I attended the OWASP Phoenix chapter meeting earlier this week, talking about database encryption. The crowd was small as the meeting was the Tuesday after Labor day, rather than the normal Thursday slot. Still, I had a good time, especially with the discussion afterwards. We talked about a few things I know very little about. Actually, there are several areas of security that I know very well. There are a few that I know reasonably well, but as I don’t practice them day to day I really don’t consider myself an expert. And there are several that I don’t know at all. And I find this odd, as it seemed that 15 years ago a single person could ‘know’ computer security. If you understood netword security, access controls, and crypto, you had a pretty good handle on things. Throw in some protocol design, injection, and pen test concepts and you were a freakin’ guru.
Given the handful of people at the OWASP meeting, there were diverse backgrounds in the audience. After the presentation we were talking about books, tools, and approaches to security. We were talking about setting up labs and CTF training sessions. Somewhere during the discussion it dawned on me just how much things have changed; there are a lot of different subdisciplines in computer security. Earlier this week Marcus Carey (@marcusjcarey) tweeted “There is no such thing as a Security Expert”, which I have to grudgingly admit is probably true. Looking across the spectrum we have everything from reverse engineering malware to disk drive forensics. It’s reached a point where it’s impossible to be a ‘security’ expert, rather you are an application security expert, or a forensic auditor, or a cryptanalyst, or some other form of specialist. We’ve undergone several evolutionary steps in understanding how to compromise computer systems, and there are a handful of signs we are getting better at addressing bad security. The depth of research and knowledge in the field of computer security has progressed at a staggering rate, which keeps things interesting and means there is always something new to learn.
With Rich in Babyland, the Labor Day holiday, and me travelling this week, you’ll have to forgive us for the brevity of this week’s summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Seven Features To Look For In Database Assessment Tools. Adrian’s Dark Reading post.
Favorite Securosis Posts
- Adrian Lane: Market For Lemons.
- Mike Rothman: This week’s Incite: Iconoclastic Idealism. Yes, voting for myself is lame, but it’s a good piece. Will be hanging on my wall as a reminder of my ideals.
Other Securosis Posts
- New Release: Data Encryption 101 for PCI.
- Understanding and Selecting an Enterprise Firewall: Technical Architecture, Part 1.
- Understanding and Selecting an Enterprise Firewall: Application Awareness, Part 2.
Favorite Outside Posts
- Adrian Lane: Interview Questions. I know it’s a week old, but I just saw it, and some of it’s really funny.
- Mike Rothman: Marketing to the Bottom of the Pyramid. We live a cloistered, ridiculously fortunate existence. Godin provides interesting perspective on how other parts of the world buy (or don’t buy) innovation.
Project Quant Posts
- NSO Quant: Take the Survey and Win an iPad.
- NSO Quant: Manage IDS/IPS Process Revisited.
- NSO Quant: Manage IDS/IPS – Monitor Issues/Tune.
Research Reports and Presentations
- Data Encryption 101: A Pragmatic Approach to PCI.
- White Paper: Understanding and Selecting SIEM/Log Management.
- White Paper: Endpoint Security Fundamentals.
Top News and Posts
- IE 8 Bug. Vuln popped up late last Friday.
- Adobe Patches via Brian Krebs.
- Apple OS X Security Patch.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to ds, in response to FireStarter: Market for Lemons.
I guess this could be read both ways… more insight as would be gained from researchers could help shift the ballance of information to the consumer, but it could also confirm the conclusion that a product was low quality.
I don’t know of any related research that shows that consumer information helps improve consumer outcomes, though that would be interesting to see. Does anyone know if the “security seal” programs actually improve user’s perceptions? And do those perceptions materialize in greater adoption? Also may be interesting.
I don’t think we need something like lemon laws for two reasons:
1) The provable cost of buying a bad product for the consumer is nominal; not likely to get any attention. The cost of the security product failing are too hard to quantify into actual numbers so I am not considering these.
2) Corporations that buy the really expensive security products have far more leverage to conduct pre-purchase evaluations, to put non-performance clauses into their contracts and to readily evaulate ongoing product suitability. The fact that many don’t is a seperate issue that won’t in any case be fixed by the law.
Comments