1. The Web Application Hacker's Handbook - It's beginning to show its age, but this is still absolutely the first book I'd point anyone to for learning practical application security.
2. Practical Reverse Engineering - Yep, this is great. As the title implies, it's a good practical guide and will teach many of the "heavy" skills instead of just a platform-specific book targeted to something like iOS. Maybe supplement with a tool-specific book like The IDA Pro Book.
3. Security Engineering - You can probably read either this or The Art of Software Security Assessment. Both of these are old books, but the core principles are timeless. You absolutely should read one of these, because they are like The Art of Computer Programming for security. Everyone says they have read them, they definitely should read them, and it's evident that almost no one has actually read them.
4. Shellcoder's Handbook - If exploit development if your thing, this will be useful. Use it as a follow-on from a good reverse engineering book.
5. Cryptography Engineering - The first and only book you'll really need to understand how cryptography works if you're a developer. If you want to make cryptography a career, you'll need more; this is still the first book basically anyone should pick up to understand a wide breadth of modern crypto.
You Can Skip:
1. Social Engineering: The Art of Human Hacking - It was okay. I am biased against books that don't have a great deal of technical depth. You can learn a lot of this book by reading online resources and by honestly having common sense. A lot of this book is infosec porn, i.e. "Wow I can't believe that happened." It's not a bad book, per se, it's just not particularly helpful for a lot of technical security. If it interests you, read it; if it doesn't, skip it.
2. The Art of Memory Forensics - Instead of reading this, consider reading The Art of Software Security Assessment (a more rigorous coverage) or Practical Malware Analysis.
3. The Art of Deception - See above for Social Engineering.
4. Applied Cryptography - Cryptography Engineering supersedes this and makes it obsolete, full stop.
What's Not Listed That You Should Consider:
1. Gray Hat Python - In which you are taught to write debuggers, a skill which is a rite of passage for reverse engineering and much of blackbox security analysis.
2. The Art of Software Security Assessment - In which you are taught to find CVEs in rigorous depth. Supplement with resources from the 2010s era.
3. The IDA Pro Book - If you do any significant amount of reverse engineering, you will most likely use IDA Pro (although tools like Hopper are maturing fast). This is the book you'll want to pick up after getting your IDA Pro license.
4. Practical Malware Analysis - Probably the best single book on malware analysis outside of dedicated reverse engineering manuals. This one will take you about as far as any book reasonably can; beyond that you'll need to practice and read walkthroughs from e.g. The Project Zero team and HackerOne Internet Bug Bounty reports.
5. The Tangled Web - Written by Michal Zalewski, Director of Security at Google and author of afl-fuzz. This is the book to read alongside The Web Application Hacker's Handbook. Unlike many of the other books listed here it is a practical defensive book, and it's very actionable. Web developers who want to protect their applications without learning enough to become security consultants should start here.
6. The Mobile Application Hacker's Handbook - The book you'll read after The Web Application Hacker's Handbook to learn about the application security nuances of iOS and Android as opposed to web applications.
On the one hand it's rather straightforward because much of the state of the art in crypto research is in eprint or open access. On the other hand there isn't really a sane "landscape document" that elucidates all of this information in one place because it's so scattered and hard to organize.
Specifically: imagine a straightforward document with a handy table of contents that e.g. explains what a given cryptographic primitive is at a high level and what the current state of the art in attacking it is, like so: https://en.wikipedia.org/wiki/SHA-2#Cryptanalysis_and_valida...
I don't know how useful this would be to someone not working on cryptography research because it's heavily descriptive and academic (unlike, say, Cryptographic Right Answers, which is a good prescriptive document for developers).
but for constructions, and with more citations?
While we're at it, a similar resource for benchmarking instead of cryptanalysis exists here: https://bench.cr.yp.to/. This is maintained by Daniel Bernstein, who is probably the single most qualified person to lead that sort of work.
For instance, I'm currently working through The Web Application Hacker's Handbook and also trying things out with OWASP's Broken Web App VM's. I feel like the book is covering a lot more than the broken web apps do, and the broken webapps don't really give a ton of practice, although so far I've only gotten into the "Training" webapps (Mutillidae, Webgoat, DVWA etc), so maybe just digging into the "realistic" apps more will expose me to more of what's in the book. Just looking for some guidance on how to approach the reading-vs-doing divide.
Thanks for the advice.
Practically speaking, read through each chapter and then try to find an example of this vulnerability in an existing web application. Try bug bounties as well to get a feel for where real world developers make mistakes. A lot of information security is learning to challenge assumptions.
I picked up the IDA Pro book on a sweet deal before getting an IDA Pro license and it just makes me sad, since I don't exactly want to shell out for the license yet.
I just finished this book last night, this is an invaluable resource.
The Art of Software Security Assessment is a great book, but it's on a totally different topic and there's zero comparison between these two.
TAOSSA also has nothing to do with malware whatsoever. Are you perhaps thinking of a different book?
Also, I would point out that Shellcoders Handbook is extremely dated now. It was excellent in its time, but you won't be able to do much with that anymore. It could still be interesting background, but exploits and exploit mitigations have changed a lot in 13 years. We are talking Windows XP/2003 era.
For all of the flak that Applied Crypto gets, it's actually a very good book for what it is. It's just full of bad/outdated advice. For someone who wants a history lesson and plans to update their knowledge before engaging in malpractice based on what that book teaches, it's still a good read. Cryptography Engineering is a very different style of book. While also good, it doesn't get the reader excited about crypto in the way that Applied Cryptography did. AC also has quite a bit of background and explanation of very basic fundamentals, written for humans as opposed to programmers or math majors, that makes a lot of the ideas behind cryptography more accessible.
Unfortunately, it's also a showcase for what can go wrong if you provide too much technical content in a pop science book. What happened with A.C. is similar to what you'd think might happen in a book about home anesthesiology, complete with resources to show you how you'd put someone under from first principles and household chemicals.
On the whole, because it's generally taken by its readers as authoritative and prescriptive, A.C. has done a lot more harm than good.
Cryptography Engineering is imperfect, too. But it was written seriously, accepting and engaging with the fact that readers will use it as a guidebook to serious implementation. It's a much safer book than Applied Cryptography.
Moreover, if you're serious about engaging with crypto in your career, it's a better book. You won't learn much about what goes wrong with crypto from Applied Cryptography, which happily documents a number of weak or even broken constructions and describes protocols and techniques that were obsolete years before the book was published. Cryptography Engineering is aware of much of the cryptographic literature, and almost every chapter concerns itself first and foremost with what goes wrong with crypto constructions. You can read it "inside out" as a sort of first course in attacking cryptosystems.
With regard to malware analysis - TAOSSA teaches source code review to a depth that very few other texts approach in a useful way. Source code review - and the category of vulnerabilities that lend themselves to that assessment - is useful for malware analysis in turn because it teaches the reader what sort of issues malware might try to exploit in a system.
This focuses on the high end of malware - for rote malware analysis and incident response I agree it's not going to be helpful. Like I said, it's more of a foundational work.
Specifically, if you have CSP headers you can pretty much ignore XSS risks. Add something to handle CSRF (e.g. Original header or the more traditional cookie/post param) and you are golden.
I haven't read the web application hacker's handbook but I bet I'll reach a similar conclusion.
CEH v9: Certified Ethical Hacker Version 9 Study Guide
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Secrets and Lies: Digital Security in a Networked World, 15th Anniversary Edition
Threat Modeling: Designing for Security
Unauthorised Access: Physical Penetration Testing For IT Security Teams
Very pleasant read. It's the kind of book I'd expect at university. Some background / history, explanations, presenting both the used and the slightly obsolete methods, (with explanation why they're worse) some practical hints. It's a good threat modelling 101 book in my opinion.
If you ask, some will even accept PDFs to print for you, so you can come back at a later time to pick up the finished binder/booklets.
Not sure if that's strictly legal, but many copy shops won't care and frankly, since you got the PDFs legally I don't really see the problem--in a pragmatic sense that is, going by copyright law, maybe. In some places you do have the right to transfer (copy) copyrighted stuff you have a license for (which is the case here) to another medium. But then you're not allowed to sell or give away that copy (not that anyone will check this ever, but it does make sense to have that as a rule).
That said, If you have a laser printer it is probably cheapest to print it yourself. Buy paper that already has the three holes in it for the binder.
Still probably near the price of buying the actual books.
Edit: And if you still want to have there be a bit of a charity tie-in, the Amazon smiles program smile.amazon.com has a lot of charitable organizations to choose from.
The list of charities that Amazon shows are from GuideStar USA which has compiled the information from the IRS, but this includes organizations which may not have registered and thus may never receive the donations.
See the section "Charitable Organizations that Do Not Register" here: https://smile.amazon.com/gp/chpf/pd/ref=smi_se_saas_lpd_spd
The best way appears to be to pretend you want to register that organization on Amazon's Org Central site which shows which already registered. (An example search for Child's Play.)
As a shopper I do not believe Amazon makes this abundantly clear when you're selecting an organization. One thing to look for is the amount of information shown about the organization, specifically the incorporation year, as those that register have to fill out a profile.
According to the FAQ if a shopper selects an organization that is not registered and makes an eligible purchase they will track the donation. If the organization registers they'll get the donation, but if they have not after 2 years then Amazon will contact the shopper and give them 30 days to select a new charity. (I'm not sure if this then resets the 2 year clock or not.) If the shopper does not select a new organization then Amazon reallocates the donation across the registered organizations.
In any case the only way to be 100% sure is to inquire with the organization.
I don't believe that is so clear cut. I think getting a ebook printed can be considered "format-shifting", which while somewhat gray area, leans towards the legal side.
I'm not sure if these books come with some additional licensing constraints that would trample fair-use format shifting, but based simply on copyright getting them printed might not be illegal.
The reality is, if you are not printing a lot of copies and selling them, you are probably OK.
At least in Germany, Austria and Switzerland it is completely legal (under some restrictions) if you do it for yourself. Here is the German Wikipedia article on this topic:
150 pages of binding at a Office Depot is $6 max if you already have the pages.
I thought the paper felt a bit cheap and looked somewhat greyish. Although it might depend on the options you select.
But as far as the price goes, they're not expensive but for instance a 126 page book published there was $15.23 (ex. shipping) and you might want to check if the regularly available paperback is not cheaper than that.
It's absolutely great if you made something (wrote a book, or I dunno put your favourite sourcecode to PDF, whatever) with a load of pages and want to own it as a real paperback. There's something extra cool about turning something into an actual physical book :)
Looks like 450 pages, trade, 8x11 inces will run you about 20 USD with cheapest print/shipping combination (possibly with some added tax on top). (16 for printing, 4 for shipping - and this is for a single book - I assume shipping /book will be less if you order more than one book).
I haven't used them, but they were mentioned here a while back.
A quick google search turns up:
http://www.thebookpatch.com/#calculator (looks more expensive for single print runs) and of course good old: http://www.lulu.com/create/books (Appears to be somewhat cheaper).
So by pure material cost it can be done for 7 dollars (less if you have volume). But of course only if you have access to the equipment, nobody is selling it that cheap.
I read technical information slower and in shorter blocks of time, so being easy on the eyes like my Kindle isn't a requirement.
All in all I have to solve the captcha 5 times or so, each time involves marking multiple images.
What sense does this make?
Either they trust the captchas (then they only need one), or they don't (then they should remove them). I've complained about this to them in the past but they haven't changed it.
I think each smallish site would benefit from designing their own captchas because that way the effort to solve for machines would be harder than solving the Google captchas. The effort to solve for humans would be a lot lower. This is perhaps one of the few areas where rolling your own security solution is beneficial by virtue of it being different.
Basically, I can't think of a way to come up with something ez that defeats it. You would have to train a neural net specifically on these images because normally neural nets are bad at instagram filter removal unless trained on it. Plus you can slow down/ban/mess with requests based on cookies.
There are basically infinite solutions. Would take a couple of days to implement and would be really fun. I guarantee you: if your site gets maybe 30k visitors a week, nobody would bother spending a month cracking your captcha when there are much easier targets out there.
Finally, you can make it super annoying to actually find where the image is by converting to svg and messing with html structure/compose image in JS. Now they're going to be forced to run a headless browser, take screenshots of the captcha page and finding the image within the page.
If they take the pay-per-captcha approach, I don't think anti-captcha and the like would make it too ez. Still days of work to set up something really brittle.
That was a common captcha technique a decade ago. It didn't last.
> Basically, I can't think of a way to come up with something ez that defeats it.
You're mistaking your inexperience with the field and its methods for difficulty in solutions.
> Finally, you can make it super annoying to actually find where the image is by converting to svg and messing with html structure/compose image in JS.
This isn't hard to defeat. SVG is really no harder than PNG or JPEG to deal with, and if you are programatically altering it, it's trivial to figure out the purpose of the JS and re-implement it, and pass in whatever randomized variables change it. Or just use node, and scrape it from the page and run it as delivered.
> Now they're going to be forced to run a headless browser, take screenshots of the captcha page and finding the image within the page.
That's trivial. Far more trivial now than it was in the past, actually. There's plenty of systems around to run headless browsers. Some are to ease testing for developers, some are specifically designed for and marketed to people that want to do things just like this. Worst case, you use electron and make your own browser to do it.
But in the introduction to Bruce Schneier's book, Practical Cryptography, he himself says that the world is filled with broken systems built from his earlier book. In fact, he wrote Practical Cryptography in hopes of rectifying the problem.
For more information, 'tptacek explains this more succinctly that I could: https://sockpuppet.org/blog/2013/07/22/applied-practical-cry...
I think I've bought 50 books from Humble Bundle (spending about $1/book), but I've only cracked open a few of them.
Also thank you dsacco for the recommendations!
ProTip: entities like the FSF, the EFF, Wikimedia and many others can be helped via the humble bundle!!
Improved *nix version further down the thread
Change "MOBI" to "PDF"/"EPUB" if desired
To circle back to your question - nginx is fairly robust out of the box, but The Tangled Web will cover extra configuration steps. For example - how to securely handle and serve files uploaded by users, including file naming conventions.
Other best practices for configuring things like TLS and CORS will also be covered, which are in the purview of any developer setting up a web server. My interpretation of the book was that it covered attacks that are executed through the browser (especially via user input) insofar as it's instructive for developers to learn how to avoid them.
Most of the stuff here is general crypto, which is very helpful with respect to just learning about computer security, though not necessarily focused on securing something like nginx specifically. You'll learn a lot more about security in general though, which will make it easier to learn about security specific platforms.
I can't recommend this collection enough. I'd make the purchase, then dive into a couple and read whatever you find most interesting. I don't believe any will have the top keys of security technology X, Y, or Z. But you'll learn a lot in general, and it will be much easier to read other security how-tos and tutorials on locking down specific platforms.
As far as securely configuring them, that's maybe 2 pages worth of material and should be in their respective manuals. Beyond that, your options are standard host hardening and network segmentation. I actually don't think that is really covered in any of these.
Securing the web application running on those servers, however, is a book worth of material. All of these are too old for any mention of nodejs, but Web Application Hackers Handbook will have some generic web attack coverage.
I uploaded the file to virustotal.com and malwr.com. VirusTotal has reports from several scanners, so this is not just misreporting from a single scanner. malwr.com opens the file in a sandbox and it says that it makes HTTP connections and installs itself for autorun at Windows startup.
The Web Application Hacker's Handbook is reported by my local ClamAV 0.99.2 with current sigs but not by VirusTotal.
malwr.com also reports HTTP connections and autorun.
I uploaded several other EPUB files and none of them was reported to show such behaviour.
Personally speaking the only books valuable in this bundle are "Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation" and "Applied Cryptography: Protocols, Algorithms and Source Code in C, 20th Anniversary Edition" the other are either quite outdated, too oversimplified or script-kiddie level stuff.
It seems well written, and covers a lot of ground, but it's literally introductory in the sense of "hey, ianai, let's introduce you to the concepts. Concepts, this is ianai; ianai, these are the concepts, now wave them goodbye and let's move on to the next topic".
Answering the test questions included (indicative of the actual certification questions?) generally requires being aware of all the concepts - it doesn't require understanding how/why they work; it doesn't require being able to apply them; simply knowing that they exist and how they're named.
It might be a good starter book from someone coming in to the domain, since it would list all the key things that you'd need to know and introduce you to most of the terminology, but in order to actually learn any of these things (and IMHO to be able to pass certification related to any one of these things) you'd need to go much more in depth than this book will allow.
^As long as it's at least $15.
It bothers me that Humble Bundle has so heavily embraced this type of marketing.