5 (Software) Security Books That Every (Software) Developer Should Read
Are you a developer interested in learning more about cybersecurity techniques? Check out this list of great books that will teach you all you need to know.
I must admit that I went with this title because it is a little bit catchy, but a better title would have been, "5 software security books that every developer should be aware of." Depending on your interests, you might want to read all of these books, or you could just know that they exist. There must be tons of software security books on the market, but this is my short list of books about software security that I think every developer who is interested in software security should be aware of.
Hacking: The Art of Exploitation
This book explains the basics of different hacking techniques, especially non-web hacking techniques: how to find (and defend against) vulnerabilities like buffer overflows or stack-based buffer overflows, how to write shellcode, some basic concepts of cryptography and attacks linked to cryptography, like a Man-in-the-Middle attack on an SSL connection. The author tried to make the text easy for non-technical people, but some programming experience is required (ideally C/C++) in order to get the most out of this book.
Iron-Clad Java: Building Secure Web Applications
This book presents hacking techniques and countermeasures for web applications. You can see this book as complementary to the previous one: the first one covers the non-web hacking techniques, while this one covers (only) web hacking techniques, such as XSS, CSRF, how to protect data at rest, SQL injection, and other types of injection attacks. In order to get the most out of the book, some Java knowledge is required.
Software Security: Building Security In
This book explains how to introduce security into the SDLC: how to introduce abuse cases and security requirements in the requirements phase, and how to introduce risk analysis (also known as Threat Modeling) in the design phase and the software qualification phase. I really think that each software developer should at least read the first chapter of the book, where the authors explain why the old way of securing applications (seeing software applications as "black boxes" that can be protected using firewalls and IDS/IPS) cannot work anymore in today's software landscape.
The Tangled Web: A Guide to Securing Modern Web Applications
This is another technical book about security in which you will not see a single line of code (Software Security: Building Security In is another one), but it is highly instructive, especially if you are a web developer. The book presents all the "bricks" of the internet: HTTP, WWW, HTML, cookies, scripting languages, how these bricks are implemented in different browsers, and especially how the browsers implement security mechanisms against rogue applications.
Threat Modeling: Designing for Security
Threat modeling techniques (also known as Architectural Risk Analysis) have been around for some time, but what has changed in the past few years is the accessibility of these techniques to software developers. This book is one of the reasons why threat modeling is accessible to developers. The book is very dense, but it assumes that you have no prior knowledge of the subject. If you are interested in the threat modeling topic, you can check this post: threat modeling for mere mortals.
Published at DZone with permission of Adrian CITU, DZone MVB. See the original article here.