├── CONTRIBUTING.md
└── README.md

/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing

I welcome suggestions for additions to this reading list; please [open an issue on GitHub](https://github.com/jacobian/infosec-engineering/issues) to suggest additions. Please feel free to suggest ideas or areas that you'd like to see a resource for, as well as specific reading suggestions.

Note that I'm only including material that I've read personally (and found useful), so it might take some time until I get around to reading your suggestions (especially true of books).

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# InfoSec Engineering Reading List

A reading list for InfoSec engineers.

This is *my* list, not a definitive one; that is, these are resources I've found useful. As such it has some biases:

- It's oriented towards providers of Software-, Platform-, and Infrastructure-as-a-Service.
- It tends to focus on the human factors aspects of security practice (there's deeply technical stuff too, just not as much).
- There's some random stuff that's not explicitly "about infosec", but that I've nonetheless found extremely useful in thinking about infosec. Dekker's *Field Guide to Understanding 'Human Error'* is a good example of this kind of resource.

Stars :star: indicate especially good "starting point" resources - things to read first as an introduction to the topic.

[Suggestions are welcome!](CONTRIBUTING.md)

*[This list is inspired by Mark McGranaghan's [Services Engineering Reading List](https://github.com/mmcgrana/services-engineering/), which is super-great. Thanks for the list, and the inspiration, Mark!]*

## Books

* [The Art of Software Security Assessment](https://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426) (Dowd, McDonald, Schuh)
* [Bulletproof SSL and TLS](https://www.feistyduck.com/books/bulletproof-ssl-and-tls/) (Ristić)
* [Crypto 101](https://www.crypto101.io/) (lvh) :star:
* [The Field Guide to Understanding 'Human Error'](http://amazon.com/dp/1472439058) (Dekker)
* [How To Measure Anything in Cybersecurity Risk](https://www.amazon.com/How-Measure-Anything-Cybersecurity-Risk/dp/1119085292/) (Hubbard and Seiersen)
* [The New School of Information Security](http://amazon.com/dp/0321502787) (Shostack and Stewart)
* [The Security Development Lifecycle](https://blogs.msdn.microsoft.com/microsoft_press/2016/04/19/free-ebook-the-security-development-lifecycle/) (Howard and Lipner)
* [The Tangled Web](http://amazon.com/dp/1593273886) (Zalewski) :star:
* [The Web Application Hacker's Handbook](http://amazon.com/dp/8126533404) (Stuttard)
* [Security Engineering](https://www.cl.cam.ac.uk/~rja14/book.html) (Anderson)
* [Threat Modeling: Designing for Security](http://amazon.com/dp/1118809998) (Shostack)

## Blog posts

* [A Tale of Security Gone Wrong](http://gavinmiller.io/2016/a-tale-of-security-gone-wrong/) (Miller)
* [Anatomy of a Crypto Vulnerability](https://alexgaynor.net/2016/mar/14/anatomy-of-a-crypto-vulnerability/) (Gaynor)
* [Bounty Launch Lessons](https://medium.com/starting-up-security/bounty-launch-lessons-c7c3be3f5b#.1hbi9xp4n) (McGeehan and Honeywell)
* [Building a Let's Encrypt client from scratch](https://github.com/alexpeattie/letsencrypt-fromscratch) (Peattie)
* [Cryptographic Right Answers](http://latacora.singles/2018/04/03/cryptographic-right-answers.html) (Latacora) :star:
* [HTTPS is Hard](https://blog.yell.com/2016/03/https-is-hard/) (Workman)
* [Learning From A Year Of Security Breaches](https://medium.com/starting-up-security/learning-from-a-year-of-security-breaches-ed036ea05d9b) (McGeehan) :star:
* [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) (PagerDuty) :star:
* [Security Breach 101](https://medium.com/starting-up-security/security-breach-101-b0f7897c027c) and [Security Breach 102](https://medium.com/starting-up-security/security-breach-102-d5fc88c5660f) (McGeehan) :star:
* [Security Engineering as Caring-For](https://noncombatant.org/2016/03/27/security-as-caring-for/) (Palmer)
* [What Werewolf teaches us about Trust & Security](https://eaves.ca/2013/11/07/what-werewolf-teaches-us-about-trust-security/) (Eaves)
* Who Fixes That Bug: [Part One: Them!](https://medium.com/starting-up-security/who-fixes-that-bug-d44f9a7939f2), [Part Two: Us!](https://medium.com/starting-up-security/who-fixes-that-bug-f17d48443e21) (McGeehan)

## Papers

* [2016 Data Breach Investigation Report](http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/insiders/) (Verizon Enterprise) - see also previous years: [2015](http://www.verizonenterprise.com/DBIR/2015/), [2014](http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf), [2013](http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf), [2012](http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf), [2011](http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf), [2010](http://www.verizonenterprise.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf), [2009](http://www.verizonenterprise.com/resources/security/reports/2009_databreach_rp.pdf), [2008](http://www.verizonenterprise.com/resources/security/databreachreport.pdf).
* [BeyondCorp: A New Approach to Enterprise Security](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf) (Ward, Beyer)
* [Doomed to Repeat History? Lessons from the Crypto Wars of the 1990s](https://static.newamerica.org/attachments/3407-doomed-to-repeat-history-lessons-from-the-crypto-wars-of-the-1990s/Crypto%20Wars_ReDo.7cb491837ac541709797bdf868d37f52.pdf) (Kehl, Wilson, and Bankston)
* [Practical Security Stories and Security Tasks for Agile Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf) (SAFECode)
* [Security for Startups: The Affordable Ten-Step Plan for Survival in Cyberspace](http://www.clearslide.com/view/mail?iID=4N4CK3RAZ62TSQ8FTVJV) (Cowan)
* [The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis](http://cs.unc.edu/~fabian/papers/PasswordExpire.pdf) (Zhang, Monrose, and Reiter)
* [Smashing The Stack For Fun And Profit](http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf) (Aleph One)

## Video

* [Crypto 101](https://www.youtube.com/watch?v=3rmCGsCYJF8) (Van Houtven)
* [Lessons Learned While Protecting Gmail](https://www.youtube.com/watch?v=nkV9kOsTyJU) (Bursztein)
* [Web Security Fundamentals](https://info.varonis.com/web-security-fundamentals) (Hunt)
--------------------------------------------------------------------------------