Good Reading about Security
Security-related Blogs You Should Read
By Don Kiely
Being interested in security of all types, I read a lot of interesting blogs that keep me close to the bleeding edge. I'm not always out in front of the wave (there is just too much happening every day), but I'm usually aware of the breaking topics. My interest is primarily security from a developer's perspective, which keeps me focused but still covers a lot of ground.
Here are a few of the most interesting security-related blogs I read, in various categories. Most are reasonably active (some have multiple posts every day); a couple are worth reading even though their posts are widely scattered in time or there hasn't been much new lately.
Schneier on Security. Bruce Schneier has two talents that make this one of my most eagerly anticipated reads: he is very hip to technology and is a witty writer. His observations about all the security, and attempts at security, that surround us are fascinating, such as insights into which actions Homeland Security takes are useful and which are futile. He is the author of the Blowfish encryption algorithm and several books. His Friday Squid Blogging posts are, well, weird, but I think they provide a bit of insight into what he is all about.
Slight Paranoia. Written by Christopher Soghoian, a student at Indiana University, this blog explores the edges of security. He was recently arrested and interrogated by the FBI for putting up a Web site that showed just how insanely easy it is to create fake airline boarding passes to circumvent the ID requirements at airport security. That ongoing story alone is interesting enough, but he also has a lot of interesting observations about security.
SANS Internet Storm Center. If you're interested in breaking news about security events, this is the blog to read. The ISC monitors Internet traffic around the clock and gathers reports from the field as attacks develop. The handlers on duty also have a lot to say about other security issues as they explore topics that interest them. They always have something to say about Microsoft's Patch Tuesday each month, and the attack analyses are interesting reads even if you're not into the deep technology that makes the Internet work. There is a lot of activity here, and I probably find one out of every five posts very worthwhile to read. If nothing else, a quick scan of the day's posts brings me up to speed quickly on what's going on.
.NET and Windows Security
.NET Security Blog. Microsoft's Shawn Farkas has a deep knowledge of security issues in the .NET Framework. If you are serious about security in your .NET applications, this is one of the must-read blogs. I like that he is not afraid to air dirty laundry, such as recently announcing that there are some serious bugs in the HMACSHA512 and HMACSHA384 classes that provide keyed hashes. That news isn't pretty (I had just finished some work implementing code with those classes, so it was bad timing for me), but I'd rather know about it than not.
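The practical lesson from a broken keyed-hash class is that every HMAC implementation you rely on should be run through a known-answer test before it goes anywhere near production. The example below is added here and is not code from the blog or from the .NET Framework: it builds HMAC directly from the RFC 2104 definition (inner and outer hash over an ipad/opad-masked key), checks that construction and the Python standard library's hmac module against the published RFC 4231 test case 1 vectors for HMAC-SHA-384 and HMACSHA-SHA-512 (the two algorithms behind the classes named above), and shows that a naive H(key || message) "keyed hash" fails the same test. The function names and the `verify_tag` helper are my own; port the vectors and the comparison to HMACSHA384/HMACSHA512 to test the .NET classes the same way.

```python
import hashlib
import hmac

# RFC 4231, test case 1 (published test vectors, not constructed here):
# key = 20 bytes of 0x0b, message = "Hi There".
KAT_KEY = b"\x0b" * 20
KAT_MSG = b"Hi There"
KAT_EXPECTED = {
    "sha384": "afd03944d84895626b0825f4ab46907f15f9dadbe4101ec682aa034c7cebc59c"
              "faea9ea9076ede7f4af152e8b2fa9cb6",
    "sha512": "87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cde"
              "daa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854",
}


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """HMAC exactly as RFC 2104 defines it:
    H((K ^ opad) || H((K ^ ipad) || msg)), where K is the key hashed down
    if longer than the hash block size and zero-padded up to it otherwise."""
    block = hashlib.new(hash_name).block_size  # 128 for SHA-384/512
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def naive_keyed_hash(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """Deliberately wrong 'keyed hash': H(key || msg). Not HMAC, and also
    open to length-extension forgery; included to show the KAT rejects it."""
    return hashlib.new(hash_name, key + msg).digest()


def known_answer_test(hash_name: str, compute) -> bool:
    """Run RFC 4231 test case 1 against compute(key, msg, hash_name) -> bytes.
    Any implementation that does not reproduce the published digest is broken."""
    return compute(KAT_KEY, KAT_MSG, hash_name).hex() == KAT_EXPECTED[hash_name]


def stdlib_hmac(key: bytes, msg: bytes, hash_name: str) -> bytes:
    return hmac.new(key, msg, hash_name).digest()


def check_all() -> dict:
    """KAT results for each implementation and hash; True means it passed."""
    results = {}
    for name in KAT_EXPECTED:
        results[f"rfc2104:{name}"] = known_answer_test(name, hmac_rfc2104)
        results[f"stdlib:{name}"] = known_answer_test(name, stdlib_hmac)
        results[f"naive:{name}"] = known_answer_test(name, naive_keyed_hash)
    return results


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha512") -> bool:
    """Check a received tag with a constant-time comparison so that the
    verifier's timing does not leak how many leading bytes matched."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, hash_name), tag)


if __name__ == "__main__":
    for check, ok in check_all().items():
        print(f"{check}: {'OK' if ok else 'FAIL'}")
```

Running the block prints OK for the RFC 2104 construction and the standard library on both hashes and FAIL for the naive keyed hash; a broken library class would show up the same way. The pattern to take away is the known-answer test itself, which takes one published vector and a few lines of code and would have flagged the bug described above before any data was protected with it.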
Aaron Margosis' WebLog. Aaron Margosis is with Microsoft Consulting Services and is the minor deity of least privilege. He is a strong advocate of running as a mere User without administrative rights on your everyday machine, and has published a ton of material about how to do it both as a user and as a developer. He created several tools, two of which I use every day on my Windows XP machines: PrivBar and MakeMeAdmin. Running with least privilege isn't as easy as it should be, even in Vista, but Aaron has good information about how to do it. Unfortunately, he doesn't blog often, but pretty much everything there is well worth the read.
Michael Howard's Web Log. Michael Howard is also with Microsoft and is one of the driving forces behind Microsoft's push for security in its products, as well as a spokesman for secure development. He co-wrote Writing Secure Code, 19 Deadly Sins of Software Security, and The Security Development Lifecycle, three of the better secure software development books around. He provides lots of good information on a range of topics, with usually a few new posts each week.
Microsoft Security Response Center Blog. This is the source for current information about what Microsoft is dealing with on the security front. There is lots of news about security advisories and threats, often before anything is published about them elsewhere. It is written by various people, and is a good source of breaking security news.
This list is by no means exhaustive, either of the worthwhile security blogs or even of the ones I read. There is a lot of information available, and these blogs are great resources for it.
Let me know of the good security blogs you read! Drop me a note at mailto:[email protected].
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.