Friday, April 18, 2008

Fun Reading on Security - 1

Instead of my usual "blogging frenzy" machine-gun blast of short posts, I will combine them into my new blog series "Fun Reading on Security." Here is issue #1, dated April 18, 2008.

  1. Gunnar Peterson has a "must-read" post on security innovation (and the lack thereof), where he attributes said "lack" to a lack of accountability. Read it and think! If you are tired of people mentioning "RSA", beware, his post does it too... Fun quote: "What is genuinely strange to me is that every other area in computers improves and yet security stagnates."
  2. Rich Mogull hits us with "Inconvenient Lack of Truth" post which states that "we'll never be able to fix our security problems until we start truthfully sharing breach information" - do read it.
  3. Andy IT Guy falls in love with GRC here ("I think that it does a pretty good job of summing up what a solid program consists of."). Indeed, he brings GRC up as an example of stepping beyond boxes, ports and hexdumps into the great unknown...
  4. Bruce Schneier makes a prediction here: "RSA Conference Will Shrink Like a Punctured Balloon." He also makes a valid but sad observation: "The problem is that most of the people attending the RSA Conference can't understand what the products do or why they should buy them." He then pontificates how people want "secure stuff" and not "security." Do read it! Also check out these comments about his article.
  5. Rebecca Herold continues her fun series on PCI DSS and logging here. Her third part is about using logs to detect attempts to exploit web application vulnerabilities.
  6. Ken Belva disagrees with Bruce about the mindset of the security professional. He thinks that "criminal vs a good guy" is too limiting a view for security ("Reducing the security mindset to 'an attacker, an adversary or a criminal' is to limit the paradigm of security to one general class of security roles: namely, the auditor."). Read it.
  7. InformationWeek quotes a survey predicting that mobile banking will grow 10x in the next 3 years. To me this sounds like: finally, mobile malware!
  8. Finally, Alan Shimel unveils his "Shimel's theory of security company relativity, or why there are so damn many security companies," which is an absolute must-read. I mean it! (part 1, part 2) Fun quote: "The overwhelming majority of companies at RSA are stuck at a revenue level of somewhere between 5 and 20 million dollars." What will happen to all of them? Read his Part 2.

Dr Anton Chuvakin