Jacob Kaplan-Moss

A reading list for InfoSec engineers

I wrote this post in 2016, more than 7 years ago. It may be very out of date, partially or totally incorrect. I may even no longer agree with this, or might approach things differently if I wrote this post today. I rarely edit posts after writing them, but if I have there'll be a note at the bottom about what I changed and why. If something in this post is actively harmful or dangerous please get in touch and I'll fix it.

I’ve started a curated reading list for InfoSec engineers.

I was inspired by Mark McGranaghan’s Services Engineering reading list. I really enjoy these kinds of personal, highly-curated reading lists, and for some time I’ve wanted to pull together one of my own.

This is my list, not a definitive one — that is, these are resources I’ve found useful. As such it has some biases:

  • It’s oriented towards providers of Software-, Platform-, and Infrastructure-as-a-Service.
  • It tends to focus on the human factors aspects of security practice (there’s deeply technical stuff too, just not as much).
  • There’s some random stuff that’s not explicitly “about InfoSec”, but that I’ve nonetheless found extremely useful in thinking about InfoSec. Dekker’s Field Guide to Understanding ‘Human Error’ is a good example of this kind of resource.

It’s incomplete — first because I’ve not yet sifted through my 10+ years of bookmarks for everything I should add, and second because I intended for this to be a living resource, something I’ll update as I find new things.

If you’ve got suggestions — for general topics, or specific reading suggestions — let me know!.