The Daily Incite - March 27, 2007
March 27, 2007 - Volume 2, #51
Good Morning:
Time just flies when you are having fun. Or fun most of the time anyway. Yesterday was the 50th Incite of 2007. Wow! Doesn't seem like that many, but when you get into a daily rhythm you just go and don't really pay attention. Another thing that took me by surprise yesterday was the in-flight entertainment system on the plane. I fly a decent amount, not like I used to before the kids, but maybe once a week or every other week. I usually put on my headphones, crack open the MacBook and tune out.
But yesterday I spent a few minutes checking out the entertainment system on Delta. Live TV, about 100 different CDs, 20 on-demand movies. It was pretty cool. I turned off my iPod and just listened to some stuff that I don't own (The Killers and Raconteurs). Made the time just fly, no pun intended. What's amazing to me is how technology has evolved over the past 15 years. I remember arguing with a friend, who happened to be working for a shop called TeleTV that, in the mid-90s, was trying to build an entertainment system delivered over the telecom carriers' network. I didn't think they could make a big video jukebox in the sky really work.
That was a crazy idea back then. Larry Ellison funded a company that was building multi-million dollar, highly parallel servers to host the video feeds. In the 90s that was way ahead of its time. But now? You can have a server like that on a plane. And I assure you, it didn't cost millions of bucks. It's these times where Moore's Law really amazes.
And technology also becomes just part of your experience. For instance, last night I got to watch my favorite TV show, Prison Break, on the night it actually broadcast. Knowing I wouldn't have time to catch it when I got home, I diligently watched the clock and at 8 PM turned on the TV. I have to say I really missed the DVR experience. Most of the commercials were horrible and it took an extra 20 minutes to get through the show. Not that I was in a rush, but I've gotten spoiled. I was forced to recall a day when TV was done on their schedule, not mine. I didn't like it one bit. And I don't watch TV enough on the road to buy a Slingbox.
That's the thing about some technologies. They become so ingrained in your life that you don't even notice it's there. Until it's not. Then you notice it's NOT there big time.
Have a great day.
Technorati: Information Security, CSO
The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Top Security News
Are application attacks different?
So what? - If you believe Forrester (which I do, sometimes) a lot of customers can't really distinguish between application attacks and network attacks (here). I'm on board with this, especially for unsophisticated users that don't focus on security but more on broader IT issues. Who's to blame? The traditional firewall vendors, of course. These guys roll out fancy terms like "deep packet inspection" and "application intelligence" to convince their installed base that they have all the answers. Is a traditional firewall going to stop an XSS attack or SQL injection? No: to a port-and-protocol filter, an injected login request is just another allowed HTTP request on port 80. The good news is that at some point they will. So the web application firewall has a limited lifespan like most other product categories in security. At some point, the real functionality (not the vendor data sheet functionality) will be integrated into the base perimeter platform. Then unsophisticated users will be none the wiser, but more protected. Until then, that's why some ridiculous percentage of commerce web sites are vulnerable.
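To make the distinction concrete, here is an added example in Python; it is not from the original post and is not any vendor's product. It models a traditional packet filter that only sees the 5-tuple, a login handler built by string concatenation beside its parameterized fix, and a toy application-layer check that has to URL-decode the query parameters before it can see the attack at all. The hostname shop.example, the request lines, the users table and the two regexes are all constructed for the example, and the pattern check is deliberately crude: it shows where inspection has to happen, not how a real WAF does it.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic: three HTTP requests to a fictional shop.example.
# All three are ordinary TCP/80 traffic as far as a packet filter is concerned.
BENIGN_LOGIN = "GET /login?user=alice&pw=s3cret HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI_LOGIN = "GET /login?user=admin'+OR+'1'%3D'1&pw=x HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS_SEARCH = "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n"

ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443)}  # perimeter policy: web is open


def network_firewall_allows(proto, dst_port):
    """A traditional (layer 3/4) firewall decision: it sees the 5-tuple, never the payload."""
    return (proto, dst_port) in ALLOWED_SERVICES


def parse_request(raw):
    """Minimal HTTP request-line parser returning (method, path, decoded query params)."""
    request_line = raw.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ")
    parts = urlsplit(target)
    params = {name: values[0] for name, values in parse_qs(parts.query).items()}
    return method, parts.path, params


# Toy application-layer signatures (constructed for this example). Real WAFs need
# normalisation, many encodings, context and far more rules; these two exist only
# to show that inspection must run on decoded parameter values, which a packet
# filter never reaches.
SQLI_PATTERN = re.compile(r"'\s*(or|and)\s*'[^']*'\s*=", re.I)
XSS_PATTERN = re.compile(r"<\s*script", re.I)


def app_layer_flags(raw):
    """Return (finding, parameter) pairs for suspicious decoded parameters."""
    _, _, params = parse_request(raw)
    findings = []
    for name, value in params.items():
        if SQLI_PATTERN.search(value):
            findings.append(("sqli", name))
        if XSS_PATTERN.search(value):
            findings.append(("xss", name))
    return findings


def setup_db():
    """In-memory users table with constructed credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("admin", "hunter2")])
    return conn


def login_vulnerable(conn, user, pw):
    """String-built query: the 'before' picture. Returns the matched user names."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user, pw):
    """Parameterised query: the input stays data and is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (user, pw))]


def evaluate(raw, conn):
    """Run one request through the packet filter, the app-layer check and both login handlers."""
    _, path, params = parse_request(raw)
    result = {
        "network_firewall": network_firewall_allows("tcp", 80),
        "app_flags": app_layer_flags(raw),
    }
    if path == "/login":
        result["vulnerable_login"] = login_vulnerable(conn, params["user"], params["pw"])
        result["safe_login"] = login_safe(conn, params["user"], params["pw"])
    return result


if __name__ == "__main__":
    db = setup_db()
    for label, req in [("benign", BENIGN_LOGIN), ("sqli", SQLI_LOGIN), ("xss", XSS_SEARCH)]:
        print(label, evaluate(req, db))
```

The packet filter says yes to all three requests, because they are all well-formed HTTP to an allowed port. The injected login logs in as admin without a password through the string-built query and matches nothing through the parameterized one, which is the real fix; the regex layer only catches what it was told to look for, which is exactly the gap between data sheet "application intelligence" and a secure application.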
Inertia and the immovable object
So what? - Larry Walsh asks an interesting question about whether Symantec is still an AV vendor (here). Of course they are. A big fat cash cow says they are. Are they late with new capabilities? Yes. Have they executed well in the enterprise security business for the past 2 years? Of course not. Their channel is pissed and they should be. But inertia is a very powerful force and the Big Yellow has inertia in the AV business. That being said, Novell had inertia in LAN operating systems and WordPerfect had inertia in word processing. Lotus had inertia in email and collaboration also. Why do I mention those three vendors specifically? Because they were all crushed by Microsoft in their respective spaces. And guess what? Microsoft has targeted the anti-virus business. So inertia is all good and well, but at some point you better push the envelope and change the game. Inertia won't help you when Microsoft finally gets it right. The good news for the Big Yellow is that it takes time for Microsoft to get it right. The clock is ticking.
Understanding the personal firewall
So what? - David Strom did a write-up of the personal firewall market for InformationWeek (here). I didn't think there was a market for personal firewalls anymore. Strom talks about two options for deploying personal FWs - either as "a hardware appliance for perimeter protection that works in conjunction with software for each desktop" or one that works with "an enterprise gateway or centralized anti-virus solution." And those are different how? Before you waste a lot of time reading this rubbish, here's what you need to know. Answer two questions. First: is the Windows (or Mac) firewall good enough? There are definitely use cases where that is the case. If so, move on - you've got other things to do. If not, the second question is which broader suite to buy, since you'll need one that includes the personal firewall, AV, anti-spyware, and probably some other stuff. Every client security product includes all of these capabilities. So if you need them, you get them. Don't pay a lot. It's not that hard.
The Laundry List
I'm OK, you're OK. McAfee introduces OK to "certify" mobile content as secure. And this is a problem? - here
Symantec jumps on the mobile security bandwagon (partnering with Bluefire). Wait, Symantec is early for a security market? - here
IPLocks introduced yet another SOx reporting offering. The auditors aren't going away, even if you bury them in paper. - here
Your ISP will soon tell you what you can navigate to, if Simplicita has its way. Something feels very wrong about my ISP navigating me where they want. - here
Reconnex gets into the endpoint agent business. - here
Top Blog Postings
Security certifying developers
Richard Bejtlich was kind enough to write up what he saw at the SANS party to introduce their new secure software development curriculum and certification. I think this is a much needed discipline and it's good that SANS is getting involved. You can say a lot of things about the SANS guys, but they are astute businessmen and they see an opportunity in training the millions of developers out there. The size of that market dwarfs the traditional security professionals market. Besides that, it's also a needed skill and developers must figure out how to think about security as they are architecting and building this next generation of applications. I could be all cynical about this, but I don't feel like it. If this helps only a few developers grok security, then it's a good thing.
http://taosecurity.blogspot.com/2007/03/sans-software-security-institute.html
Incrementally getting to secure code
While I'm ranting about software security, let me point to a post from Sammy Migues that focused on the need to do something and to do it now. You need to get to secure code incrementally. Most of these newfangled applications are just abstraction layers on pretty old back-end logic. You can wait to rebuild the application, but if it works - why would you? Or you could start assessing this old code, find the gaping holes, address them, and move on. Sammy's point is a good one. You can't just ditch your installed base of code, but you can't ignore the inevitable security problems either. If you try to eat the elephant in one bite, it doesn't go down smoothly. I learned that the hard way.
http://www.cigital.com/justiceleague/2007/03/21/the-curse-of-the-installed-base/
A view into Cisco's M&A strategy
WebEx isn't really security related, so I didn't say anything when Cisco announced the acquisition. But given Cisco's desire to play more prominently in the security space, this post from Don Dodge (who happens to work for Microsoft) underscores a couple of important points. First, it's now clear Cisco acquires two types of companies, very early or mature. They are either buying technology (and they don't pay a lot) or they are buying markets. WebEx was a market buy. So was IronPort. Don's point is that Cisco could have bought WebEx for $750 million a few years ago and now has to pay $3.2 billion. So what? Cisco didn't think collaboration was important enough a few years ago. Like they didn't think anti-spam/email security was important enough. Money is no object. Cisco can write an infinitely sized check. So it's interesting to track their M&A strategy because it indicates which markets are mature.
http://dondodge.typepad.com/the_next_big_thing/2007/03/why_did_cisco_p.html