Security Books You Should Read

I’ve had quite a few people that are new to the field of information security ask about some “key reads”, so instead of replying with the same info each time I created a link to that for ease-of-reference (and I will keep this evergreen!).

Title Topic Why
Secure By Design Application Security If you are a developer, and you have to read only one of these books read this one. It will allow you to “design away” a huge swathe of vulnerabilities from the software you write, if you can achieve this you will be loved by your security team(s).
Serious Cryptography Cryptography The most currently relevant cryptography book I’ve read, even provides an introduction to quantum computing and what post-quantum attacks look like on classical cryptography schemes. This author is well known and has contributed to major advances like siphash, BLAKE and Argon2, this should illustrate to you they aren’t just a theorist but also a practitioner!
Threat Modeling - Designing for Security Application Security The de-facto Threat Modeling guide, goes from fundamentals to more advanced techniques that I haven’t used in practice. Even if you read 25% of this book you’d advance your mental model for application security.
Silence on the Wire Network Security For anyone that has tried to do network forensics or reverse-engineering, you’ll be nodding your head throughout this book. Surprisingly, this book still feels relevant in the “Web 2.0™” world we’re currently in (approx. 15 years ago at time of writing this). This book will help you realize that anonymity over a network is difficult, which is challenge for privacy and a boon for network defenders!
The Art of Software Security Assessment Vuln Hunting If you want to someday to be able to read and comprehend a Google Project Zero write-up then this is how you get ready for that. This is very comprehensive and used to be the required reading though perhaps in cloud security age it may be aging fast.
How to Measure Anything Quantification of Risk Firstly, don’t let the “cheesyness” of the websites and quotes around this book discourage you. Sadly they do themselves no favours by making it look like some MLM scheme. This really is legit, and backed by basic mathematical foundations. Additionally the author later attempted an application of this to cybersecurity (How to Measure Anything in Cybersecurity Risk), I’d only recommmend that after reading the first book as it skips some of the fundamental points that are more useful than the domain-context exercise.

You’ll (hopefully) reach an epiphany that currently in software development and security we model far too many things as a Boolean, when in fact everything has a confidence-interval. Risk estimation is not just about estimating the likelihood and impact of an event, but also your own (and your systems) confidence in what those estimates. Once you have those you can tolerate far more uncertainty while still prioritizing what needs to be worked on next.