Cybersecurity books recommended by top security researchers
Looking for a career in security research? You’re not alone. According to job site Indeed, job searches for cybersecurity roles increased by 5.7 percent between March 2017 and March 2018. Happily, it's not just more people looking for those jobs—they're finding them: Security research jobs increased by 3.5 percent.
With the prevalence of data breaches, there’s still plenty of room for the industry to grow. Unlike other IT specialties, businesses often are open to hiring security professionals based on their knowledge rather than certifications. What better way to acquire that acumen than personally driven education?
I asked several top security researchers which books helped them on their path. I also asked which books they’d recommend to people who want to follow in their footsteps. These are the titles they told me you should put on your Kindle or bedside table.
Nuts and bolts
If you want to level up, it’s always best to start with the basics.
Parisa Tabriz, engineering director at Google, recommends a classic: "Hacking: The Art of Exploitation" by Jon Erickson. The book was her introduction to buffer overflows and exploits. “It was not an easy read, but I still remember it, since I had to really work through it, sometimes putting it down and returning after I'd seek out supplemental resources on C or x86,” she says. Tabriz still has her coffee-stained copy of the first edition of the book, which she says remains relevant as a deep introduction to hacking. The second edition, which came out in 2008, is the most recent version.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, recommends "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" by Michael Sikorski and Andrew Honig. This book teaches readers how to safely analyze, debug, and disassemble malware, and it offers hands-on labs to help readers practice their skills.
Galperin further recommends "Threat Modeling: Designing for Security" by Adam Shostack. This book delves into building better security into system, software, or service designs, and how to test those designs. It explores different approaches for different types of threat models.
White Ops chief scientist and founder Dan Kaminsky, a longtime security researcher best known for finding a critical flaw in the Internet’s DNS, recommends "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities" by Justin Schuh, John McDonald, and Mark Dowd. “[The book] is something of the bible of infosec,” Kaminsky says. It covers software vulnerabilities in Unix/Linux and Windows environments, delves into how to audit various apps, and teaches with examples of real code drawn from security flaws found in high-profile applications.
Kaminsky also appreciates any books written by Michal Zalewski, a vulnerability researcher from Poland, “less for the individual details and more for him capturing the playfulness that got me into security in the first place,” he says. Zalewski’s books include "The Tangled Web: A Guide to Securing Modern Web Applications" and "Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks."
Cryptography and cryptocurrency
This past fall, I rounded up a dozen blockchain courses being offered in universities across the country. But you don’t have to go to school to brush up on all things crypto. You could just work through the textbooks.
Dan Boneh, professor of computer science and electrical engineering at Stanford University and co-director of the Stanford Computer Security Lab, recommends "Introduction to Modern Cryptography," by Jonathan Katz and Yehuda Lindell. The book is often used as a cryptography textbook in both undergraduate and graduate crypto courses, but it can also be used for self-study or as a reference guide, Boneh says.
To learn about blockchains, Boneh recommends "Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction" by Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, and Steven Goldfeder. The book, which was a runner-up for the 2017 PROSE Award in Computing and Information Sciences from the Association of American Publishers, has been used in more than 50 courses across the world. The Coursera course "Bitcoin and Cryptocurrency Technologies" complements the textbook with video lectures, programming assignments, and quizzes.
And of course, there’s Boneh’s own book, "A Graduate Course in Applied Cryptography," cowritten with computer scientist and mathematician Victor Shoup. The text is available online for free download.
When it comes to online security, humans are often the weakest link. It’s worth technologists’ time to explore the art of human exploitation with the same vigor one would use to analyze technical exploits.
For EFF’s Galperin, the books that really make her think generally are not technical books. “‘To Engineer Is Human: The Role of Failure in Successful Design’ by Henri Petroski is one that I've found both inspiring and useful,” she says. The book looks at the engineering failures behind great engineering successes.
Galperin further recommends "The Confidence Game: Why We Fall for It… Every Time" by Maria Konnikova. The book examines how people’s instincts often lead them to being scammed. “I've found that a lot of the history of confidence games and psychology has applicable insights into social engineering,” she says.
The nonintuitive choices
Technologists sometimes have to communicate danger to users, just as health professionals, occupational safety specialists, and government regulators do. Adrienne Porter Felt, a senior engineering manager on the Google Chrome team, recommends "Handbook of Warnings (Human Factors and Ergonomics)" by Michael S. Wogalter. “The book talks about how humans react to security-related information across fields, ranging from chemical warnings to street signs,” she says. “The book contains lessons that are valuable for computer security professionals. If everyone read this book, I think we could avoid remaking mistakes that other fields have already made.”
Boneh would also add "The Master Switch: The Rise and Fall of Information Empires" by Tim Wu to your book list. “It is a history book but predicts the future of the Internet,” Boneh says. The book, written by a Columbia Law School professor, looks at historical cycles where open information systems become closed off and are disrupted by innovation.
Troy Hunt, Australian web security expert and creator of the data breach search website Have I Been Pwned, recommends a nontechnical book: "We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency" by Parmy Olson. “I found this book fascinating because it dealt with the personalities behind a bunch of the hacktivist activity we saw around the LulzSec era,” Hunt says. “There’s been a lot written on the mechanics of many of their attacks, but this book focuses much more on the people: what motivated them, how they communicated, and eventually, what brought them undone. It was one of very few books I could actually really get into and look forward to picking up each time.”
Are there books you’d press into the hands of a would-be computer security expert? Tell us about them at @enterprisenxt.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.
Yael Grauer is a tech reporter covering online privacy, security, and digital freedom. She's written for The Intercept, Wired, Ars Technica, Motherboard, Slate, and more. She's also the author of the college textbook Business Writing: A Content Marketing Approach.