10 Tech Books That Matter
One of the questions I get frequently is about what I recommend for new learners to read. So, I started compiling a larger reading list that I will release shortly— but I thought I’d start by offering up the top 10 books that I believe have helped me throughout my career. I have limited this to technical books with one exception. Please note, I am not sponsored by anyone for this; it is just some real reviews of books I consider formative, some of which I still come back to years later. Without further ado:
- Pragmatic Programmer (Your Journey to Mastery)
  This book came out right around the time I had transitioned from hobbyist developer to professional. I remember being utterly captivated both by the simplicity of how the book was written (it is a series of concepts) coupled with the philosophical perspectives that came along with it. This book covered some early ideas about building test code for the things you were writing, keeping code fresh, not repeating yourself, and a whole bunch of other concepts that I used all the time. It was the first book put out by pragpress, and it shaped and kicked off the Agile Alliance.
  They later produced books dedicated to the topic (Practices of an Agile Developer) and others that lined up with their thinking. While I promised to keep it related to tech, another notable call-out is the book “Pragmatic Thinking and Learning.” It is all about how YOU learn, and how you can take advantage of that to make learning a continuous thing. I re-read that book basically once every 2 years.
- Patterns of Enterprise Application Architecture
  I have referenced this book in nearly all of my talks, as I think it is as foundational to programming as one can get. Many people will point to the ‘gang of four’ as having put out the first book on patterns (aptly named Design Patterns), a call-out to the fact that reusable ideas help programmers solve complex problems. This book takes that idea and breaks programming out into a variety of activities used in enterprise development, and then showcases various ideas on HOW they work and why you might want to use them. It ranges from writing scripts, to controllers, to data access patterns. If you really want to learn about enterprise patterns, this is for sure an absolute must-read book. I consider this to be one of the worst-kept secrets behind my testing approach for web/application penetration tests.
- Web Application Hacker’s Handbook
  This is literally the first ‘book’ on web application security that I ever read. I am not sure what revision this book is on, and it is likely a bit dated for modern web applications, but it is still arguably the go-to reference book for web attacks. It showcases a variety of ways to think about testing problems without being so simplistic as “this is XSS, this is SQL injection.” Instead it goes through the variety of tasks that a web pentester generally goes through, to help you become familiar with how to test, not just what to test for. Second, it is one of the most practical books for learning. As the authors created ‘Burp Suite’, they couple each lesson with a how-to guide on using their own tooling to solve the problem. This is perhaps one of the most fantastic ways to learn. Explain, Show, Do.
  It is still a must-read, even if for no other reason than reference.
- The Art of Software Security Assessment
  Outside of the Patterns of Enterprise Application Architecture book, this is the next book I recommend the most. Don’t be scared by the utter size of the book, as it is really the first few chapters that I think are the real gems. This book is the single greatest book on performing source code reviews ever. It covers all the different methods you could take to categorize and work through source code. It has had profound impacts on my personal testing approaches, and I end up using nearly all of the concepts today in a bit more fluid of a fashion. I have taught courses on this book, and I am likely to teach it again in the future.
  The book is massive, as I stated before. The last three quarters of the book is a deep dive into a whole sundry of vulnerabilities so you can build up a repository of understanding for yourself. If you are doing C++ or compiled-language tests, this book will introduce you to a whole bunch of beginning concepts that will help you. I cannot say I’ve read the whole thing, but this does nearly literally cover most of that space.
- About Face - The Essentials of Interaction Design
  When I was building desktop applications, I ran into this book relatively early on. It was written by the guy who actually created the programming language Visual Basic, and it is ultimately about the singular concept of usability and discoverability before they became popularized terms. The author talks a great deal about how you can’t think about the digital realm with the same constraints as the physical one, and how our natural tendency will be to do so. Further, he talks about how important it is to build applications in a fashion that leads people to answers so that they can master the tool themselves. When I was developing a lot of software, I’d always refer back to these ideas to try and make software more intuitive and useful for people. I’d also point others to it when they didn’t seem to grok that idea.
- Structure and Interpretation of Computer Programs
  This book has always been near and dear to my heart, though full confession— I’ve only read a bit more than half of it. Before you judge me too harshly, I want to explain. First— this book is (or at least was) required learning for every comp sci student at MIT. Having always been enamored with that school, and because the book was available for download online, I printed out my first copy of this at home… all 600+ pages of it. I have read large portions of it, but then realized that MIT had actually released video recordings of the class being taught, and so I watched all of those as well. The book itself is about solving core programming problems using Lisp. If you ever want to learn about functional programming and why it matters, this book (and there is also another book just on Lisp that I recommend) does a fantastic job. It breaks down all the very low-level things that most programmers gloss over and teaches you how things like linked lists work, along with other types of data structures, state management, etc. I highly recommend it as almost required reading for advanced concepts you will run into later in life in things like JavaScript and other functional languages.
- Hacking - The Art of Exploitation
  This book is one of the best introductions to compiled binary attacks. It is a very good primer for working through some hands-on lessons on buffer overflows and understanding the basic mechanics of compromising binaries. In addition to being just all sorts of super duper approachable, like the Web App Hacker’s Handbook, it is very practical and comes with a Live CD that you can use to actually work through several of the challenges. Many of the attacks may not work anymore due to new protections offered by operating systems and whatnot, so having a distribution that lets you work through the challenges is a must-have. It covers things like understanding network sockets, countermeasures, developing exploits, and a whole variety of useful concepts to have under your hat. Also, if you happen to have a copy of the Live CD… let me know, I may have lost mine :’(
- The Security Development Lifecycle - Michael Howard & Steve Lipner
  This book helped me transition from software engineer to security engineer. When I first got interested in transitioning my career to becoming security focused, I joined OWASP and did a whole lot of research into developing secure code. Microsoft, by basically every account, has put more time and money into this problem than just about anyone. This book is one of the first (and quite old now) where they talk about the history and processes they took to create their own SDLC (which is still used today). It covers everything from executive buy-in, setting security gates, and final security reviews, to threat modeling and attack mapping. Every one of these concepts I have taken and developed various trainings on, and many of them have pivoted out into their own books (Threat Modeling by Shostack is another great read). If you really want to get some deeper insights into the mechanics and efforts used to try and secure code at scale— this is a must-read.
- The Tangled Web - Michał Zalewski
  When one graduated from the school of the Web Hacker’s Handbook, there really wasn’t much else to read on the subject until this book came out. The Tangled Web does a world-class study of how browsers work (and don’t work), and all sorts of problems that come along with managing ambiguity in this crazy thing called the internet. I believe that this book is a must-read for anyone serious about web application security, as most of the problems that are covered here still affect modern applications today. I have read this book twice all the way through, and even designed several research projects based on the author’s ideas. Zalewski became well known through his other book ‘Silence on the Wire’, but for me this one really defined the latter part of my career as a pentester.
- Flawless Consulting - Peter Block
  Flawless Consulting is one of my all-time favorite books as a consultant. It covers the entire spectrum of an engagement from pre-sales to close. It covers how to be authentic, how to understand the political forces at play, and how to be successful in whatever it is you consult on. As most of my career at this point has been in consulting, I have recommended this to nearly every single person in my company since the day I walked in. It is a good pairing with “The Trusted Advisor” by David Maister; however, I still prefer this one by Peter Block. There are directly applicable actions one can pull out of it regardless of where in the spectrum you are as a consultant, and even if you don’t have full control over the scope of work that you do.