I started reading Bruce Schneier's Beyond
Fear last night. It looks like it's going to be just great. He's an
excellent writer, and the material is so relevant. More importantly, it says a lot
of totally true stuff that is completely counter to conventional "wisdom".
So far, the biggest theme is "Develop a threat model",
or, if you like, "Know thy enemy." So often, people post questions on the mailing
lists I frequent that go something like, "Should I use encryption?" And the answer
is always, "Who are you trying to protect against?"
Unfortunately, answering the latter question is harder,
probably because it is often out of the programmer's control. If more managers, executives,
and end users would read Schneier's book (as well as the excellent Secrets
and Lies), talking and making intelligent decisions about security would
become much easier. Order a copy for your boss today. ;)