Reference Books on Computer Security, Internet Security, and Applied Cryptography.

The names used for subdisciplines related to computer security vary, and are often conflated. As a general roadmap, common subdisciplines are (representative topics are listed in brackets): computer security (access control, remote access, user authentication, OS security, isolation); applied cryptography (encryption, digital signatures, hash functions, key management protocols); networking security (firewalls, intrusion detection, networking protocols); software security (buffer overflows, web and browser security); malware (worms, viruses, botnets, ransomware). The term "network security" (in the 1990 sense) often signals a largely cryptography-centered focus on securing communications data, in contrast to software security or networking security as just noted. The term "information security" when used by researchers often signals a cryptography-centered view of security (with focus on securing data), but among practitioners may be a synonym for "information systems security" (spanning data, software, computer and communication systems, and business assets). -pvo

Below are some resources that security students may find helpful. They are grouped by rough category.

Print vs digital books...pros and cons (ACM Inroads, March 2014)
    Computer security (often including overviews of network security, and cryptography):

  1. new P.C. van Oorschot, Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin (2021, 2/e; Springer). Personal use copy openly available on author's web site.
  2. Wenliang Du, Computer Security: A Hands-on Approach (2017, self-published). Updated May 2019.
  3. Stallings and Brown, Computer Security: Principles and Practice (2014, 3/e; Prentice Hall).
  4. Dieter Gollmann, Computer Security (2011, 3/e; Wiley).
  5. Smith, Elementary Information Security (2011, Jones & Bartlett Learning).
  6. Mark Stamp, Information Security: Principles and Practice (2011, 2/e; Wiley).
  7. Goodrich and Tamassia, Introduction to Computer Security (2010, Addison-Wesley).
  8. Smith and Marchesini, The Craft of System Security (2007, Addison-Wesley).
  9. Pfleeger and Pfleeger, Security in Computing (2007, 4/e; Prentice Hall).
  10. Matt Bishop, Computer Security: Art and Science (2002, Addison-Wesley). Shorter version "omits much of the mathematical formalism": Introduction to Computer Security (2005, Addison-Wesley).

    Firewalls and network (Internet) security:

  11. Zwicky, Cooper, Chapman Building Internet Firewalls (2000, 2/e; O'Reilly).
  12. Cheswick and Bellovin, Firewalls and Internet Security (1994, 1/e, openly available online; Addison-Wesley). Second edition with Rubin (Feb.2003).
  13. Boyle and Panko, Corporate Computer Security (2013, 3/e; Prentice Hall). See also: Panko, Corporate Computer and Network Security (2009, 2/e; Prentice Hall).

    Applied cryptography and "network security" (meaning here: cryptography-focused):

  14. Menezes, van Oorschot and Vanstone, Handbook of Applied Cryptography (1996, CRC Press), openly available online for personal use.
  15. Keith M. Martin, Everyday Cryptography (2017, 2/e; Oxford University Press).
  16. David Wong, Real-World Cryptography (2021, Manning).
  17. Kaufman, Perlman and Speciner, Network Security: Private Communications in a Public World (2003, 2/e; Prentice Hall).
  18. William Stallings, Cryptography and Network Security: Principles and Practice (2010, 2/e; Prentice Hall). Relative to this book's 4th edition, the network security components and an extra chapter on SNMP are also packaged as Stallings' Network Security Essentials: Applications and Standards (2007, 3/e; Prentice Hall).

    Review of 10 cryptography books (plus background introduction), Susan Landau. Bull. Amer. Math. Soc. 41 (2004), pp.357-367.

    Quantum Computing (and its potential impact on cryptography):

  19. Quantum Computing: Progress and Prospects (2019, National Academies Press, US). US National Academies of Sciences, Engineering, and Medicine.
  20. The Quantum Hype Bubble is About to Burst (20min video, 2023). Why to be skeptical about quantum computers, by theoretical physicist Sabine Hossenfelder.
  21. Quantum computing for the very curious. Andy Matuschak and Michael Nielsen, online.

    Bitcoin and cryptocurrencies:

  22. "Bitcoin, Blockchains and Ethereum" (P. van Oorschot), Chapter 13 in: Computer Security and the Internet: Tools and Jewels (2021, 2/e; Springer).
  23. Narayanan et al., Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction (2016, Princeton University Press). Pre-publication PDF available from the author's home page.
  24. Andreas M. Antonopoulos, Mastering Bitcoin: Unlocking Digital Cryptocurrencies (2017, 2/e; O'Reilly). First edition (Dec. 2014) openly available online.

    Operating systems security:

  25. Trent Jaeger, Operating System Security (2008, Morgan and Claypool).
  26. Saltzer and Kaashoek, Principles of Computer System Design (2009, Morgan Kaufmann). Open online chapters include (pdf) Ch.11: Information Security.
  27. Morrie Gasser, Building a Secure Computer System (1988, Van Nostrand Reinhold). PDF online. Recommended for security kernels; a definitive early treatment of computer systems security.
  28. (openly available book for OS background) Operating Systems: Three Easy Pieces, Arpaci-Dusseau and Arpaci-Dusseau, 2018 (v1.0)

    Software security:

  29. Mark Dowd, John McDonald, Justin Schuh, The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (2007, Addison-Wesley).
  30. Mathias Payer. Software Security: Principles, Policies, and Protection. July 2021 (version 0.37), updated regularly at this link.
  31. P. van Oorschot. "Memory errors and memory safety" (2023 extended notes; see also COMP 5407).
  32. Viega and McGraw, Building Secure Software (2001, Addison-Wesley).
  33. Howard and LeBlanc, Writing Secure Code, second edition (2002, Microsoft Press).

    Web security, mobile code security, malicious code:

  34. Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications (2011, No Starch Press).
  35. OWASP project online resources.
  36. McGraw and Felton, Securing Java: Getting Down to Business with Mobile Code (1999, Wiley). First edition (1997): Java Security, open online web edition.
  37. Lincoln Stein, Web Security: A Step-By-Step Reference Guide (1998, Addison-Wesley).
  38. Rubin, Geer and Ranum, Web Security Sourcebook: A Complete Guide to Web Security Threats and Solutions (1997, Wiley).
  39. Avi Rubin, White-Hat Security Arsenal (2001, Addison-Wesley).

    Security in real-life systems (including anecdotes):

  40. Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems (2008, 2/e; Wiley). The first edition (2001) is openly available online.
  41. Bruce Schneier. Secrets and Lies: Digital Security in a Networked World (2000, Wiley).

    Security infrastructures and digital signatures:

  42. Adams and Lloyd, Understanding Public-Key Infrastructure (2002, 2/e; Macmillan Technical).
  43. Housley and Polk, Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructures (2001, Wiley).

    Rust (a systems-level programming language designed with inherent "memory safety" features):

  44. Steve Klabnik, Carol Nichols. The Rust Programming Language (covers Rust 2018). Free online; hard copy from No Starch Press, 2019.
  45. Ballo, Ballo, James. High Assurance Rust: Developing Secure and Robust Software, 2022 (in progress). Free online.
  46. The Rust Reference (draft, in progress). Includes informal description of Rust constructs and their use; memory and concurrency models; motivations/influences for language features. Free online.
  47. The Rustonomicon: The Dark Arts of Unsafe Rust (draft with ongoing updates). Guidance for unsafe Rust (and related background of general use). Free online.
  48. Wikipedia overview of Rust (programming language).
Miscellaneous resources and advice: Updated: Apr 2024