infosec study guide

Disclaimer: I am not a security expert. Also, clearly, this is a work in progress. Nevertheless it's worth putting this out there, in whatever rough state, and iterating it.

This guide is geared towards generalist software developers who want to become clueful enough about information security to do their job well. There are probably better resources for people who want to become professional infosec specialists.

a course of self-study

Software security is a fast-moving field, and at least some of the concrete technical material in these sources will be dated. As you study this material, look for generalizable concepts more than specific factual nuggets; and when it comes time to build actual systems, research how current your knowledge is before applying it.

Ross Anderson. Security Engineering, 2nd. Ed. 2010.

A good overview. Don't be intimidated by its doorstop heft; it is highly readable and easy to consume in chapter-long chunks. For most software developers, many of the threats will be way out on the tail of your practical threat model (for example, you're probably not going to have the bandwidth to do much about electromagnetic emissions). However, overall I think this is an outstanding place to start.

Jonathan Katz. Cryptography (Coursera course), ca. 2014 (?).

A good, principled overview of the most important cryptographic constructs. (I have also been planning to read Katz's book but I can't vouch for it yet.)

Michal Zalewski. The Tangled Web: A Guide to Securing Modern Web Applications. 2011.

Essential reading for the web (the world's most important software applications platform). This book sorely needs to be updated for the modern web, but it is still very much worth reading cover to cover.

Bruce Sterling. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. 1992.

This is not a technical text; it's narrative nonfiction about the early history of hacking. Not strictly required to build systems today, but many of the people you encounter will have heard this lore. Knowing this history also explains some cultural features of infosec, such as its distrust of US law enforcement.

Lastly, Thomas Ptacek has a much more thorough annotated reading list on application security, arguably more oriented towards aspiring infosec professionals.

news sources

As noted above, the field moves fast. Here are some random tips for keeping up with security news.

The extent to which the contemporary infosec expert community has taken to Twitter is surprising, but a boon to the rest of us, provided you have the patience to wade through Twitter. Here are some good accounts to follow:

  • @tqbf - Thomas Ptacek, CEO of Matasano Security.
  • @taviso - Tavis Ormandy, Google security researcher.
  • @mattblaze - Matt Blaze, security researcher at U. Penn.
  • @matthew_d_green - Matthew Green, security researcher at Johns Hopkins.
  • @random_walker - Arvind Narayanan, security researcher at Princeton.
  • @EdFelten - Ed Felten, security researcher at Princeton, former US CTO.
  • @binitamshah - Binni Shah, Linux developer; high volume of quality links.
  • @hashbreaker - DJ Bernstein, author of many cryptographic, networking, and Unix tools, and perhaps "the greatest programmer in the history of the world".
  • @lcamtuf - Michal Zalewski, author of The Tangled Web, American Fuzzy Lop, and sundry; Google security researcher.
  • @travisgoodspeed - Travis Goodspeed, security researcher.
  • @evacide - Eva Galperin, policy analyst at EFF.
  • @wseltzer - Wendy Seltzer, law professor, privacy & security policy issues etc.
  • @astepanovich - Amie Stepanovich, digital privacy & security policy issues etc.
  • @__apf__ - Adrienne Porter Felt, "usable security" lead for Chrome.
  • @agl__ - Adam Langley, Chrome developer & crypto hacker.
  • @sleevi_ - Ryan Sleevi, chromium security.
  • @ErrataRob - Rob Graham, author of masscan and other tools, self-described troll.
  • @schneierblog - Bruce Schneier, security researcher.
  • @sirdarckcat - Eduardo Vela, Google security researcher.
  • @BenLaurie - Ben Laurie, security researcher.
  • @JZdziarski - Jonathan Zdziarski, author of LittleFlocker; principally useful on iOS and macOS security.

Lastly, a lot of people like @SwiftOnSecurity (yes, really), but I personally find the signal-to-noise ratio too low and prefer to see only the content that other people retweet. (On the other hand, this Twitter thread is an interesting set of answers to the question: "Multiple people who are graduating college have asked how they can get into InfoSec. What is your advice for people with degrees?")

Useful blogs:

Additionally many of the people in the Twitter list above also have blogs, many of which are worth following.

Close study of the publications of Stefan Savage's research group alone could fill several semesters of fruitful security education.

I'll also immodestly add a plug for my security bookmarks, which often filter out the material I find particularly interesting from the above sources.

journals and conferences

Usenix sponsors a variety of conferences and workshops under the banner of the Usenix Security Symposium; there is also the newer Usenix Enigma. See also other Usenix resources, which often have interesting content.

Black Hat is a family of security conferences held around the world; see this blog post by Tom Lee for a little flavor about BH and its less buttoned-up cousin defcon.

"Rev. Dr. Pastor Manul Laphroaig" edits the International Journal of Proof-of-Concept or Get The Fuck Out (PoC||GTFO). This is often rather, um, esoteric, but good fun, and a more honest window into the hacker mindset than most "real" journals.

Pwnie Awards: recognizing excellence in pwnage; see also @PwnieAwards.
