Running. I started running when I was 9. I used to tag along to exercise class at the local community college with my mom, and they always finished the evening with a couple laps around the track. High school was track and cross country. College too. When my friends and I started to get really fast, there would be the occasional taunting of rent-a-cops, and much hilarity during the chase, usually ending in the pursuers crashing into a fence we had neatly hopped over. Through my work career, running was a staple, with fantastic benefits for both staying healthy and washing away workday stresses.
Various injuries and illness stopped that over the last few years, but recently I have been back at it. And it was … frigging awful and painful. Unused muscles and tendons screamed at me. But after a few weeks that went away. And then I started to enjoy the runs again. Now I find myself more buoyant during the day – better energy and just moving better. It’s a subtle thing, but being fit just makes you feel better in several ways, all throughout the day.
This has been true for several other activities of late — stuff I love to do, but for various reasons dropped. Target shooting is something I enjoy, but the restart was awful. You forget how critical it is to control your breathing. You forget the benefit of a quality load. You forget how the trigger pull feels and how to time the break. I grew up taking two or three fishing trips a year, but had pretty much stopped fishing for the last 10 years – lack of time, good local places to go, and people you wanted to go with. You forget how much fun you can have sitting around doing basically nothing. And you forget how much skill and patience good fishermen bring to the craft.
In this year of restarts, I think the one activity that surprised me most was coding. Our research has swung more and more into the security aspects of cloud, big data, and DevOps. But I can’t expect to fully understand them without going waist-deep to really use them. Like running, this restart was painful, but this was more like being punched in the mouth. I was terrible. I am good at learning new tools and languages and environments, and I expected a learning curve there. The really bad part is that much of what I used to do is now wrong. My old coding methods – setting up servers to be super-resilient, code re-use, aspects of object-oriented design, and just about everything having to do with old-school relational database design, needs to get chucked out the window. I was not only developing slowly, but I found myself throwing code out and reworking to take advantage of new technologies. It would have been faster to learn Hadoop and Dynamo without my relational database background – I needed to start by unlearning decades of training. But after the painful initial foray, when I got a handle on ways to use these new tools, I began to feel more comfortable. I got productive. I started seeing the potential of the new technologies, and how I should really apply security. Then I got happy!
I’ve always been someone who just feels good when I produce something. But over and above that is something about the process of mastering new stuff and, despite taking some lumps, gaining confidence through understanding. Getting back in was painful but now it feels good, and is benefitting both my psyche and my research.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- In case you missed it, Dave Lewis, JJ, James Arlen, Rich, Mike, and Adrian posted some of our yearly RSA Conference preview on the RSAC Blog. We will post them and the remaining sections on the Securosis blog next week.
- Mike on Endpoint Defense.
Favorite Securosis Posts
- James Arlen: Firestarter: Using RSA. Crushing the rant on a Monday morning.
- Adrian Lane: Securosis Guide: DevOpsX Games. Really funny post by Rich – despite being a sick puppy, he cranked out his best post of the year.
- Mike Rothman: Network-based Threat Detection: Overcoming the Limitations of Prevention.
Other Securosis Posts
Favorite Outside Posts
- Adrian Lane: The PCI Council calls it quits. Very funny. The clarity of the message gave it away!
- James Arlen: Pin-pointing China’s attack against GitHub. Wouldn’t be the first time an American company has been coerced by a foreign government. Itty Bitty Machines could tell a story or two.
- Rich: Pin-pointing China’s attack against GitHub. This is a make it or break it moment for our government. If they don’t take action they will prove that China can blatantly attack US companies with impunity. This is historically unprecedented.
- David Mortman: The ABC of ABC – An Analysis of Attribute-Based Credentials in the Light of Data Protection, Privacy and Identity .
- Dave Lewis: The failure of the security industry.
- Mike Rothman: Are you the most thrilling ride at the theme park? I’m not sure how Thom Langford made a drab theme park experience into our security reality, but he did. You should check it out.
Research Reports and Presentations
- Endpoint Defense: Essential Practices.
- Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications.
- Security and Privacy on the Encrypted Network.
- Monitoring the Hybrid Cloud: Evolving to the CloudSOC.
- Security Best Practices for Amazon Web Services.
- Securing Enterprise Applications.
- Secure Agile Development.
- Trends in Data Centric Security White Paper.
- Leveraging Threat Intelligence in Incident Response/Management.
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.