//Books
Cybersecurity books, reviewed honestly.
Reviews aimed at the people who actually have to learn something from these books: engineers, defenders, students. Each entry says who it's for, who it isn't, and what to read alongside it.
@War
Shane Harris · 2014
Shane Harris on the entanglement of US military doctrine, the intelligence community, and private contractors after cyberspace was declared the fifth warfighting domain.
Beginner · Geopolitics · History
A Bug Hunter's Diary
Tobias Klein · 2011
Tobias Klein walks through seven real vulnerabilities he found and exploited, in the form of personal lab notes: what he tried, what failed, and what eventually shipped to vendors.
Intermediate · Vulnerability Research · Offensive
A Hacker's Mind
Bruce Schneier · 2023
Bruce Schneier extends the security-engineering frame of "hacking" to law, finance, politics, and tax: every rule-based system has exploitable seams, and the wealthy and powerful exploit them constantly.
Beginner · Strategy · Policy
Alice and Bob Learn Application Security
Tanya Janca · 2020
Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.
Beginner · AppSec · Foundations
Android Security Internals
Nikolay Elenkov · 2014
Nikolay Elenkov on the actual implementation of Android's security model: package manager internals, permissions, keystore, SELinux integration, verified boot.
Advanced · Mobile · Android
Attacking Network Protocols
James Forshaw · 2017
James Forshaw, Project Zero veteran, on how to capture, parse, and break protocols from the wire up to the application layer, with a strong focus on building reusable analysis tooling.
Advanced · Networking · Protocol Analysis
Black Hat Bash
Nick Aleks, Dolev Farhi · 2024
Nick Aleks and Dolev Farhi on getting offensive work done with the shell: privilege escalation tooling, lateral movement, and pipelining bash with the rest of the toolkit.
Intermediate · Offensive · Tooling
Black Hat Go
Tom Steele, Chris Patten, Dan Kottmann · 2020
Tom Steele, Chris Patten, and Dan Kottmann show how to use Go's networking primitives, concurrency model, and cross-compilation to write offensive tooling that runs almost anywhere.
Intermediate · Offensive · Tooling
Black Hat GraphQL
Nick Aleks, Dolev Farhi · 2023
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate · Web Security · AppSec
Black Hat Python
Justin Seitz, Tim Arnold · 2021
Justin Seitz and Tim Arnold's hands-on tour of writing offensive tooling in Python: network sniffers, web scrapers, GitHub-based command-and-control, screen capture, keylogging, and Volatility extensions.
Intermediate · Offensive · Tooling
Bug Bounty Bootcamp
Vickie Li · 2021
Vickie Li's pragmatic walk through the bug-bounty workflow, from picking a program and recon to reporting findings that actually pay out.
Beginner · Web Security · Bug Bounty
Building Secure and Reliable Systems
Heather Adkins, Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, Adam Stubblefield · 2020
Google's site-reliability and security teams jointly write down what it actually takes to build systems that are both safe and dependable, from threat models and design reviews to rollback culture and crisis response.
Advanced · Security Architecture · Defensive