What’s Occurred in Web Years?

Posted on by

What’s Occurred in Web Years?

I was trying to explain to a colleague some of the sea change that has already taken place on the web (IMHO) – “Web 2.0” if you will?

I was explaining that the typical large enterprise (and really, many small ones, too) have become an intersection of clouds.

We used to use the image of the “good” inside protecting itself from the hostile (“bad”) Internet. The Internet was the cloud, the internal network a known and fixed space, “the network”. And, indeed, when I got started in Information Security, that is pretty much how things were.

But where I work, nobody knows all the networks that are interconnected. Acquisitions, test networks, global points of presence (POPs), all work to make a complex of interconnected networks. It’s too complex to hold in the mind. A mapping exercise some years ago revealed connections that nobody had documented – “discovered lands!”

In fact, the enterprise network seems a mini-internet or cloud that is probably less hostile than the Internet. But it’s certainly not trusted like the little “Class C” (anybody remember classed networks?) that I use to be responsible for where I knew everyone on the network and a lot of what they were using the network for.

But the enterprise cloud is not the only cloud at play.

Within the business eco-system are many similar interconnected network spaces of varying regulation and relationship, from close to pretty distant and untrusted. To be sure, a lot of these connect via the Internet. But certainly not all. Most enterprises have private connections with partners. The partners are literally cross-connected to the “internal” network.

There may be (should be?) network and other restrictions in place between the networks. Still, traffic flows and presumably some portion of that traffic is likely hostile (hopefully a minute portion, well monitored?)

The need to model business relationships via the network has caused an explosion of interconnected clouds.

Basically, the perimeter means much less than it once did – perhaps even “The perimeter is dead. Long live the perimeter!”

Coupled with this change has been the rapid growth of software tools on the network that model human relationship graphs and which allow a much greater degree of participation.

So, while the internal network has been growing in complexity and opening up to interconnections, usage patterns  (and business demand, it turns out) have been driving from inside to out.

These two forces have already occurred. And they happened, to my observation, faster than the growth of Web 1.0. Social networking seems to me to have taken off in months. The blogosphere has well been in place for several years. When is the last time you bought an expensive item about which you were uncertain without first checking online reviews and perhaps the blogosphere? I almost always (always?) do this before uncertain purchases.

What does this all have to do with security architecture?

These changes shift things fundamentally.

Network controls are now a tool – not the basis for one’s information security posture. We are using them around critical assets, but they no longer divide the “good” inside from the “bad” outside.

Meanwhile, data is moving out of the inner cloud and is a “must” for business agility. We can’t control our data by keeping our hot little security controls (“ACLs” – smile) around it.

The old security paradigm is obsolete. We need a new one.

And all this, in my opinion, transpired in web years while many of us were sleeping away building better network castles.

cheers,

/brook

(from the Denver airport)

Web Years

Posted on by

“Web Years”

I’ve been using this term lately to describe ever increasing pace of change. I started using the term as a jest, “dog years” are faster than human years. “web years” are acceleratingly shorter.

I arrogantly imagined that I’d coined the term. Not a chance, 1996.

I blog about this to introduce the term in the context of an accelerating pace of change that is fundamental to thoughts I’ve been having about Web 2.0 changes.

I want to emphasize web years in order for me to explain my thoughts about Web 2.0/Social Computing/Communication Convergence.

If web years are getting faster, then the time we have to react is getting shorter. Worse, how do we get in front of trends?

A lot of folks that I’ve been talking to about security issues of Web 2.0 are discussing the “future”.

But Web 2.0 happened (note the past tense) in web years. The original DARPANET mesh built out over a period of years. Web 1.0 in at most, a few years (I experienced the change happening in just about a year).

Social computing happened in a few months! (of course, some of the underlying tools have been around a lot longer)

Yep, accelerating.

And the change has already happened. It’s done. Organizations are catching up with plans. Some security folks are still worrying about the perfect network perimeter. LOL!

That doesn’t mean that I think organizations have implemented Web 2.0. Please don’t mistake me. I simply believe that the way people use the web has already changed. The tools are there. We’re grappling with how to make use of these changes and how to secure them.

The perimeter is gone, gone, gone. That is not to say that we should throw away our network controls. These are a part of our security toolkit, absolutely. But information security has not equaled network security for years.

I will be blogging about changes with which I think we security folk have to catch up in another edition.

take care,

/brook

Another Synchronistic Coincidence

Posted on by

What’s the difference between influence and collaboration?

I might begin to believe that I’ve come to a conference of salespeople, not enterprise architects. Sheesh.

(I have nothing against influence by salespeople. No commercial organization can be successful without salespeople. Having once done sales, I have a deep appreciation for the profession; I’m not very good at sales)

When we sell, we “influence”. We have an idea which we are trying to get others to agree with, or product to buy.

And certainly, architects must be influential, persuasive. But I do not believe that “influence” is at the heart of architecture. Influence is a byproduct of successful collaboration. We hone the architecture until it meets the requirements. We incorporate stakeholders’ concerns. Selling is not the operative action, in my opinion.

Rather, I believe that what we architects do is synthetic, perhaps highly synthetic?

If we’ve done our job correctly, when our architecture is successful, we will need no pitch. Or, we must bring the bad news that requirements cannot be met, that tough decisions need to be made.

I just posted to this blog about the importance of forming and maintaining relationships based upon understanding, trust, and mutuality.

Since writing that post, I’ve been sitting in presentation after presentation by enterprise architects. And most of them have pointed to “influence” as a key factor of our practice. But none of them has used the word “collaboration”. None have spoken about relationship building, about understanding as a fundamental prerequisite to “influence”

I would fault the presenters at this conference with missing the point. Influence cannot be thought of by itself. It’s a product. Influence comes naturally from acquired trust and earned authority.

Otherwise, our work as architects is a one-way monologue. And I cannot understand how a monologue produces architecture in an enterprise.

I believe that it’s the interaction, both our influence and the understanding of the needs and influence of our stakeholders that drives the relationships that are fundamental to the acceptance of system architecture in the enterprise.

I can’t believe that I had just written about this subject?!? Synchronicity in action.

cheers

/brook from Bangalore, India

System Architecture: Fascinating People Forming Relationships

Posted on by

Fascinating People, Forming Relationships

I’m in Bangalore for a week or so. I’m here for a couple of purposes: I’m spreading the word about our new Application Vulnerability Assessment programs. And, I’m here to talk about Security Architecture as a practice, as a career. Our security department’s team here in Bangalore are wonderful engineers, young, full of energy, enthusiastic. But there aren’t any Security Architects here. So, our global security architecture practice is hampered by the lack of presence in this theater.

Hence, I’ve been here explaining, demonstrating, yes, stumping a bit.

I’ve been staying with a friend from work who’s here managing this team. He’s been hosting me in his home – I much prefer getting to know his family rather than staying in a hotel, no matter how plush the accommodations. A bed and a shower are about all I require. There’s no accounting for personal tastes, eh?

And, here’s where my story takes an interesting turn.

Traffic is tough in Bangalore. You’ll be crossing a congested bridge, and cars and especially motorcycles supposedly on the other side of the road will take one or more lanes out of your side, oncoming, willy, nilly. Driving lanes are not respected; as many vehicles as will fit side by side, with inches to spare, will be filled. Beware of any empty space, as it will be filled by vehicles trying to get a leg up, crowding to the “front” of the line. Though in this traffic, where exactly would be the “front”?

So, I’m happy to be driven by an expert in this traffic. And, our company does not allow staff posted to work here to drive. The company pays for a driver. The risk of accident is just too high. It’s cheaper to let a professional do the driving.

I’ve had a lot of interesting conversations with my host’s driver. And his story is what I want to share. Let’s call the driver Raju (to protect him and his privacy).

Ragu is a wonderfully sweet man, mid-thirties, dedicated to his family, hard working and conscientious. His driving, at least to my eyes in the rather chaotic and dangerous Bangalore traffic is highly professional, careful and as considerate as one can be here where traffic courtesy is taken as a sign of weakness of which to take advantage. The traffic here is scary to my West Coast USA driving habits. I would not get behind the wheel of a vehicle here, glad to let someone else handle it for me.

So, one might assume that Ragu is satisfied with his life, basically, as a chauffeur? Yes, and, here’s where some of the most important principles of Security Architecture comes into play.

  • Never assume what you don’t know: dig deeper, get the whole story
  • People matter; we are not replaceable objects
  • Effectiveness = Relationships
  • Trust is built
  • Authority is earned

I’ve been reminded about the importance of being an advocate for the success of people we meet. Let me tell you about Ragu.

Being a chauffeur is a rather new occupation for Ragu, a couple of months only. He has done many things:

  • A guitarist
  • A real estate finder
  • A builder

He’s faced down a local gangster group who threatened his family. Whew! But that’s not all.

Ragu was supervising the building of a home for someone else. In that area, he payed the women working for him a living wage, comparable to the men on the job. Then, some of the local villagers threatened his life for paying those women enough to survive. The villagers preferred the usual state of affairs where women are beneath men, kept in servitude, unable to make a living.

These villagers literally surrounded Ragu with big sticks, beating on his vehicle, threatening his life. Yikes!

So Ragu has seen some life, been through serious challenges. Perhaps a bit more than facing down a couple of enterprise Directors who don’t like one’s risk assessment, don’t you think?

OK. So why am I sharing this?

Because this is not the whole story.

Ragu is a product of the child labor market in India. His very poor family pulled him out of school at 9 years old. He was sent to a clothing factory to labor for 5 rupees each week, 1 rupee for a whole day’s work, at the tender age of 9 years old.

Still, the human spirit is indomitable.

Ragu is working on his bachelor’s degree. He continues to study the guitar. All this while driving a family around and raising his own children.

And, Ragu and I had a great conversation about getting started on a technical career. Ragu has aspirations. Because, it is impossible on a chauffeur’s salary to purchase a home in India.

I won’t go into my ideas about shifting into a technical career track.

What is important to me is that I’ve helped someone perhaps see his way to achieve his goals. And, what may not be obvious is that I’ve established a firm relationship which time and distance can’t destroy. Who knows? I may never see Ragu again. And that’s fine.

Still, through seeing the whole person, taking the time to understand, not the surface, but the whole story, I’ve established relationship. Rather than taking things at face view, I was curious, concerned, and one Ragu’s side for his aspirations.

I hope that I can say that Ragu and I are friends? And friends help each other.

Now please understand, I don’t think at this point that I need much from Ragu. His job demands that he drive me where I need to go, anyway. That’s not the point of this writing.

I’ve got a friend, a compatriot. I went out of my way to understand, to give what I have, little or great, to look through Ragu’s eyes. And I know in my heart that we can help each other, and that we will, if called upon.

And that value cannot be purchased. It has to be earned.

So it is in the practice of security architecture. My relationships are more than 50% of my practice. Trust is always earned. Relationships are built. I’m here at a conference on Enterprise Architecture put on by The Open Group. I’ve run in to one of my work compatriots, Srikanth Narasimin. We’ve walked together through some very difficult moments on projects. We have rather deep earned trust (I hope he would agree?).

So, we can at a very fast pace, figure out a problem (we just did on this on a troubled huge initiative on the job) There’s a lot of shared reference and resonance.

One achieves this kind effectiveness, I believe, by stressing the human side as much as technical depth and leadership. Srikanth and I can move fast because of our relationship, a relationship built up through projects, efforts, trust, listening to each other, seeing each’s point of view, understanding background information and how that influences that which is under discussion. Srikanth knows that I’m on his side, even if we disagree in this moment about a particular thing. Our larger resonance gives space for conflict resolution.

Again, you can’t purchase a relationship like this. A fancy title conferred by management won’t build this authority. These are built and earned.

I like to say that Security Architecture is at least one half people-centered. If you don’t like people, you won’t be happy as an architect. One has to be able to effectively interact with and influence:

  • Management
  • Other system architects
  • Implementors
  • Project Managers (“PM”) and others driving projects directly
  • Those charged with executing procedural operations and those charged with creating procedures and processes

I interact with these categories every day. If I specify something that cannot be done, it won’t get implemented. If I don’t understand the viewpoint and needs of each stakeholder, there’s no way that I can specify security requirements that will meet business need and which will be acceptable.

Interacting with Ragu reminded me that my effectiveness is directly related to my ability to form and sustain relationships. And relationships are built not by what I know, but what I hear and understand, my interest and concern.

As a practice, if I can, I make a practice of finding out about the personal life and concerns of the people with whom I work, as they choose to share. It’s a beginning place from which to start.

And, circling back to Ragu’s story, he told me, “I will never allow my children to be forced labor. They will get an education.” And so the world changes, yes?

cheers

/brook from Bangalore, India

Nuance’s IBM Via Voice for Macintosh is a Disaster

Posted on by

I hadn’t meant for this forum to be about all things computer related – certainly not my personal struggles with software. But there is really no other forum for lambasting a product for truly terrible behavior. Couple this with a complete lack of customer support and frankly, I’m pretty upset. I’m hoping that by posting here, I can get it out of my system and get on with my work.

I make extensive use of voice recognition speech-to-text capabilities. My hands simply cannot type as much on a computer as I need to do in any given week. Getting speech transcription working has been a huge boon to me to be able to get my work done without having to spend my weekends recovering with ice packs and ibuprofen.

When I used Windows, I was directed to Dragon Naturally Speaking. After a modest amount of training, that product allowed me to cut my keystrokes by more than half. While it’s not perfect, it does work, even to the ability to pick up on my quirky manner of speech which is part Americanisms and part Britishisms and filled with technical jargon. After every transcription session, Dragon can reanalyze what it has learned, the corrections, it mistakes to get a little more accurate.

All well and good, this was clearly a success for me.

Then, I switched to a Macintosh. There are many reasons for me to use a mac for my work, most notably: it’s a UNIX variant that allows me to run that tool set when I need them natively. This is a wonderful addition for me: no dual boot, no libraries on top of the OS (cygwin), just native UNIX (BSD) when I need it, which is fairly often. And, I don’t forget which OS I’m in, mistakenly typing “ls” when I need “dir” – smile.

To be fair, I do run Dragon in my Macintosh hosted XP virtual machine. But, that doesn’t help with native mac editing – most notably, I run native mac email, Thunderbird. Grump. So, I set out to get speech-to-text running on my mac. Oh, boy.

In my research, IBM Via Voice seemed to be the best alternative for mac transcription. To be fair, I haven’t tried MacSpeech. But I may yet, considering.

I run OS X 10.4.10 on a recently purchased Intel dual-core Macbook. IBM Via Voice hasn’t been updated since OS X 10.3! It doesn’t find the USB microphone no matter how one sets the sound preferences. Ugh! Nuance (current the supporter of Via Voice) simply told me to return the software. In other words, unless you’re running a relatively ancient version of the OS, you’re unsupported. Are they really “supporting” this product, or just hoodwinking uninformed consumers such as myself into purchasing something that cannot work?
However, before returning the software (wish that I had!), I trolled online forums and discovered that the software will start if the sound preferences are open as it comes up. OK. That works. Now to use the thing.

Ah, but unlike Dragon, all the nice macros like “correct” and “select” that allow hands free operation only work in the Via Voice Text Pad, not in all entry areas (like, uh, email, Word, you know, all the software that one might actually use to create documents on a mac. Uh, oh.) OK, I can do my own editing if this thing will just transcribe reasonably accurately? Read on, no such luck.

Via Voice ships with a USB headset from Andrea, their NC-7100. It is NOT recommended for speech recognition! They have pricier models for that. Ah, a follow on sale, uh? Using the shipped headset delivers poor recognition. Plus, setting it to the correct volume is very difficult. I used the headset not just for Via Voice, but also, my soft phone. I’ve gotten beaucoups complaints about being muddy, too loud, distorted, inaudible on phone conferences. By the way, I live or die on phone conferences. Ok, crappy headset. No wonder Via Voice doesn’t work, right?

This wouldn’t be so bad unless I had already used Dragon, which ships with a cheapo non-USB (standard 1/8″ stereo plugs) headset that works fine. Comparisons make Via Voice look just awful. I could use almost anything for Dragon and it would work acceptably. Obviously, better headsets make a difference.

So, maybe I should get a better headset?

Oh, did I mention that unlike Dragon, Via Voice will not even start (much less use) a headset that does not deliver audio through USB? I, in my other life as a musician, have access to really good microphones. One of the tests that I ran was to try improving recognition by using studio level microphones. No dice! If it’s not USB, Via Voice cannot make use, no matter how fine the sound.

Why in heck would you design a product to a particular sound input, considering the gazillion ways there are for computers to take in audio? What if I wanted to increase success by using a studio grade A/D converter (I own several!) to deliver audio quality at a level way above speech recognition needs? It’s a silly design to tie oneself to a technology that may be superceded. Let the user choose. Keep your product alive as technology changes. Pretty basic design principle.

One very good reason to use a cheap, light headset is when traveling. I may not want to carry a relatively heavy USB headset when on the road. Or, maybe I have a really nice bluetooth headset that I want to use, allowing me to break the wire tether to my machine. Let me choose, Via Voice. The mac supports all of the above well. I’ve tested them all. Via Voice, however, fails miserably.

Did the new headset improve things? I bought the VXi Parrot Translator. My web research shows this head set as one of the favorites for speech-to-text recognition. This headset, while noticeably better, does not take Via Voice to the realm of Dragon – not even vaguely.

“OK” says I, always up for a challenge, “perhaps I need to do a lot more training with my new headset?”

Bringing up the Via Voice training software is a nightmare (on Elm Street?) The program doesn’t analyze my speech. Instead, as near as I can tell, it’s purpose is to train me to speak like it expects. It has particular trouble with the beginning of phrases and especially the very common words: the, a, in, or, for, if.

I would expect (and this is the way that Dragon works) that after a few iterations, the machine would start to recognize my particular manner of enunciating the articles (and other words being analyzed, right?) Not on your life.

What the analyzer does is complain at you and refuse to move on until it gets something that it can understand. I’ve been on the same “short story, 30 minutes” for 3 days. I’ve repeated “a” and “the” and “if” hundreds of times to no avail. All I get is an error telling me to start at the underlined place. Ugh! This isn’t training, this is torture.

Mind you, my rating as a speaker at the conference mentioned in my last post was 5th out of 24 (from the top). Not bad. And, my audience must have been able to understand most of what I said, yes? While I can mangle the English language pretty badly (even worse in French and worse yet in Spanish!), I do produce pretty well articulated English language articles, I’m guessing?

My speech mannerisms, no matter how quirky, must be widely understandable. And they are, to Dragon. But Via fails most often at these simple, common articles, often entering text so far off as to be laughable. If I wasn’t trying to get something done efficiently, I would laugh. But it’s darn frustrating, I can assure you.

I still haven’t finished the “30 minute” story. It’s stuck on an “it” at 71%. What a lousy piece of software. When writing software, upon encountering the same user error continuously, one must assume that something else is wrong and take corrective action. I’ve written a lot of software. And the first rule is to expect the impossible and deal with it gracefully for the user. Via Voice just gets bogged down and collapses. If I force it, it will refuse to recognize anything except words one-at-a-time. Not sentences, not phrases, words one at a time. I type at 70-80 words per minute. Speaking one word at a time is incredibly laborious.

So, my considered recommendation is: don’t try Via Voice. Maybe MacSpeech is better? I don’t know. I’ll let you all know if I try it.

I will send this link to Nuance for their consideration.

frustrated, with hurting hands after typing this missive.

cheers

/brook

The SANS Application Security Summit

Posted on by

Two days, about 20 speakers, all the major tool makers, pundits, researchers, penetration testers, this summit was almost a who’s who of application security. SANS wanted to kick-off their new GIAC application coding certification. And, along with that, they wanted to take a pulse of the industry. I was privileged to be included on a couple of panels – there were frighteningly smart people speaking – country mouse playing with the city cats, definitely!

A couple of my colleagues sat for the exam. I once held GIAC Intrusion Detection certification (#104?) but I let it lapse. (It’s not really relevant to what I do now) My buddies said it was a reasonable exam. The exam covered implementing security controls from the language APIs (java – JAAS calls) and coding securely.

The larger issue is what can we make out of this certification? How much effect will it have? Will getting coders certified change the landscape significantly?

There was plenty of FUD from the toolmakers. Yes, the entire web is vulnerable, apparently. Ugh! You probably knew that already, huh?

The numbers of applications out there is staggering. Estimates were running in the 100 millions. That’s a lot of vulnerable code. And, considering that my work’s DMZ takes a 6 million attack pounding every 24 hours, it’s not too far a stretch to assume that at least a few of those attacks are getting through. We only know about the incidents that are reported or that cause damage (as pointed out in the Cenzic report released at the Summit)

And, it seems like the financial incentives for exploiting vulnerabilities are maturing? (a google search will reveal dozens of financially motivated hack reports) If so, cash incentives will likely increase the number of incidents for all of us. Another big sigh.

One of the most interesting speakers to me at the conference was Dinis Cruz, CTO of Ounce Labs. A couple of times, he pointed out that while yes, we are being hacked, there’s no blood on the floor. Nobody’s been killed from a web hack (thank goodness!) We (inductries that use the web heavily) are losing money doing damage control, making up losses (especially, the financial industry), and doing remediations. Absolutely true.

But has anyone done an analysis of what the risk picture looks like? Is web exposure worth it? Are we making more than we’re losing? So much more that, like actuaries, the risks are worth it?

I know this question may seem crazy for someone from inside the information security industry to ask? But, anyone who knows me, knows that I like to ask the questions that aren’t being asked, that perhaps might even be taboo? We security folk often focus on reducing risk until we feel comfortable. That “warm and fuzzy”. Risk is “bad”, and must be reduced. Well, yeah. I fall into that trap all too often, myself.

It’s important when assessing a system to bring its risk down to the “usual and acceptable” levels of practice and custom of one’s organization. That’s at least part of my daily job.

But appropriate business risk always includes space for losses. What’s the ratio? Dinis definitely set me to considering the larger picture.

My work organization takes in more than 90% of its revenue through web sites. As long as loss is within tolerable limits, we should be ok, right? The problem with this statement comes with a few special classes of data compromise. These can’t be ignored quite so easily (or, the risk picture needs to be calculated more wholistically)

• Privacy laws are getting tougher. How does one actually inform each of 38 States Attorneys-General first? And, the Japan law makes this problem seem trivial.
• Privacy breaches are really hard on customer goodwill. Ahem
• Internet savvy folks are afraid of identity theft (again, a personally identifying information (PII) issue). The aftermath from identity theft can last for years and go way beyond the $50 credit card loss limit that makes consumer web commerce run.

I’ve got friends working for other companies that are dealing with the fall-out from these sorts of breaches. It ain’t pretty. It’s bad for organizations. The fall-out sometimes dwarfs the asset losses.

And, if I think about it, about all the vulnerabilities out there, are we each just one SQL injection exposure away from the same? Forget the laptop on the car seat. PII is sitting on organization database servers that are being queried by vulnerable web applications.

Considering this possibility brings me back to the importance of application security. Yes, I think we have to keep working on it.

And, our tool set is immature. As I see it, the industry is highly dependent upon people like Dinis Cruz to review our code and to analyze our running applications. I don’t think Dinis is a cheap date!

So, what to do?

I’ll offer what John Chambers, CEO of Cisco Systems, Inc., told me. (no, I don’t know him. I happened be in the same room and happened to have him take my question and answer it. Serendipitous circumstances). “Think architecturally”

That is, I don’t think we’re going to train and hire our way out of the vulnerability debt that we’ve dug for ourselves with 100 million apps on the web being vulnerable. Ahem. That’d take a lot of analysis. And, at the usual cost of $300/hour, who’d have the resources?

I’ll offer that we have to stop talking about and to ourselves about the problem and get it in front of all the stake holders. Who are those?

• The risk holders (i.e., executive management)
• Our developer communities (SANS certification is certainly a start. But I think that security has to be taught as a typical part of proper defensive programming. Just like structuring code or handling exceptions, input must be validated.)
• Security as an aspect of system design and architecture. Not that cute box along the side labeled “security” in the logical architecture diagram. Rather, we need to treat each security control as components of the system, just like the other logical functions.

Which brings me back to the SANS Summit.

My sense of this summit is that we haven’t yet reached the tipping point. I didn’t speak to everyone there. But I spoke to a fair share (I won’t call it a sample. My conversations were hardly statistical in nature!)

Most folks with which I chatted were like me, in the trenches. We had a few formidable notables in the room, and, of course, I think there were a few beginners, as well. My guess is that most branches of the industry were represented: tool makers, consultants, Information security folk, with a sprinkling of governmental folk thrown in. The folks that I spoke to understood the issues.

If I could hazard a guess, the folks who made the time to come are the folks concerned and/or charged with, or making money out of, application security. In other words, the industry. We were talking to ourselves.

That’s not necessarily a bad thing. I’m guessing that most of us have been pretty lonely out there? There’s validation and solidarity (leftists, please forgive me for using that term here – but it does fit!) when we get together. We network. We test our ideas and our programs. That’s important. And, I heard a few really great ideas that were fresh to me.

But I think we need to take this out a good deal further, to a “tipping point” if you will, in order to move the state-of-the-art. And, I don’t think we’re there yet. Consider, if you will, how many programmers are writing web code right now?

What do you think?

cheers

/brook

A Beginning

Posted on by

Sitting on a plane from Washington DC, USA, to my home in Oakland, California, I’m thinking about the SANS Application Security Summit that I just attended. What are the implications of this gathering, at this time? This seems like a propitious time to open a personal blog on information security. Some new winds may be bBrook, in the Netherlandslowing? Perhaps this summit is a the beginning of a sea change?

I’ve repeatedly thought that I’d like to share thoughts on the development of my industry. It’s exciting to me, certainly frustrating, sometimes even frightening.

Perhaps like many of you readers who work in Information Security, I spend my days  helping folks manage their digital risks? And probably, like you, I’m not always successful? Perhaps IT can’t field the technology required? Or, providing security requirements is seen by as an undue burden that cannot be borne at this time?

Still, when I understand that the stake holders feel that due diligence has been served, that an appropriate risk posture has been taken, it’s a good day. Small victories, even though our technologies are often immature or mis-applied, our processes insufficient, and our art, developing. And, of course, very occasionally, I help to identify and eventually close a major gap. Job satisfaction, absolutely.

Does any of this ring any bells or resonate for you?

Occasionally, a flash of incite will come to me. And clear as mud, I suddenly sense a possibility for us to perhaps advance our art just a wee bit. I’ll share those here for your consideration and comment. While I do occasionally publish papers and speak at conferences (as I did these last 2 days), I intend to use this forum for my tentative possibilities, not for my certainties, which are generally few, anyway.

Months will go by in the daily round of meetings, risk assessments, security requirements, system architectures, and design comments. During these periods, I may choose to be quiet, waiting for some inspiration to strike. Please stay tuned.

Perhaps you’ll appreciate knowing that I’m working through the same issues as you? Or, maybe you’ll comment that I’m way off course? I don’t know. I welcome the interchange, in any event. Through dialog, I learn as much, probably more, than I give.

I’ll write more about the SANS Summit in a subsequent entry. But, here’s a beginning…

cheers,

/brook