I don’t code much. In fact, over the last 10 years or so I have been actively discouraged from coding, with at least one employer threatening to fire me if I was discovered. I have helped firms architect new products, I have done code reviews, I have done some threat modeling, and even a few small Java utilities to weave together a couple of other apps. But there has been very, very little development in the last decade. Now I have a small project I want to do, so I jumped in with both feet, and it feels like I was dumped into the deep end of the pool. I forgot how much bigger a problem space application development is, compared to simple coding.
In the last couple of days I have learned the basics of Ruby, Node.js, Chef, and even Cucumber. I have figured out how to bounce between environments with RVM. I brushed up on some Python and Java. And honestly, it’s not very difficult. Learning languages and tools is a trivial matter. A few hours with a good book or web site, some dev tools, and you’re running. But when you are going to create something more than a utility, everything changes. The real difficulty is all the different layers of questions about the big picture: architecture, deployment, UI, and development methodologies. How do you want to orchestrate activities and functions? How do you want to architect the system? How do you allow for customization? Do I want to do a quick prototype with the intention of rewriting once I have the basic proof of concept, or do I want to stub out the system and then use a test-driven approach? State management? Security? Portability? The list goes on.
I had forgotten a lot of these tasks, and those brain cells have not been exercised in a long time. I forgot how much prep work you need to do before you write a line of code. I forgot how easy it is to get sucked into the programming vortex, and totally lose track of time. I forgot the stacks of coffee-stained notes and hundreds of browser tabs with all the references I am reviewing. I forgot the need to keep libraries of error handling, input validation, and various other methods so I don’t need to recode them over and over. I forgot how much I eat when developing – when my brain is working at capacity I consume twice as much food. And twice as much caffeine. I forgot the awkwardness of an “Aha!” moment when you figure out how to do something, a millisecond before your wife realizes you haven’t heard a word she said for the last ten minutes. It’s all that. And it’s good.
On to the Summary:
Rich quoted in Building the security bridge to the Millennials.
David Mortman and Adrian Lane will be presenting at Secure360.
Adrian Lane: Research Revisited: The Data Breach Triangle. This magical concept from Rich has aged very, very well. I also use this frequently, basically because it’s awesome.
Mike Rothman: Research Revisited: Off Topic: A Little Perspective. Rich brought me back to the beginning of this strange journey since I largely left the corporate world. 2006 was so long ago, yet it seems like yesterday.
Research Revisited: FireStarter: Agile Development and Security.
New Paper: The Future of Security The Trends and Technologies Transforming Security.
Research Revisited: The 3 Dirty Little Secrets of Disclosure No One Wants to Talk About.
Adrian Lane: Charlie Munger on Governance. Charlie Munger is a favorite of mine, and about as pragmatic as it gets. Good read from Gunnar’s blog.
Gal Shpantzer: Bloodletting the Arms Race: Using Attacker’s Techniques for Defense. Ryan Barnett, web app security and WAF expert, writes about banking trojans’ functionality and how to use it against attackers.
David Mortman: Use of the term “Intelligence” in the RSA 2014 Expo.
Mike Rothman: How Khan Academy is using design to pave the way for the future of education. I’m fascinated by design, or more often by very bad design. Which we see a lot of in security. This is a good story of how Khan Academy focuses on simplification to teach more effectively.
We Are All Intelligence Officers Now. A week old – we’re catching up on our reading.
Marcus Ranum at RSA (audio).
Hacking Team’s Foreign Espionage Infrastructure Located in U.S.
Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322
This week’s best comment goes to Marco Tietz, in response to Research Revisited: FireStarter: Agile Development and Security, and you’ll have to watch the video to get it.
@Adrian: good video on Agile vs Security. But why did you have the Flying Spaghetti Monster in there and didn’t even give it credit! :) rAmen