Monday, January 19, 2009

Fun Reading on Security and Compliance #11

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #11, dated January 19th, 2009 (read past ones here). I admit that some stuff has been sitting in my “2blog queue” for way too long, but you know what? If it is still relevant after a few weeks of “cooling down,” it is even more worth reading :-)

  1. “SOA Security in Real Life” – if you have to read up on SOA security, you really MUST do it at Gunnar’s site :-) Fabulous quote: “Infosec is spending waaayyyy too much time and money protecting garages and not enough protecting assets.”
  2. “What are we on the lookout for?” from Verizon Business Services, a fun read.
  3. “Enterprise Security 2009 To Do List” from Gunnar Peterson. No, not “firewall + SSL” :-) The post contains great tips on application security. While reading that, also check this other piece.
  4. Pete’s brief observation on “Risk Tolerance.” Scary, eh?
  5. LOLCAT CISO wisdom bit. Why is the hakker kitteh so darn fat?
  6. “How to choose a PCI DSS QSA Auditor!!” Yep, I agree with two “!” as well.
  7. A really good post from the new SANS Forensics Blog: “Law Is Not A Science: Admissibility of Computer Evidence and MD5 Hashes.” It serves as a VERY useful reminder: “Could you get electronic evidence admitted without hashing? Yep.” and “Will hashing help admissibility of my evidence? Certainly, but it is not legally required.”
  8. “How'd Dilbert know about PCI?” asks Mike. He did somehow :-)
  9. Really, really good read from Jeremiah: “History Repeating Itself.” If you have no time to read it (even though you MUST), just look at the pic. Also, you need to think about it, not just read it! While you are reading it, check this one too (on webapp security “arriving”).
  10. “MS08-078 and the SDL” from MS explains why we will always have vulnerabilities.
  11. Mike’s report card on 2008 predictions. Here is mine too, BTW.
  12. “When Not to do Forensics” from the Verisign Security Blog. A good read, even though I still think they missed the “How likely is the perpetrator to sue us?” case. While there, read this as well.
  13. “How The Cloud Destroys Everything I Love (About Web App Security) … and how it may yet be a good thing” :-) from Rich. All SaaS/cloud security fans should read it.
  14. “On the nature of perimeters and shifting defenses to endpoints and data” from Burton raises a darn good question: deperimeterization of IT + consumerization of IT = disaster. “The shifting of focus to the desktop security defense runs counter to the “consumerization of IT” trend that includes a strategy of allowing employees to bring their own computer to work.” Just think about it! Oooh.
  15. Finally, “Is FUD Always With Us?” I bet ‘yes’ for the foreseeable future.


Dr Anton Chuvakin