The Tangled Web: A Guide to Securing Modern Web Applications (coredump.cx)
25 points by _qc3o on Jan 25, 2015 | hide | past | favorite | 13 comments


Extremely strong recommend on this book. It's one of the books Matasano gave to all applicants before interviewing them.


I've never heard of giving applicants material before the interview. More commonly, I think companies give new hires (especially interns) a book or some material to read before their start date, but usually the investment comes after the decision.

Did the book shape the interview? Like if I didn't read it, I'd have a hard time? Or maybe even if I nailed the book, but didn't know anything else, that'd be bad?


The books did not shape the interviews, and we were careful to tell candidates that they shouldn't treat them as homework, and they could probably do just fine without reading them at all.


What are the other books, if you don't mind me asking?


I think 'tptacek wrote in some other thread about WAHH and Cryptography Engineering being two of the others.


WAHH and The Art Of Software Security Assessment (TAOSSA) were the other two. We didn't grill candidates on crypto or have work-sample tests that involved crypto. Sadly: you'd be discarding 95% of the candidate pool, and particularly and paradoxically the experienced candidate pool, if you screened for crypto ability. The software security field is just awful at crypto.


Thank you, much appreciated.


Today, anyone trying to advise a web site owner on security has to balance elements within the site owner's control — fonts, domain names, sources of content, validation of user input, for example — against extrinsic elements the site owner can't touch. The latter include user operating systems and software, the security of remote sites supplying content and homologue internationalised domain names. Plus, there are all those tricky details of interactions between tags, and everywhere — in all software — bugs.


This looks really great, and has some big names endorsing it. Has anyone here read the book and could provide some additional insight on what the book did for you?


I read a draft version of it through my employer, and I have to say it is the best book on Web security I've ever seen. It is basically an encyclopedia of attack vectors, organized by the technologies that enabled them. The author discusses both inherent problems with the protocol, as well as nuances in different implementations, which makes it extra valuable. Reading the book through was an eye-opener, and there were countless oh-crap-I-didn't-know-it-could-work-that-way moments.

Two warnings about the book: first, it is really an encyclopedia, so the author skims the part on how to prevent the attacks. There's a security cheatsheet at the end of each chapter, which is helpful but a bit too succinct. You have to understand the book fully to really make use of it. If you're more into a cookbook-style book, look elsewhere. Second, the browser information is not quite up-to-date and thorough. I can't blame the author, as security is an ever-changing landscape. But just a standard warning: do your experiments. Test the attack vectors in all browsers. I once shipped a vulnerability because I blindly trusted the information in the book (thankfully it was disclosed responsibly).


I have read the book and recommend it to all my Security Awareness students.

I recommend reading it earlier in the day, however, as it can lead to some uncomfortable thoughts that you don't want following you into your sleep.


We're actually reading it collectively in our inaugural engineering book club. I'm about a third of the way through; it's full of insights on weaknesses and exploits for web-based applications.


While I'm receptive to the topic and this looks like a good book, this literally is just an advertisement.



