My first entry here, so I thought I would keep things short and simple ...
I frequently get asked what reference materials I suggest to learn more about application security. The answer to almost everything is of course, "It depends." In fact, it depends upon the role of the person asking. It depends on whether they want an executive overview or a granular examination of the vulnerabilities, attacks and mitigation. It depends upon whether they hope to use the material as a guide or as a reference. Below are some of the materials that stand out in my collection. (I give references to Amazon where applicable only because of their popularity - not as an official endorsement.)
For the developer wanting to learn about software security:
I know I'm going to get flak for this recommendation, but for an introduction to Web Application Security, I still like the old classic (soon to be updated in a third edition):
For the more experienced security penetration tester to think more creatively, I've recently very much enjoyed:
In terms of application security reference guides, I continue to believe that OWASP provides some of the most comprehensive guides on the market:
Finally, as I work for IBM and participate in various publications for both product and policy, I cannot help but suggest some of the freely available recommended Red Guides:
- Improving Your Web Application Software Development Life Cycle's Security Posture with IBM Rational AppScan
- Security in Development: The IBM Secure Engineering Framework
If you are involved in Enterprise Application Security implementation, I strongly suggest that final reference to the IBM Secure Engineering Framework (SEF). It outlines the best practices that we both deploy internally and suggest externally, based on decades of software design, development and delivery. Rather than assuming that all software development is green-field work, it recognizes that most of our software and application projects are built on legacy systems that are not easily refactored.