If you could have only one book on web security, what would it be?

Gumbo
Moshe
  • Well, now it is clear. But again, the question needs to be specified. There are a lot of different fields in security; it is a very wide term. What would you like to hear about: cryptography, web-application security, server administration, source code analysis and vulnerabilities, deep OS inspections, user management and policies, etc.? No single good book can cover all the items at once. –  Nov 17 '10 at 18:07
  • @Ams - once again, edited. – Moshe Nov 17 '10 at 18:08
  • Still not narrow enough... How to *break* web security (i.e. web attacks), or how to *make* it (i.e. secure coding and the like). Or how to use it, e.g. secure browsing... – AviD Nov 17 '10 at 20:24
  • Btw, @Moshe, welcome to the site! Note that you might want to wait a while before accepting an answer, especially to a question like this; it will discourage additional answers, which might be even better. Note that this is also quite subjective... – AviD Nov 17 '10 at 20:26

7 Answers

Many people recommend this one book: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, which I also find very useful. But you should not rely on only one book. This book was released back in 2007, and since then many new technologies have appeared. So, besides books, you should follow standards, RFCs and other documents. I know another really good and fresh book. I have only a hard copy in German and am not aware whether it is available in English: Sichere Webanwendungen.

Since it's now out, my answer would be The Tangled Web by Michal Zalewski.

Bruno Rohée

Ross Anderson's Security Engineering is excellent (and the first edition is currently available online. Some sample chapters from the second edition are online at the time of writing).

frankodwyer

For books on how to build web security, Writing Secure Code v2 from MS Press is still a seminal classic, and even though it was written quite a few years ago by Internet standards, it is still very relevant, and relatively up to date (if no longer complete because of new attack techniques). And it's not just for MS platforms (though many of the newer frameworks are missing)...

AviD

I prefer Hunting Security Bugs to The Web Application Hacker's Handbook, but fortunately, you can have more than one book in your life. I have about 40,000.

atdre

A nice introductory book to web security that I am reading now is Hacking: The Next Generation.

It covers a wide range of topics, so maybe it is not for you if you are looking for something deeper and more focused.

gbr

The Web Application Hacker's Handbook v2. As a hacker/security guy, one book is not what you look for; also, the OWASP books are very good on the subject.

P3nT3ster