Periodically I'll get asked for recommendations for good resources to get started learning about information security. I've written reviews on a number of books, and on a handful of other sources, so I thought I'd collect together some of those, as well as make some new recommendations. Most of these recommendations come from the perspective of someone more on the development side of security than IT.

I've sorted things out into two broad categories - sources that can provide you with an underpinning for a security education, and sources that are good for on-going education (keeping up with news or learning new things on a random basis).

Gaining the Underpinning to Your Education

Where I’ve written up something about the item, I’ve linked to the more detailed review on my site. Otherwise, I’ve linked directly to the source.

  • CODE by Charles Petzold - Not actually a book on security, but rather a clearly-written book explaining how computers work, starting at encoding and working up. Being familiar with the how and why a computer works is essential to being effective in security.

  • The Code Book by Simon Singh - I largely credit this book on cryptography with getting me into security. Just like CODE, it's clearly written, and so accessible to someone just getting into cryptography.

  • The Codebreakers by David Kahn - The book on the history of cryptography. Which might seem like an odd choice for this list, but unlike most of the other topics covered in this list, cryptography has been around for thousands of years. And that means that we can learn a lot about how to approach security by looking at the mistakes that got made again and again … and again and again.

  • ISC Recordings - Recordings of the presentations that used to be given at the Information Security Club at UAH. Some of these are a bit rough (though at least the audio quality improves over time), but they were targeted towards teaching novices about information security.

  • Security Engineering by Ross Anderson - A fairly comprehensive book on security, while good this is definitely a very long read - but read it and understand it and you’re well on your way to being a competent security professional. It’s also available for free in PDF form on the author’s site.

  • Counterhack Reloaded by Ed Skoudis and Tom Liston - A bit dated (for example, it refers to Nessus as open source and free), but a fairly engaging read on penetration testing.

  • Malware - Fighting Malicious Code by Ed Skoudis with Lenny Zeltser - A fairly light read, with some interesting topics on malware. Unlike some of the malware related material I’ll talk about later on, it is written with more of an IT view than a developer’s perspective.

  • Threat Modeling by Frank Swiderski and Window Snyder - No longer in publication, but this is the original book out of Microsoft on their threat modeling process. As a security professional or developer, you really should understand threat modeling. There’s a newer book out, I believe also called Threat Modeling, that I haven’t read yet, so I can’t speak to its quality.

  • Computer Security by Dieter Gollmann - Very much the computer science approach to computer security - you'd better understand what partially ordered sets and similar concepts are before tackling this book. I found in particular that it did a good job covering topics about security models.

  • Coursera’s Cryptography Course - A very well done cryptography course, but you’ll need to be comfortable with the mathematics involved before taking it.

  • Coursera’s Malicious Software and Its Underground Economy - An interesting course on malware. I found that it had something of a rough start, but got better as it went on.

  • The Art of Computer Virus Research and Defense by Peter Szor - Though certainly dated, this book talks in detail about how malware works, as well as how to handle it. It's definitely an advanced read, as you'll need to understand how operating systems work for some of the content.

Ongoing Education

  • NetSec Subreddit - Covers a variety of security topics, like you’d expect of a Reddit subreddit.

  • Security StackExchange - While the content varies greatly, you'll often find good explanations to questions about how things work - maybe even to a question you posed.

  • Security Now - Security Now podcast. Good for news, but sometimes the explanations aren’t quite right, so be wary.

  • Blackhat Archives - Recordings/Presentations from the Black Hat conference.

Obviously there’s far more that could be in the lists, and maybe in time I’ll add more…or maybe not, we’ll see.