Friday Summary - November 6, 2009
By Adrian Lane
When I was in college, I figured every professor assumed I had only one class: the one they were teaching. They seemed to assume I dedicated days and nights solely to their coursework, and was no less interested in the subject than they, who had dedicated their lives to it. And they allocated my time accordingly, giving me enough work to consume 40 hours a week. But I was taking 5 classes! WTF! Berkeley was especially bad this way. By noon each Monday I felt like I was a week behind the curve. For the first few weeks I was quite angry about the selfishness of those professors: how could they possibly be so callous as to give us far more work than any two people could perform? Were they encouraging shoddy work? Were they nuts?!?
After a few weeks I grudgingly acknowledged that the profs were not in their positions because they were stupid or ignorant, but because they were smart. Well, maybe one was stupid and ignorant, but most of them were really freakin’ intelligent. And consciously or not, this overburdening forced you to work faster, prioritize, and be more efficient. Handling an overburden of requirements has been a skill that has served me better than the subject matter of any one of those courses.
I am not talking about time management here, like some motivational seminar might teach; I am talking about strategy. When you have 5 times more work than you can do, tasks become self-selecting. You do those things that you must do to survive. If you’re lucky, some of the things that you want to do overlap with what must be done. You learn to select the opportunities most in line with success, and not look back when you walk away from good ideas that don’t support your goals or the requirements on you. Your choices will differ from your peers’, but you make choices and you do the best you can. For those of you who have participated in startups, I expect that you have a full appreciation of this viewpoint.
That’s the way I approach my project work here. And my goal is that our research makes it easier for you to do this as well.
With Rich and me being the only full-time guys here, we go through this process a lot. There are simply not enough hours in the day to do some things that look like great ideas at first. On the bright side, it forces us to re-evaluate projects and come up with much more streamlined versions, which improves the quality and the usability of the research. And frankly I want to get away from this computer and, I dunno, have a life, so it’s important on several levels.
A big portion of this blog’s readers are not security professionals, but deal with an aspect of security in their daily jobs. They don’t necessarily want to be experts; they just want to understand how to find answers to their security questions and get the job done. This is a bit of a tease, but as a result of viewing our research calendar in this light, we are reconsidering what we had planned to create. In the coming weeks we will be adding a lot of new material to the research library in this more streamlined form, because our original plans grew too big for us to handle and, more importantly, were too cumbersome for part-time security practitioners to benefit from.
On to the Friday Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich’s presentation on Pragmatic Data Security and Pragmatic Database Security from Information Security Decisions 2009.
- Adrian’s Dark Reading post What DAM Does.
- Rich and Martin on The Network Security Podcast, Episode 172.
Favorite Securosis Posts
- Rich and Adrian: Myths Surrounding Databases in Virtual Environments.
- Meier & Mort: Verizon Has Most of the Web Application Security Pieces… But Do They Know It?
Other Securosis Posts
Favorite Outside Posts
- Rich & Mortman: Gunnar’s Thinking Person’s Guide to the Cloud series. It’s 4 parts, but excellent.
- Adrian: The Thinking Person’s Guide to the Cloud, part 3 B. For the “just too busy” theme…
- Meier: Jailbroken iPhones hacked via UMTS network – This is my favorite simply because the ‘hacker’ publicly apologized after his PayPal account was removed.
- Chris: Windows 7 vulnerable to 8 of 10 Viruses.
Top News and Posts
- Google Dashboard lets you control some of your own data. I’ve already cleaned up mine – will be interesting to see how complete this really is.
- Hypervisor-Based Tool for Blocking Rootkits.
- Browser cookies allow attackers to widen attack space.
- Josh Corman: PCI Security a Devil, ‘Like No Child Left Behind’.
- Ivan Arce on Talk the Walk, an interesting perspective on our use of language in security.
- Elections system is pulled from IBM data center contract in Texas. 88% of the 27 agencies involved with the master contract are dissatisfied with IBM… those be bad numbers.
- Gartner’s magic hydrant.
- Anti-Counterfeiting Trade Agreement and some commentary.
- Money Mule Move Mo’ Money.
- Cracking Password in the Cloud.
- Shimmy … Solo.
- OK, it’s finance, not security, but to echo Gunnar Peterson’s post, here is a ridiculously good interview with Charlie Munger. The video actually got me to change several long held opinions regarding the current financial crisis in an elegant and disarming way.
- Cross-subdomain Cookie Attacks.
- Man Sues Over Leaky Baby Monitor.
- …and obviously: Renegotiating TLS.
Blog Comment of the Week
This week’s best comment comes from Stacy Shelley in response to Verizon Has Most of the Web Application Security Pieces… But Do They Know It?:
Hi Rich - Yes, SecureWorks offers managed WAF and web app scanning services. We also have the capability to leverage the web app scanning data in the management of WAF policies. Our Web App Sec services align pretty well with the components you guys cover in your “Building a Web Application Security Program” paper.
Our Consulting group has been doing web app pen testing and code audits for a few years now. In the spring, we launched the managed WAF service. In October, we launched the web app scanning service (which also scans databases). We’ve also had the capability to monitor application logs for quite some time, although its value is largely dependent on the audit logging capabilities of the app.