It’s over. Sunday night, when the confetti fell on the Ravens and we finished cleaning up the residual mess from the Super Bowl party, the reality set in. No NFL for months. Yeah, people will start getting fired up about spring training, but baseball just isn’t my thing. Not as a spectator sport. I can take some comfort in the NFL being a 12-month enterprise now. In a few weeks the combine will give us a look at the next generation of football stars. Then we’ll start following free agency in early March to see who is going to be in and who is out. It’s like Project Runway, but with much higher stakes (and no Tim Gunn). I guess there are other sports to follow, like NCAA Basketball. The March Madness tournament is always fun. Until I’m blown out of all my brackets – then it’s not so fun anymore. But it’s not football.

There will be flurries of activity throughout the year. Like when the schedule makers publish the 2013 NFL matchups in mid-April. I dutifully spend a morning putting all the games in my calendar. If only to make sure I don’t schedule business travel around those times. Lord knows, I only get 10-12 opportunities a year to see NFL football live, and no business trip is going to impact that. A man must have his priorities. Then the draft happens at the end of April. Between free agency and the draft you can start to envision what your favorite team will look like next season.

Even through the void of no games, there are always shiny football objects to obsess about. If you are a Patriots fan, you can live vicariously through the Gronk throughout the offseason. First he’s making out with some girl, then he’s doing some wacky dance and falling on his $54 million forearm. It’s good to be the Gronk, evidently. Though you figure if he’s making $9MM a year, he could afford a T-shirt, right?

There is also an NFL punditry machine that never sleeps. It’s like the security echo chamber times eleventy billion. Hundreds of bloggers, writers, and pontificators stirring the pot every day. They tweet incessantly and keep our attention focused on even the most minute details. If they aren’t covering the exploits of the Gronk, they are worrying about this guy’s contract negotiations, that guy’s salary cap number, which sap ended up on the waiver wire, some new dude’s endorsement deal, or that other guy’s rehab. No detail is too small to be tweeted and retweeted 20 times in the offseason.

Then the real void sets in. After the draft analysis and re-analysis finishes up sometime in May, and they do the OTAs and other activities, things go dead until August. But by that point summer has begun, the kids are off at camp, and life is good. I’m trying to live more in the present, so taking a respite and maybe getting some work done won’t be a bad thing.

Before we blink it will be time for training camp in August. At least it’s not hot in Atlanta that time of year. But we persevere anyway and pack up the car, lather on the sunscreen, and watch our modern-day gladiators installing new plays and scheming up ways to keep us on the edge of our seats for another season. We’ll wait in line to get the signature of some 3rd-string linebacker and be ecstatic. Why? Because it means the void will be ending soon. And soon enough Labor Day will usher in another season.


Photo credits: Void originally uploaded by Jyotsna Sonawane

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Understanding Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. Remembering the basics: Peter Wayner offers a great set of code development security tips. The cynic in me immediately asked, “Where do you get the time to implement these tips?” and “When does the time come to build tools, or when is it time to spend money on security testing products?” But when you look closer, he has chosen tips which are simply good development practices that make code more robust and more stable … they lead to higher-quality code. Rigorous input testing, modular (read: insulated) design, avoiding too many trust assumptions, building on certified code libraries, and so on, are all simply good programming methods. This advice is not “bolt security on”, but instead to embrace good design and implementation techniques to improve security. Good stuff! – AL
  2. A new disclosure FAIL: Imagine you are a product vendor who actually cares about security. Someone reports a very serious exploit, says it’s being used in common exploit kits, and it could allow attackers to bypass all your security controls and pwn whoever they want. Not a good day. But you are a proactive type, so you engage your product security incident team and get cracking. Except, as recently discussed by Adobe, all you have is a video of the exploit, no vulnerability details, and eventually the researchers cut off contact. Alrighty then, what next? Rather than forgetting about it, Adobe tried their best to run down potential exploit options and bump up some security fixes that may or may not fix the potential problem, which may or may not be real. I give Adobe a ton of crap for all the security problems in their products, but the security folks definitely deserve some credit for trying their best to manage this mess. – RM
  3. BYOD – it’s not just for mobile: One of the things you saw in our RSA Conference Guide Key Themes was a highlight on BYOD. Most folks continue to equate BYOD with mobile, since those are really the first class of devices which tend to be consumer-centric and owned by employees. This short article at SC Mag by the CISO of HD Supply brings up the good points of setting and communicating policies for mobile devices, and looking to enforce those policies – by both managing the devices and using network security technologies such as NAC to ensure devices are configured properly, and can only get to the right parts of the network. Right – NAC isn’t dead yet. Amazing how that works. Though I think we will need to see the endpoint security management folks start adding capabilities to selectively enforce policies on BYOD computers. Like not blowing away Grandma’s pictures from iPhoto if the device is lost. Yeah, I know the traditional PC seems to be living on borrowed time, but I suspect it will still be around for a while, which means policies established for employee-owned mobile devices will need to cover employee-owned PCs as well. – MR
  4. Your cyber innocence is false: I’m fairly sure that Jody Westby is serious in her concerns about the cybersecurity of the mainstream media in the United States, but Cyber Attacks on Press Reveal Gap in US Diplomacy reads more like a dark comedy than a call to action. The article goes to great lengths to demonize other nation-states as having inadequate concern in investigating and prosecuting cyber attacks, which apparently come from within their borders. Nowhere in the article is there any discussion of what might be needed to stop the United States from perpetrating cyber attacks elsewhere. I guess that makes sense because the United States is not the largest population of botnet servers in the world, and it goes without saying that the United States would never participate in state sponsored cyber attacks. I think Ms. Westby needs to analyze her preconceptions in light of… facts. I also need to buy another pack of sarcasm tags – I’m all out. – JA
  5. Amazon jackpot: Amazon is going to issue its own internal currency: Amazon Coins – greasing the skids for Amazon’s on-line gaming plan. This idea is obviously not new – there have been several similar offerings, including Cybercoin, Millicent, Transactor, and Bitcoin. There are plenty of reasons this idea keeps popping up, but the most compelling is in-application currency exchange, similar to what Zynga did with Farmville back in the day. You know, when Zynga was relevant. For example within video games it makes a lot of sense to let you win ‘credits’ or use virtual currency to buy in-game objects, especially for on-line gaming where you exchange with other players. And it makes things much easier if game developers can avoid traditional currency transaction systems, enabling them to focus on the in-game experience and avoid flashing a Visa logo in your face every time you want to do something. The problem is that sooner or later the virtual currency gets tied to other currencies. Inevitably the providers of those other currencies (governments) want to track usage and tax currency exchange within the game. And of course, once the virtual currency has value, it’s subject to all the same types of fraud and hacking as real currency. I hope they have really thought this through, because if it becomes successful it will breed a whole new set of problems and opportunities. And will give Jeremiah Grossman all sorts of new material for his “Mo’ Money, Mo’ Problems” presentations. – AL
  6. SMB freebies: We are big fans of the SMB folk here at Securosis. We believe the vast majority of people actually doing security today are ‘teams’ of one or two people, full or part time, in SMBs. They are overworked and underappreciated, and many of them don’t even realize they are honest-to-goodness security professionals. Mostly because they wear 5 or 10 other hats during a typical day. That’s why it warms my heart to see Dark Reading highlight 10 free SMB security tools. I may hate the page-view-whore slideshow, but this is a good place to get some ideas to help out on the cheap. – RM
  7. The 30-minute audit? No, this isn’t Tim Ferriss’ new book or anything like that. It’s an approach to preparing for audits put forth by Glenn Phillips on his Dark Reading blog. When you dig into the customer story, he points out that the customer preps for an audit in less than 30 minutes. But that’s not really the case – this organization basically runs their operational processes with the audit in mind. They have built software to aggregate the data and prepare reports and the like as an ongoing operational process, not as a one-time audit prep initiative. Of course continuous compliance is an interesting way to think about it, and if your organization is very process-centric it can work. But you know the old saying, “everyone has a plan until they get punched in the face”. How does this hold up when they are being attacked and generating that report is less important than containing the damage? Or when their process totally fails because their customer database is in Chechnya. To be fair, Glenn outlines a novel goal, but the reality of the security trenches means 30-minute compliance can’t be the end goal. It works much better as a benefit of having the right controls and protections in place. – MR