Secure Coding mailing list archives

FW: Good Magazines and Books


From: jepstein at webmethods.com (Jeremy Epstein)
Date: Wed, 31 Jan 2007 11:39:14 -0500

Having lurked on this list for a while, I'll chime in.

The answer depends on what you're trying to learn.  If your goal is latest
thinking, concepts, etc., I agree with GEM that IEEE S&P is best.  If you
want to know about the latest products, what's going on in the market, try
Information Security magazine (infosecuritymag.techtarget.com).  If you want
to know what CSOs are worrying about (not just computer/network security,
but also physical security, personnel security, etc.) see CSO Magazine
(www.csoonline.com).  I'm sure there are other "bests" depending on what
your goal is.

So the answer is: it depends.

As for books (the second part of the question), again, it depends on what
you're interested in.  As a selection, I like Ross Anderson's "Security
Engineering" as a basic text that covers a bit of everything, and Matt
Bishop's text is encyclopedic.  Of course GEM's books are excellent choices
for understanding software aspects of security.  Chris Wysopal's new testing
book is excellent.  And Ken van Wyk has a great handbook on secure coding
practices.  [Kudos to GEM, Chris, and Ken for not flogging their own books -
since I don't have a book, I'll feel free to flog theirs.]  There are many
other great books, but you've got to narrow the topic a bit!

--Jeremy

