Having lurked on this list for a while, I'll chime in. The answer depends on what you're trying to learn. If your goal is latest thinking, concepts, etc., I agree with GEM that IEEE S&P is best. If you want to know about the latest products, what's going on in the market, try Information Security magazine (infosecuritymag.techtarget.com). If you want to know what CSOs are worrying about (not just computer/network security, but also physical security, personnel security, etc.) see CSO Magazine (www.csoonline.com). I'm sure there are other "bests" depending on what your goal is.
So the answer is: it depends.

As for books (the second part of the question), again, it depends on what you're interested in. As a selection, I like Ross Anderson's "Security Engineering" as a basic text that covers a bit of everything, and Matt Bishop's text is encyclopedic. Of course GEM's books are excellent choices for understanding software aspects of security. Chris Wysopal's new testing book is excellent. And Ken van Wyk has a great handbook on secure coding practices. [Kudos to GEM, Chris, and Ken for not flogging their own books - since I don't have a book, I'll feel free to flog theirs.] There are many other great books, but you've got to narrow the topic a bit!

--Jeremy

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________