November already. Time to clean up the house before seasonal guests arrive. Part of my list of tasks is throwing away magazines. Lots of magazines. For whatever perverse reason, I got free subscriptions to all sorts of security and technology magazines. CIO Insight. Baseline. CSO. Information Week. Dr. Dobbs. Computer XYZ and whatever else was available. They are sitting around unread so it’s time to get rid of them. While I was at it I got rid of all the virtual subscriptions to electronic magazines as well. I still read Information Security Magazine, but I download that, and only because I know most of the people who write for it. For the first time since I entered the profession there will be no science, technology, or security magazines – paper or otherwise – coming to my door.

I’m sure most of you have already reached this conclusion, but the whole magazine format is obsolete for news. I kept them around just in case they covered trends I missed elsewhere. Well, that, and because they were handy bathroom reading – until the iPad. Skimming through a stack of them as I drop them into the recycling bin, I realize that fewer than one article per magazine would get my attention. When I did stop to read one, I had already read about it on-line at multiple sites to get far better coverage. The magazine format does not work for news.

I am giving this more consideration than I normally would, because it’s been the subject of many phone calls lately. Vendors ask, “Where do people go to find out about encryption? Where do people find information on secure software development? Will the media houses help us reach our audience?” Honestly, I don’t have answers to those questions. I know where I go: my feed reader, Google, Twitter, and the people I work with. Between those four outlets I can find pretty much anything I need on security.

Where other people go, I have no idea. Traditional media is dying. Social media seems to change monthly, and the blogs, podcasts, and feeds that remain strong only do so by shaking up their presentations. Rich feels that people go to Twitter for their security information and advice. I can see that – certainly for simple questions, directions on where to look, or A/B product comparisons. And it’s the perfect medium for speed reading your way through social commentary. For more technical stuff I have my doubts. I still hear more about people learning new things from blogs, conferences, training classes, white papers and – dare I say it? – books! The depth of the content remains inversely proportional to the velocity of the medium.

Oh, and don’t forget to check out the changes to the Securosis site and RSS feeds!

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Project Quant Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Andre Gironda, in response to The Question of Agile’s Success.

“To me, Agile has always been a form of object oriented process, and I mix and match the pieces I need”

I once spoke about Ivar Jacobson’s Essential Unified Process (EssUP) and how software lifecycle processes should be more like aspect-oriented programming. The slide deck is available under “Why AppSec Tools Suck” from Toorcamp last year.

I hadn’t realized how extremely varied Agile processes could be until I recently came across ICONIX and DDT. Their notion of robustness testing matches up nicely to appsec goals.

Relying on process or people alone isn’t really enough. The standard approach should be identification of data and risk classifications, followed by continuous risk management gap analysis on appsec controls. The whole SDL and related concepts are a bit dated, IMO, even with the Agile SDL updates.

Show me the controls in your code, make it easy to find for future eyes on the code, and match the level of detail in documentation of the data flow and execution flow with the degree of severity in data and risk classifications.

If you don’t have output encoding, you’ve got XSS. If you don’t have parameterized queries or named parameters with variable binding then you’ve got SQLi/XPATHi/LDAPi. Every software weakness has an associated optimal control. Match them up. I don’t care as much about the process of secure development if you can’t speak the language of appsec controls.
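As an added illustration (not part of the post or of Andre’s comment), here are two of the weakness/control pairs he names side by side in Python: string-built SQL next to a parameterized query, and raw HTML interpolation next to output encoding. The `users` table is constructed in memory so the code runs offline.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Weakness: the query text is assembled by concatenation, so the caller's
    # input is parsed as SQL syntax rather than treated as a value.
    rows = conn.execute(
        "SELECT role FROM users WHERE name = '" + name + "'").fetchall()
    return [r[0] for r in rows]


def lookup_role_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Control: parameterized query with variable binding. The SQL text is
    # fixed; the driver passes `name` as data and never parses it.
    rows = conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def render_unsafe(name: str) -> str:
    # Weakness: an untrusted value is dropped straight into HTML markup.
    return "<p>Hello, " + name + "</p>"


def render_safe(name: str) -> str:
    # Control: output encoding for the HTML text context, so markup
    # characters in `name` are rendered literally instead of interpreted.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    print(lookup_role_safe(db, "alice"))          # ['admin']
    print(render_safe("<b>alice</b>"))           # markup shown as text
```

Reviewing code for these pairs is the kind of "show me the controls" check the comment asks for: the control is visible at the call site rather than implied by the process that produced it.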