28

I am currently just finishing an undergrad computer science degree, but I know very little about computer security.

What are some good resources (aside from this site) to learn the fundamentals of security? I realise that good resources will probably vary depending on specifically what sort of security each is aimed at.

I've looked at this Linux Security HOWTO: http://tldp.org/HOWTO/Security-HOWTO/index.html

The question can be rephrased: If you were forced to employ someone in my situation (solid knowledge of algorithms/data structures, a few languages and different programming paradigms and basic Unix knowledge), what would you make them read/learn?

Jeff Ferland
oadams

11 Answers

13

That's a tough question to answer, because "Computer Security" is a very broad field--

If you are looking for just general computer security stuff, I would start following Richard Bejtlich, who has authored a couple very good network security & forensic books--But he also deals with the philosophical mindset of computer security--For instance, from the Tao of Network Security Monitoring:

Security is the process of maintaining an acceptable level of perceived risk. A former director of education for the International Computer Security Association, Dr. Mitch Kabay, wrote in 1998 that “security is a process, not an end state.” No organization can be considered “secure” for any time beyond the last verification of adherence to its security policy. If your manager asks, “Are we secure?” you should answer, “Let me check.” If he or she asks, “Will we be secure tomorrow?” you should answer, “I don’t know.” Such honesty will not be popular, but this mind-set will produce greater success for the organization in the long run.

I would also recommend Bruce Schneier, & most of SANS resources.

-Josh

Josh Brower
7

I highly recommend Ross Anderson's Security Engineering. The first and second editions are available as PDFs for free at the above link.

From Chapter 1:

Security engineering is about building systems to remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves.

Cosmic Ossifrage
Peter K.
6

Community side: IRC is your friend, imo. Otherwise I like those:

About written resources, I found the security section of the FreeBSD Handbook extremely useful. Computer Security is a huge landscape - it depends on what you are looking for.

gbr
5

As you said, it really depends on what field of security you're referring to...
If you're looking for application security information, go straight to OWASP. Start there, lots of places to go after.

AviD
5

There are a range of organisations who will not employ directly into security consulting or security audit roles unless you can evidence strong IT experience. This does help to build a more rounded, practical view of security in a real world operational environment, whereas sometimes when I have hired new graduates of security degrees they have required so much training in order to bring their ideas of security down from an 'ideal' but unworkable position to a practical level.

Examples of areas I have most successfully hired from - networking and firewalling (Cisco, Check Point, Telecoms etc), Computer Science degrees, Security and Forensics degrees.

And my most useful training for them - on the job with an experienced pro, first in audit roles, then consulting.

Rory Alsop
3

Learning how to secure something means you understand, at a deep level, how that thing works and what its weaknesses are. Risk assessment is also a big part.

I'm sure there are plenty of links to be found to security sites, mailing lists and books, but it really all comes down to understanding the weaknesses of the system and assessing the possible threats.

Generally, the best resource for securing something will be that thing's manual and your own critical thinking.

jhayes
3

There is a huge variety of books on information security available for free. A simple google would make the deal in case you have the necessary topics!

Here are my personal recommendations as a must to enter that world:

  • How to integrate security in the software development lifecycle. You would get the Microsoft SDL (that would consume some of your time to read it and familiarize yourself with each topic separately), Building Security In (e.g. BSIMM...), security requirements, secure programming... With that you should cover (as I referred to the sub topics' importance) security testing, fuzz testing, code review, ...

  • On the other hand you would need to learn the technology-specific security solutions, like security for HTML frames..., access control models from the application layer until DBMS, security protocols and why they are used, security for web technologies and for RESTful web services or SOAP-based web services.

  • Security properties offered by frameworks and IDEs, .NET framework, ...

Try googling for these; in case you can't find a useful link, I would be able to provide it for you, just leave me a comment.

Phoenician-Eagle
3

NYU:Poly has their whole security course about pen testing online: Penetration Testing and Vulnerability Analysis

Andreas Arnold
  • 1
    Actually, this link was already mentioned in "Linked" topics, that directs to http://security.stackexchange.com/questions/1/courses-on-secure-software-development. –  Nov 22 '10 at 14:51
3

The best way to learn is by having fun doing so. That's why I got fond of "wargames" or hack challenges.

I would check out: http://hackquest.com/

And also:

http://www.slavehack.com/

http://www.overthewire.org/wargames/

For video tutorials and lectures I use:

http://securitytube.net/

Chris Dale
3

Safari Books Online: http://www.safaribooksonline.com/

Amazon's Bestsellers in Computer Security & Encryption: http://www.amazon.com/gp/bestsellers/books/377560011/

Tate Hansen
  • +1 for mentioning Safari books. I have a membership through my corporation and I'm loving it. I would never go back! :) I also have my iPad hooked up to it, making it easy to look up information anytime, anywhere. – Chris Dale Nov 24 '10 at 20:56
0

You've got a lot of suggestions from the generous people at security.stackexchange. However, I am also sharing one great source to learn about computer security. It is http://opensecuritytraining.info/. The tutorials here will clear most of your basics and you will be all set to move forward.

Other than that I would suggest you look into the archives of various hacking conferences such as

Fennec