- Network Security (2nd edition) by Kaufman, Perlman, and Speciner -- required textbook!
- Security Engineering by Anderson
- The Art of Intrusion by Mitnick and Simon
- The Shellcoder's Handbook by Koziol et al.
- Secure Programming for Linux and Unix HOWTO by Wheeler
- Network Security Essentials by Stallings
- Reflections on Trusting Trust by Thompson (Turing Award lecture)
- Why Cryptosystems Fail by Anderson
- The True Cost of Unusable Password Policies: Password Use in the Wild by Inglesant and Sasse
- Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook by Rabkin
- Messin' with Texas: Deriving Mother's Maiden Names Using Public Records by Griffith and Jakobsson
- On User Choice in Graphical Password Schemes by Davis, Monrose, and Reiter
- Impact of Artificial "Gummy" Fingers on Fingerprint Systems by Matsumoto, Matsumoto, Yamada, and Hoshino
- Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures by Emigh
- Social Phishing by Jagatic, Johnson, Jakobsson, and Menczer
- You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings by Egelman, Cranor, and Hong
- Stronger Password Authentication Using Browser Extensions by Ross et al.
- A Usability Study and Critique of Two Password Managers by Chiasson, van Oorschot, and Biddle
- Browser Security Handbook by Zalewski
- Beware of Finer-Grained Origins by Jackson and Barth
- Rootkits for JavaScript Environments by Adida, Barth, and Jackson
- Drive-By Pharming by Stamm, Ramzan, and Jakobsson
- Dos and Don'ts of Client Authentication on the Web by Fu, Sit, Smith, and Feamster
- Busting Frame Busting by Rydstedt, Bursztein, Boneh, and Jackson
- Next Generation Clickjacking by Stone
- Clickjacking: Attacks and Defenses by Huang et al.
- Cross-Site Request Forgery by Barth, Jackson, and Mitchell
- Advanced SQL Injection in SQL Server Applications by Anley
- Cross Site Scripting Explained by Klein
- XSS Filter Evasion Cheat Sheet
- Postcards from the Post-XSS World by Zalewski
- NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications by Bisht et al.
- How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores by Wang, Chen, Wang, and Qadeer
- Third-Party Web Tracking: Policy and Technology by Mayer and Mitchell
- Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting by Nikiforakis et al.
- CSS Tutorial by Kesden
- Security of the WEP algorithm by Borisov, Goldberg, and Wagner
- Dismantling MIFARE Classic by Garcia et al.
- Wirelessly Pickpocketing a Mifare Classic Card by Garcia, van Rossum, Verdult, and Schreur
- Smashing The Stack for Fun and Profit by Aleph One
- Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses by Chien and Szor
- w00w00 on Heap Overflows by Conover and w00w00 security team
- Vudo - An Object Superstitiously Believed to Embody Magical Powers by Kaempf
- Once Upon a free() by anonymous
- Exploiting Format String Vulnerabilities by scut / team teso
- Basic Integer Overflows by blexim
- Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Cowan et al.
- Bypassing Browser Memory Protection by Sotirov and Dowd
- Leveraging the ActionScript Virtual Machine by Dowd
- Heap Feng Shui in JavaScript by Sotirov
- Interpreter Exploitation by Blazakis
- Return-Oriented Programming by Roemer, Buchanan, Shacham, and Savage
- Hunting for Metamorphic by Szor and Ferrie
- Slammed! An Inside View of the Worm That Crashed the Internet in 15 Minutes by Boutin
- Lessons from the Sony CD DRM Episode by Halderman and Felten
- Global Energy Cyberattacks: "Night Dragon" by McAfee
- Search Worms by Provos, McClain, and Wang
- Your Botnet is My Botnet: Analysis of a Botnet Takeover by Stone-Gross et al.
- A Multi-perspective Analysis of the Storm (Peacomm) Worm by Porras, Saidi, and Yegneswaran
- An Analysis of Conficker by Porras, Saidi, and Yegneswaran
- Stuxnet Dossier by Falliere, O Murchu, and Chien
- Understanding the Network-Level Behavior of Spammers by Ramachandran and Feamster
- On the Spam Payment Trail - interview with Savage
- Click Trajectories: End-to-End Analysis of the Spam Value Chain by Levchenko et al.
- Firewall Gateways by Cheswick and Bellovin
- Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Ptacek and Newsham
- Intrusion Detection via Static Analysis by Wagner and Dean
- Outwitting the Witty Worm by Kumar, Paxson, and Weaver
- MD5 Considered Harmful Today: Creating a Rogue CA Certificate by Sotirov et al.
- New Tricks for Defeating SSL in Practice by Marlinspike
- More Tricks for Defeating SSL in Practice by Marlinspike