Reference Books on Computer Security, Internet Security, and Applied Cryptography.
The names used for subdisciplines related to computer security vary, and are often conflated.
As a general roadmap, common subdisciplines are (representative topics are listed in brackets):
computer security (access control, remote access, user authentication, OS security, isolation);
applied cryptography (encryption, digital signatures, hash functions, key management protocols);
networking security (firewalls, intrusion detection, networking protocols);
software security (buffer overflows, web and browser security);
malware (worms, viruses, botnets, ransomware).
The term "network security" (in the 1990s sense) often signals a largely cryptography-centered focus on securing communications data, in contrast to software security or networking security as just noted.
The term "information security" when used by researchers often signals a cryptography-centered view of security (with a focus on securing data), but among practitioners may be a synonym for "information systems security" (spanning data, software, computer and communication systems, and business assets).
-pvo
Below are some resources that security students may find helpful.
They are grouped by rough category.
Print vs. digital books: pros and cons (ACM Inroads, March 2014).
Computer security (often including overviews of network security, and cryptography):
- P.C. van Oorschot, Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin (2021, 2/e; Springer). Personal-use copy openly available on the author's web site.
- Wenliang Du, Computer Security: A Hands-on Approach (2017, self-published). Updated May 2019.
- Stallings and Brown, Computer Security: Principles and Practice (2014, 3/e; Prentice Hall).
- Dieter Gollmann, Computer Security (2011, 3/e; Wiley).
- Smith, Elementary Information Security (2011, Jones & Bartlett Learning).
- Mark Stamp, Information Security: Principles and Practice (2011, 2/e; Wiley).
- Goodrich and Tamassia, Introduction to Computer Security (2010, Addison-Wesley).
- Smith and Marchesini, The Craft of System Security (2007, Addison-Wesley).
- Pfleeger and Pfleeger, Security in Computing (2007, 4/e; Prentice Hall).
- Matt Bishop, Computer Security: Art and Science (2002, Addison-Wesley).
  Shorter version, which "omits much of the mathematical formalism": Introduction to Computer Security (2005, Addison-Wesley).
Firewalls and network (Internet) security:
- Zwicky, Cooper and Chapman, Building Internet Firewalls (2000, 2/e; O'Reilly).
- Cheswick and Bellovin, Firewalls and Internet Security (1994, 1/e, openly available online; Addison-Wesley).
  Second edition with Rubin (Feb. 2003).
- Boyle and Panko, Corporate Computer Security (2013, 3/e; Prentice Hall).
  See also: Panko, Corporate Computer and Network Security (2009, 2/e; Prentice Hall).
Applied cryptography and "network security" (meaning here: cryptography-focused):
- Menezes, van Oorschot and Vanstone, Handbook of Applied Cryptography (1996, CRC Press), openly available online for personal use.
- Keith M. Martin, Everyday Cryptography (2017, 2/e; Oxford University Press).
- David Wong, Real-World Cryptography (2021, Manning).
- Kaufman, Perlman and Speciner, Network Security: Private Communications in a Public World (2003, 2/e; Prentice Hall).
- William Stallings, Cryptography and Network Security: Principles and Practice (2010, 2/e; Prentice Hall).
  Relative to this book's 4th edition, the network security components and an extra chapter on SNMP are also packaged as Stallings' Network Security Essentials: Applications and Standards (2007, 3/e; Prentice Hall).
Review of 10 cryptography books (plus background introduction): Susan Landau, Bull. Amer. Math. Soc. 41 (2004), pp. 357-367.
Quantum Computing (and its potential impact on cryptography):
- Quantum Computing: Progress and Prospects (2019, National Academies Press, US). US National Academies of Sciences, Engineering, and Medicine.
- The Quantum Hype Bubble is About to Burst (20-minute video, 2023). Why to be skeptical about quantum computers, by theoretical physicist Sabine Hossenfelder.
- Quantum Computing for the Very Curious. Andy Matuschak and Michael Nielsen, online.
Bitcoin and cryptocurrencies:
- "Bitcoin, Blockchains and Ethereum" (P. van Oorschot), Chapter 13 in: Computer Security and the Internet: Tools and Jewels (2021, 2/e; Springer).
- Narayanan et al., Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction (2016, Princeton University Press). Pre-publication PDF available from the authors' home page.
- Andreas M. Antonopoulos, Mastering Bitcoin: Unlocking Digital Cryptocurrencies (2017, 2/e; O'Reilly). First edition (Dec. 2014) openly available online.
Operating systems security:
- Trent Jaeger, Operating System Security (2008, Morgan and Claypool).
- Saltzer and Kaashoek, Principles of Computer System Design (2009, Morgan Kaufmann). Open online chapters include Ch. 11: Information Security (PDF).
- Morrie Gasser, Building a Secure Computer System (1988, Van Nostrand Reinhold). PDF online.
  Recommended for security kernels; a definitive early treatment of computer systems security.
- (Openly available book for OS background) Arpaci-Dusseau and Arpaci-Dusseau, Operating Systems: Three Easy Pieces (2018, v1.0).
Software security:
- Mark Dowd, John McDonald and Justin Schuh, The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (2007, Addison-Wesley).
- Mathias Payer, Software Security: Principles, Policies, and Protection. July 2021 (version 0.37), updated regularly online.
- P. van Oorschot, "Memory errors and memory safety" (2023 extended notes; see also COMP 5407).
- Viega and McGraw, Building Secure Software (2001, Addison-Wesley).
- Howard and LeBlanc, Writing Secure Code, second edition (2002, Microsoft Press).
Web security, mobile code security, malicious code:
- Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications (2011, No Starch Press).
- OWASP project online resources.
- McGraw and Felten, Securing Java: Getting Down to Business with Mobile Code (1999, Wiley). First edition (1997): Java Security, open online web edition.
- Lincoln Stein, Web Security: A Step-by-Step Reference Guide (1998, Addison-Wesley).
- Rubin, Geer and Ranum, Web Security Sourcebook: A Complete Guide to Web Security Threats and Solutions (1997, Wiley).
- Avi Rubin, White-Hat Security Arsenal (2001, Addison-Wesley).
Security in real-life systems (including anecdotes):
- Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems (2008, 2/e; Wiley). The first edition (2001) is openly available online.
- Bruce Schneier, Secrets and Lies: Digital Security in a Networked World (2000, Wiley).
Security infrastructures and digital signatures:
- Adams and Lloyd, Understanding Public-Key Infrastructure (2002, 2/e; Macmillan Technical).
- Housley and Polk, Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructures (2001, Wiley).
Rust (a systems-level programming language designed with inherent "memory safety" features):
- Steve Klabnik and Carol Nichols, The Rust Programming Language (covers Rust 2018). Free online; hard copy from No Starch Press, 2019.
- Ballo, Ballo and James, High Assurance Rust: Developing Secure and Robust Software, 2022 (in progress). Free online.
- The Rust Reference (draft, in progress). Includes an informal description of Rust constructs and their use; memory and concurrency models; motivations/influences for language features. Free online.
- The Rustonomicon: The Dark Arts of Unsafe Rust (draft with ongoing updates). Guidance for unsafe Rust (and related background of general use). Free online.
- Wikipedia overview of Rust (programming language).
Miscellaneous resources and advice:
Updated: Apr 2024