Friday Summary: January 31, 2014
By Adrian Lane
During my total and complete laptop fail for this week’s Firestarter, I was trying to make the point that large software projects have a considerably higher probability of failure. It is no surprise that many government IT projects are ‘failures’ – they are normally managed as ginormous projects with many competing requirements. It worked for the Apollo missions, so governments doggedly cling to that validated model. But in the commercial environment Agile is having a huge and positive impact on software development. Coincidentally, this week Jim Bird discussed the findings of the 2013 Chaos Report. In a nutshell the topline was “More projects are succeeding (39% in 2012, up from 29% in 2004), mostly because projects are getting smaller”. But Jim points out that you cannot conjure up an Agile development program like the Wonder Twins activate their superhero powers – Agile development processes are one aspect, but program management across multiple Agile efforts is another thing entirely. A lot of thought and work has gone into this over the last few years, and things like the Scaled Agile Framework can help. Still, most government projects I have seen employ no Agile techniques. There is a huge body of knowledge out there on how to get these things done, and industry leads the public sector by a wide margin.
I used to get a lot of spam with hot stock tips. I was assured a penny stock was about to shoot through the roof because a patent was approved, and got plenty of dire warnings about pharmaceutical firms failing clinical trials. Of course the info was bogus, but Mr. Market, the psycho he is, actually reacted. Anonymous bloggers could manipulate the market simply by leaving comments on blogs and message boards, offering no evidence but generating huge reactions. If you are a day trader this can pretty much ensure you will make money. This whole RSA deal, where they allegedly took $10M from the NSA to compromise security products, has the same feel – it sounds believable, but we are seeing a huge backlash without any sort of evidence. It feels like market manipulation. Could RSA have been bribed? Absolutely. Would the NSA conduct this business without leaving a paper trail? Probably. But would I buy or sell stocks based on spam, anonymous blog posts, or my barber’s recommendation? No. That is not an appropriate response. Nor will I grandstand in the media or start a new security conference, trying to hurt RSA, because of what their software division did or did not do years ago. That would also be inappropriate. Pulling the ECC routines in question? Providing a competing solution? Providing my firm some “disaster recovery” options in case of compromised crypto/PRNG routines? Those are all more appropriate responses.
For those of you who asked about my upcoming research calendar, I am excited about some projects that will commence in a couple weeks and complete in Q2. First up will be an update to the Big Data Security paper from mid-2012. SOOOO much has happened in the last 6-9 months that a lot of it is obsolete, so I will be updating it. Gunnar and I are working on a project we call “Rebel Federation”, which is how we describe the assembly of an identity management solution based on best-of-breed components, rather than a single suite / single vendor stack. We will go through motivations, how to assemble it, and how to mitigate some of the risks. And given the burst of tokenization inquiries over the past 60 days, I will be writing about that as well. If you have questions, please keep them coming – I have not yet decided on an outline. And finally, before RSA, I promise to launch the Security Analytics with Big Data paper.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian quoted on Database Denial of Service.
- David Mortman and Adrian Lane will be presenting at Secure360.
- Mike and JJ podcast about the Neuro-Hacking talk at RSA.
Favorite Securosis Posts
- Mike Rothman: The Future of Information Security. Rich is our big thinker (when he gets enough sleep, at least) and I am fired up to read this series about how we need to start thinking about information security moving forward. The technology foundation under us is changing dramatically, and that won’t leave much of current security standing in the end. Either get ahead of it now, or clean up the rubble of your security program.
- Adrian Lane: Southern Snowpocalypse. It snowed here in Phoenix last year, but nothing like it did in ATL yesterday. It does not matter where snow hits – if it is at the wrong time and a city is unprepared, it’s crippling.
Other Securosis Posts
- Firestarter: Government Influence.
- Leveraging Threat Intelligence in Security Monitoring: Benefiting from the Misfortune of Others.
- Summary: Mmm. Beer.
Favorite Outside Posts
- Jamie Arlen: James at ShmooCon 2014. Totally self-serving, I know, but awesome nonetheless.
- Gunnar: NFC and BLE are friends.
- Adrian Lane: Pharmaceutical IT chief melds five cloud security companies to bolt down resource access. This is my first NetworkWorld fave – usually I ridicule their stuff – but this is a good description of a trend we have been seeing as well. And you need some guts to walk this path.
- Mike Rothman: Volunteer at HacKid! If you’re on the west coast and have kids, you should be at HacKid, April 19-20 in San Jose. Plenty of opportunities to volunteer. I’ll be there (with my 10-year-old twins), and I think Rich is planning to attend as well. See you there!
Research Reports and Presentations
- Eliminate Surprises with Security Assurance and Testing.
- What CISOs Need to Know about Cloud Computing.
- Defending Against Application Denial of Service Attacks.
- Executive Guide to Pragmatic Network Security Management.
- Security Awareness Training Evolution.
- Firewall Management Essentials.
- A Practical Example of Software Defined Security.
- Continuous Security Monitoring.
- API Gateways: Where Security Enables Innovation.
- Identity and Access Management for Cloud Services.
Top News and Posts
- Software [in]security and scaling automated code review.
- Just Let Me Fling Birds at Pigs Already!
- Google pays out $10,000 in security bug bounties.
- PACK – Password Analysis & Cracking Kit. Handy tool.
- Coder Behind Notorious Bank-Hacking Tool Pleads Guilty.
- New Clues in the Target Breach via Krebs.
- Catalog of the Snowden Revelations.
- How I Lost My $50,000 Twitter Username.
- ASSESSMENT: The Lampeduza Republic Organizational Structure – alleged sellers of heisted Target data and apparently Civ5 fans.
- Researcher Warns of Critical Flaws in Oracle Servers.
- Oracle’s database is secure, even NSA can’t hack us, says Larry Ellison.
- Chinese Internet Traffic Redirected to Small Wyoming House. Huh.
Blog Comment of the Week
This week’s best comment goes to Russell Thomas, in response to The Future of Information Security.
Title suggestion: “Creative Destruction in the Information Security Ecosystem”. The term “creative destruction” originates with Schumpeter. Though his general description of entrepreneurial upheaval doesn’t exactly match your analysis, it’s close enough. The advantage of this title and the association with Schumpeter is that it will emphasize that this huge disruption is NOT solely due to technical changes and improvements in InfoSec technologies. Instead, it’s driven by business forces, economic forces, and technical forces in the greater ecosystem.