There were a lot of good information security books that came out in 2014, and many that were not worth reading.
The following book stands out as the best, followed by a number of other superb titles, listed in no particular order:
Measuring and Managing Information Risk: A FAIR Approach - Authors Dr. Jack Freund and Jack Jones have written a magnificent book that will change the way (for the better) you think about and deal with IT risk. FAIR takes the FUD out of risk management, and provides a formal language to deal with risk. The book takes time to go through and even longer to put into place. But for those organizations that will use FAIR, it’s eminently clear that they will have much better security programs as a result.
Runners-up
Threat Modeling: Designing for Security - In the introduction to the book, author Adam Shostack sums up his approach in four questions: What are you building, what can go wrong with it once it’s built, what should you do about those things that can go wrong, and did you do a decent job of analysis? The book is an invaluable resource to those who want to design secure networks, systems or applications.
Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions - The breaches at Home Depot, Target and others emphasized how vulnerable PoS systems are. Author Slava Gomzin does a great job of both highlighting their weaknesses (and there are a lot) and showing how to secure them.
Data-Driven Security: Analysis, Visualization and Dashboards - Authors Jay Jacobs and Bob Rudis should be known as the security bad data busters. Rather than using FUD, they use empirical evidence. Check out Jacobs’ recent post "Analyzing Ponemon Cost of Data Breach" to see how powerful good data is. Read the book for a great way to use good data to drive information security.
Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications - There are many ways to install and configure SSL such that it offers no added security. Ivan Ristic, one of the greatest practical SSL/TLS experts around, has documented his expertise in this book and shows how to properly use and configure SSL.
Thanks to those who wrote in 2014
Kudos to all of the authors who wrote books in 2014. There were a lot of good books on information security, privacy and risk management that came out in 2014, and these 5 titles stand out.