Threat modeling information, links, and a free tool
Unless you know what you are protecting, from whom, and why you are going to have a very tough time protecting it. Just as I was researching threat modeling for a chapter of my book, this thread happened on the web application security mailing list. A lot of useful information and insightful opinions were exchanged over the course of few days. Then Microsoft released a free threat modeling tool announced several months ago. If I've interested you in the subject, here is a list of links to some public papers on threat modeling. Update: A video interview Frank Swiderski (the author of the free tool and the Thread Modeling book) is available at channel9 .
Honeypot Scan of the Month 31 results are in!
In case you've missed it, I'd like to remind you of the Honeypot Scan of the Month 31 I mentioned a couple of weeks ago. The competition is now over, and there's a detailed analysis waiting for you to read it (actually, several analyses of the same thing are available). The whole experience is very interesting, so if you did not have the time or patience to look through raw results at least read the writeups.
I am writing a book - Apache Security
As a matter of fact, I signed the contract in March, two months ago. The fact I am announcing it just now speaks for itself how busy I am. Obviously, the fact that I am writing a book is very exciting. This is something I wanted to do for a long time. I think my wish has to do with the way my brain works. I hate keeping stuff in my head and I adore that magnificient feeling of putting what I have in my head to paper - freeing the mind to deal with new things.
The way I see it, this book is going to be one long checklist with plenty of very interesting information. No, no, do not take that literally. It is only the appendix that will be a checklist. The rest will consist of the information required to maintain a successful and secure Web presence.
Network Security Hack #93: mod_security
O'Reilly have a new book out: Network Security Hacks. It is a really good book (I read it on Safari myself). There are one hundred tips in there, each describing one important point related to security. Not that it affects my judgment, but hack #93 describes how to use mod_security as a Web application intrusion prevention tool. It's no wonder hacks books are such a success. People don't want to read long books any more. Here, on around 300 pages you get the essence, easy-to-swallow, byte-sized knowledge. You can quickly browse through the table of contents and read what you like immediately, remembering where to turn the next time you have a problem. BTW, there are five sample hacks available for download right now.