I agree with you that TAOSSA should be the one to read if you have to only read one.
With regard to malware analysis - TAOSSA teaches source code review to a depth that very few other texts approach in a useful way. Source code review - and the category of vulnerabilities that lend themselves to that assessment - is useful for malware analysis in turn because it teaches the reader what sort of issues malware might try to exploit in a system.
This focuses on the high end of malware - for rote malware analysis and incident response I agree it's not going to be helpful. Like I said, it's more of a foundational work.
I'm a huge fan of the Tangled Web, but if you leverage stuff that modern browsers give you, you don't really need worry about most of the content discussed in the book. (I'm still a fan of the book from a web security history point of view).
Specifically, if you have CSP headers you can pretty much ignore XSS risks. Add something to handle CSRF (e.g. Original header or the more traditional cookie/post param) and you are golden.
I haven't read the web application hacker's handbook but I bet I'll reach a similar conclusion.
Very pleasant read. It's the kind of book I'd expect at university. Some background / history, explanations, presenting both the used and the slightly obsolete methods, (with explanation why they're worse) some practical hints. It's a good threat modelling 101 book in my opinion.
_________________
Do Read:
1. The Web Application Hacker's Handbook - It's beginning to show its age, but this is still absolutely the first book I'd point anyone to for learning practical application security.
2. Practical Reverse Engineering - Yep, this is great. As the title implies, it's a good practical guide and will teach many of the "heavy" skills instead of just a platform-specific book targeted to something like iOS. Maybe supplement with a tool-specific book like The IDA Pro Book.
3. Security Engineering - You can probably read either this or The Art of Software Security Assessment. Both of these are old books, but the core principles are timeless. You absolutely should read one of these, because they are like The Art of Computer Programming for security. Everyone says they have read them, they definitely should read them, and it's evident that almost no one has actually read them.
4. Shellcoder's Handbook - If exploit development if your thing, this will be useful. Use it as a follow-on from a good reverse engineering book.
5. Cryptography Engineering - The first and only book you'll really need to understand how cryptography works if you're a developer. If you want to make cryptography a career, you'll need more; this is still the first book basically anyone should pick up to understand a wide breadth of modern crypto.
_________________
You Can Skip:
1. Social Engineering: The Art of Human Hacking - It was okay. I am biased against books that don't have a great deal of technical depth. You can learn a lot of this book by reading online resources and by honestly having common sense. A lot of this book is infosec porn, i.e. "Wow I can't believe that happened." It's not a bad book, per se, it's just not particularly helpful for a lot of technical security. If it interests you, read it; if it doesn't, skip it.
2. The Art of Memory Forensics - Instead of reading this, consider reading The Art of Software Security Assessment (a more rigorous coverage) or Practical Malware Analysis.
3. The Art of Deception - See above for Social Engineering.
4. Applied Cryptography - Cryptography Engineering supersedes this and makes it obsolete, full stop.
_________________
What's Not Listed That You Should Consider:
1. Gray Hat Python - In which you are taught to write debuggers, a skill which is a rite of passage for reverse engineering and much of blackbox security analysis.
2. The Art of Software Security Assessment - In which you are taught to find CVEs in rigorous depth. Supplement with resources from the 2010s era.
3. The IDA Pro Book - If you do any significant amount of reverse engineering, you will most likely use IDA Pro (although tools like Hopper are maturing fast). This is the book you'll want to pick up after getting your IDA Pro license.
4. Practical Malware Analysis - Probably the best single book on malware analysis outside of dedicated reverse engineering manuals. This one will take you about as far as any book reasonably can; beyond that you'll need to practice and read walkthroughs from e.g. The Project Zero team and HackerOne Internet Bug Bounty reports.
5. The Tangled Web - Written by Michal Zalewski, Director of Security at Google and author of afl-fuzz. This is the book to read alongside The Web Application Hacker's Handbook. Unlike many of the other books listed here it is a practical defensive book, and it's very actionable. Web developers who want to protect their applications without learning enough to become security consultants should start here.
6. The Mobile Application Hacker's Handbook - The book you'll read after The Web Application Hacker's Handbook to learn about the application security nuances of iOS and Android as opposed to web applications.