There’s no shortage of books about security, and it can be difficult to determine which titles are worth your time. Security how-to books also run the risk of becoming outdated quickly as methodologies and techniques grow more advanced or technologies change.
In the spirit of past articles like Music to Hack to, How to Build a Hacker Home Workstation, and Security Lessons From Hacker-Themed Board Games, we’ve assembled a list of books we recommend. Since one of our core values is continuous learning – after all, the bad guys never stop learning, it’s paramount we keep pace – you’ll find titles here for improving your pen testing skillset. And because being a security professional goes beyond technical acumen, we also feature titles related to soft skills. Finally, because if you read about work stuff all the time it can get boring, we’ve included a few favorite fiction selections that might be of interest to fellow nerds.
“The Pentester BluePrint: Starting a Career as an Ethical Hacker” – Phillip Wylie and Kim Crawley: Wylie and Crawley have put together a thorough penetration testing primer for anyone who is just starting out in security. Both Wylie and Crawley are accomplished figures in the cybersecurity industry, and for newbies, getting these seasoned veterans’ perspectives on how to make pen testing a professional pursuit is a good starting point. As a plus, the first edition was released in 2020, so the information is pretty up to date.
“Metasploit: The Penetration Tester’s Guide” – David Kennedy, Jim O'Gorman, Devon Kearns, Mati Aharoni: This is another title that is perfect for someone who is just starting out in security. This book has the honor of being named “the best guide to the Metasploit framework” by Metasploit founder H.D. Moore himself. Not only does the book provide a great crash course into using the powerful Metasploit framework, but it’s also useful for doing vulnerability research. (One possible caveat: The book was originally published in 2011, so some of the material may be slightly outdated.)
“Social Engineering: The Science of Human Hacking” – Chris Hadnagy: If social engineering is a skill you’re hoping to build, then give this book by Hadnagy a read. It’s considered one of the top resources on the subject, which is helpful to know for pen testing and Red Teaming engagements (you’ve probably heard that an organization’s people usually are their weakest asset, which is often true). And on the opposite side of the coin, it’s also insightful for picking up on the signs that you’re being socially engineered.
“Linux Basics for Hackers: Getting Started With Networking, Scripting, and Security in Kali” – “OccupyTheWeb”: “Linux Basics” is another title from famed technology publisher No Starch Press that is designed to serve as a “practical, tutorial-style book.” As a Bishop Fox consultant phrased it, “it’s more of a guidebook than a book you only read once and put away.”
“Web Security for Developers: Real Threats, Practical Defense” – Malcolm McDonald: You can frame the usefulness of this book several ways: It’s well suited to those who are transitioning from development to security. It’s also another great security beginner-level read, providing introductions to an array of pen testing tools that will help you do your job better. And finally, it’s a terrific resource for developers looking to build more secure applications.
“RTFM: Red Team Field Manual” – Ben Clark: This book promises to be “no fluff,” and it delivers on that promise. If your goal is to accrue some additional red teaming techniques for your arsenal, make sure to score a copy of this book. The expansiveness of the guide’s contents makes it a must-read for a hacker of any skill level.
“CISSP All-in-One Exam Guide” – Shon Harris and Fernando Maymi: The CISSP (Certified Information Systems Security Professional) certification is a notoriously difficult security certification to earn, so any guidance on how to pass the brutal exam is worth pursuing. The “CISSP All-in-One Exam Guide” should give you the boost you need to ace the exam, but it is also helpful to simply have in your library. Just don’t expect this to be a light read – it clocks in at around 1400 pages.
“The Tangled Web: A Guide to Securing Modern Web Applications” – Michal Zalewski: The final title on this list is “The Tangled Web,” which is considered a classic – arguably canon – as far as security training books go, and especially when it comes to web application security. The internet was not built to be safe, but to share information, and browsers can cause a lot of problems. “The Tangled Web” – while somewhat on the older side (it was published in 2011) – addresses the root cause behind many common security problems head on.
“It Was the Best of Sentences, It Was the Worst of Sentences: A Writer's Guide to Crafting Killer Sentences” – June Casagrande: Writing is probably not the first skill that comes to mind when you consider how to be a better security professional, but it is one of the most critical non-technical skills. Communication is key, and if you’re writing reports that will eventually land in the hands of clients, you need to communicate clearly and precisely. Not to mention that if you aspire to someday move into a security leadership role, being able to write well will prove immensely valuable.
“The Elements of Style” – William Strunk Jr.: And on a similar note, this is the definitive writing resource that has haunted English classrooms around the world for nearly a century. That being said, it’s a perfect reference for some pointers on how to better refine your writing, but you likely won’t read the whole thing (and we don’t blame you).
“The Leadership Challenge: How to Make Extraordinary Things Happen in Organizations” – James M. Kouzes: If you find yourself managing a team for the first time or would like to prime yourself for a future leadership role, check out this book that will help you learn the ropes of a not-easy-to-learn soft skill.
“How to Win Friends and Influence People” – Dale Carnegie: This might not seem like the most intuitive choice for this list, but it actually does make some sense. If you’re hoping to build your confidence at work, develop your public speaking skills, and eventually step into more of a leadership role, Carnegie’s wisdom from ages ago still holds up in our modern era. Fight imposter syndrome by building those communication skills!
“Little Brother” – Cory Doctorow: While intended for more of a young adult audience, this book is still an extremely enjoyable read that will prove hard to put down no matter your age. It’s also heavy on technology and security concepts, which makes it somewhat informative without being obnoxiously so. And if you do happen to have a young person in your life who is curious about hacking, make sure they get this book ASAP.
“The Laundry Files” – Charles Stross: This Hugo Award-nominated series is pretty distanced from the realm of reality, but it’s a delightful read. There are nine books in total; imagine “The IT Crowd” meets “The Call of Cthulhu” with a dash of security thrown in, and you’ll have nailed this series.
“The Murderbot Diaries” – Martha Wells: These widely lauded books have won Hugo Awards and topped many year-end best-of lists. The series focuses on “a murderous, self-hacking robot” – and if that doesn’t sell you, then we don’t know what will.
“The Peripheral” – William Gibson: “The Peripheral” is a trilogy that provides a glimpse into a disturbing future. You really can’t go wrong with any work by Gibson, who wrote the legendary cyberpunk “Neuromancer” in the 1980s.
“The Cuckoo’s Egg” – Clifford Stoll: A throwback from the late ’80s, “The Cuckoo’s Egg” is a look into the dangers of the internet that still hold up today. Stoll might be an unlikely candidate to write such a book, being an astronomer, but he actually engaged in one of the first known examples of digital forensics in his relentless pursuit of a KGB-affiliated hacker.
“Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground” – Kevin Poulsen: A riveting story from a former black-hat-hacker-turned-investigative-journalist that gives you a firsthand look into the profitable world of cybercrime – specifically as it relates to identity thieves and credit card skimmers.
“Future Crimes: Inside the Digital Underground and the Battle for Our Connected World” – Mark Goodman: Goodman’s book is another account of how the “digital underground” works, and an overview of the variety of risks present in our interconnected world. There’s also a Bishop Fox shoutout in this book: You’ll see the Tastic RFID Thief make an appearance.
“The Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon” – Kim Zetter: Zetter is one of the most decorated security journalists, and her work chronicling the U.S. government-created computer worm Stuxnet in “Countdown to Zero Day” illustrates precisely why. Another enthralling read, this book highlights some of the horrors made possible by cyberwarfare.
“Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers” – Andy Greenberg: Greenberg takes the reader right into the heart of one of the most infamous cyberattacks ever, the NotPetya ransomware attacks of 2017.
“Work-From-Home Hacks” – Aja Frost: The title says it all – get more done while working at home and ensuring you stick to a healthy work-life balance. It might seem like a lofty goal, but Frost shows it is well within reach. (And for some other tips on how to make working from home a touch more tolerable, you can check out our previous post.)
“Invisible Women: Data Bias in a World Designed for Men” – Caroline Criado Perez: Perez’s must-read “Invisible Women” dives into how data can breed gender discrimination. With men treated as the norm, anything other than that can be treated as a “deviation.” “Invisible Women” is as fascinating as it is eye-opening.
“The Smart Girl's Guide to Privacy: Practical Tips for Staying Safe Online” – Violet Blue: If you have someone in your life who might be unaware of the various dangers lurking online (like a parent, child, or friend), gift them a copy of this book that covers online security and privacy basics. Blue does a commendable job of ensuring the reader stays informed, but far from overwhelmed.
Remember: This list is not all-encompassing. If we included every worthwhile book related to security, we’d probably have a blog post rivalling “War and Peace.” Hopefully though, you now have some ideas for more books to read. After all, is there such a thing as having too many books to read?
Thanks to Kelly Albrink, Ashley Ruiz, Matthieu Keller, and Shanni Prutchi for their help in compiling this list!