Software Security Books

Essential reading from Cigital security experts

Gary McGraw, Cigital CTO
Addison-Wesley, 2006.

Cigital’s approach to software security is rooted in the “Building Security In” methodology outlined in Software Security, written by our CTO Dr. Gary McGraw.

Software Security is a practical guide to building and maintaining secure software. The security touchpoints described in this book have their basis in good software engineering and involve explicitly pondering security throughout the software development lifecycle. This means knowing and understanding common risks (including implementation bugs and architectural flaws), designing for security, and subjecting all software artifacts to thorough, objective risk analyses and testing.

Joel Scambray, Principal, Cigital
Neil Bergman, Senior Consultant, Cigital
Mike Stanfield, Consultant, Cigital
Jason Rouse, Security Architect, Bloomberg LP
McGraw-Hill, 2013.

Hacking Exposed Mobile: Security Secrets & Solutions will help you identify key threats across the expanding mobile risk landscape and evade them with ready-to-use countermeasures. This cutting-edge guide reveals secure mobile development guidelines, ways to leverage mobile OS features and MDM to isolate apps and data, and techniques the pros use to secure mobile payment systems.

You’ll find out how attackers compromise networks and devices, attack mobile services, and subvert mobile apps. Then, you’ll learn how to battle these attacks by encrypting mobile data, fortifying mobile platforms, and eradicating malware.

Caroline Wong, Security Initiative Director, Cigital
McGraw-Hill, 2011.

Security Metrics: A Beginner’s Guide explains, step by step, how to develop and implement a successful security metrics program. You’ll discover how to communicate the value of an information security program, enable investment planning and decision-making, and drive necessary change to improve your organization’s security.

This practical resource covers project management, communication, analytics tools, target identification, objective definition, obtaining stakeholder buy-in, metrics automation, data quality, and resourcing. You’ll also get details on cloud-based security metrics and process improvement. Templates, checklists, and examples give you the hands-on help you need to get started right away.

Joel Scambray, Principal, Cigital
McGraw-Hill, 2012.

Since 1999, Hacking Exposed has educated millions of readers about how easy it is to hack into computer networks and systems. Hacking Exposed 7: Network Security Secrets & Solutions builds on the fundamentals of earlier editions and discusses topics including enumeration, footprinting, scanning, operating system detection, and more. The latest edition examines current threats, including the new menace APT, embedded hacking, database hacking, and mobile devices.

Hacking Exposed 7 covers every core area of interest to penetration testers, including countermeasures to the various threats and vulnerabilities it details. Written in an easy-to-read style, the updated version remains the best book available on the topic.

David Lindsay
Elsevier, 2010.

Millions of people use web applications daily, making them a popular attack vector. Using code obfuscation, hackers can evade your security measures by creating hundreds—if not millions—of variants from just one attack.

Web Application Obfuscation considers web infrastructure and security controls from an attacker’s perspective, revealing the common shortcomings of security systems. You’ll find out how attackers can bypass different types of security controls, how these security controls can introduce new types of vulnerabilities, and how to avoid common pitfalls so you can strengthen your defenses.