A Curated List of Security Readings
When you decide to work in Security you automatically sign up to a professional life of continuous learning. Technologies, cultures and threats are constantly changing, and anyone who is trying to “do security” in this environment must keep up.
Just because something is written (a book, a paper) or spoken (a presentation, a podcast) doesn’t mean it’s valuable. For books, I look to the cybersecurity canon to find curated titles. There, a Hall of Fame winner is one that is important to everyone in the industry, and can withstand the test of time. But there isn’t an industry resource for papers, so I thought I’d go to the socials (LinkedIn, Twitter, Mastodon) to find the answers.
As always, I was gratified that people chose to share their knowledge with me, and I was surprised by the selections. You can see that there is a wide, wide, wide array of topics and ages of these nominations.
Here’s the list (and any comments came from the nominating individual):
Aleph1: “Smashing the Stack for Fun and Profit” (Recommended twice)
Anderson, R: “Why Information Security is Hard — An Economic Perspective” for outlining the non-technical challenges that arise when dealing with security (and basically giving rise to InfoSec Economics).
Arthur, W. B.: “All Systems Will Be Gamed” on the nature of exploitative behavior.
Bellovin, S: “The Security Flag in the IPv4 Header”
Bender, E. et al: “On the Dangers of Stochastic Parrots, Can Language Models be Too Big?” Now seems quite prescient given the hallucinations we’ve seen in recent GPT models, but which will nonetheless begin to mediate our experience of the internet and other tech.
Butler, S.: “Darwin Among The Machines”
Caltagirone, S. et al: “The Diamond Model of Intrusion Analysis”