Open source software security

Get with the New School


A recent post on the Tao Security Blog got me thinking about what I feel is probably the most important book on computer security on the market today. Whether overtly or by influence, this book is making waves in the computer security industry and hopefully changing things for the better. In the case of the Tao Security Blog, it seems that Richard Bejtlich borrows directly from the book. In fact, his entire post appears to be a synopsis of Chapter 3. Bejtlich swears he hasn't read the book - which for me is just further evidence of how accurately the book reflects the emerging trends and new philosophies evolving in computer security.

The book is The New School of Information Security, by Adam Shostack and Andrew Stewart. Essentially it's a collection of interwoven essays that concern themselves with the approach we use to computer security. Tightly bound with ideas proposed by the New Skeptic movement and the Scientific Process (and empiricism), The New School of Information Security seeks to redefine how practitioners of information and computer security conceptualize their field. Shostack and Stewart's work is poised to kick off a paradigm shift in information security, one which is long overdue in a field that has matured as much as infosec.

I haven't finished the book yet, so I'm remiss in writing an article, but I thought I'd point the work out because it deserves all the praise it is getting. Adam Shostack recently did an interview in the Silver Bullet podcast 026 with Gary McGraw that provides additional insight into the book and his method, and I highly recommend it. I'll post a more thorough review as soon as I finish the book - should be soon.