Secure Coding mailing list archives

RE: Top security papers


From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Tue, 10 Aug 2004 04:38:55 +0100

Matt Setzer wrote...

It's been kind of quiet around here lately - hopefully just because everyone
is off enjoying a well deserved summer (or winter, for those of you in the
opposite hemisphere) break.  In an effort to stir things up a bit, I thought
I'd try to get some opinions about good foundational materials for security
professionals.  (I'm relatively new to the field, and would like to broaden
my background knowledge.)  Specifically, what are the top five or ten
security papers that you'd recommend to anyone wanting to learn more about
security?  What are the papers that you keep printed copies of and reread
every few years just to get a new perspective on them?  

Okay, for starters, in no particular order:

  Ken Thompson's Turing Award lecture, _Reflections on Trusting Trust_, URL:
        http://www.acm.org/classics/sep95/

  Saltzer & Schroeder, "The Protection of Information in Computer Systems",
        Proceedings of the IEEE, Sept. 1975, pp. 1278-1308, available at:
        http://web.mit.edu/Saltzer/www/publications/protection/

  David Wheeler, "Secure Programming for Linux and Unix HOWTO", URL:
        http://www.dwheeler.com/secure-programs/

  Aleph One, "Smashing the Stack for Fun and Profit", URL:
        http://www.insecure.org/stf/smashstack.txt

  Bruce Schneier, "Why Cryptography Is Harder Than It Looks", URL:
        http://www.schneier.com/essay-037.html

  Carl Ellison and Bruce Schneier, "Ten Risks of PKI: What You're Not Being
        Told About Public Key Infrastructure", URL:
        http://www.schneier.com/paper-pki.html

Also, I'd probably throw in a few RFCs and the Firewall and Snake-Oil
Cryptography FAQs as well, but I'm too lazy to look them up
right now.

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
[EMAIL PROTECTED]       Phone: 614.215.4788
"The reason you have people breaking into your software all 
over the place is because your software sucks..."
 -- Former whitehouse cybersecurity advisor, Richard Clarke,
    at eWeek Security Summit