Security Reading List

Here is my reading list related to securing your web services.

1. Web Security 2016, https://www.phparch.com/books/web-security-2016/. This anthology includes Ed Barnard’s Securing Your Web Services series.
2. Survive The Deep End: PHP Security by Padraic Brady, http://phpsecurity.readthedocs.org/en/latest/. Excellent survey of what you need to know about PHP security. This short online book is a good starting point.
3. PHP Security Cheat Sheet by The Open Web Application Security Project (OWASP), https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet. I include the OWASP page to point out that you should be long past dealing with these basic web site security issues. But if you are new to PHP security, this is a good reference.
4. Web Service Security Cheat Sheet by OWASP, https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet. Checklists are valuable. Visit this cheat sheet from time to time to ensure you still have the right things covered.
5. Information Security at Stack Exchange, http://security.stackexchange.com/. I find the Information Security folks to be friendly, helpful, authoritative, and thorough. Learn to ask questions correctly and you’ll be delighted with the responses. Don’t be shy, but show that you’ve thought things through before typing out the question.
6. How to Hack a Paysite: What the Good Guys Need to Know by Ed Barnard, http://otscripts.com/how-to-hack-a-paysite-articles/. The article series is old, but my exploration of attitude and motivation remain relevant.
7. The Art of War: Complete Text and Commentaries by Sun Tzu, translated by Thomas Cleary, http://www.amazon.com/gp/product/1590300548. Various Twitter accounts quote this two-thousand-year-old classic including @battlemachinne. One line at a time, these can help you retain that all-important security attitude.
8. Threat Modeling: Designing for Security by Adam Shostack, http://www.amazon.com/gp/product/1118809998. This is the “big picture” look at formally anticipating security threats to your software. It’s a tough row to hoe. But if you don’t, who will?
9. Web Security: A WhiteHat Perspective, by Hanqing Wu and Liz Zhao, http://www.amazon.com/gp/product/1466592613. This one is tough to read but worth the energy expended. I believe there were two editions of the book published, one in Chinese and one in English. A former hacker himself, the author brings a useful perspective and solid information.
10. Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd Edition, by Ross J. Anderson, http://www.amazon.com/gp/product/0470068523. This thousand-page monster won’t be read in one sitting. Like Threat Modeling, this “big picture” book will give you perspective and strategies you won’t find elsewhere.
11. Cryptography Engineering: Design Principles and Practical Applications by Niels Ferguson, Bruce Schneier, Tadayoshi Kohno, http://www.amazon.com/gp/product/0470474246. I saved the best for last. If you’re planning to write security-related code, read this book first. It’s a good and surprisingly fast read. You’ll come away with a far better understanding of how things hold together and why.