On that list, TAOSSA is probably the book you want if you're looking to sell exploits to The Gruhhghhgq.

I see the book is from late 2006. An honest question for better understanding the security research field: how and how come is it still relevant? Things like algorithms (a la TAOCP) I can understand, as if you prove for example a lower bound for a class of algos it will stay like that forever, but in security research I would imagine the people involved protecting themselves from what is now 6 years old bad practices.

Two reasons.

First, because TAOSSA is an extremely good book.

Second, because TAOSSA deals with the fundamentals of vulnerabilities (with an intense focus on memory corruption issues).

The mainstream exploitation of memory corruption has evolved rapidly over the last 5 years or so, but the vulnerabilities themselves haven't changed. Use-after-free- style object lifecycle bugs are as old as Phrack.

That will help you find C bugs in open source software. Won't do a thing to advance your exploit-writing skills though.

I didn't bring up the list, nor did I make that list for exploit developers. Someone else posted the list, and I said that of the books on it, only TAOSSA would be particularly relevant.

It's amusing that you think finding memory corruption bugs (or, "C bugs in open source software") is irrelevant to exploit development, but, O.K.

I just felt that your post could create mismatch of expectations for someone asking specifically about exploit development..

You're twisting my reply a bit though, I didn't say it's irrelevant. It does not cover binary auditing other than a casual mention (which is what I mean by open source) and it does not discuss exploit writing other than a brief intro of the theory behind them.

Chapter 4, Page 167:

"Exploit creation and software auditing are two different-but highly complementary-skill sets. ...The coverage is not intended as a definiteive guide to exploiting memory corruption vulnerabilities, but it does provide the background you need to understand and appreciate many of the vulnerabilities covered throughout this book."

It then goes on to recommend that:

"Readers interested in learning more about exploiting memory corruption vulnerabilities should pick up The Shellcoder's Handbook, or Exploiting Software ...". It also suggests Phrack and Uninformed journals.

I've read Shellcoder's Handbook and recommend it, however, it is out of date now. Despite this, I don't think the value has diminished, as current exploits build on all of the basics discussed there. Another I recommend is Hacking: The Art of Exploitation. I have not read Exploiting Software.