security books. recommend some.
Posted: Mon Mar 05, 2007 8:31 am
by jmut
Hi,
What security books would you recommend buying? Unfortunately I can choose only one for now, so I would like to hear your suggestions.
These are the books I currently have in mind in order of precedence.
1. http://www.microsoft.com/mspress/books/5957.aspx
2. http://www.swsec.com/
3. http://www.mhprofessional.com/product.p ... promocode=
Please ignore price on links provided, only content matters.
I am a PHP developer, so I am looking for either a PHP-specific security book (I don't think there are any good ones) or some general security development book.
Thanks for your comments.
Posted: Mon Mar 05, 2007 8:59 am
by infolock
Books can only get you so far. I wouldn't say security books are the best answer either. The best way to attempt securing a box as much as humanly possible is to learn the OS you are dealing with, and then try to crack it yourself. Read up on the tutorials and exploits people write on how to take advantage of a site. Find the scripts and apps most of the script kiddies are using to take control of the box with their 31337 cracking skills. Once you know the exploits and vulnerabilities, that's when you know where to look for protecting yourself. That would probably be a better source of information than any book could ever teach you. Not to mention that most books cover old, outdated and obsolete exploits that have been patched for years.
Posted: Mon Mar 05, 2007 9:08 am
by Chris Corbyn
Chris Shiflett has a good O'Reilly one out (and he posts here on occasion).
Posted: Mon Mar 05, 2007 9:09 am
by jmut
d11wtq wrote:Chris Shiflett has a good O'Reilly one out (and he posts here on occasion).
If you mean this one:
http://phpsecurity.org/
I already got it.
@infolock
I think you miss the point. There is no ultimate security. But good books about the topic exist no matter what. And it definitely doesn't have to be OS specific or whatever. There are just general development principles and stuff that is hard to guess yourself as a newbie programmer, and good developers actually write about them. So in my opinion, a book might make a huge difference.
Posted: Mon Mar 05, 2007 9:10 am
by Chris Corbyn
I did indeed.
Posted: Mon Mar 05, 2007 10:13 am
by seodevhead
Shiflett's 'PHP Security' book is top-notch and I have learned so much from it (and implemented it). Another good book I bought is 'PHP Pranks'. But Shiflett's is by far the one you need to read first. His blog is also very good (as linked above).
Posted: Mon Mar 05, 2007 10:55 am
by infolock
jmut wrote:
@infolock
I think you miss the point. There is no ultimate security. But good books about the topic exist no matter what. And it definitely doesn't have to be OS specific or whatever. There are just general development principles and stuff that is hard to guess yourself as a newbie programmer, and good developers actually write about them. So in my opinion, a book might make a huge difference.
I guess the point I missed was the type of security you were talking about. I was speaking of network security, not code security. So, in a sense, I guess I was missing the point, that being my interpretation of "What security books would you recommend buying" =)
Secondly, I agree 100% about there not being an ultimate security. I don't think I stated there was (= In either case, that is why I recommended what I did and I still stand by it.
From a network perspective, it's all about determining the methods by which the intruder (or script kiddie/cracker) attempts to break in. In the code world, it's all about what to look for when dealing with data, and how to prevent overflows/escape sequences that could allow them to jump down to a console.
Posted: Mon Mar 05, 2007 11:09 am
by RobertGonzalez
I have Shiflett's book and Ilia Alshanetsky's book 'Guide to PHP Security'. It has a foreword by Rasmus Lerdorf. It is a very handy reference.
Posted: Mon Mar 05, 2007 2:46 pm
by matthijs
Besides the books from Shiflett and Ilia, which I can also recommend, there is Pro PHP Security by Chris Snyder. It's a bigger and - for me - more difficult book than the other two. Snyder's book goes a lot deeper into server config stuff. Haven't read it all yet, only a few chapters, but it seems like a good book. So much to read, so little time ...
Re: security books. recommend some.
Posted: Mon Mar 05, 2007 3:20 pm
by Mordred
I have the M$ book, but I don't think you'll benefit from it with regards to PHP security; go for it only if you're interested in C/C++ development. I have skimmed over some PHP security books (I think I've read Shiflett's almost in full) and found that they basically cover the same ground. I also found nothing that I didn't know before from reading the manual, so that's another option for you.
The great benefit of a security book is that it will offer concentrated on-topic information about security (mis)practices. In that light, pick whichever you can find; there's no difference really.
Since so many people recommend Shiflett's, maybe it's the most friendly choice.
Doing *cough* pen tests on sites is also extremely beneficial to one's security awareness, and reading vulnerability mailing lists also helps. They are lately spammed with too many fake PHP vulns to be really helpful right away, but there is the long-term benefit of having seen many different vulnerabilities as they happened in real-life living code.
Re: security books. recommend some.
Posted: Tue Mar 06, 2007 12:46 am
by jmut
Mordred wrote:... and reading vulnerability mailing lists also helps. ...
Would you recommend any?
I am currently following this RSS feed:
http://www.securityfocus.com/rss/vulnerabilities.xml
Good stuff, but by no means PHP specific.
Posted: Tue Mar 06, 2007 12:49 am
by jmut
Everah wrote:I have Shiflett's book and Ilia Alshanetsky's book 'Guide to PHP Security'. It has a foreword by Rasmus Lerdorf. It is a very handy reference.
You mean this one?
http://phpsec.org/projects/guide/
Posted: Tue Mar 06, 2007 3:34 am
by Mordred
I'll just dump the lists; you'll easily find how to subscribe.
Web-related:
webappsec@securityfocus.com
websecurity@webappsec.org
(the above two are not the same)
General purpose, higher traffic, but this is where the bulk of bugs are reported:
bugtraq@securityfocus.com
full-disclosure@lists.grok.org.uk
Penetration testing, sometimes relevant:
pen-test@securityfocus.com
Can someone recommend more resources?
Posted: Tue Mar 06, 2007 10:47 am
by RobertGonzalez
jmut wrote:Everah wrote:I have Shiflett's book and Ilia Alshanetsky's book 'Guide to PHP Security'. It has a foreword by Rasmus Lerdorf. It is a very handy reference.
You mean this one?
http://phpsec.org/projects/guide/
Nope, this one.
Posted: Tue Mar 06, 2007 1:53 pm
by Buddha443556
Both Shiflett's and Alshanetsky's books are good. There's also "Pro PHP Security" by Chris Snyder and Michael Southwell which goes a wee bit outside of the topic of PHP security and covers things like Captcha and updating software. All good books.