So, I've read most of these. Here's a tour of what is definitely useful and what you should probably avoid.
_________________
Do Read:
1. The Web Application Hacker's Handbook - It's beginning to show its age, but this is still absolutely the first book I'd point anyone to for learning practical application security.
2. Practical Reverse Engineering - Yep, this is great. As the title implies, it's a good practical guide and will teach many of the "heavy" skills instead of just a platform-specific book targeted to something like iOS. Maybe supplement with a tool-specific book like The IDA Pro Book.
3. Security Engineering - You can probably read either this orThe Art of Software Security Assessment. Both of these are old books, but the core principles are timeless. You absolutely should read one of these, because they are like The Art of Computer Programming for security. Everyone says they have read them, they definitely should read them, and it's evident that almost no one has actually read them.
4. Shellcoder's Handbook - If exploit development if your thing, this will be useful. Use it as a follow-on from a good reverse engineering book.
5. Cryptography Engineering - The first and only book you'll really need to understand how cryptography works if you're a developer. If you want to make cryptography a career, you'll need more; this is still the first book basically anyone should pick up to understand a wide breadth of modern crypto.
_________________
You Can Skip:
1. Social Engineering: The Art of Human Hacking - It was okay. I am biased against books that don't have a great deal of technical depth. You can learn a lot of this book by reading online resources and by honestly having common sense. A lot of this book is infosec porn, i.e. "Wow I can't believe that happened." It's not a bad book, per se, it's just not particularly helpful for a lot of technical security. If it interests you, read it; if it doesn't, skip it.
2. The Art of Memory Forensics - Instead of reading this, consider reading The Art of Software Security Assessment (a more rigorous coverage) or Practical Malware Analysis.
3. The Art of Deception - See above for Social Engineering.
4. Applied Cryptography - Cryptography Engineering supersedes this and makes it obsolete, full stop.
_________________
What's Not Listed That You Should Consider:
1. Gray Hat Python - In which you are taught to write debuggers, a skill which is a rite of passage for reverse engineering and much of blackbox security analysis.
2. The Art of Software Security Assessment - In which you are taught to find CVEs in rigorous depth. Supplement with resources from the 2010s era.
3. The IDA Pro Book - If you do any significant amount of reverse engineering, you will most likely use IDA Pro (although tools like Hopper are maturing fast). This is the book you'll want to pick up after getting your IDA Pro license.
4. Practical Malware Analysis - Probably the best single book on malware analysis outside of dedicated reverse engineering manuals. This one will take you about as far as any book reasonably can; beyond that you'll need to practice and read walkthroughs from e.g. The Project Zero team and HackerOne Internet Bug Bounty reports.
5. The Tangled Web - Written by Michal Zalewski, Director of Security at Google and author of afl-fuzz. This is the book to read alongside The Web Application Hacker's Handbook. Unlike many of the other books listed here it is a practical defensive book, and it's very actionable. Web developers who want to protect their applications without learning enough to become security consultants should start here.
6. The Mobile Application Hacker's Handbook - The book you'll read after The Web Application Hacker's Handbook to learn about the application security nuances of iOS and Android as opposed to web applications.
Actually a great comment. This is what I wish all those "awesome lists" were: lists written by people actually in the field who've actually read all the books they're recommending. Unlike the current state, which is lists compiled by people completely new to the field looking for easy github stars putting up every book they can find with a Google search.
Funny you mention that, because I'm currently working on a GitHub repo as a research aid for myself. It's a compendium of all major cryptographic primitives and constructions (protocols) and the current state of the art in cryptanalysis against them, sorted by type (i.e. symmetric:block cipher:AES).
On the one hand it's rather straightforward because much of the state of the art in crypto research is in eprint or open access. On the other hand there isn't really a sane "landscape document" that elucidates all of this information in one place because it's so scattered and hard to organize.
Specifically: imagine a straightforward document with a handy table of contents that e.g. explains what a given cryptographic primitive is at a high level and what the current state of the art in attacking it is, like so: https://en.wikipedia.org/wiki/SHA-2#Cryptanalysis_and_valida...
I don't know how useful this would be to someone not working on cryptography research because it's heavily descriptive and academic (unlike, say, Cryptographic Right Answers, which is a good prescriptive document for developers).
How would you suggest approaching these books in order to translate the "reading" into practical/demonstrable skills?
For instance, I'm currently working through The Web Application Hacker's Handbook and also trying things out with OWASP's Broken Web App VM's. I feel like the book is covering a lot more than the broken web apps do, and the broken webapps don't really give a ton of practice, although so far I've only gotten into the "Training" webapps (Mutillidae, Webgoat, DVWA etc), so maybe just digging into the "realistic" apps more will expose me to more of what's in the book. Just looking for some guidance on how to approach the reading-vs-doing divide.
I'll echo what the sibling comment said about CTFs. Those are a great way of drilling the theory in the same way you need to drill problems to really cement mathematical maturity.
Practically speaking, read through each chapter and then try to find an example of this vulnerability in an existing web application. Try bug bounties as well to get a feel for where real world developers make mistakes. A lot of information security is learning to challenge assumptions.
Seconding Practical Malware Analysis and adding a write-in for The Rootkit Arsenal, which is a very practical guide and walkthrough for building functional rootkits.
I picked up the IDA Pro book on a sweet deal before getting an IDA Pro license and it just makes me sad, since I don't exactly want to shell out for the license yet.
>5. The Tangled Web - Written by Michal Zalewski, Director of Security at Google and author of afl-fuzz. This is the book to read alongside The Web Application Hacker's Handbook. Unlike many of the other books listed here it is a practical defensive book, and it's very actionable. Web developers who want to protect their applications without learning enough to become security consultants should start here.
I just finished this book last night, this is an invaluable resource.
While I agree with most of your comment, I think The Art of Memory Forensics is an absolute must read for the people that want to do digital forensics. Or attackers worrying about the footprint they leave behind...
The Art of Software Security Assessment is a great book, but it's on a totally different topic and there's zero comparison between these two.
The two books don't map to each other 1:1, but I'd consider a lot of the contents of TAOSSA to be very good foundational content for assessing malware. Much of malware is a practical implementation of faults explored within that book.
I'm a huge fan of the Tangled Web, but if you leverage stuff that modern browsers give you, you don't really need worry about most of the content discussed in the book. (I'm still a fan of the book from a web security history point of view).
Specifically, if you have CSP headers you can pretty much ignore XSS risks. Add something to handle CSRF (e.g. Original header or the more traditional cookie/post param) and you are golden.
I haven't read the web application hacker's handbook but I bet I'll reach a similar conclusion.
Is there a legal / not crazy expensive way to buy humble bundle books and get them printed on standard 8.5x11, bound in a series of binders / duotangs / twine? I'm going to buy the bundle, but greatly prefer physical pages to reading on a screen.
You can ask at a local copy/print shop, they often have the material and tools to turn a stack of paper into a binder or other book-like thing. They probably also have a good deal on printing a large number of pages :)
If you ask, some will even accept PDFs to print for you, so you can come back at a later time to pick up the finished binder/booklets.
Not sure if that's strictly legal, but many copy shops won't care and frankly, since you got the PDFs legally I don't really see the problem--in a pragmatic sense that is, going by copyright law, maybe. In some places you do have the right to transfer (copy) copyrighted stuff you have a license for (which is the case here) to another medium. But then you're not allowed to sell or give away that copy (not that anyone will check this ever, but it does make sense to have that as a rule).
That said, If you have a laser printer it is probably cheapest to print it yourself. Buy paper that already has the three holes in it for the binder.
Still probably near the price of buying the actual books.
Edit: And if you still want to have there be a bit of a charity tie-in, the Amazon smiles program smile.amazon.com has a lot of charitable organizations to choose from.
RE AmazonSmile: Be sure that the organization you wish to support is aware of the program and actually registered with Amazon to receive the funds.
The list of charities that Amazon shows are from GuideStar USA which has compiled the information from the IRS, but this includes organizations which may not have registered and thus may never receive the donations.
> Legal: No. These are copyrighted works after all.
I don't believe that is so clear cut. I think getting a ebook printed can be considered "format-shifting", which while somewhat gray area, leans towards the legal side.
I'm not sure if these books come with some additional licensing constraints that would trample fair-use format shifting, but based simply on copyright getting them printed might not be illegal.
> Legal: No. These are copyrighted works after all.
At least in Germany, Austria and Switzerland it is completely legal (under some restrictions) if you do it for yourself. Here is the German Wikipedia article on this topic:
lulu.com is a great place to cheaply print books and it only takes about a week. I am not a lawyer and have no idea about its legal applicability, but one just uploads a PDF.
I've used Lulu (years ago) and they do a great job. Not as cheap as a paperback of the same size, but for a one-off (or small number) they're pretty good.
I thought the paper felt a bit cheap and looked somewhat greyish. Although it might depend on the options you select.
But as far as the price goes, they're not expensive but for instance a 126 page book published there was $15.23 (ex. shipping) and you might want to check if the regularly available paperback is not cheaper than that.
It's absolutely great if you made something (wrote a book, or I dunno put your favourite sourcecode to PDF, whatever) with a load of pages and want to own it as a real paperback. There's something extra cool about turning something into an actual physical book :)
The first book, for example, is about $21 in paperback from Amazon and I'm having trouble finding a printer around here who would give me those 416 pages for less. Maybe it starts to make sense if you print several at once.
The OP said he wants physical, and I understand. For fiction or news, I am fine with my Kindle, but for tech manuals where I want to rapidly bookmark, highlight and reference, paper is really handy.
I use 2FA on Humble Bundle. In order to log in, I have to solve several captchas.
I then have to solve more to buy stuff.
All in all I have to solve the captcha 5 times or so, each time involves marking multiple images.
What sense does this make?
Either they trust the captchas (then they only need one), or they don't (then they should remove them). I've complained about this to them in the past but they haven't changed it.
I think Google is doing that "mark all cars/street stigns/etc" style of captcha and using the data for ML training and stuff
it asks juust a little too many it comes across as them using the captcha a little too eagerly to collect data.
Are you using an IP possibly in use by other people? As I'm seeing zero logging in. As to why multiple, they're to prevent bots. Random clicking succeeds some percent of the time, several decreases that percentage.
You need a captcha to log in so that it's hard to make multiple fake accounts. You need captchas to buy stuff because otherwise one could make all accounts manually and then use them to quickly buy products to spend some bank account before it's banned.
I think each smallish site would benefit from designing their own captchas because that way the effort to solve for machines would be harder than solving the Google captchas. The effort to solve for humans would be a lot lower. This is perhaps one of the few areas where rolling your own security solution is beneficial by virtue of it being different.
I think perhaps you underestimate how hard it is to make a good captcha, that is one that is hard to solve programatically but not too hard to solve for a real person (this second part is often overlooked as easy). I suspect you'll find a lot of the prior techniques work well when applied to someone's hand-rolled version, given that coming up with something unique enough to not have prior work put into solving it (and have enough variation to make learning the entire data-set infeasible) is likely much harder than you think.
I don't think this is such a good idea. First of all, designing a catch system that isn't terrible is a lot of work -- it doesn't really make sense for most dev teams to take it on when there are so many pre-built solutions out there. Second, dealing with proprietary captcha systems isn't actually that hard -- you can throw pretty much anything at anti-captcha.com.
But in the introduction to Bruce Schneier's book, Practical Cryptography, he himself says that the world is filled with broken systems built from his earlier book. In fact, he wrote Practical Cryptography in hopes of rectifying the problem.
Great, now there's another collection of books which I'll want to read which I'll feel bad about missing the deal for, then kick myself for never actually reading them in-depth.
I think I've bought 50 books from Humble Bundle (spending about $1/book), but I've only cracked open a few of them.
Readit News
_________________
Do Read:
1. The Web Application Hacker's Handbook - It's beginning to show its age, but this is still absolutely the first book I'd point anyone to for learning practical application security.
2. Practical Reverse Engineering - Yep, this is great. As the title implies, it's a good practical guide and will teach many of the "heavy" skills instead of just a platform-specific book targeted to something like iOS. Maybe supplement with a tool-specific book like The IDA Pro Book.
3. Security Engineering - You can probably read either this or The Art of Software Security Assessment. Both of these are old books, but the core principles are timeless. You absolutely should read one of these, because they are like The Art of Computer Programming for security. Everyone says they have read them, they definitely should read them, and it's evident that almost no one has actually read them.
4. Shellcoder's Handbook - If exploit development if your thing, this will be useful. Use it as a follow-on from a good reverse engineering book.
5. Cryptography Engineering - The first and only book you'll really need to understand how cryptography works if you're a developer. If you want to make cryptography a career, you'll need more; this is still the first book basically anyone should pick up to understand a wide breadth of modern crypto.
_________________
You Can Skip:
1. Social Engineering: The Art of Human Hacking - It was okay. I am biased against books that don't have a great deal of technical depth. You can learn a lot of this book by reading online resources and by honestly having common sense. A lot of this book is infosec porn, i.e. "Wow I can't believe that happened." It's not a bad book, per se, it's just not particularly helpful for a lot of technical security. If it interests you, read it; if it doesn't, skip it.
2. The Art of Memory Forensics - Instead of reading this, consider reading The Art of Software Security Assessment (a more rigorous coverage) or Practical Malware Analysis.
3. The Art of Deception - See above for Social Engineering.
4. Applied Cryptography - Cryptography Engineering supersedes this and makes it obsolete, full stop.
_________________
What's Not Listed That You Should Consider:
1. Gray Hat Python - In which you are taught to write debuggers, a skill which is a rite of passage for reverse engineering and much of blackbox security analysis.
2. The Art of Software Security Assessment - In which you are taught to find CVEs in rigorous depth. Supplement with resources from the 2010s era.
3. The IDA Pro Book - If you do any significant amount of reverse engineering, you will most likely use IDA Pro (although tools like Hopper are maturing fast). This is the book you'll want to pick up after getting your IDA Pro license.
4. Practical Malware Analysis - Probably the best single book on malware analysis outside of dedicated reverse engineering manuals. This one will take you about as far as any book reasonably can; beyond that you'll need to practice and read walkthroughs from e.g. The Project Zero team and HackerOne Internet Bug Bounty reports.
5. The Tangled Web - Written by Michal Zalewski, Director of Security at Google and author of afl-fuzz. This is the book to read alongside The Web Application Hacker's Handbook. Unlike many of the other books listed here it is a practical defensive book, and it's very actionable. Web developers who want to protect their applications without learning enough to become security consultants should start here.
6. The Mobile Application Hacker's Handbook - The book you'll read after The Web Application Hacker's Handbook to learn about the application security nuances of iOS and Android as opposed to web applications.
On the one hand it's rather straightforward because much of the state of the art in crypto research is in eprint or open access. On the other hand there isn't really a sane "landscape document" that elucidates all of this information in one place because it's so scattered and hard to organize.
Specifically: imagine a straightforward document with a handy table of contents that e.g. explains what a given cryptographic primitive is at a high level and what the current state of the art in attacking it is, like so: https://en.wikipedia.org/wiki/SHA-2#Cryptanalysis_and_valida...
I don't know how useful this would be to someone not working on cryptography research because it's heavily descriptive and academic (unlike, say, Cryptographic Right Answers, which is a good prescriptive document for developers).
For instance, I'm currently working through The Web Application Hacker's Handbook and also trying things out with OWASP's Broken Web App VM's. I feel like the book is covering a lot more than the broken web apps do, and the broken webapps don't really give a ton of practice, although so far I've only gotten into the "Training" webapps (Mutillidae, Webgoat, DVWA etc), so maybe just digging into the "realistic" apps more will expose me to more of what's in the book. Just looking for some guidance on how to approach the reading-vs-doing divide.
Thanks for the advice.
Practically speaking, read through each chapter and then try to find an example of this vulnerability in an existing web application. Try bug bounties as well to get a feel for where real world developers make mistakes. A lot of information security is learning to challenge assumptions.
I picked up the IDA Pro book on a sweet deal before getting an IDA Pro license and it just makes me sad, since I don't exactly want to shell out for the license yet.
I just finished this book last night, this is an invaluable resource.
The Art of Software Security Assessment is a great book, but it's on a totally different topic and there's zero comparison between these two.
Specifically, if you have CSP headers you can pretty much ignore XSS risks. Add something to handle CSRF (e.g. Original header or the more traditional cookie/post param) and you are golden.
I haven't read the web application hacker's handbook but I bet I'll reach a similar conclusion.
CEH v9: Certified Ethical Hacker Version 9 Study Guide
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Secrets and Lies: Digital Security in a Networked World, 15th Anniversary Edition
Threat Modeling: Designing for Security
Unauthorised Access: Physical Penetration Testing For IT Security Teams
Deleted Comment
Deleted Comment
If you ask, some will even accept PDFs to print for you, so you can come back at a later time to pick up the finished binder/booklets.
Not sure if that's strictly legal, but many copy shops won't care and frankly, since you got the PDFs legally I don't really see the problem--in a pragmatic sense that is, going by copyright law, maybe. In some places you do have the right to transfer (copy) copyrighted stuff you have a license for (which is the case here) to another medium. But then you're not allowed to sell or give away that copy (not that anyone will check this ever, but it does make sense to have that as a rule).
That said, If you have a laser printer it is probably cheapest to print it yourself. Buy paper that already has the three holes in it for the binder.
Still probably near the price of buying the actual books.
Edit: And if you still want to have there be a bit of a charity tie-in, the Amazon smiles program smile.amazon.com has a lot of charitable organizations to choose from.
The list of charities that Amazon shows are from GuideStar USA which has compiled the information from the IRS, but this includes organizations which may not have registered and thus may never receive the donations.
See the section "Charitable Organizations that Do Not Register" here: https://smile.amazon.com/gp/chpf/pd/ref=smi_se_saas_lpd_spd
I don't believe that is so clear cut. I think getting a ebook printed can be considered "format-shifting", which while somewhat gray area, leans towards the legal side.
I'm not sure if these books come with some additional licensing constraints that would trample fair-use format shifting, but based simply on copyright getting them printed might not be illegal.
IANAL etc.
At least in Germany, Austria and Switzerland it is completely legal (under some restrictions) if you do it for yourself. Here is the German Wikipedia article on this topic:
> https://de.wikipedia.org/w/index.php?title=Privatkopie&oldid...
150 pages of binding at a Office Depot is $6 max if you already have the pages.
I thought the paper felt a bit cheap and looked somewhat greyish. Although it might depend on the options you select.
But as far as the price goes, they're not expensive but for instance a 126 page book published there was $15.23 (ex. shipping) and you might want to check if the regularly available paperback is not cheaper than that.
It's absolutely great if you made something (wrote a book, or I dunno put your favourite sourcecode to PDF, whatever) with a load of pages and want to own it as a real paperback. There's something extra cool about turning something into an actual physical book :)
All in all I have to solve the captcha 5 times or so, each time involves marking multiple images.
What sense does this make?
Either they trust the captchas (then they only need one), or they don't (then they should remove them). I've complained about this to them in the past but they haven't changed it.
I think each smallish site would benefit from designing their own captchas because that way the effort to solve for machines would be harder than solving the Google captchas. The effort to solve for humans would be a lot lower. This is perhaps one of the few areas where rolling your own security solution is beneficial by virtue of it being different.
But in the introduction to Bruce Schneier's book, Practical Cryptography, he himself says that the world is filled with broken systems built from his earlier book. In fact, he wrote Practical Cryptography in hopes of rectifying the problem.
https://blog.cryptographyengineering.com/2011/11/07/in-defen...
For more information, 'tptacek explains this more succinctly that I could: https://sockpuppet.org/blog/2013/07/22/applied-practical-cry...
I think I've bought 50 books from Humble Bundle (spending about $1/book), but I've only cracked open a few of them.
Also thank you dsacco for the recommendations!
ProTip: entities like the FSF, the EFF, Wikimedia and many others can be helped via the humble bundle!!