2010-08-24

Technical security reading list


Here is a quick list of some good books for technical security. In no particular order …




Web

The Web Application Hacker's Handbook- Discovering and Exploiting Security Flaws Stuttard & Pinto Wiley 2008, ISBN 978-0-470-17077-9

IMHO this is the current "Bible" on Web application technical security testing. Thorough coverage of the main areas. In terms of tools, has a "Burp Suite" emphasis since one of the authors is also the developer of Burp Suite. Good introductory section on source code review for attack vectors. Solid coverage of SQL Injection (since the authors both work for NGS Software – D Litchfield's shop). Oriented more towards "traditional" web rather than Web 2.0 specific technologies but does have sections on Flash, ActiveX etc. Detailed 60+ pg methodology included at the end.
XSS Attacks – Cross site scripting exploits and defense Grossman, Hansen, et al, Syngress 2007, ISBN 1-59749-154-3

Still relevant, a great introduction to the subject of XSS
Hacking Exposed – Web 2.0 Cannings, Dwivedi, Lackey, McGraw Hill 2008, ISBN 978-0-07-149461-8

With the speed at which web technology is changing, you should probably buy this book quickly before it becomes completely out of date!
The chapter on Ajax gives a nice overview of some of the frameworks. Note that GWT communication now has been reversed (cf BlackHat USA 2010 Byrnes & Henderson). The chapters on ActiveX and Flash are also good basic intros to these subjects.

Reverse Engineering, Vulnerability research

The IDA Pro Book Chris Eagle, No Starch Press 2008, ISBN 978-1-59327-178-7

"The" book for anyone wanting to learn IDA Pro or wanting to deepen their knowledge of this important RE Tool. Extensive coverage of the software. Is well-written and is easy to understand.
Reversing – Secrets of Reverse Engineering, Eilam, Wiley 2005, ISBN 978-0-7645-7481-8

A good introduction to the subject of RE for newbies. Covers some basic Windows internals. Assumes you do not have access to IDA Pro so gives long examples in OllyDbg disassembled format (mostly without Olly's very helpful markup!). When reading, I found it a bit tiresome to wade through the pages of blank disassembled code with no visual help but only the text comments.
Still is a solid text that hits all the basic areas of RE: file formats, malware, copy protection, anti-reversing. Even has a section on .Net de-obfuscation.
The appendices on Code structures, and compiled arithmetic are good for newbies to help them start understanding "compiler-speak".
Professional Assembly Language Blum, Wrox Wiley 2005, ISBN 0-7645-7901-0

A good basic introduction / reference to Intel assembler for those who don't want to learn by wading through the Intel manuals. A bit dated by now, but still is an adequate coverage of all the basics.
Exploiting Software – How to Break Code, Hoglund and McGraw Addison Wesley 2004, ISBN 0-201-78695-8

Back when the book was written the ideas were cutting edge. Now is a bit dated but still covers a lot of the fundamentals.
Rootkits – Subverting the Windows Kernel, Hoglund & Butler, Addison-Wesley 2005, ISBN-13: 978-0321294319

Takes up where the previous book left off. Ground-breaking in its day but now dated (eg XP - 2K examples). Covers the basics clearly. Once you've read this, then head over to www.rootkit .com and read about Vista / Win7.

Databases

The Database Hacker's Handbook - Defending Database Servers, Litchfield, Anley, et al, Wiley2005, ISBN: 978-0-7645-7801-4

Good solid introduction to the main databases from an attacker's point of view.
The Oracle Hacker's Handbook: Hacking and Defending Oracle, Litchfield, Wiley 2007, ISBN: 978-0-470-08022-1

The "Bible" on the subject of Oracle technical security from an attacker's viewpoint.

VOIP

Hacking Exposed VOIP, Endler & Collier, McGraw-Hill 2007; ISBN: 0072263644

The technology examples are somewhat dated by now but covers the basics well, including Asterisk, SIP, and the importance of the Layer 2 attacks.

General

O'Reilly **** In a Nutshell books. Eg Java In a Nutshell, Unix in a Nutshell, etc

See http://oreilly.com/store/series/nutshells.html for the full list. Good for quick reference as you move from one technology to another.
Managing NFS and NIS 2cd edition, Stern et al, O'Reilly 2001, ISBN 978-1-56592-510-6

I have the 1st edition (which really dates me!). The 2cd edition is 512 pages of everything you ever wanted to know about NIS/ NFS but were maybe afraid to ask. Good reference even today.
TCP/IP Illustrated Vol1-3, W Richard Stevens Addison-Wesley, 1994, ISBN 0-201-63346-9, ISBN 0-201-63354-X, ISBN 0-201-63495-3

Unix Network Programming Vol1-2, W Richard Stevens Prentice Hall, 1998, ISBN 0-13-490012-X, ISBN 0-13-081081-9

The classics by the master.
Javascript – The Missing Manual, McFarland, Pogue Press O'Reilly 2008, ISBN 978-0-596-51589-8

A good basic introduction to Javascript in the first 4 chapters. In the middle of chapter 5, the book becomes completely jQuery-oriented. This is both good and bad. On the positive side, jQuery is covered in some depth and the reader is actually able to do interesting things by the end of the book. But adopting this approach limits the coverage by completing ignoring other important frameworks like Dojo and GWT.
Oracle Database 11g PL/SQL Programming, McLaughlin, Osborne ORACLE Press 2008

Solid reference on the subject of PL/Sql programming for Oracle Dbases.
Mastering Perl 5, Herrmann, Sybex 1999, ISBN 0-7821-2200-0

Oops, showing my age again… This book goes for cheap on Amazon (new $10 and up) but is still a comprehensive reference to Perl basics up through OOP. Lots of programming examples sprinkled liberally through the 900+pages. (The book also makes a great bookend if you don't read it that often. J) After reading this, you'll want to check out CPAN.

Stuff I'm reading now

Some other books mentioned at BlackHat 2010:

Art of Software Security Assessment Dowd MacDonald Schuh

Windows Shellcoders Handbook

Windows Internals Fifth Edition Russinovitch

Advanced windows debugging Hewardt & Pravat

No comments: