HackerNews Readings
40,000 HackerNews book recommendations identified using NLP and deep learning


Hacking: The Art of Exploitation, 2nd Edition

Jon Erickson

4.7 on Amazon

19 HN comments

Bitcoin: Hard Money You Can't F*ck With: Why Bitcoin Will Be the Next Global Reserve Currency

Jason A. Williams and Jessica Walker

4.8 on Amazon

19 HN comments

Grokking Algorithms: An Illustrated Guide for Programmers and Other Curious People

Aditya Bhargava

4.6 on Amazon

18 HN comments

The Effective Engineer: How to Leverage Your Efforts In Software Engineering to Make a Disproportionate and Meaningful Impact

Edmond Lau and Bret Taylor

4.5 on Amazon

18 HN comments

About Face: The Essentials of Interaction Design

Alan Cooper, Robert Reimann, et al.

4.5 on Amazon

18 HN comments

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws

Dafydd Stuttard and Marcus Pinto

4.6 on Amazon

17 HN comments

The Art of Game Design: A Book of Lenses, Third Edition

Jesse Schell

4.7 on Amazon

17 HN comments

Think Bayes: Bayesian Statistics in Python

Allen B. Downey

? on Amazon

15 HN comments

Mastering Bitcoin: Programming the Open Blockchain

Andreas M. Antonopoulos

4.7 on Amazon

15 HN comments

Working in Public: The Making and Maintenance of Open Source Software

Nadia Eghbal

4.6 on Amazon

15 HN comments

Rocket Surgery Made Easy: The Do-It-Yourself Guide to Finding and Fixing Usability Problems

Steve Krug

4.5 on Amazon

14 HN comments

Software Engineering

Ian Sommerville

4.3 on Amazon

14 HN comments

The Making of Prince of Persia: Journals 1985-1993--Illustrated Edition

Jordan Mechner

4.8 on Amazon

13 HN comments

Python Machine Learning: Machine Learning and Deep Learning with Python, scikit-learn, and TensorFlow 2, 3rd Edition

Sebastian Raschka and Vahid Mirjalili

4.5 on Amazon

12 HN comments

Life 3.0: Being Human in the Age of Artificial Intelligence

Max Tegmark, Rob Shapiro, et al.

4.5 on Amazon

12 HN comments


will_work4tears on May 16, 2014

I've got this right at the top of my wish list. Got a list of other books I gotta finish first though, lol:

Code Complete 2, The Web Application Hacker's Handbook, Algorithms in a Nutshell, and Code.

Not to mention an Arduino book - but I'll probably get Effective Java and read it first.

estel on June 21, 2011

The Web Application Hacker's Handbook is most widely cited in a more general sense. I'm reading it myself at the moment - http://www.amazon.com/Web-Application-Hackers-Handbook-Disco...

elbear on Mar 9, 2013

A very well-known and recommended book in this space is "The Web Application Hacker's Handbook."

tptacek on June 3, 2009

I like Dafydd Stuttard's "The Web Application Hacker's Handbook", despite the title. Work through the examples.

A lot of people will direct you to OWASP, which is not a bad free tertiary source (owasp.org). There's lots of HOWTO stuff there. Be careful about the OWASP Top 10. You want to know what it is, but it's showing its age.

andrew-d on May 10, 2015

For what it's worth, that's a fair concern. I offer two things that make it not quite as bad as you may think, though :-)

1. We don't expect applicants to be amazing at this already. Having a background in security is good, of course, but not necessary. As a data point: in the office I work out of, we have someone who used to work in a bakery, someone who worked for an insurance company, and several people who had never done security before applying to Matasano. It's my opinion that you generally learn more "on the job", as it were, than you would preparing for an interview anyway. @tptacek's post at [0] is a good example of the type of people we have working for us.

2. We generally send candidates resources to help them prepare - I believe a couple recent applicants got free copies of "The Web Application Hacker's Handbook" [1].

[0]: https://news.ycombinator.com/item?id=8395627

[1]: http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

jupenur on Feb 23, 2016

Start by learning the basics. If you don't know how to code, that's probably a good place to start. Learn about web applications and network protocols. Learn the basics of Linux and Windows system administration.

Read some books, e.g. The Web Application Hacker's Handbook [1], The Tangled Web [2], Nmap Network Scanning [3]. Study the OWASP wiki [4]. Familiarize yourself with the tools of the trade: Nmap, Burp Suite, Nessus, IDA Pro, ...

Learn to recognize strange and suspicious behaviors in applications. Learn to recognize implementations that are almost, but not quite, what they should be. To get good at this, you have to be familiar with the underlying technologies, frameworks, and best practices. Having experience in software development or system administration helps a lot.

Most importantly: hack. You really only learn by doing. There are plenty of opportunities to hack legally and ethically and even make some money doing it. Set up WebGoat [5] and go through the lessons. Get on HackerOne [6] and participate in bug bounty programs. Learn how to responsibly disclose issues to vendors.

And finally, get involved in the infosec community. Follow interesting people on Twitter. Attend local meetups. Go to conferences. Ask questions and help others to learn as well.

[1] http://mdsec.net/wahh/
[2] http://lcamtuf.coredump.cx/tangled/
[3] https://nmap.org/book/
[4] https://www.owasp.org/index.php/Main_Page
[5] https://github.com/WebGoat/WebGoat
[6] https://hackerone.com/

lghh on Dec 16, 2019

Leisure Stuff:

Boom Town: The Fantastical Saga Of Oklahoma City, Its Chaotic Founding... by Sam Anderson

Midnight In Chernobyl by Adam Higginbotham

Dune by Frank Herbert

The Three Body Problem by Cixin Liu (tried it this year and stopped, want to give it another go)

Stories of Your Life and Others - Ted Chiang (just finished Exhalation and I think it's great)

An Ursula K. Le Guin novel, have not picked one out yet

A book related to basketball (possibly Dream Team, but IDK yet)

Less Leisure Stuff:

Locked In: The True Causes of Mass Incarceration and How to Achieve Real Reform by John Pfaff

Evicted: Poverty and Profit in the American City by Matthew Desmond

The End Of Policing by Alex S Vitale

Either Manufacturing Consent or Understanding Power by Chomsky

The Annotated Turing by Charles Petzold

Work:

Code Complete 2 by Steve McConnell

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard, Marcus Pinto

Finish Writing An Interpreter In Go by Thorsten Ball

If I can get through all of these, I will be very pleased. Throw in a book or two at recommendation from friends and I think I'm full for the year.

dsacco on Apr 6, 2015

As a security engineer, I'm really happy to see news like this enter the mainstream more and more on HN. These bounties are well deserved.

For those of you who would like to try and earn bounties like these, I recommend the same books I always do:

1. The Art of Software Security Assessment

2. Gray Hat Python

3. The Web Application Hacker's Handbook

This is your ethical hacker starter kit. The first two are good for foundational knowledge and will show you how to find the bugs worth something. The third book is specialized for web applications, which is still great but not quite as lucrative.

You will also want to check out CTFs, Cryptography Engineering and the Matasano Crypto Challenges.

If you're looking to join a top tier security firm, Matasano is great for those who like offices and Accuvant (my employer) is great for those who like working fully remotely.

phaus on Jan 30, 2014

If you are going to be doing sysadmin work, and you want to get a feel for the attacker mentality, there are a few things you could do.

If you have the money, know at least 1 scripting language, and have an aptitude for technology, the OSCP certification course is pretty good.

If you want to go the cheaper route, there are lots of books. One introductory text a lot of people like is Hacking: the Art of Exploitation.

If you want to learn about web security, the Web Application Hacker's Handbook is a great book. For something less intensive, The Tangled Web would suffice.

If you want to learn to harden Linux servers, reedit.com/r/linuxadmin, /r/linux and /r/linux4noobs are great resources. Before you post questions, however, I suggest using the search function because lots of people ask for hardening guides.

nbpoole on May 29, 2011

It's not a big secret at all ;)

tptacek has a list of books on Amazon, linked to from his news.yc profile, which cover a wide range of application security topics (http://amzn.to/cthr46). I own The Art of Software Security Assessment and The Web Application Hacker's Handbook and I can vouch for them as quality resources, although I'm not sure how accessible they would be for a beginner.

In terms of a more practical introduction, Google Gruyere is an application deliberately built with security vulnerabilities for the purposes of learning (http://google-gruyere.appspot.com/). There are plenty of other projects along those lines: WebGoat is another good example.

dsacco on Dec 20, 2016

I'll echo what debatem1 and tptacek said here with what I tell everyone:

0. Do not pursue certifications at all.

1. Learn to code. C + Python is a great choice, to start with (or C + Ruby).

2. Start with application security, because it's the easiest place to get your feet wet.

3. Work through The Web Application Hacker's Handbook (don't just read it).

4. Find bug bounties in as many programs on BugCrowd or HackerOne as you can. Extra resume points (and money!) for bug bounties in Google, Facebook etc.

5. Join a reputable security consultancy (NCC Group, Optiv, Bishop Fox, etc.) and mature your skills.

6. Decide how you'd like to specialize.

zAy0LfpBZLC8mAC on Sep 2, 2016

> All the same things that are difficult to get right in any other chunk of code that handles arbitrary input from across the internet.

That's about as unspecific as you can be, isn't it? So, let me give the equally uninformative answer: All of those are either easy to prevent, or they lead to a DoS, which isn't a big concern for a personal email server.

> "The Art of Software Security Assessment" is 1200 pages long

Haven't read it, but by its TOC, it's mostly irrelevant to the given problem (except maybe that it teaches you to not write your personal mail server in C, who would have thought ...).

> "The Web Application Hacker's Handbook" is another 900 pages.

Didn't I say something about avoiding complexity? No, you should not build your mail server as a web application, in case that wasn't clear.

> Nobody has solved all the issues discussed in those (and many other) books in such a way that makes this no longer "hard".

Well, how about you give an example of one problem that you think is still hard enough to be a major obstacle to implementing your own secure personal mail server?

> [...] that I personally don't think it's worth the effort to run network-connected services unless they're for a business that I'm hoping will pay for my time and effort somehow.

How is it that you suddenly switched to "services"? I thought we were talking about "network software"? Am I supposed to believe that you are not running a web browser unless it's for a business that you're hoping will pay for your time and effort somehow? How about web applications? Or what is your justification for a distinction between "services" and "network software", as far as possible security impact is concerned?

robmil on May 12, 2013

For anyone who's after a book: I've found Dafydd Stuttard and Marcus Pinto's "The Web Application Hacker's Handbook" to be invaluable.

sanderjd on Sep 1, 2016

All the same things that are difficult to get right in any other chunk of code that handles arbitrary input from across the internet. I have a couple tomes on this subject: "The Art of Software Security Assessment" is 1200 pages long, "The Web Application Hacker's Handbook" is another 900 pages. Nobody has solved all the issues discussed in those (and many other) books in such a way that makes this no longer "hard".

Note that I'm not at all claiming this stuff is impossible or a total lost cause, just that I think it easily passes the bar for "hard", and is certainly tricky enough to get right that I personally don't think it's worth the effort to run network-connected services unless they're for a business that I'm hoping will pay for my time and effort somehow.

djent on May 1, 2017

Location: Providence, Rhode Island, USA
Remote: Yes
Willing to relocate: Within the country
Technologies: Perl, Golang, HTML, CSS, Javascript, jQuery, Bootstrap, SQL, Git, Heroku
Portfolio: http://patrickhurd.pro/portfolio
Email: patrick.hurd.1995@gmail.com

I'm graduating with a degree in Computer Science in two weeks. I would like a job in software engineering or cybersecurity. The most recent books I've read for industry knowledge are The Web Application Hacker's Handbook and The Art of Software Security Assessment.

iuguy on Dec 14, 2010

I would agree. Some of the books I'd highly recommend for anyone looking to be a well-rounded hacker:

* TCP/IP Illustrated (Volumes 1, 2 & 3) - W. Richard Stevens

* The Web Application Hacker's Handbook - Stuttard, Pinto et al

* The Shellcoder's Handbook - Koziol, Aitel et al

* The Cuckoo's Egg - Clifford Stoll

* Neuromancer - William Gibson

* ARM System-on-chip Architecture - Stephen B. Furber

* Operating Systems Design & Implementation - Tanenbaum

* The Design and Implementation of the FreeBSD Operating System - McKusick, Neville-Neil

These are just a few, and I'm sure there's plenty of others, even better ones. But to truly round yourself out you need to know more than programming a few languages - you need to know the low-level end of things and the high-level view of the world.

mattyb on Apr 20, 2010

For PHP: PHP and MySQL Web Development, 4th Edition by Welling and Thomson. Learn about PDO and parameterized queries and such from the online docs; the book treats security poorly. The Web Application Hacker's Handbook would probably be a nice third book if you're feeling indulgent.

For JS: JavaScript: The Definitive Guide, 5th Edition by Flanagan. Until Secrets of the JS Ninja (or the Rhino book's 6th edition) comes out, then get those.

Out of curiosity, what have you worked with previously?
