DOMAIN:SECURITY:READING_LIST

OWNER: julian
UPDATED: 2026-03-18


MUST_BUY (highest ROI — purchase and process)

BOOK:ALICE_AND_BOB_APPSEC

TITLE: Alice and Bob Learn Application Security
AUTHOR: Tanya Janca (2020)
PRICE: ~$35 (O'Reilly)
DOMAIN: application security, SDLC integration, threat modeling
VALUE: Julian's job in book form — security at every dev phase, communicating findings to developers
PRIORITY: 1

BOOK:PRIVACY_IS_HARD

TITLE: Privacy is Hard and Seven Other Myths
AUTHOR: Jaap-Henk Hoepman (2021)
PRICE: ~$30 (MIT Press)
DOMAIN: privacy by design, GDPR implementation patterns
VALUE: Dutch researcher, 8 privacy design strategies with concrete technical patterns
PRIORITY: 2

BOOK:SECURE_BY_DESIGN

TITLE: Secure by Design
AUTHOR: Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano (2019)
PRICE: ~$40 (Manning)
DOMAIN: domain-driven security, architectural security patterns
VALUE: security as architecture not bolt-on — domain primitives, type safety, validation patterns
PRIORITY_FOR_JULIAN: low — nice-to-have background, not core compliance knowledge
PRIMARY_AUDIENCE: koen, eric (code review), urszula, maxim (backend), marije, judith (testing)
STATUS: PROCESSED 2026-03-19
EXTRACTED_TO: secure-design-patterns.md, secure-failure-handling.md, secure-pipeline-practices.md, legacy-and-microservices-security.md
INDEX: books/secure-by-design.md
NOTE: content is about HOW to write secure code, not HOW to audit compliance — reassigned from Julian to Koen/Eric domain

BOOK:PRACTICAL_WEB_ACCESSIBILITY

TITLE: Practical Web Accessibility
AUTHOR: Ashley Firth (2024)
PRICE: ~$35 (Apress)
DOMAIN: WCAG 2.2, React/Vue accessibility, modern tooling
VALUE: accessibility in component-based architectures — exactly what GE builds
PRIORITY: 4

BOOK:SUPPLY_CHAIN_SECURITY

TITLE: Software Supply Chain Security
AUTHOR: Cassie Crossley (2024)
PRICE: ~$45 (O'Reilly)
DOMAIN: SBOM, SLSA, CRA compliance, dependency management
VALUE: end-to-end supply chain security, directly relevant to EU CRA (2027)
PRIORITY: 5

TOTAL_COST: ~$185


EXTRACT_FIRST (get from public sources before buying)

BOOK: The Web Application Hacker's Handbook — Stuttard & Pinto (2011). Foundational but dated. USE_INSTEAD: OWASP Testing Guide v4.2
BOOK: Bug Bounty Bootcamp — Vickie Li (2021). Modern vuln patterns. EXTRACT_FROM: conference talks, blog posts
BOOK: Real-World Cryptography — David Wong (2021). Practical crypto. EXTRACT_FROM: Manning early access chapters
BOOK: European Data Protection Law — Bygrave (2021). Academic. EXTRACT_FROM: EDPB guidelines directly
BOOK: The EU GDPR: A Commentary — Kuner et al. (2024). ~$300. USE_INSTEAD: GDPRhub.eu case law database (free)
BOOK: Inclusive Design Patterns — Pickering (2016). EXTRACT_FROM: Smashing Magazine articles by same author
BOOK: Container Security — Liz Rice (2020). EXTRACT_FROM: NSA K8s Hardening Guide + CIS benchmarks
BOOK: Hacking Kubernetes — Martin & Hausenblas (2021). EXTRACT_FROM: NSA guide + CNCF security whitepaper
BOOK: ISO 27001:2022 Pocket Guide — Watkins (2023). EXTRACT_FROM: ISO implementation guides online


FREE_RESOURCES (process immediately)

STANDARDS

SOURCE: OWASP ASVS 4.0.3 — owasp.org/www-project-application-security-verification-standard/
SOURCE: OWASP Testing Guide v4.2 — owasp.org/www-project-web-security-testing-guide/
SOURCE: OWASP Cheat Sheet Series — cheatsheetseries.owasp.org/
SOURCE: CIS Controls v8 — cisecurity.org/controls
SOURCE: NIST CSF 2.0 — nist.gov/cyberframework
SOURCE: NSA/CISA K8s Hardening Guide v1.2

GDPR

SOURCE: EDPB Guidelines (all) — edpb.europa.eu
SOURCE: Dutch DPA Guidance — autoriteitpersoonsgegevens.nl/en
SOURCE: GDPRhub.eu — case law database
SOURCE: GDPR Enforcement Tracker — enforcementtracker.com

ACCESSIBILITY

SOURCE: W3C WAI Tutorials — w3.org/WAI/tutorials/
SOURCE: WebAIM Resources — webaim.org/resources/
SOURCE: A11y Project — a11yproject.com/
SOURCE: EN 301 549 v3.2.1 — etsi.org

NEWSLETTERS

SOURCE: tl;dr sec — weekly AppSec
SOURCE: A11y Weekly — accessibility
SOURCE: Adrian Roselli — deep accessibility analysis
SOURCE: NCSC-NL — Dutch-relevant advisories


PROCESSING_PROTOCOL

ON_BOOK_ACQUIRED:
1. read full book via PDF processing
2. extract: principles, patterns, anti-patterns, checklists, decision frameworks
3. write structured wiki pages per topic (agentic format)
4. link from identity files and domain pages
5. tag extraction with source book for attribution