Matt Setzer wrote...
> It's been kind of quiet around here lately - hopefully just because everyone
> is off enjoying a well deserved summer (or winter, for those of you in the
> opposite hemisphere) break. In an effort to stir things up a bit, I thought
> I'd try to get some opinions about good foundational materials for security
> professionals. (I'm relatively new to the field, and would like to broaden
> my background knowledge.) Specifically, what are the top five or ten
> security papers that you'd recommend to anyone wanting to learn more about
> security? What are the papers that you keep printed copies of and reread
> every few years just to get a new perspective on them?
Okay, for starters, in no particular order:
Ken Thompson's Turing Award lecture, _Reflections on Trusting Trust_, URL:
http://www.acm.org/classics/sep95/
Saltzer & Schroeder, "The Protection of Information in Computer Systems",
Proceedings of the IEEE, Sept. 1975, pp. 1278-1308, available at:
http://web.mit.edu/Saltzer/www/publications/protection/
David Wheeler, "Secure Programming for Linux and Unix HOWTO", URL:
http://www.dwheeler.com/secure-programs/
Aleph One, "Smashing the Stack for Fun and Profit", URL:
http://www.insecure.org/stf/smashstack.txt
Bruce Schneier, "Why Cryptography Is Harder Than It Looks", URL:
http://www.schneier.com/essay-037.html
Carl Ellison and Bruce Schneier, "Ten Risks of PKI: What You're Not Being
Told About Public Key Infrastructure", URL:
http://www.schneier.com/paper-pki.html
Also, I'd probably throw in a few RFCs and the Firewall and Snake-Oil
Cryptography FAQs in there as well, but I'm too lazy to look them up
right now.
-kevin
---
Kevin W. Wall Qwest Information Technology, Inc.
[EMAIL PROTECTED] Phone: 614.215.4788
"The reason you have people breaking into your software all
over the place is because your software sucks..."
-- Former whitehouse cybersecurity advisor, Richard Clarke,
at eWeek Security Summit