
An Application Security Reading List

Thomas Ptacek
 
Gray Hat Python: Python Programming for Hackers and Reverse Engineers
"Literally the first book I thought of when I started this list, and I don't even like writing in Python. A headfirst dive into the day-to-day coding all app pentesters end up doing."
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
"The same way you can say "TAOCP" on a programming site and everyone knows you mean "Knuth", say "TOASSA" to a security person and they know this book. This is the McGee, the Cormen/Rivest, the "Theory Of Poker" for our industry: how to find vulnerabilities by reading software."
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
"As much as 50% of your app security work is going to involve finding flaws in web applications, and that percentage is only going to go up. The good news, as far as your book budget goes: (a) this is the only book you need to get started (and it's great) - (b) web security work is something you can learn very quickly by practicing with tools, and (c) the rest of what you need is all online."
Cryptography Engineering: Design Principles and Practical Applications
"The best security books, you can read "inside out", taking any recommendation on what to do and looking for people to do the opposite to find flaws. "Firewalls and Internet Security" was like that. So was "Practical Unix Security", and so is TOASSA. This is that book for crypto. It's also the one book on crypto you should allow yourself to read until you start actually finding crypto flaws."
The Practice of Programming (Addison-Wesley Professional Computing Series)
"Skip it if you've already done dev professionally (and, if you can, try to spend a couple years doing that before coming to app security). Otherwise: you want to (a) get good at busting out reliable, readable security testing tools without losing cycles figuring out how to start, and (b) to know how pro devs think before trying to tear up their software."
C Interfaces and Implementations: Techniques for Creating Reusable Software
"You need C. This is the single best book on C software development that has ever been written. It takes everything you've been doing in Python, Ruby, or Perl, but have lost in C, and gives it back to you - while explaining each line of code it takes to do that, and making you a competent C API designer in the process."
Reversing: Secrets of Reverse Engineering
"The best end-to-end treatment of the theory and practice of taking compiled binary software and working it back to its design and internal function. Read this to understand why writing your own version of IDA Pro is more trouble than it's worth, or to see why you'd want to do that in the first place."
JavaScript: The Good Parts
"This book is tiny. Most books about Javascript are 18,000 pages long, explain how to write 1000 lines of JS to make rounded corners in IE5, and suck. This book contains nothing but how to write serious code in Javascript, a surprisingly serious language that it turns out owns a surprisingly huge portion of the Internet security model by enforcing the "same origin policy" that secures browsers."
SQL For Dummies
"You have to know SOME SQL to do web security work. My theory: the less of it you end up knowing, the happier you'll end up being. Thus: this book."
Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition (Developer Reference)
"You want to know how modern OSes work on x86. Especially memory management. You want to know why system calls work the way they do. You want to grok IPC. You can learn with Unix or with Windows, but Windows depth has more market value, and there's no comparably good (and modern) Unix internals book."
The Mac Hacker's Handbook
"Union rules require me to recommend at least one book by Charlie Miller and one book by Dino Dai Zovi, and this book, which is great, kills two birds with one stone."
The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler
"Don't buy this until you get your IDA Pro license. And if you've been using IDA for years already, borrow it instead. But this book is the manual Hex-Rays should ship with IDA, and IDA is the de facto standard binary reversing tool for our industry. Know that if you grok assembly and C, then a week or two, a copy of IDA, and this book combined will get you reversing WinAPI programs reliably."
Internetworking with TCP/IP Vol. II: ANSI C Version: Design, Implementation, and Internals (3rd Edition)
"Sooner or later you're going to hit a project where the only way to listen to and talk to the target is to bust out libpcap and do IO with raw frames. In TCP/IP books, there's the Comer camp and the W. Richard Stevens camp. I'm a Comer guy. This book is more general than Stevens, and works from a far cleaner codebase (Stevens' 4.4BSD, while venerable, is ugly as sin)."
Network Algorithmics: An Interdisciplinary Approach to Designing Fast Networked Devices (The Morgan Kaufmann Series in Networking)
"Do any of those tools you wrote with libpcap after reading Comer & Stevens have to work fast? Do they have to deal with more than a couple hundred hosts? This book isn't cheap, and it's somewhat specialized, but it's well written, interesting, and authoritative."
Computation Structures (MIT Electrical Engineering and Computer Science)
"Eventually you'll get a project that's going to involve an exotic target, maybe synthesized onto an FPGA in some crazy RISC architecture, maybe on an embedded controller you can only talk to with JTAG. You want to know how computer systems are designed and engineered from electrical signals on up. This book starts from circuits and ends with compiler design and may be all you'll ever need."
Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection
"One branch of binary runtime security work involves software protection, which means "copy protection" and "tamper proofing" and "anti-cheating" and "malware countermeasures" all at the same time. This book is somewhat stuffily written and uses formalisms more than case studies, but if runtime security is your thing, you'll forgive those quirks for the breadth and authority in this book."
A Supposedly Fun Thing I'll Never Do Again: Essays and Arguments
"I had a CISSP book here as a joke, but then realized that someone who clicked "buy whole list" would end up accidentally owning a CISSP book. Far better that they accidentally end up owning David Foster Wallace's most accessible book. The state fair essay in particular is worth the price of admission."