Being better informed on security topics


A friend emailed me yesterday saying he was ‘trying to be better informed on security topics’ and asking for suggestions on blogs etc. Here’s my reply…

For security stuff first read (or at least skim) Ross Anderson’s Security Engineering (UK|US) – it’s basically the bible for infosec. Don’t be scared that it’s now seven years old – nothing has fundamentally changed.

Blogger Gunnar Peterson once said there are only two tools in security – state checking and encryption, so I find it very useful to ask myself each time a look at something which it is doing (or what blend).

Another seminal work is Iain Grigg’s The Market for Silver Bullets, and it’s well worth following his financial cyptography blog.

Everything else I’ve ever found interesting on the topic of security is on my pinboard tag, and you can get an RSS feed to that.

Other stuff worth following:

Light Blue Touch Paper (blog for Ross Anderson’s security group at Cambridge University)
Bruce Schneier
Freedom To Tinker (blog for Ed Felten’s group at Princeton University)
Chris Hoff’s Rational Survivability

Also keep an eye on the papers for WEIS and Usenix security (and try not to get too sucked in by the noise from Blackhat/DefCon).

An important point that emerges here is that even though there’s a constant drumbeat of security related news, there’s not that much changing at a fundamental level, which is why it’s important to ensure that ‘basic block and tackle’ is taken care of, and that you build systems that are ‘rugged software‘.

This post originally appeared on the Cohesive Networks Blog.

Update 17 Nov 2015 – Stephen Bonner pointed out that I should also recommend Krebs on Security.

Update 4 May 2017 – Dick Morrell suggested Cybersecurity Exposed as a more ‘manager level intro’ on the topic.

Update 3 Sep 2019 – I checked in with Gunnar for the original source of ‘two tools’ and he pointed out that the original source was Blaine Burnham at Usenix Security saying ‘in computer security we basically only have two working mechanisms (which aint enough but that’s another story). One is the reference monitor, and the other is crypto.’

Update 15 Dec 2019 – a thread from Goldman Sachs security leader Phil Venables on ‘non-technical’ books for security people. They all look pretty technical to me, but maybe non security.

3 Responses to “Being better informed on security topics”

  1. 1 Joe Maissel

    Thanks Chris! Book arrived yesterday and is now on my nightstand. I own several similar “classics” within IT (Stevens/Unix, Howes/LDAP, etc). This clearly belongs in the toolkit.

  2. 2 Jason

    Hi you link to amazon to get hold of this awesome book but there us a free online version here

    • Thanks. I knew that the first edition had been available free, but I didn’t realise that Ross had done the same with the second edition.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: