
Ask HN: What are the best books for learning information security? - hwhatwhatwhat
For topics like: common vulnerabilities and mitigations, secure programming techniques, static analysis, reverse engineering, fuzzing, cryptography, and so on.

Looking for some good tomes to expand my mind and bookshelf.
======
dsacco
Glad you asked. This is a list I like to call, "how to become an extremely
effective and formidable security engineer."

1\. _The Web Application Hacker's Handbook_

Probably the first book you want to read; this will teach you the core mindset
you need for finding security flaws in web applications as well as give a very
strong foundation for the different classes of vulnerabilities.

2\. _The Mobile Application Hacker's Handbook_

Good supplement to #1 for application security, obviously focused on mobile
apps.

3\. _The Art of Software Security Assessment_

The bible of the security industry. Especially instructive for source code
review.

4\. _Security Engineering_ (Ron Anderson)

Supplements #3. Very instructive for injecting security into the overall SDLC
and designing secure software.

5\. _The Tangled Web_

Excellent historical background and good high level overview of many
information security topics. Every engineer should read this, even if they
don't work in security.

6\. _Gray Hat Python_

Very hands-on, good introduction to aspects of reverse engineering and the
typical work that, e.g., a security consultant will do at a top firm.

7\. _Practical Malware Analysis_

Very good introduction to malware analysis.

8\. _Practical Reverse Engineering_

This book, along with #9, will teach you everything you need to know to
effectively reverse engineer software for security-focused analysis.

9\. _Reversing: Secrets of Reverse Engineering_

10\. _The IDA Pro Book_

You'll want this if you have any plan to work with IDA Pro at all, which is
the gold standard for decompiling and reversing software.

11\. _The Shellcoder's Handbook_

If you'd like to write exploits after you're done reversing software to find
an exploitable bug, this is a good book to pick up.

12\. _Cryptography Engineering_

Very solid and broad introduction to cryptography. Every engineer should read
this, even if they don't work in security.

13\. _Introduction to Modern Cryptography_

This book, along with #14, is what you want to read if you're going to work as
a cryptographer or cryptanalyst professionally.

14\. _Handbook of Applied Cryptography_

--------------------------------------

Theoretically, these books should resolve your known-unknowns and your
unknown-unknowns. Anyone who reads and _works through_ the list should be
capable of designing secure software, finding errors in white and black box
source code reviews and finding errors in white and black box penetration
tests.

If you're looking to get into this professionally, feel free to contact me if
you have any questions and I'll do my best to help.

~~~
Creepy-ish
If you're interested in iOS, I would also include "iOS Application Security"
[0] by David Thiel. It's relatively up to date, very practical and actionable.
David's resume [1] is also a good example of what a successful career in
"cyber security" can look like.

[0] [https://www.nostarch.com/iossecurity](https://www.nostarch.com/iossecurity)

[1] [http://redundancy.redundancy.org/resume.pdf](http://redundancy.redundancy.org/resume.pdf)
