More security books...

docrice

It recently occurred to me that I spend a lot ... a lot of my off-time reading, either today's news, blogs, whitepapers, vendor sites, mailing list threads, or books (usually certification-related as of late). I'd argue that I have no life beyond infosec, and my skills are still mediocre. It's sad, really.

So there I go again, I just clicked on that "Proceed to Checkout" button and within a couple of weeks I should have:

• TCP/IP Illustrated, Vol. 1: The Protocols (W. Richard Stevens)
• Security Metrics: Replacing Fear, Uncertainty, and Doubt (Andrew Jaquith)
• Security Warrior (Cyrus Peikari)
• Inside Network Perimeter Security, 2nd Edition (Stephen Northcutt)
• Network Intrusion Detection, 3rd Edition (Stephen Northcutt)
• BackTrack 4: Assuring Security by Penetration Testing (Shakeel Ali)

Granted, many of these books should already have been on my shelves for years now, but hey ... better late than never. The question is how am I going to find the time to read all of them. I'll have to dial down my certification ambitions.

There was a thread a while back where people listed their favorite books, but I couldn't find it on this forum in a manner that didn't test my patience, so I'll just start another. My search kung-fu is weak tonight.

What are your book purchase plans for this year (aside from the Metasploit one)?

the_Grinch

Well, I am currently reading the Backtrack book. The plan is to actually finish it this weekend, Monday at the latest. My problem is sometimes my mind tends to wander, so I often read three books at a time. Such as currently I've been reading a book on economics, Atlas Shrugged (been on a philosophy kick the past few months), and the Backtrack 4 book. At this point I will be attempting to finish my CCNA and then will jump into the following books (I already have them):

Amazon.com: Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (9780979958717): Gordon Fyodor Lyon: Books

Amazon.com: Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide (978189393999: Laura Chappell, Gerald Combs: Books

Amazon.com: Gray Hat Hacking The Ethical Hackers Handbook, 3rd Edition (9780071742559): Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, Terron Williams: Books

Amazon.com: Social Engineering: The Art of Human Hacking (9780470639535): Christopher Hadnagy, Paul Wilson: Books

Amazon.com: Network Security Auditing (Networking Technology: Security) (978158705352: Chris Jackson: Books

Only downside to the Kindle is the fact that I can get the books so quickly. I have others on my list, but these should get me through the next couple of months.

NightShade03

Good topic choice! Here is whats on my list:

Amazon.com: The Tangled Web: Securing Modern Web Applications (9781593273880): Michal Zalewski: Books

Amazon.com: Web Application Security, A Beginner's Guide (9780071776165): Vincent Liu, Bryan Sullivan: Books

Amazon.com: Software Security: Building Security In (9780321356703): Gary McGraw: Books

Amazon.com: XSS Attacks: Cross Site Scripting Exploits and Defense (9781597491549): Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, Petko D. Petkov: Books

Amazon.com: The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (9780321444424): Mark Dowd, John McDonald, Justin Schuh: Books

Amazon.com: SQL Injection Attacks and Defense (9781597494243): Justin Clarke: Books

Amazon.com: Code Complete: A Practical Handbook of Software Construction (0790145196705): Steve McConnell: Books

Amazon.com: The Security Development Lifecycle (9780735622142): Michael Howard, Steve Lipner: Books

Amazon.com: Fuzzing: Brute Force Vulnerability Discovery (9780321446114): Michael Sutton, Adam Greene, Pedram Amini: Books

Amazon.com: Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-' (9781597496049): Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay: Books

Amazon.com: Securing the Cloud: Cloud Computer Security Techniques and Tactics (9781597495929): Vic (J.R.) Winkler: Books

Amazon.com: Client-Side Attacks and Defense (9781597495905): Books

It is a rather aggressive list of books and many aren't really *new* per-se but I have been meaning to get through most of these since last year.

JDMurray

Consider collecting InfoSec people in addition to InfoSec books. I'm always amazed at how much I learn from other security people at conventions, formal security group meetings, or just hanging around people working on InfoSec problems. Next to working shoulder-to-shoulder in solving actual InfoSec problems, hanging out socially with a diverse group of InfoSec people is an excellent way to broaden your InfoSec skills. No one person can know/do everything, so you need to build up your "living Rolodex" of InfoSec cronies to help you out.

NightShade03

JDMurray wrote: »

InfoSec cronies

Haha can I get this put as my title on my business cards

GAngel

I've got the CCNP/DP books to round off my networking knowledge besides those its a lite year for me.

CircuitMeltdown

I have TCP/IP illustrated vol 1, but I have not got a chance to look through it yet. I am reading the official wireshark cert study guide.

I was wondering if the books mentioned in Docrine's initial post would help for prestudy for the GCFW. I am sceduled to take it soon, and I really study the concepts that we will be covering since I am relatively new to the field, and I don't have engineer work experience, just Analyst/policy experience. The books listed by Stephen Northcut were recomended to me for this class, but I noticed that they were published a long time ago. Are they still relevant for catching up before the class?

Any other book suggestions are appreciated. I am mainly focusing on things that will specifically help me with the GCFW class and exam right now but any other good security books are appreciated as well. I am trying to transition into an Engineer role, possibily in a SOC. Thanks.

contentpros

My $.02 a few other books of my quick list of books to own:

Amazon.com: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (9780470170779): Dafydd Stuttard, Marcus Pinto: Books

Amazon.com: Google Hacking for Penetration Testers (9781597491761): Johnny Long: Books

Amazon.com: The Security Development Lifecycle (9780735622142): Michael Howard, Steve Lipner: Books

Amazon.com: Hunting Security Bugs (9780735621879): Tom Gallagher, Lawrence Landauer, Bryan Jeffries: Books

Amazon.com: The Tao of Network Security Monitoring: Beyond Intrusion Detection (9780321246776): Richard Bejtlich: Books

Amazon.com: Extrusion Detection: Security Monitoring for Internal Intrusions (9780321349965): Richard Bejtlich: Books

The following books may be a little dated but are really worth having as a reference on your bookshelf. I highly recommend the "Hardening" series. you can find these used on amazon for $3 or $4 each:

Amazon.com: Hardening Network Security (978007225703: John Mallery, Jason Zann, Patrick Kelly, Wesley Noonan, Eric S. Seagren, Paul Love, Rob Kraft, Mark O'Neill, Robert McMullin: Books

Amazon.com: Hardening Network Infrastructure: Wes Noonan: Books

Amazon.com: Hardening Windows Systems: Roberta Bragg: Books

and there is a Hardening Linux book from the same series I wasn't able to find on Amazon by John H. Terpestra, Paul Love, Ronald P. Reck and Tim Scanlon ISBN: 0-07-225497-1

HTH

~Cp

contentpros

JDMurray wrote: »

Consider collecting InfoSec people in addition to InfoSec books. I'm always amazed at how much I learn from other security people at conventions, formal security group meetings, or just hanging around people working on InfoSec problems. Next to working shoulder-to-shoulder in solving actual InfoSec problems, hanging out socially with a diverse group of InfoSec people is an excellent way to broaden your InfoSec skills. No one person can know/do everything, so you need to build up your "living Rolodex" of InfoSec cronies to help you out.

+1 invaluable advice! I frequent the ISSA, ISACA and OWASP meetings I can. I have made many valuable contacts within the community at these events.

If you are in the Los Angeles area come join us tomorrow night for the OWASP meeting which is held at Symantec. Brian Chess is one of the co-founders of Fortify (now part of HP) will be giving a talk on grey box testing. If you've ever seen Brian speak you know this will be a great presentation.

Get the info or register here:

https://www.owasp.org/index.php/Los_Angeles

sb97

the_Grinch wrote: »

Well, I am currently reading the Backtrack book. The plan is to actually finish it this weekend, Monday at the latest. My problem is sometimes my mind tends to wander, so I often read three books at a time. Such as currently I've been reading a book on economics, Atlas Shrugged (been on a philosophy kick the past few months), and the Backtrack 4 book. At this point I will be attempting to finish my CCNA and then will jump into the following books (I already have them):

Amazon.com: Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (9780979958717): Gordon Fyodor Lyon: Books

Amazon.com: Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide (978189393999: Laura Chappell, Gerald Combs: Books

Amazon.com: Gray Hat Hacking The Ethical Hackers Handbook, 3rd Edition (9780071742559): Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, Terron Williams: Books

Amazon.com: Social Engineering: The Art of Human Hacking (9780470639535): Christopher Hadnagy, Paul Wilson: Books

Amazon.com: Network Security Auditing (Networking Technology: Security) (978158705352: Chris Jackson: Books

Only downside to the Kindle is the fact that I can get the books so quickly. I have others on my list, but these should get me through the next couple of months.

The Wireshark book is high on my list even though I do not plan on getting certified.

sb97

I am looking for a book that offers guidance on developing log analysis techniques.

JDMurray

Boy, let me know when you find devoted to log analysis. I scoured O'Reilly's Safari Books Online for that topic and came up with only a few books that even attempt to breech the subject. I'd love to see a full book on it.