I have been asked a few times over the years for a good reading list of cybersecurity books and references for learning more about the different aspects of the Information Security field. I decided to document this list here so it can be used by a broader public. There are some really nice books in here which I would recommend to everyone, from pentesters to CEOs, by way of incident responders and lawyers.
Note: I used “Cybersecurity books” just so I get good SEO results. To know why, you can read my post Information Security Synonyms.
I will start by providing general cybersecurity books that cover a large portion of the different subjects in the InfoSec field. Then I will provide some field-specific books and references (like crypto, incident response, etc.). I will update this post as I discover more books and resources, so keep it in your browser favorites so you can come back from time to time to see if the list is updated!
General Cybersecurity Books and References
The following books cover most aspects of the InfoSec field. I would recommend that anyone keep them handy and refer to them when needed.
This is one of my favorite books. I always have it close to me in case I need to go back to find a reference or an explanation. This book covers the basics of pretty much all aspects of the InfoSec field and is an excellent book to use when starting a security program. Even for well-established programs, it’s good to go back to it to confirm we didn’t forget anything. It also provides some useful tips on some widely used technologies (like Microsoft’s Windows Infrastructure). This book is well written and lightweight (but complete), making it an ideal reference to keep handy.
This book is probably the best-known book in the InfoSec world. This is because this is the InfoSec CBK used for the CISSP exam. This book of around 1000 pages is the bible of the InfoSec world. It covers all aspects of the field from the base up to an advanced level. You won’t go into the details as a white paper would and you won’t gain a doctorate level understanding of a field, but you will learn a lot of things on all the subjects. So with this book, you will have a good understanding of all aspects of InfoSec. The CISSP certification is often a requirement for some jobs so it’s definitely useful.
This one is for my French-speaking peers so I’ll explain the following in French. It is an excellent book, accessible to everyone, yet one from which even experts learn things! I recommend it to everyone as light reading. It covers all sorts of topics related to information security and good practices to adopt online. It also covers related topics such as the “dark net”, how to shop securely online, the types of surveillance that various groups carry out, etc.
The Computerphile YouTube channel is a channel I really like. They are able to simplify complex concepts and they often talk about security subjects. I recommend it to everyone!
Field Specific Books and References
The cryptopals crypto challenges website offers challenges to learn how cryptography works with practice. They start from the very basics with things like “Convert hex to base64”, “Fixed XOR [encryption]”, “Single-byte XOR cipher [encryption]” and eventually cover advanced subjects like RSA, Diffie-Hellman, SHA, AES, etc.
The Introduction to Cryptography by Christof Paar YouTube channel is a really interesting channel. It’s a channel where an actual university class is filmed and then put on YouTube. We can see the professor give his course and students ask questions. Because of this, the content is of really high quality! The videos are long and we have the chance to cover a subject in great depth. It is from this channel that I learned how many algorithms work, like AES. I highly recommend it to anyone interested in learning how crypto algorithms work.
This is the first Incident Response book I read in my life. This book is an excellent resource as an introduction to Incident Response (IR) as well as how to manage an IR program. They provide many tips and resources to use when we need to respond to an incident. One of the main aspects I retained from this book is the organizational aspect of the team when we have a big incident and many stakeholders are involved (chapter 4).
I am currently reading this book; I’ll provide feedback when I finish it. This book looks really promising!
I bought this book for a university course on software architecture. Although this book is about documenting architecture, many architecture patterns are explained, as well as how to document them. I won’t go into the details on how to document, when and up to what level of detail, but I will tell you this: documentation is important. I would advise any developer that would like to become an architect, and any architect, to read this book. It is in this book that I learned about many patterns like “Pipe and Filter”.
This is a classic in the development world. This book by Robert Martin, a.k.a. Uncle Bob, describes many techniques and the philosophy to create clean code. You may be unaware, but the vast majority of the code people write is hard to maintain and inherently slows down future development. The different techniques available in this book can be used to reduce the amount of badly written code. I highly recommend that anyone writing code read this book.
Pentesting / Hacking
The LiveOverflow YouTube channel is a high quality and deeply technical channel where they address hacking techniques. The channel starts with basic principles so any technical person interested in learning about different hacking / pentesting subjects could be interested in this one. I have been following this channel for many years now and every time I watch a video, new or old, I learn something!
Blue Teaming – miscellaneous
This book is one of my favorites that I read recently. It’s easy to read for someone who has some background in the subject. They address Threat Intelligence (TI): what it is, how to do it, what to do with it, etc. They provide many hints on how to manage a TI program. I highly recommend this book to people who have some experience in the field and are curious to learn more about Threat Intelligence.