That's fascinating! I'm curious what sort of education and experience you had to land a job like that, do you mind sharing? I'd love to work in a lab like that one day, but I'm not sure what is considered "good enough" to get a career in security rather than just a hobby.
Thank you for doing the crypto challenge by the way. Was a lot of fun, and I'm looking forward to the next set :). Has anyone else finished it in C# yet?
Slightly off-topic, but like your appsec reading list above, are there any crypto resources you value for someone taking the self-learning route into real-world crypto?
I've been looking into buying Gray Hat Python as more of my job starts to require scripting, but I'm put off by that first review (and overall, the reviews aren't glowing). Interesting that it comes recommended from you, someone whose opinion I respect.
I don't know how long ago your list was made; would you still recommend Gray Hat Python?
I didn't think Gray Hat Python was a great book, but it serves a valuable purpose that I'm not aware of another book supplanting, which is that it shows you that you can use underlying programming to do security-related tasks, instead of being limited to just using tools.
The widest chasm that separates security professionals is the one between those that can only use tools other people provide and those that can write their own tools. And more than just being able to write them, but being able to write them quickly enough to be of use during an engagement (which usually only lasts between 1-3 weeks).
A lot of security testing at the non-entry level is putting together specific tools to accomplish an engagement-specific task. You don't generally spend a lot of time building giant edifices, it's usually lots of small things that you mostly throw away between gigs (minus whatever underlying libraries you favor using as construction components).
In that regard, I think Gray Hat Python is still a good book to introduce you to the idea of using real programming to do hacking, even if you never write a line of Python on an engagement.
I don't think it's an especially great programming book, but it is a great cross-section of the programming tasks you actually do when working in a vulnerability research lab (or software security consultancy, for that matter).
After lightly reading through both books, I think Gray Hat Python is a great book for more advanced security concepts, especially on the reverse engineering and exploit dev side of things, but isn't a very good book for learning Python or programming.
Violent Python on the other hand is a great book for beginners to Python and programming, and it teaches both pretty well, but it only goes into surface level security concepts for the most part.
Gray Hat Python is closer to a Windows API/x86 assembly book than a Python one. Violent Python is a real Python book and mostly covers general information security and network security concepts.
Gray Hat Python is also purely application security. Debugging, reversing, hooking, writing shellcode, exploiting... Violent Python is almost entirely network security, with one chapter on forensics. Exploit dev vs. exploit user.
It depends on your experience level and what you want to actually learn. If someone was brand new to Python, application security, and even programming, I'd recommend reading Violent Python first and then Gray Hat. If someone has more advanced security knowledge and has some decent programming skills already, I'd probably tell them to skip Violent Python.
Or if they wanted to focus on appsec vs. netsec, I'd direct them to one or the other based on that. If you want both, you should definitely read both.
The list author says:
"I had a CISSP book here as a joke, but then realized that someone who clicked 'buy whole list' would end up accidentally owning a CISSP book. Far better that they accidentally end up owning David Foster Wallace's most accessible book. The state fair essay in particular, worth the price of admission."