Secure Coding mailing list archives
Re: Top security papers
From: Crispin Cowan <crispin () immunix com>
Date: Tue, 10 Aug 2004 04:44:19 +0100
Matt Setzer wrote:
> It's been kind of quiet around here lately - hopefully just because everyone is off enjoying a well deserved summer (or winter, for those of you in the opposite hemisphere) break. In an effort to stir things up a bit, I thought I'd try to get some opinions about good foundational materials for security professionals. (I'm relatively new to the field, and would like to broaden my background knowledge.) Specifically, what are the top five or ten security papers that you'd recommend to anyone wanting to learn more about security? What are the papers that you keep printed copies of and reread every few years just to get a new perspective on them?

Here's my top 5. Things to note:

1. It is more like 1 + 4. The first paper (Saltzer and Schroeder) should be *required* reading for everyone who claims to have the slightest clue about security. Everything of significance in computer security is in this article in some form. The only significant technology missing is public key crypto, and that is because it had not been invented yet.

2. The other 4 are a quick & dirty skim through my bibliographic database. I could easily have missed some papers that are more seminal than these, but these 4 are very good, readable, and important.

3. I excluded my own papers from consideration, but if you want to see them ... :) http://immunix.com/~crispin/

Crispin

@article ( salt75,
  author = "Jerome H. Saltzer and Michael D. Schroeder",
  title = "{The Protection of Information in Computer Systems}",
  journal = "Proceedings of the IEEE",
  volume = 63,
  number = 9,
  month = "November",
  year = 1975
)

@article ( one96,
  author = "``Aleph One''",
  title = "{Smashing The Stack For Fun And Profit}",
  journal = "Phrack",
  volume = 7,
  number = 49,
  month = "November",
  year = 1996
)

@article ( miller90,
  author = "B.P. Miller and L. Fredrikson and B. So",
  title = "{An Empirical Study of the Reliability of {\sc Unix} Utilities}",
  journal = "Communications of the ACM",
  pages = "33-44",
  volume = 33,
  number = 12,
  month = "December",
  year = 1990,
  lcindex = "QA76.A772"
)

@inproceedings{ badger95,
  author = "Lee Badger and Daniel F. Sterne and et al",
  title = "{Practical Domain and Type Enforcement for UNIX}",
  booktitle = "Proceedings of the IEEE Symposium on Security and Privacy",
  address = "Oakland, CA",
  month = "May",
  year = 1995
}

@article ( land94,
  author = "Carl E. Landwehr and Alan R. Bull and John P. McDermott and William S. Choi",
  title = "{A Taxonomy of Computer Program Security Flaws}",
  journal = "ACM Computing Surveys",
  volume = 26,
  number = 3,
  month = "September",
  pages = "211-254",
  year = 1994
)
Current thread:
- Top security papers Matt Setzer (Aug 08)
- Re: Top security papers Julie JCH Ryan, D.Sc. (Aug 09)
- Re: Top security papers Crispin Cowan (Aug 09)
- Re: Top security papers Nash (Aug 10)
- OT re Cliff Stoll (was Re: Top security papers) Dave Aronson (Aug 11)
- Re: Top security papers Peter G. Neumann (Aug 09)
- RE: Top security papers Wall, Kevin (Aug 09)
- Re: Top security papers George Capehart (Aug 10)
- RE: Top security papers Jeremy Epstein (Aug 09)