I don’t code much. In fact over the last 10 years or so I have been actively discouraged from coding, with at least one employer threatening to fire me if I was discovered. I have helped firms architect new products, I have done code reviews, I have done some threat modeling, and I have even written a few small Java utilities to weave together a couple other apps. But there has been very, very little development in the last decade. Now I have a small project I want to do, so I jumped in with both feet, and it feels like I was dumped into the deep end of the pool. I forgot how much bigger a problem space application development is, compared to simple coding.
In the last couple of days I have learned the basics of Ruby, Node.js, Chef, and even Cucumber. I have figured out how to bounce between environments with RVM. I brushed up on some Python and Java. And honestly, it’s not very difficult. Learning languages and tools is a trivial matter. A few hours with a good book or web site, some dev tools, and you’re running. But when you are going to create something more than a utility, everything changes. The real difficulty is all the different layers of questions about the big picture: architecture, deployment, UI, and development methodologies. How do you want to orchestrate activities and functions? How do you want to architect the system? How do you allow for customization? Do I want to do a quick prototype with the intention of rewriting once I have the basic proof of concept, or do I want to stub out the system and then use a test-driven approach? State management? Security? Portability? The list goes on.
I had forgotten a lot of these tasks, and those brain cells have not been exercised in a long time. I forgot how much prep work you need to do before you write a line of code. I forgot how easy it is to get sucked into the programming vortex, and totally lose track of time. I forgot the stacks of coffee-stained notes and hundreds of browser tabs with all the references I am reviewing. I forgot the need to keep libraries of error handling, input validation, and various other methods so I don’t need to recode them over and over. I forgot how much I eat when developing – when my brain is working at capacity I consume twice as much food. And twice as much caffeine. I forgot the awkwardness of an “Aha!” moment when you figure out how to do something, a millisecond before your wife realizes you haven’t heard a word she said for the last ten minutes. It’s all that. And it’s good.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Mort quoted in Network World.
- Rich quoted in Building the security bridge to the Millennials.
- Adrian quoted on Database Denial of Service.
- David Mortman and Adrian Lane will be presenting at Secure360.
- Mike and JJ podcast about the Neuro-Hacking talk at RSA.
Favorite Securosis Posts
- Adrian Lane: Research Revisited: The Data Breach Triangle. This magical concept from Rich has aged very, very well. I also use this frequently, basically because it’s awesome.
- Mike Rothman: Research Revisited: Off Topic: A Little Perspective. Rich brought me back to the beginning of this strange journey since I largely left the corporate world. 2006 was so long ago, yet it seems like yesterday.
Other Securosis Posts
- Incite 3/5/2014: Reentry.
- Research Revisited: FireStarter: Agile Development and Security.
- Research Revisited: POPE analysis on the new Securosis.
- Research Revisited: Apple, Security, and Trust.
- Research Revisited: Hammers vs. Homomorphic Encryption.
- Research Revisited: Security Snakeoil.
- New Paper: The Future of Security: The Trends and Technologies Transforming Security.
- Research Revisited: RSA/NetWitness Deal Analysis.
- Research Revisited: 2006 Incites.
- Research Revisited: The 3 Dirty Little Secrets of Disclosure No One Wants to Talk About.
Favorite Outside Posts
- Adrian Lane: Charlie Munger on Governance. Charlie Munger is a favorite of mine, and about as pragmatic as it gets. Good read from Gunnar’s blog.
- Gal Shpantzer: Bloodletting the Arms Race: Using Attacker’s Techniques for Defense. Ryan Barnett, web app security and WAF expert, writes about banking trojans’ functionality and how to use it against attackers.
- David Mortman: Use of the term “Intelligence” in the RSA 2014 Expo.
- Mike Rothman: How Khan Academy is using design to pave the way for the future of education. I’m fascinated by design, or more often by very bad design. Which we see a lot of in security. This is a good story of how Khan Academy focuses on simplification to teach more effectively.
Research Reports and Presentations
- The Future of Security: The Trends and Technologies Transforming Security.
- Security Analytics with Big Data.
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7.
- Eliminate Surprises with Security Assurance and Testing.
- What CISOs Need to Know about Cloud Computing.
- Defending Against Application Denial of Service Attacks.
- Executive Guide to Pragmatic Network Security Management.
- Security Awareness Training Evolution.
- Firewall Management Essentials.
Top News and Posts
- Behind iPhone’s Critical Security Bug, a Single Bad ‘Goto’.
- We Are All Intelligence Officers Now. A week old – we’re catching up on our reading.
- Marcus Ranum at RSA (audio).
- Hacking Team’s Foreign Espionage Infrastructure Located in U.S.
- The Face Behind Bitcoin.
- Uroburos Rootkit.
- Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322.
Blog Comment of the Week
This week’s best comment goes to Marco Tietz, in response to Research Revisited: FireStarter: Agile Development and Security, and you’ll have to watch the video to get it.
@Adrian: good video on Agile vs Security. But why did you have the Flying Spaghetti Monster in there and didn’t even give it credit! 🙂 rAmen