Introducing The Cybersecurity Canon: Books You Should Have Read

Rick Howard


Category: Cybersecurity


can·on –  /kanən/ – noun

1. A group of literary works that are generally accepted as representing a field: “the durable canon of American short fiction” (William Styron).

2. A list of writings officially recognized as genuine.

3. The list of works considered to be permanently established as being of the highest quality: “Hopkins was firmly established in the canon of English poetry.”

For the past decade, I have had this notion that there must be a cybersecurity canon: a list of must-read books whose content is timeless, genuinely represents an aspect of the community that is true and precise, and that, if not read, leaves a hole in a cybersecurity professional’s education. In my new role as Chief Security Officer of Palo Alto Networks, I have to stay visible and well-informed, and make sure I’m an evangelist for the company. To me, these are books no one in our field can do without.

To me, the Canon isn’t purely technical literature and includes both nonfiction and fiction. Books that are how-to manuals for the inner workings of security protocols, coding practices, standard operating procedures and the like are important, but there are plenty of books in those categories that are already covered by the various technical and security certification programs. And unless a book describes some timeless aspect of the community, it doesn’t really meet the definition.

What I am looking for in this list are books that make us human; books that not only tell us how something works but why. The Cybersecurity Canon should include books that explain how we got here and describe the people that drove the community down this path. These books can be novels if they capture the culture correctly and can illustrate and educate the general public about the true nature of cybersecurity. They need to illuminate our timeless thinking on different adversary motivations like crime, hacktivism, espionage and war. They also need to describe realistic hacking techniques and cyber operations.

I’ll be presenting on this topic at RSA 2014 in February, and at that time I’ll discuss my first candidates for inclusion in the Canon. Between now and then, Palo Alto Networks will post my discussions of each of these candidate books so that interested people can preview them before the presentation if they are so inclined and can decide for themselves whether they belong in the Canon or not.

Check back later today for the first entry in my series. Perhaps you might like to take exception with my list and offer other books for consideration. I welcome the debate. This should be fun.

4 Reader Comments

  1. I am looking forward to seeing your list of recommended reading. I really, really hope you included “At Large: The Strange Case of the World’s Biggest Internet Invasion”.

    It’s the ONLY book I’ve ever read that can be understood by average folks who “don’t understand computers.” It’s the story of a lad with considerable disabilities who was able to stumble into some highly sensitive networks with practically no skills. He was dedicated, though, and he persevered … and succeeded with his hacks. That he was ever found is an even better story.

    This book should be used to show that the average user is still the biggest threat, and is the weakest link, in everything Internet.

  2. Rick Howard

    I will put it in my reading queue.


  3. If you are willing to take suggestions for the Canon, here are a few:
    Cyber Warfare:
    Behold a Pale Farce by Bill Blunden
    Black Code: Inside the Battle for Cyberspace by Ron Diebert

    DarkMarket: Cyberthieves, Cybercops and You by Misha Glenny

    Security Engineering by Ross Anderson
    Data Driven Security by Jay Jacobs and Bob Rudis
    Silence on the Wire by Michael Zalewski
    The Tangled Web by Michael Zalewski
    Hacking: The Art of Exploitation, by Jon Erickson
    A Bug Hunter’s Diary, by Tobias Klein
    Practical Malware Analysis by Michael Sikorski and Andrew Honig
    The Art of Software Security Assessment by Mark Dowd, John MacDonald and Justin Schuh
    The Art of Computer Virus Research and Defense by Peter Szor

    I can think of more, but maybe that’s enough for now.

  4. If you had to pick one from the books I have mentioned, Security Engineering is definitely the one which should be read by everyone, although Behold a Pale Farce is the most thought provoking.
