How long did it take you to complete your chapters for "Maximum Security 4/e" and what was it like?
One week each for the two chapters I did (Internal Security and Intrusion Detection Systems). Plus a couple of days each to review editors comments a few weeks later. But I wouldn't say this was typical.
I got involved in the book through a friend and former co-worker who's been involved with Sams Publishing for several years. They were needing some extra help after the project was underway. I had been wanting to get involved in book writing, had the background, and had the time to take on two chapters. Since this is a 4th edition, I was given the chapters of the 3rd edition as a starting point. From there I checked all the references to outside material and updated them as necessary, added new material, removed obsolete parts, and generally interspersed my own knowledge and experience where it made sense.
The people at Sams were great to work with, and I quite enjoyed the experience. I'm looking forward to my next book project, but there's nothing definite right now.
What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?
I'm going to sound like I'm harping on this issue, but the biggest challenge is education. Corporations first need to understand their exposure from disgruntled and/or naive employees. Then they need to carefully consider how to address the balance between ease of use and security. One size does not fit all, but that's typically where executives want to go. In the long run, it'll cost corporations in productivity if they keep the development staff under as tight of a rein as call center employees, for example.
Corporations also need to understand that security is a process, not a product, but products are an important part. Firewalls are the obvious example here. They're an invaluable component to the security plan, but don't stop there. Also, it's the wrong idea to create a task force that ends up just producing a 100 page document on what the security policies are and then decree that everyone must read and comply with it. It's good to have the policy for reference, but go the next step to get products in place and teach people how to make them part of their routine. And then also have a plan on how you revisit and decide if/when to replace those products as needed.
Based on your experiences, do you find proprietary software or open source software to be more secure?
I can't really objectively say, but I do tend to trust open source more. I'm not going to pretend that I've personally audited every line of the OSS projects I use, but it's comforting to know that I could. I think it's also in security's benefit that OSS is written by people who genuinely care about the project -- they care enough to donate their time in the vast majority of cases. Plus they're not under market based deadline to deliver before a competitor does. Both of these features reduce the risk that the developers will take shortcuts and be careless with their code.
On the other hand, OSS projects attract plenty of novice programmers who may not have learned how to write secure code yet. Plus there's no guarantee that just because experienced people could have audited the code, that they actually have. So we have to be careful not to just blindly trust the security of OSS.