November already. Time to clean up the house before seasonal guests arrive. Part of my list of tasks is throwing away magazines. Lots of magazines. For whatever perverse reason, I got free subscriptions to all sorts of security and technology magazines. CIO Insight. Baseline. CSO. Information Week. Dr. Dobbs. Computer XYZ and whatever else was available. They are sitting around unread so it’s time to get rid of them. While I was at it I got rid of all the virtual subscriptions to electronic magazines as well. I still read Information Security Magazine, but I download that, and only because I know most of the people who write for it. For the first time since I entered the profession there will be no science, technology, or security magazines – paper or otherwise – coming to my door.
I’m sure most of you have already reached this conclusion, but the whole magazine format is obsolete for news. I kept them around just in case they covered trends I missed elsewhere. Well, that, and because they were handy bathroom reading – until the iPad. Skimming through a stack of them as I drop them into the recycling bin, I realize that fewer than one article per magazine would get my attention. When I did stop to read one, I had already read about it on-line at multiple sites to get far better coverage. The magazine format does not work for news.
I am giving this more consideration than I normally would, because it’s been the subject of many phone calls lately. Vendors ask, “Where do people go to find out about encryption? Where do people find information on secure software development? Will the media houses help us reach our audience?” Honestly, I don’t have answers to those questions. I know where I go: my feed reader, Google, Twitter, and the people I work with. Between those four outlets I can find pretty much anything I need on security.
Where other people go, I have no idea. Traditional media is dying. Social media seems to change monthly; and the blogs, podcasts, and feeds that remain strong only do so by shaking up their presentations. Rich feels that people go to Twitter for their security information and advice. I can see that – certainly for simple questions, directions on where to look, or A/B product comparisons. And it’s the perfect medium for speed reading your way through social commentary. For more technical stuff I have my doubts. I still hear more about people learning new things from blogs, conferences, training classes, white papers and – dare I say it? – books! The depth of the content remains inversely proportionate to the velocity of the medium.
Oh, and don’t forget to check out the changes to the Securosis site and RSS feeds!
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s Dark Reading post: Does Compliance Drive Patching?
- Rich, Martin, and Zach on the Network Security Podcast, episode 219.
Favorite Securosis Posts
- Rich: IBM Dances with Fortinet. Maybe. Mike reminds us why all the speculation about mergers and acquisitions only matters to investors, not security practitioners.
- Mike Rothman: React Faster and Better: Response Infrastructure and Preparatory Steps. Rich nails it, describing the stuff and steps you need to be ready for incident response.
- Adrian Lane: The Question of Agile’s Success.
Other Securosis Posts
- Download the Securosis 2010 Data Security Survey Report (and Raw Data!)
- Please Read: Major Change to the Securosis Feeds.
- React Faster and Better: Before the Attack.
- Incite 11/3/2010: 10 Years Gone.
- Cool Sidejacking Security Scorecard (and a MobileMe Update).
- White Paper Release: Monitoring up the Stack.
- SQL Azure and 3 Pieces of Flair.
Favorite Outside Posts
- Rich: PCI vs. Cloud = Standards vs. Innovation. Hoff has a great review of the PCI implications for cloud and virtualization. Guess what, folks – there aren’t any shortcuts, and deploying PCI compliant applications and services on your own virtualization infrastructure will be tough, never mind on public cloud.
- Adrian Lane: HTTP cookies, or how not to design protocols. Historic perspective on cookies and associated security issues. Chris’ favorite too: An illuminating and thoroughly depressing examination of HTTP cookies, why they suck, and why they still suck.
- Mike Rothman: Are You a Pirate? Arrington sums up the entrepreneur’s mindset crisply and cleanly. Yes, I’m a pirate!
- Gunnar Peterson offered: How to Make an American Job Before It’s Too Late.
- David Mortman: Biz of Software 2010, Women in Software & Frat House “Culture”.
- James Arlen: Friend of the Show Alex Hutton contributed to the ISO 27005 <=> FAIR mapping handbook.
Project Quant Posts
- NSO Quant: Index of Posts.
- NSO Quant: Health Metrics – Device Health.
- NSO Quant: Manage Metrics – Monitor Issues/Tune IDS/IPS.
- NSO Quant: Manage Metrics – Deploy and Audit/Validate.
- NSO Quant: Manage Metrics – Process Change Request and Test/Approve.
Research Reports and Presentations
- The Securosis 2010 Data Security Survey.
- Monitoring up the Stack: Adding Value to SIEM.
- Network Security Ops Quant Metrics Model.
- Network Security Operations Quant Report.
- Understanding and Selecting a DLP Solution.
- White Paper: Understanding and Selecting an Enterprise Firewall.
- Understanding and Selecting a Tokenization Solution.
Top News and Posts
- Gaping holes in mobile payments via Threatpost.
- Microsoft warns of 0-day attacks.
- Serious bugs in Android kernel.
- Indiana AG sues WellPoint over data breach.
- Windows phone kill switch.
- CSO Online’s fairly complete List of Security Laws, Regulations and Guidelines.
- SecTor 2010: Adventures in Vulnerability Hunting – Dave Lewis and Zach Lanier.
- SecTor 2010: Stuxnet and SCADA systems: The wow factor – James Arlen.
- RIAA ass-clowns at it again.
- Facebook developers sell IDs.
- Russian-Armenian botnet suspect raked in €100,000 a month.
- FedRAMP Analysis. It sure looks like a desperate attempt to bypass security analysis in a headlong push for cheap cloud services.
- Part 2 of JJ’s guide to credit card regulations.
- Dangers of the insider threat and key management. Included as humor, not news.
- Software security courtesy of child labor.
Blog Comment of the Week
“To me, Agile has always been a form of object oriented process, and I mix and match the pieces I need”
I once spoke about Ivar Jacobson’s Essential Unified Process (EssUP) and how software lifecycle processes should be more like aspect-oriented programming. The slide deck is available on tssci-security.com under “Why AppSec Tools Suck” from Toorcamp last year.
I hadn’t realized how extremely varied Agile processes could be until I recently came across ICONIX and DDT. Their notion of robustness testing matches up nicely to appsec goals.
Relying on process or people alone isn’t really enough. The standard approach should be identification of data and risk classifications, followed by continuous risk management gap analysis on appsec controls. The whole SDL and related concepts are a bit dated, IMO, even with the Agile SDL updates.
Show me the controls in your code, make it easy to find for future eyes on the code, and match the level of detail in documentation of the data flow and execution flow with the degree of severity in data and risk classifications.
If you don’t have output encoding, you’ve got XSS. If you don’t have parameterized queries or named parameters with variable binding then you’ve got SQLi/XPATHi/LDAPi. Every software weakness has an associated optimal control. Match them up. I don’t care as much about the process of secure development if you can’t speak the language of appsec controls.
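The comment’s pairing of weaknesses with controls, as an added example that is not part of the original post or the comment: a string-spliced query and a raw HTML render sit next to their controls, variable binding and output encoding. The sqlite3 in-memory table and its rows are constructed sample data.

```python
import html
import sqlite3

# Constructed in-memory user store standing in for an application's database (sample data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "likes <b>bold</b> text"), ("bob", "plain bio")],
    )
    return conn

def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # Weakness (SQLi): the input is spliced into the SQL text, so it can change
    # the structure of the query instead of acting as a value.
    sql = "SELECT name, bio FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    # Control: variable binding. The SQL parser only ever sees the placeholder;
    # whatever the caller supplies is delivered as data and cannot become SQL.
    return conn.execute(
        "SELECT name, bio FROM users WHERE name = ?", (name,)
    ).fetchall()

def render_raw(bio: str) -> str:
    # Weakness (XSS): stored text is emitted into the HTML body unchanged,
    # so any markup it contains is interpreted by the browser.
    return "<p>" + bio + "</p>"

def render_encoded(bio: str) -> str:
    # Control: output encoding for the HTML body context. Markup characters
    # become entities, so the browser shows them as text.
    return "<p>" + html.escape(bio, quote=True) + "</p>"

def controls_in_place(conn: sqlite3.Connection, name: str) -> tuple:
    # The two controls composed: bound lookup, then encoded rendering of each bio.
    rows = lookup_bound(conn, name)
    return tuple(render_encoded(bio) for _, bio in rows)
```

Reviewing code for these two controls is a matter of checking that every query takes a placeholder and every template emits through the encoder, which is exactly the “find it for future eyes” property the comment asks for.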