Keeping up with security [closed]

Someone else mentioned SecurityFocus, but for more general security-related issues (not specific to IT), I recommend Schneier on Security. His blog touches on IT security, but also on other security topics as well. I find that some of the more general issues he discusses help me to be more aware of security in general, which carries over into IT operations.


Honestly, the main thing I do is keep current on patches, including being on the announce/security mailing list for any software I install that's not from the main OS vendor.

Anything else starts falling onto the "more effort than it's worth" side of the cost vs. benefit analysis. I could do my own custom patch, but I'm more likely to break something than if I wait for the vendor to release a tested update.

There are always new threats. Do you really have the time to keep up with every one of them? Do you even care if you're not running the program in question in the affected configuration?

Concentrate on providing the smallest attack surface you can, along with the smallest reasonable attack window. In other words: only run what you need to, firewall everything you can, and keep current on patches.


SecurityFocus is my favorite. I am subscribed to this feed with my RSS reader. Its volume is manageable to follow. The famous Bugtraq mailing list is also hosted there.

It is also advisable to subscribe to your vendor's (security) announce list if they have one.

  • Debian has its own
  • OpenBSD too

SecurityFocus has one big vulnerability database classified by vendor and product. You can also purchase Symantec DeepSight Alert Services, where you can select which software you have and several methods for vulnerability notifications.

There is a complementary service by Symantec (Threat Alert) which notifies about global security threats.

In the same sort of line, you can use (and contribute to) OSVDB (Open Source Vulnerability Database).

If you want to know about security tools, I find darknet very useful.