security books. recommend some.

jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

security books. recommend some.

Post by jmut »

Hi,
What security books would you recommend buying? Unfortunately I can choose only one for now, so I would like to hear your suggestions.

These are the books I currently have in mind in order of precedence.
1. http://www.microsoft.com/mspress/books/5957.aspx
2. http://www.swsec.com/
3. http://www.mhprofessional.com/product.p ... promocode=

Please ignore price on links provided, only content matters.
I am a PHP developer, so I am looking for either a PHP-security-specific book (I don't think there are any good ones) or some general security development book.

Thanks for your comments.
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Books can only get you so far. I wouldn't say security books are the best answer either. The best way to attempt to secure a box as much as humanly possible is to learn the OS you are dealing with, and then try to crack it yourself. Read up on the tutorials and exploits people write on how to take advantage of a site. Find the scripts and apps most of the script kiddies are using to take control of the box with their 31337 cracking skills. Once you know the exploits and vulnerabilities, that's when you know where to look for protecting yourself. That would probably be a better source of information than any book could ever teach you. Not to mention that most books cover old, outdated and obsolete exploits that have been patched for years.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Chris Shiflett has a good O'Reilly one out (and he posts here on occasion :)).
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

d11wtq wrote: Chris Shiflett has a good O'Reilly one out (and he posts here on occasion :)).
if you mean this one.
http://phpsecurity.org/

I already got it.


@infolock
I think you missed the point. There is no ultimate security. But good books about the topic exist no matter what. And it definitely doesn't have to be OS specific or whatever. There are just general development principles and stuff that is hard to guess yourself as a newbie programmer, and good developers actually write about them. So in my opinion, a book might make a huge difference.
Last edited by jmut on Mon Mar 05, 2007 9:11 am, edited 1 time in total.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

I did indeed :)
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

Shiflett's 'PHP Security' book is top-notch and I have learned so much from that (and implemented it). Another good book I bought is 'PHP Pranks'. But Shiflett's is by far the one you need to read first. His blog is also very good (as linked to above).
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

jmut wrote: @infolock
I think you missed the point. There is no ultimate security. But good books about the topic exist no matter what. And it definitely doesn't have to be OS specific or whatever. There are just general development principles and stuff that is hard to guess yourself as a newbie programmer, and good developers actually write about them. So in my opinion, a book might make a huge difference.
I guess the point I missed was the type of security you were talking about. I was speaking of network security, not code security. So, in a sense, I guess I was missing the point, that being my interpretation of "What security books would you recommend buying" =)

Secondly, I agree 100% about there not being an ultimate security. I don't think I stated there was (= In either case, that is why I recommended what I did, and I still stand by it ;)

From a network perspective, it's all about determining the methods by which the intruder (or script kiddie/cracker) attempts to break in. In the code world, it's all about what to look for when dealing with data, and how to prevent overflows/escape sequences that could allow them to jump down to the console.
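The "what to look for when dealing with data" idea in the post above, shown in PHP as an added example (this is not code from the thread or from any of the books mentioned). It assumes a PHP CLI build with the PDO SQLite driver; the request values are constructed sample input, not real traffic. The unsafe query is kept beside the hardened one so the difference in results is visible when the script is run.

```php
<?php
// Added example, not from the thread. Assumes PHP CLI with pdo_sqlite.
declare(strict_types=1);

// Constructed sample of untrusted input, shaped like $_GET would be.
$untrusted = [
    'id'   => '1 OR 1=1',                  // looks like a number, is not one
    'name' => '<script>alert(1)</script>', // HTML where text was expected
];

// A throwaway in-memory table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Step 1, validate: decide what shape the value must have and reject the rest.
// filter_var returns false for '1 OR 1=1', so the string never reaches SQL.
function validatedId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The pattern to look for in review: raw input concatenated into the query.
// With the sample id above this returns every row instead of one.
function unsafeFindUsers(PDO $db, string $raw): array
{
    $sql = 'SELECT id, name FROM users WHERE id = ' . $raw;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Step 2, query with a bound parameter: the value can never change the SQL.
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Step 3, escape on output for the context the data lands in (HTML here).
function htmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Compare the two paths on the same input.
echo "unsafe query rows: " . count(unsafeFindUsers($db, $untrusted['id'])) . "\n";

$id = validatedId($untrusted['id']);
if ($id === null) {
    echo "rejected id: " . htmlText($untrusted['id']) . "\n";
} else {
    var_dump(findUser($db, $id));
}

// The name is stored as-is and only escaped where it is rendered.
echo "escaped name: " . htmlText($untrusted['name']) . "\n";
```

Run it with `php example.php`. The three steps are deliberately separate: validation limits what a value may be, parameter binding keeps data out of the SQL grammar, and output escaping is chosen per destination (HTML here; a different escaper would be needed for a shell command or a URL).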
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I have Shiflett's book and Ilia Alshanetsky's book 'Guide to PHP Security'. It has a foreword by Rasmus Lerdorf. It is a very handy reference.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Besides the books from Shiflett and Ilia, which I also can recommend, there is Pro PHP Security by Chris Snyder. It's a bigger and - for me - more difficult book than the other two. Snyder's book goes a lot deeper into server config stuff. Haven't read it all yet, only a few chapters, but it seems like a good book. So much to read, so little time ..
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: security books. recommend some.

Post by Mordred »

jmut wrote:Hi,
What security books would you recommend buying? Unfortunately I can choose only one for now, so I would like to hear your suggestions.

These are the books I currently have in mind in order of precedence.
1. http://www.microsoft.com/mspress/books/5957.aspx
2. http://www.swsec.com/
3. http://www.mhprofessional.com/product.p ... promocode=

Please ignore price on links provided, only content matters.
I am a PHP developer, so I am looking for either a PHP-security-specific book (I don't think there are any good ones) or some general security development book.

Thanks for your comments.
I have the M$ book, but I don't think you'll benefit from it with regards to PHP security, go for it only if you're interested in C/C++ development. I have skimmed over some PHP security books (I think I've read Shiflett's almost in full) and found that they basically cover the same ground. I also found nothing that I didn't know before from reading the manual, so that's another option for you ;) The great benefit of a security book is that it will offer concentrated on-topic information about security (mis)practices. In that light, pick whichever you can find, there's no difference really ;) Since so many people recommend Shiflett's, maybe it's the most friendly choice.

Doing *cough* pen tests on sites is also extremely beneficial to one's security awareness, and reading vulnerability mailing lists also helps. They are lately spammed with too many fake PHP vulns to be really helpful right away, but there is the long-term benefit of having seen many different vulnerabilities as they happened in real-life living code.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Re: security books. recommend some.

Post by jmut »

Mordred wrote:..and reading vulnerability mailing lists also helps. ...
Would you recommend any?
I am currently following this RSS feed:
http://www.securityfocus.com/rss/vulnerabilities.xml
Good stuff but by no means php specific.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

Everah wrote:I have Shiflett's book and Ilia Alshanetsky's book 'Guide to PHP Security'. It has a foreword by Rasmus Lerdorf. It is a very handy reference.
You mean this one http://phpsec.org/projects/guide/ ?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

I'll just dump the mails; you'll easily find out how to subscribe.

web-related:
webappsec@securityfocus.com
websecurity@webappsec.org
(the above two are not the same)

General purpose, higher traffic, but this is where the bulk of bugs are reported:
bugtraq@securityfocus.com
full-disclosure@lists.grok.org.uk

Penetration testing, sometimes relevant:
pen-test@securityfocus.com

Can someone recommend more resources?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

jmut wrote:
Everah wrote:I have Shiflett's book and Ilia Alshanetsky's book 'Guide to PHP Security'. It has a foreword by Rasmus Lerdorf. It is a very handy reference.
You mean this one http://phpsec.org/projects/guide/ ?
Nope, this one.
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Both Shiflett's and Alshanetsky's books are good. There's also "Pro PHP Security" by Chris Snyder and Michael Southwell which goes a wee bit outside of the topic of PHP security and covers things like Captcha and updating software. All good books.