Friday, February 29, 2008
Forming a security community...
It was surprising to me at some level that our turnout was actually larger than the Boston and New York chapters in that I would expect a demographic that is closer together to unify around such an important topic. I guess though in my vision that I didn't think that reality says that most IT folks in large enterprises still aren't paying as much attention to software security as they should.
I can say that 0.0 folks from either an ECM or BPM background were in attendance. Maybe it is because they still haven't grasped that security isn't about features but about figuring out ways to break things.
The event featured me attempting to give an opening that I made up on the fly in that I ran out of time to do a proper Powerpoint in advance. Of course, the presentation by Chenxi Wang of Forrester on Web 2.0 more than made up for my deficiencies. The analysts at Forrester have a really great perspective on security and web 2.0 and I encourage folks if they are subscribers to their service to have a dialog with them on this.
I asked Chenxi two questions of which I was happy to learn that she is not one of those bullshit analysts found at their competitors and gave straight answers. One of the questions I asked was when did she think outsourcing firms would simply start producing secure code without clients having to ask for it. My analogy was that clients should have to ask for secure code in the same way they should have to ask that code produced in India actually compiles.
For the record, I have seen lots of code produced in India that didn't compile but that is a topic for another blog. Anyway, she commented that pretty much across the board, all the outsourcing firms suck at producing code that is secure and that she hasn't observed any of them taking meaningful steps towards this goal. I suspect that many of them have some sort of ceremonial process in the works that is littered with best practices bullshit phraseology, but to real professionals that understand was security is all about, will realize that the emperor is wearing no clothes.
One of the more politically incorrect questions I had in the back of my mind that I decided to avoid asking in a large audience was how many large enterprises are doing static analysis also have strong technical leadership. I guess my general observation of the market is that for enterprises where the IT executives came from a strong technical background tend to be better positioned than those who have IT executives who are either process weenies or even worse pretend business customers.
The second speaker was Gary McGraw, CTO of Cigital who talked about exploiting online games. Most folks in large enterprises who are full of themselves wouldn't take the time to understand how game security relates to them. Do they really think that their silly little architectures that support 500 users concurrently is somehow more challenging than implementing an architecture that supports 2 million concurrent?
Enterprisey types get giddy whenever the performance of screen to screen transitions takes more than 3 seconds where in the online gaming world, a person would go ape shit if there was latency of more than 1/4 of a second. At some level, for security to improve in large enterprises, someone has to un-enterprise the enterprise architects.
Gary speaks at lots of conferences and it is well worth your effort in attending one that he will be at. Likewise, if you are in need of consulting services, his firm Cigital has a value proposition that is worth listening to.
The sponsor of the meeting was Ounce Labs which will help large enterprises remediate their source code and make it more secure. Their licensing model is incredibly attractive and in many ways better than their competition. A smart consulting firm would be well served by also forming a relationship with Ounce Labs as I predict the notion of code review as a service will get hot later in the year. After all, ask yourself how much money you can make by telling enterprises how horrific their code is...