Question:
I recently bought and read a box set of books on security (Building Secure Software: How to Avoid Security Problems the Right Way, Exploiting Software: How to Break Code, and Software Security: Building Security In). Although I think that the contents of these books will be useful for years to come, the authors do acknowledge that the world of computer and software security changes very quickly. What are some ways that I could stay on top of the latest happenings in these areas?
Answer 1:
I follow Schneier on Security in my RSS reader.
Answer 2:
Listen to the Security Now podcast, on TWiT. Then, depending on the OSes you are using, you should subscribe to their security mailing lists or RSS feeds.
Answer 3:
The Register's Security section. RSS available. (I am a big fan of El Reg.)
Also, and it might be a little lightweight for a coder, but the Security Now! podcast with Steve Gibson and Leo Laporte is decent.
Answer 4:
If you can afford it (or convince your employer to pay), go to at least one conference a year. As a last resort, there's always Defcon, which takes place on a weekend and is only $100. It's not as professional as, say, Black Hat, but it's better than nothing.
Answer 5:
RISKS is not security-specific, but some interesting security-related topics are discussed there.
BUGTRAQ is a full-disclosure security mailing list that is worth skimming. (Every time a vulnerability is disclosed in a piece of software that ships with most Linux distributions, there is a barrage of disclosures from all of the various distributions. This negatively affects the signal-to-noise ratio unless you're using one of those distributions.)
Some security-related blogs that may be interesting (in addition to Schneier on Security which has already been linked): …And You Will Know me by the Trail of Bits, DoxPara Research (Dan Kaminsky), Matasano Chargen, Microsoft's Security Development Lifecycle, ZDNet's "Zero Day".
Answer 6:
OWASP (http://www.owasp.org) provides a very nice RSS feed, mostly aggregated from many different sources.
Answer 7:
Oh, don't forget the incredibly interesting hackers' conferences by the CCC. The conferences' names have a fixed pattern. The last one was 24c3, the next one will be 25c3. They are held in Berlin, Germany, and are one of the biggest convergence points in hacker and security culture on this planet.
You will find videos and mp3 transcripts of the last conferences at Chaos Radio.
Just in case you can't make the trip, the talks are usually broadcast via live streams. Recordings get published weeks after the event.
Answer 8:
For web security I subscribe to the following feeds (some are updated regularly, some aren't):
DanchoDanchevOnSecurity
Internet Storm Center
The Register (enterprise security)
US-CERT Cyber Security Bulletins
Zero Day
ha.ckers.org
and one of my newest adds
Stack Overflow: tagged Security
or you can just add them all to your iGoogle home page: My iGoogle Security Page
I'm sure there are more interesting feeds out there if you're more application centric.
Regardless, feeds or visiting sites is the only way to really stay completely on top of things. Conferences are great, and fun to go to, but you'll get the same information an hour later via the web; usually with the added bonus of having several points of view to help you understand the topics.
Answer 9:
Then there is the ACM's SIGSAC and the ACM's Transactions on Information and System Security. Being a member of the ACM is generally recommended by the authors of the Practical Programmer.
Answer 10:
Security Now! is not bad (I listen each week).
It often contains good explanations of underlying technologies (e.g. how does a router know where to send an IP packet?), although I do think it does go on a bit.
If you want a more hardcore podcast, then try Paul "dot com"'s Security Weekly.
It's really for penetration testers, but I can't help thinking that if a penetration tester knows about it then so should I.
Answer 11:
A blog I enjoy (apart from Schneier on Security) is Light Blue Touchpaper, a collective blog by the computer security research department at Cambridge University (led by the wonderful Ross Anderson).
Answer 12:
IEEE has "Security and Privacy" as a magazine - it is pretty good.
Answer 13:
I use many of the others mentioned above (Schneier as mentioned); however, I've found Slashdot honestly gives me the best "heads up" as to the new attack vectors coming in. It's not always timely, and mostly just a general overview, but it's good at posting vectors I never thought of.
Answer 14:
Consider attending a local OWASP chapter meeting.
Answer 15:
For software security, and especially web application security, OWASP Moderated AppSec News is a great RSS feed. Good signal/noise ratio. It should be enough to be up to date.