Reference Books on Computer Security, Internet Security, and Applied Cryptography.
The names used for subdisciplines related to computer security vary, and are often conflated.
As a general roadmap, common subdisciplines are (representative topics are listed in brackets):
computer security (access control, remote access, user authentication, OS security, isolation);
applied cryptography (encryption, digital signatures, hash functions, key management protocols);
networking security (firewalls, intrusion detection, networking protocols);
software security (buffer overflows, web and browser security);
malware (worms, viruses, botnets, ransomware).
The term "network security" (in the 1990s sense) often signals a
largely cryptography-centered focus on securing communications data,
in contrast to software security or networking security as just noted.
The term "information security" when used by researchers often signals a cryptography-centered
view of security (with focus on securing data), but among practitioners may be
a synonym for "information systems security" (spanning data, software,
computer and communication systems, and business assets).
-pvo
Below are some resources that security students may find helpful.
They are grouped by rough category.
Computer security (often including overviews of network security, and cryptography):
- (new) P.C. van Oorschot, Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin (2021, 2/e; Springer). Personal use copy openly available on author's web site.
- Wenliang Du, Computer Security: A Hands-on Approach (2017, self-published). Updated May 2019.
- Stallings and Brown, Computer Security: Principles and Practice (2014, 3/e; Prentice Hall).
- Dieter Gollmann, Computer Security (2011, 3/e; Wiley).
- Smith, Elementary Information Security (2011, Jones & Bartlett Learning).
- Mark Stamp, Information Security: Principles and Practice (2011, 2/e; Wiley).
- Goodrich and Tamassia, Introduction to Computer Security (2010, Addison-Wesley).
- Smith and Marchesini, The Craft of System Security (2007, Addison-Wesley).
- Pfleeger and Pfleeger, Security in Computing (2007, 4/e; Prentice Hall).
- Matt Bishop, Computer Security: Art and Science (2002, Addison-Wesley). Shorter version "omits much of the mathematical formalism": Introduction to Computer Security (2005, Addison-Wesley).
Firewalls and network (Internet) security:
- Zwicky, Cooper and Chapman, Building Internet Firewalls (2000, 2/e; O'Reilly).
- Cheswick and Bellovin, Firewalls and Internet Security (1994, 1/e, openly available online; Addison-Wesley). Second edition with Rubin (Feb. 2003).
- Boyle and Panko, Corporate Computer Security (2013, 3/e; Prentice Hall). See also: Panko, Corporate Computer and Network Security (2009, 2/e; Prentice Hall).
Applied cryptography and "network security" (meaning here: cryptography-focused):
- Menezes, van Oorschot and Vanstone, Handbook of Applied Cryptography (1996, CRC Press), openly available online for personal use.
- Keith M. Martin, Everyday Cryptography (2017, 2/e; Oxford University Press).
- David Wong, Real-World Cryptography (2021, Manning).
- Kaufman, Perlman and Speciner, Network Security: Private Communications in a Public World (2003, 2/e; Prentice Hall).
- William Stallings, Cryptography and Network Security: Principles and Practice (2010, 2/e; Prentice Hall). Relative to this book's 4th edition, the network security components and an extra chapter on SNMP are also packaged as Stallings' Network Security Essentials: Applications and Standards (2007, 3/e; Prentice Hall).
Quantum Computing (and its potential impact on cryptography):
- US National Academies of Sciences, Engineering, and Medicine, Quantum Computing: Progress and Prospects (2019, National Academies Press, US).
- Andy Matuschak and Michael Nielsen, Quantum Computing for the Very Curious. Online.
Bitcoin and cryptocurrencies:
- (self-contained book chapter) van Oorschot, "Chapter 13: Bitcoin, Blockchains and Ethereum" in Computer Security and the Internet: Tools and Jewels (2021, 2/e; Springer).
- Narayanan et al., Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction (2016, Princeton University Press). Pre-publication PDF available from the author's home page.
- Andreas M. Antonopoulos, Mastering Bitcoin: Unlocking Digital Cryptocurrencies (2017, 2/e; O'Reilly). First edition (Dec. 2014) openly available online.
Operating systems security:
- Trent Jaeger, Operating System Security (2008, Morgan and Claypool).
- Saltzer and Kaashoek, Principles of Computer System Design (2009, Morgan Kaufmann). Open online chapters include Ch. 11: Information Security (pdf).
- Morrie Gasser, Building a Secure Computer System (1988, Van Nostrand Reinhold). PDF online. Recommended for security kernels; a definitive early treatment of computer systems security.
- (openly available book for OS background) Arpaci-Dusseau and Arpaci-Dusseau, Operating Systems: Three Easy Pieces (2018, v1.0).
Software security:
- Mark Dowd, John McDonald and Justin Schuh, The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (2007, Addison-Wesley).
- Mathias Payer, Software Security: Principles, Policies, and Protection. July 2021 (version 0.37), updated regularly online.
- P. van Oorschot, "Memory errors and memory safety" (2023 extended notes; see also COMP 5407).
- Viega and McGraw, Building Secure Software (2001, Addison-Wesley).
- Howard and LeBlanc, Writing Secure Code (2002, 2/e; Microsoft Press).
Web security, mobile code security, malicious code:
- Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications (2011, No Starch Press).
- OWASP project online resources.
- McGraw and Felten, Securing Java: Getting Down to Business with Mobile Code (1999, Wiley). First edition (1997): Java Security, open online web edition.
- Lincoln Stein, Web Security: A Step-By-Step Reference Guide (1998, Addison-Wesley).
- Rubin, Geer and Ranum, Web Security Sourcebook: A Complete Guide to Web Security Threats and Solutions (1997, Wiley).
- Avi Rubin, White-Hat Security Arsenal (2001, Addison-Wesley).
Security in real-life systems (including anecdotes):
- Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems (2008, 2/e; Wiley). The first edition (2001) is openly available online.
- Bruce Schneier, Secrets and Lies: Digital Security in a Networked World (2000, Wiley).
Security infrastructures and digital signatures:
- Adams and Lloyd, Understanding Public-Key Infrastructure (2002, 2/e; Macmillan Technical).
- Housley and Polk, Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructures (2001, Wiley).
Rust (a systems-level programming language designed with inherent "memory safety" features):
- Steve Klabnik and Carol Nichols, The Rust Programming Language (covers Rust 2018). Free online; hard copy from No Starch Press, 2019.
- Ballo, Ballo and James, High Assurance Rust: Developing Secure and Robust Software, 2022 (in progress). Free online.
- The Rust Reference (draft, in progress). Includes informal description of Rust constructs and their use; memory and concurrency models; motivations/influences for language features. Free online.
- The Rustonomicon: The Dark Arts of Unsafe Rust (draft with ongoing updates). Guidance for unsafe Rust (and related background of general use). Free online.
- Wikipedia overview of Rust (programming language).
Miscellaneous resources and advice:
- You and Your Research (advice from R.W. Hamming)
- The Mistrust of Science (Caltech 2016 commencement address, Atul Gawande)
- Heilmeier's Catechism (seven questions towards effective research)
- Bloom's Taxonomy (model categorizing objectives for learning, and use of knowledge)
- Networking: A Guide to Professional Skills for PhD Students (Phil Agre). Explains many secrets about the research world and how the real people in it operate.
- Print vs. digital books: pros and cons (ACM Inroads, March 2014)
- IEEE Security & Privacy magazine tables of contents (since Jan. 2003)
- Review of 10 cryptography books (plus background introduction), Susan Landau. Bull. Amer. Math. Soc. 41 (2004), pp. 357-367.
- (classic security paper) J.H. Saltzer and M.D. Schroeder, The Protection of Information in Computer Systems. Proc. IEEE 63(9):1278-1308 (Sept. 1975). DOI: 10.1109/PROC.1975.9939. Web version available.
- DoD Orange Book (1985)
- Early papers in computer security (thanks to Matt Bishop; see also NIST page)
- Educational comic strips teaching about password guessing attacks (thanks to Leah Zhang at Carleton)
- The Limits of Formal Security Models (Dorothy Denning, NCSS Award Speech, Oct. 18, 1999)
- Calling out security researchers who study non-problems (a fun piece by James Mickens, MSR)
- List of systematization (SoK) papers (compiled by David Evans)
- Top-cited papers from top-tier security conferences
- Michal Zalewski's homepage (Tangled Web, Silence on the Wire, Practical Doomsday, p0f v3, AFL fuzzer/American Fuzzy Lop)
- CHERI architecture overview
- Math ability: a gift, or developed by effort? (2006 study exploring females in STEM). Another study involving young men of colour recommends demographic-specific messaging.
- Where Meta (Facebook) thinks their metaverse future is, as explained by Marques Brownlee (MKBHD)
- Collection of papers for Roger Needham, who passed 28 Feb 2003; informal memoir
- James P. Anderson (in memory of his passing on 18 Nov 2007)
Updated: Apr 2023