This is of course one of the best sources for anyone who not only wants to understand the details of applied cryptography but also wants to see exmaples implemented in C language and learn the politics behind cryptography. The book covers the following topics – algorithms, protocols, examples in C language and the politics behind security.

I would also recommend to refer to this book whenever you need to make sure that some assumption about some algorithm or protocol is true. Just refer to this book and you will definitely get the right answer.

Highly recommended.

I don’t remember how I found this book but it left a very big influence on my professional orientiation.

The book discusses cryptographic algorithms in very details and focuses more on usage of them in security rather than pure mathematics. It helps you to think in security.

The book covers the following topics:

• symmetric key crypto
• public key crypto
• hash functions
• advanced cryptanalysis
• access control
• security protocols
• software flows and malwares
• insecurity in software
• operating systems and security

A great book to read.

Highly recommended for software secuirty experts.

If you want to deeply udnerstand the math behind modern cryptography algorithms, protocols and also “feel” how this math solves real life security problems – this is probably the best book available. It’s very accurately written from matchematical point of view.

The book covers the following topcis:

• Math: Probability and Information Theory, Computational Complexity, Algebraic Functions, Number Theory
• Cryptographic Techniques: Symmetric and Assymetric Encyrption, Data Integrity
• Authentication Protocols
• Formal Approaches to Security Establishment (excellent chapter!)
• Cryptographic Protocols

Recommended for security experts and researchers.

Simply the best handbook about details of applied cryptography.

This was my first book on cryptography when I started to dig into this field. It’s the best source if you are planning to implement an existing algorithm, protocol or just understand the details behind those.

Highly recommended.

This is another very useful book which has had influence on my vision of security. The book is co-written by one of the most famous specialists in the area of software security – Gary McGrow.

If you want to understand how attackers are trying to break code – this is a good startoing point. Although in my opinion it doesn’t provide thorough analysis of different attacking techniques and tools – it overviews existing attacks and software flaws and also provides details about economics and reasons of software vulnerabilities.

Defintiely good reading.

Recommended for software security engineers and for future hackers.

Btw, if you are looking for information about how to break code – you can refer to this article – How the crackers crack code?

There are not many books in the area of software exploitation and cracking and that’s why each book is very valuable.

It provides goods overview of different attacks such as buffer overflow, format string, etc. It also explains different methods of attacking the network layer – TCP/IP, different layers, port scanning, etc.

Definitely a very useful source of information for those who wants to understand how hackers think.

Recommended for software security engineers and for future hackers.

This is probably one of the first books about reverse engineering techniques in the field. It overviews reversing techniques, cracking techniques, obfuscation, anti-debugging techniques and lists the available tools which will help you to apply these techniques.

I find it more a high-level ovreview rather than detailed explanation. It gives the first level information you need but if you are looking for something more – you should definitely refer to “Surreptitious Software: Watermarking, Tamperproofing”. You can find the review of this book in “Anti Cracking” section.

Recommended for software security engineers and for future hackers.

Practical disassembling and debugging… If you want to learn more about these topics – this is one the best books in the field. It provides examples and explains how become handy with IDA Pro and Softice tools.

Highly recommended for those who wants to learn disassembling and debugging.

An excellent publication from Open Group.

It defines several security design patterns which might be very useful during security design phase. Security Design Patterns are devided in two major groups:

• Available System Patterns: Checkpointed System, Standby, Comparator-Checked Fault-Tolerant System, Replicated System, Error Detection/Correction
• Protected System Patterns: Protected System, Policy, Authenticator, Subject Descriptor, Secure Communication, Security Context, Security Association, Secure Proxy

Definitely a good reading. As per my knowledge this is the only publication which tries to define security design patterns in such formality and details.

Highly recommended for software secuirty architects.

This book is about everything that is related to security.

It overviews lot of technologies: Architecture Patterns in Security, Cryptography, Trusted Code, Secure Communications, Middleware Security, Web Security, Application and OS Security, Database Security, and much more.

Although I don’t think that it’s possible to cover all these topics in 400 pages, however if you want to understand high-level security applications – it’s a good starting point.

Recommended for those who wants to see the big picture.

The classics of security engineering. This is the first book that presents Security Engineering as a standalone discipline and defines the areas where it may be applied. It’s a must read for everybody who wants to position as a security oriented engineer.

The book covers the following topics:

• Defines who is the Security Engineer
• Security Protocols, Passwords, Access Controls and Cryptography
• Multilevel Security and Multiriteral Security
• Banking
• Monitoring Systems
• Physical Tamper Resistance
• Security Printing
• Biometrics
• Telecom System Security
• Network Attacks
• Security in E-Commerce Systems
• Copyright and Privacy Protection
• and much more

You can see that the range of discussed topics is very big. However Ross Anderson (who is known to be the “father” of security engineering) was able to present these topics in a very effective way in this comparable small book. The information and knowledge that this book gives to the reader is irreplaceable.

Btw, I would highly recommend to focus on section Physical Tamper Resistance if you are interested in that area. In fact I think it’s not possible to read this book entirely and understand everything there immediately. You must read it again and again and refer to it carefully when you are specializing in an area which is covered in the book.

Highly recommended to everyone!

Again Ross Anderson. An excellent publication about the economical aspects of security.

The publication gives an alternate rationale why security is so hard to design and implement. Very often people think about security as a problem which has only technical problems. After implementing a system by only taking into account the technical aspects – the system fail. It fails because security is not only about implementation of security controls, encryption, secure storage… it’s also (even more) about people, privacy, convenience, economics… If these factors are not taken into account- people won’t use the system and it will just fail.

This publication is a must read for any security solution designer.

Highly recommended to secure solution designers!

Another book/publication which had a very big influence on my vision.

This book is probably the best information source of software security – available in the area. When I first found it I couldn’t believe that something like this exists. It really overviews the entire software security market, discusses the lacks in the industry, problems, available tools, methodologies, resources, Organizations, and many many other things.

If you are really iterested in software security – just download it and read. I’m sure it will leave a big impact on your professionalism and future vision.

Highly recommended to software security engineers!

If you need to develop techniques for integrating security in your software development processes – this will probably be the best guide for you. It discusses:

• Why Is Security a Software Issue?
• What Makes Software Secure?
• Requirements Engineering for Secure Software
• Secure Software Architecture and Design
• Considerations for Secure Coding and Testing
• Security and Complexity: System Assembly Challenges

Basically it goes over all important phases of software development lifecycle and describes the steps of integrating security into them.

Recommended for project managers who are managing security oriented projects.

Very practical book about how to make your software more secure. As I discuss in one of my articles (Testing the Security of Software) testing the software from security perspective is becoming a very important aspect in software development lifecycle. This book overviews several key concept which will definitely be useful for any software engineer.

We, as software engineers and testers, should all remember that security of software is similraly important as the quality of software and in many aspects they are even equal entities.

The book discusses: Code review using static analysis tools, Architectural risk analysis, Penetration testing, Security testing and Abuse case development.

Highly recommended to software security engineers.

A great encyclopedia about the topics of software protection and software breaking. This is really a handbook for anyone who needs information about how to protect software.

The book discusses lots of interesting topics. It’s very well written – from both academical and practical point of view.

It brings lot of examples and techniques how to protect software via obfuscation and tamperproofing. By the time I’m writing this review, it’s probably the only book about this topic and I’m sure it will become a classics over time. I’m really impressed with the way the authors have created this book and appreciate their effort as someone who has learned lots of interesting from it.

The book discusses the following topics:

• Mastering techniques that both attackers and defenders use to analyze programs
• Using code obfuscation to make software harder to analyze and understand
• Fingerprinting software to identify its author and to trace software pirates
• Tamperproofing software using guards that detect and respond to illegal modifications of code and data
• Strengthening content protection through dynamic watermarking and dynamic obfuscation
• Detecting code theft via software similarity analysis and birthmarking algorithms
• Using hardware techniques to defend software and media against piracy and tampering
• Detecting software tampering in distributed system
• Understanding the theoretical limits of code obfuscation

All hte topics are very well covered and there also exist lot of references to other resources. So in a few words – this is a really encyclopedia of how to protect software!

Highly recommended for those who is interested in software obfuscation, tamper-proofing, watermarking and fingerprinting!

Another book about software protection. Comparing to the book mentioned above this one is lightweight. However taking into account that there are no many books on this topic – any information will be useful for you if you are interested in how to protect software.

The book discusses anti-debugging, anti-disassembling, anti-tracing techniques.

Recommended for those who is interested in software protection.

This was the first publication I have reviewed about security development methodologies and probably that’s why it left a very big influence on my future work, focus and vision.

This publication disucsses a capability maturity model for systems security engineering. It presents a view of how system needs to be designed in order to meet several maturity criteria. It’s a very recommended reading.

I learned from here what mean threat, vulnerability, asset and risk. It provides an excellent aproach of how to think about security, where to start, how to design a secure system and how to further maintain it.

It may be difficult to read for someone who doesn’t have experience with CMMs. But it’s worth trying as the knowledge you will get may remain with you for a long time.

Highly recommended to software architects.

The Security Development Lifecycle discusses Microsoft’s approach to the problem of how to design secure systems. It’s an interesting and very practical tool for software project managers, architects and software engineers.

Project managers can learn how to integrate different security techniques in the project development lifecycle, architects can learn an institutional way of thinking about security and software engineers can learn what practical techiniques to use while writing software and testing it.

It has excellent demonstration about what compiler flags to turn on, how to use the least privilige technique, what crypto algorithms and what API to not use, and, finally, what tools to use during software engineering.

Recommended for project managers, software architects and engineers.

An excellent book about Windows Vista security.

This is a must read for any windows developer, especially for engineers who are creating security oriented product. It discusses:

• Code Quality
• User Account Control
• Buffer Overrun Defenses
• Networking Defenses
• Creating Secure and Resilent Services (excellent chapter!)
• Internet Explorer 7 Defenses
• Cryptographic Enhancements
• Authentication and Authorization

Very practical and useful.

Highly recommended for windows deveopers.