views: 465 | answers: 15

I recently bought and read a box set of books on security (Building Secure Software: How to Avoid Security Problems the Right Way, Exploiting Software: How to Break Code, and Software Security: Building Security In). Although I think that the contents of these books will be useful for years to come, the authors do acknowledge that the world of computer and software security changes very quickly. What are some ways that I could stay on top of the latest happenings in these areas?

+6  A: 

I follow Schneier on Security in my RSS reader.

Sklivvz
As long as Bruce Schneier keeps blogging and writing books, I think the security world will be better off. The day he stops will be a sad day indeed.
Thomas Owens
Love it indeed - read it at the top of my list - but he doesn't really deal with technical issues so much anymore. Except when he doghouses someone's new snake oil...
AviD
+3  A: 

Listen to the Security Now podcast on TWiT. Then, depending on the OSes you are using, you should subscribe to their security mailing lists or RSS feeds.

+3  A: 

The Register's Security section. RSS available. (I am a big fan of El Reg.)

Also, and it might be a little lightweight for a coder, but the Security Now! podcast with Steve Gibson and Leo Laporte is decent.

Stu Thompson
Top tip about The Register. I'm a bit of a security wonk, but I didn't have that in my RSS reader. I do now. Thanks! - AJ :)
AJ
+2  A: 

If you can afford it (or convince your employer to pay), go to at least one conference a year. As a last resort, there's always Defcon, which takes place on a weekend and is only $100. It's not as professional as, say, Black Hat, but it's better than nothing.

raldi
+1  A: 

RISKS is not security-specific, but some interesting security-related topics are discussed there.

BUGTRAQ is a full-disclosure security mailing list that is worth skimming. (Every time a vulnerability is disclosed in a piece of software that ships with most Linux distributions, there is a barrage of disclosures from all of the various distributions. This negatively affects the signal-to-noise ratio unless you're using one of those distributions.)

Some security-related blogs that may be interesting (in addition to Schneier on Security which has already been linked): …And You Will Know me by the Trail of Bits, DoxPara Research (Dan Kaminsky), Matasano Chargen, Microsoft's Security Development Lifecycle, ZDNet's "Zero Day".

bk1e
+2  A: 

OWASP (http://www.owasp.org) provides a very nice RSS feed, mostly aggregated from many different sources.

AviD
A: 

Security Now! is not bad (I listen each week).
It often contains good explanations of underlying technologies (e.g. how does a router know where to send an IP packet?), although I do think it does go on a bit.

If you want a more hardcore podcast, then try Paul "dot com"'s Security Weekly.
It's really for penetration testers, but I can't help thinking that if a penetration tester knows about it then so should I.

AJ
A: 

Then there is the ACM's SIGSAC and the ACM's Transactions on Information and System Security. Being a member of the ACM is generally recommended by the authors of the Practical Programmer.

xmjx
+1  A: 

Oh, don't forget the incredibly interesting hackers' conferences by the CCC. The conferences' names have a fixed pattern. The last one was 24c3, the next one will be 25c3. They are held in Berlin, Germany, and are one of the biggest convergence points in hacker and security culture on this planet.

You will find videos and mp3 transcripts of the last conferences at Chaos Radio.

Just in case you can't make the trip, the talks are usually broadcast via live streams. Recordings get published weeks after the event.

xmjx
+1  A: 
RaySir
A: 

A blog I enjoy (apart from Schneier on Security) is Light Blue Touchpaper - a collective blog by the computer security research department at Cambridge University (led by the wonderful Ross Anderson).

Hamish Downer
A: 

IEEE has "Security and Privacy" as a magazine - it is pretty good.

Jonathan Leffler
A: 

I use many of the other mentions mentioned above (Schneier as mentioned), however I've found Slashdot honestly gives me the best "heads up" as to the new attack vectors coming in. It's not always timely, and mostly just a general overview, but it's good at posting vectors I never thought of.

tekiegreg
A: 

Consider attending a local OWASP chapter meeting.

jm04469
A: 

For software security and especially web application security OWASP Moderated AppSec News is a great RSS feed. Good signal / noise ratio. It should be enough to be up to date.

dr. evil