Books
Cybersecurity books, reviewed honestly.
Reviews aimed at the people who actually have to learn something from these books: engineers, defenders, students. Each entry says who it's for, who it isn't, and what to read alongside it.

The Pragmatic Programmer
David Thomas, Andrew Hunt · 2019
Thomas and Hunt's career-defining set of practical heuristics for writing software professionally — orthogonality, broken-windows, DRY, tracer bullets, and the underlying argument that craftsmanship is a posture, not a process.
Beginner · Software Engineering · Career

The Shellcoder's Handbook
Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte · 2007
A foundational text on memory-corruption exploitation across Linux, Windows, Solaris and embedded targets. Written before ASLR, DEP/NX and stack canaries were on by default everywhere, so much of it assumes a target the modern toolchain no longer ships; still the canonical introduction to the techniques those mitigations exist to defeat.
Advanced · Offensive · Binary Exploitation

The Tangled Web
Michal Zalewski · 2011
The deepest treatment in print of the strange, accreted security model of the web browser: URL and HTTP parsing quirks, the same-origin policy and its many exceptions, content sniffing, and the script-injection surface that all of this leaves behind.
Advanced · Web Security · Browser Internals

The Web Application Hacker's Handbook
Dafydd Stuttard, Marcus Pinto · 2011
The exhaustive reference for web application pentesting: comprehensive on the classic server-rendered attack surface, but with no new edition since 2011 it is increasingly a historical document.
Intermediate · Web Security · Offensive

This Is How They Tell Me the World Ends
Nicole Perlroth · 2021
Nicole Perlroth's reporting on the global zero-day market: how exploits get bought, by whom, and how the gray-then-black market shapes which vulnerabilities get fixed and which get hoarded.
Beginner · Vulnerability Research · Geopolitics

Threat Modeling
Adam Shostack · 2014
Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.
Intermediate · Threat Modeling · Defensive

Tracers in the Dark
Andy Greenberg · 2022
Andy Greenberg's investigative narrative of how Bitcoin's supposedly anonymous (in fact merely pseudonymous) public ledger became, in the hands of researchers and federal investigators, one of the most powerful open-source investigative tools of the last decade.
Beginner · Cybercrime · Cryptocurrency

Tribe of Hackers
Marcus J. Carey, Jennifer Jin · 2019
An interview anthology of practitioners answering the same set of career and craft questions; useful as a wide-angle view of how working security people actually think about the field.
Beginner · Career · Culture

We Are Anonymous
Parmy Olson · 2012
Parmy Olson's reconstruction of LulzSec, AntiSec, and the early-2010s Anonymous moment — the chat logs, the infighting, the Sabu turn, and the FBI takedown that ended the era.
Beginner · Narrative · Hacktivism

Web Security for Developers
Malcolm McDonald · 2020
Malcolm McDonald's developer-side primer on the OWASP-class issues, framed around real attacks and defended with code patterns rather than vendor products.
Beginner · Web Security · Defensive

Windows Internals, Part 1
Pavel Yosifovich, Alex Ionescu, Mark Russinovich, David Solomon · 2017
The canonical Microsoft Press reference on Windows internals: how processes, threads, memory and system services are actually implemented in the modern Windows kernel. This volume (7th edition) covers system architecture, processes and jobs, threads, memory management, the I/O system and the security subsystem; the remaining kernel components are left to Part 2.
Advanced · Windows Internals · Operating Systems

Zero Trust Networks
Evan Gilman, Doug Barth · 2017
Evan Gilman and Doug Barth's pre-marketing-bubble treatment of zero-trust architecture — what it is when you actually implement it (trust evaluation, device identity, dynamic policy) versus what the vendor pitch turned it into.
Intermediate · Networking · Architecture