A reading list for InfoSec engineers.
This is my list, not a definitive one; that is, these are resources I've found useful. As such it has some biases:
- It's oriented towards providers of Software-, Platform-, and Infrastructure-as-a-Service.
- It tends to focus on the human factors aspects of security practice (there's deeply technical stuff too, just not as much).
- There's some random stuff that's not explicitly "about infosec", but that I've nonetheless found extremely useful in thinking about infosec. Dekker's Field Guide to Understanding 'Human Error' is a good example of this kind of resource.
Stars ⭐ indicate especially good "starting point" resources - things to read first as an introduction to the topic.
[This list is inspired by Mark McGranaghan's Services Engineering Reading List, which is super-great. Thanks for the list, and the inspiration, Mark!]
- The Art of Software Security Assessment (Dowd, McDonald, Schuh)
- Bulletproof SSL and TLS (Ristić)
- Crypto 101 (lvh) ⭐
- The Field Guide to Understanding 'Human Error' (Dekker)
- How To Measure Anything in Cybersecurity Risk (Hubbard and Seiersen)
- The New School of Information Security (Shostack and Stewart)
- The Security Development Lifecycle (Howard and Lipner)
- The Tangled Web (Zalewski) ⭐
- The Web Application Hacker's Handbook (Stuttard)
- Security Engineering (Anderson)
- Threat Modeling: Designing for Security (Shostack)
- A Tale of Security Gone Wrong (Miller)
- Anatomy of a Crypto Vulnerability (Gaynor)
- Bounty Launch Lessons (McGeehan and Honeywell)
- Building a Let's Encrypt client from scratch (Peattie)
- Cryptographic Right Answers (Latacora) ⭐
- HTTPS is Hard (Workman)
- Learning From A Year Of Security Breaches (McGeehan) ⭐
- PagerDuty Incident Response Documentation (PagerDuty) ⭐
- Security Breach 101 and Security Breach 102 (McGeehan) ⭐
- Security Engineering as Caring-For (Palmer)
- What Werewolf teaches us about Trust & Security (Eaves)
- Who Fixes That Bug: Part One: Them!, Part Two: Us! (McGeehan)
- 2016 Data Breach Investigation Report (Verizon Enterprise) - see also previous years: 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008.
- BeyondCorp: A New Approach to Enterprise Security (Ward, Beyer)
- Doomed to Repeat History? Lessons from the Crypto Wars of the 1990s (Kehl, Wilson, and Bankston)
- Practical Security Stories and Security Tasks for Agile Environments (SAFECode)
- Security for Startups: The Affordable Ten-Step Plan for Survival in Cyberspace (Cowan)
- The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis (Zhang, Monrose, and Reiter)
- Smashing The Stack For Fun And Profit (Aleph One)
- Crypto 101 (Van Houtven)
- Lessons Learned While Protecting Gmail (Bursztein)
- Web Security Fundamentals (Hunt)