The Daily Incite - May 27, 2008
May 27, 2008 - Volume 3, #51
Good Morning:
Memorial Day weekend marks the beginning of summer for us. Lest we
forget, we are also remembering all of the brave military folks who
paid the ultimate price for freedom. I'd say just the US troops, since
that's where I hang my hat - but in today's global world it's not
just the US military that contributes to keeping the world a safer place.
I hope you all had a few kind thoughts for the soldiers who have
fought against tyranny and anarchy since the beginning of time.
The pool in our neighborhood opens up on Memorial Day weekend. So my
family, and it seems everyone else in our neighborhood, decides to spend
some time at the pool. The kids just love it, although the idea of
jumping into 70 degree water is up there with a root canal without
Novocaine for me. So I smile a lot, lather up my ample nose with
sunscreen, and roam the side of the pool with my ever-present yellow
noodle. Yes, those are noodles shown in the picture to your left.
Aren't there lifeguards at our pool? Why do I never let my kids (at
least the little ones) out of my sight when they are in the water?
Wouldn't it be easier and more relaxing to just sit on a lounge chair,
sip a cold brew, and kibitz with my neighborhood friends?
Of course it would, but it would also be the wrong thing to do. The
Boss grew up as a lifeguard at her local pool, and she would tell me
stories. Bad stories about what can happen when you don't pay
attention. So I pay attention. I'm not willing to take a risk with the
lives of my children or any of the other children at the
pool.
It's really about the lifeguards. These are 16 or 17 year old kids that
are working on their tan. I'm sure they are good swimmers, and most are
even diligent kids. But with 100 kids in the pool at any given time,
would they see mine if there was a problem? They haven't in the past,
so I'm not willing to take the chance that they will in the future. By
the second time you pull your flailing kid over to the side of the
pool, you get it. The lifeguards are for the other kids, not yours.
I'm sure most of the neighborhood thinks I'm a bit wacky. I'm pretty
anti-social on a good day, so I guess I'm staying in character when I
just roam around with my noodle, laser focused on my kids. I'm OK with
that. Leaving the safety of my kids to a lifeguard who is more worried
about that emerging zit or the latest version of Rock Band? Not so much.
In a year or two, I'll be able to chill out. By then, all of the kids
will be great in the water. They are pretty much there right now, but
I'm sure you all know how hard it is to turn off the paranoia that
drives us during the week. As if it was only during the week, right? So
I'm constantly doing risk analysis. I'm constantly monitoring the pool.
And I'm ready to REACT FASTER if something were to happen.
And that can mean the difference between life and death - especially
around the pool. Have a great, safe day.
Photo: "/crayola/" originally uploaded by m_e_l_o_d_y
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" - www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today - www.securitymike.com
Top Security News
You get what you pay for, right?
So what? -
NetworkWorld has a good community post on six free security tools you
shouldn't live without. I'd probably add at least Nessus to that list
(for non-commercial use anyway) and a couple of others, but that's me.
It does bring up the question of whether you get what you pay for and
whether "free" security tools make sense for you. Basically, it depends
on your level of sophistication. Something like Metasploit isn't going
to be appropriate for an unsophisticated mid-market IT professional
who also has to wear the security hat. Nor is it appropriate
for someone who needs commercial-grade exploits to test a large
enterprise network. They are better off looking at a commercial tool.
But if you are a DIY (do it yourself) type of guy/gal, then I think
free tools are awesome. It's like when I was talking to my friend the
other day and he told me about his cool new riding mower. I asked him
why he didn't just have someone mow his lawn, given what his time is
worth. It's because he likes it. He likes to mow his lawn. So if you
like to tool around and build things yourself, then by all means check
out the scads of free stuff out there. But if you would rather spend
time with the kids or maybe tune that email server, then don't feel bad
about searching out some lower cost commercial tools or services that
will let you focus on the stuff you want to do. There is no award for
doing everything yourself, unless you want to.
This story sound familiar?
So what? -
One of the reasons that I read such a diverse set of things every day
is to spot the patterns. So when I read this article on BSM (business
service management) and how the InformationWeek author kind of
dismantles the hype, I just have to chuckle. Gosh, it sure sounds like
GRC or even the bigger security market as a whole. Check out this
quote: "...with accompanying marketing hype aimed at your CIO and
business unit leaders." Or this one: "The truth is, you can't buy your
way to BSM, and companies that persist in thinking a single product, no
matter how big, complex, and expensive, will deliver are doomed to
disappointment." Oh yeah, that
sounds familiar. So what should the senior IT managers that are now
probably beleaguered by all sorts of vendors positioning their BSM
solutions do? Take a page out of the Pragmatic security playbook.
Ignore it and manage upward to the CIO and other senior managers to
ensure they understand that you are focusing on the stuff that is most
relevant to the business. Maybe some automation will help. Maybe. But
don't get caught up in any of the hype. Focus on what needs to be done,
and get it done. That's the best way to build credibility and then you
can really ignore all this other crap.
Deal: Coverity to buy Codefast
So what? -
You are thinking this must be a slow news day for me to mention a private company deal, right?
Well, not so much. I think this deal is interesting because it's very
indicative of the trend for application security vendors to start
expanding towards more general purpose development tools. It's all
about clearly understanding who the customer is and building out a
broader product portfolio to make that customer's life easier. That's
why the app scanning folks being subsumed by the biggest dev tools
vendors (HP and IBM) made sense. That's why when I pointed to Parasoft
starting to offer application security capabilities, it was
newsworthy. And now to see this kind of deal just confirms the trend
we've been seeing for the past 18 months. Application security is a
feature of a larger application development tools suite, but it will
take some time to get there. So there will continue to be application
security specialists within large enterprises and a continued
opportunity for niche vendors to do OK. But that window will not be
open forever, so the sooner these guys either start gobbling other
stuff (like Coverity) or find a strategic partner, the more likely
they'll have a good outcome.
The Laundry List
- No (data at) rest till Brooklyn. The US Feds have encrypted 800K devices, with another 1.2 MILLION on tap. It's a good time to be in the device encryption business, no? - NetworkWorld coverage
- Here is a poor man's guide to web security gateways from the fine folks at IDG. There is a bit of information here, but not enough to help you really understand the market. Which is too bad because securing the web traffic is a key priority for lots of companies this year. - PCWorld buyer's guide
- Blue Coat misses their fiscal 4Q. Stock gets hammered as they claim a very weak April. This could be the beginning of the slowdown. Don't say I haven't been warning you... - Blue Coat earnings release
- Barracuda launches a big email gateway for $90K. Seems like a distribution mis-match, since customers dropping that kind of coin actually expect to get service. - Barracuda release
Top Blog Postings
If they can't see it, they don't appreciate it
Shrdlu reminds us of the importance of "marketing" your security
projects. Amazingly enough, the projects that have gotten her the most
acclaim have been the ones that end users have gotten to feel and
touch. I know this is just totally obvious, but how many of us spend
most of our time fixing the plumbing and then wonder why the business
users have no idea what the security team does on any given day? So
when you are putting together your project plans and your key
initiatives, make sure there is a good mix of improving the plumbing,
checking out new stuff (that may pay dividends later) and some user
visible stuff that keeps you in front of the end users. One of
the most useful tools that I had in the anti-spam business was the
quarantine email. Why? Because the users would see a portion of the
stuff that was blocked on a daily basis and they would appreciate that
the email gateway was keeping that crap out of their inbox. Or a little
notification that the security software has been updated on their
machine. It doesn't have to be complicated, but it has to be treated
like a branding exercise. And if anything, branding needs to be
consistent.
http://layer8.itsecuritygeek.com/layer8/securitys-greatest-hits
It's not about you, it's about their clients...
Lonervamp takes a shot at Jeremiah and RSnake here, being disappointed
that these application security big brains can't actually share
everything they know. Yes, it is disappointing, since I'd love to learn
everything they know as much as everyone else would. But as someone who
is privy to a lot of stuff that the general market isn't, I can
understand their quandary. Which makes me appreciate their position.
The fact is, Jeremiah and Robert are as generous with
their time and knowledge as anyone out there. And I know they would
love to talk about the latest thing they have found. BUT THEY CAN'T.
Why? Because their clients will know they are talking about them. I
made that mistake exactly once. I wrote about a conversation I had and
I took great pains to anonymize it, even to the point of changing some
of the facts. They still knew it was about them, and they were pissed.
It took me a long time to rebuild my credibility and it's just not
worth it. It's a fact of life about security. Clients don't want you
blabbing your mouth about what they are doing and what they are seeing.
Period. Yes, it's disappointing, but it is what it is. Be thankful for
what these guys do share. They don't have to do anything.
http://www.terminal23.net/2008/05/grossman_and_rsnake_lay_eggs.html
Nobody gets fired for buying Big Vendor X
There is always a "safe" vendor to pick. The one where the bean
counters go, "sure" and don't question why you are picking them. They
just figure the stuff is good because it's the brand name and that's
that. AndyITGuy makes a good point about the danger of that mentality
and he's exactly right. It can be dangerous to buy because it comes
from a huge, market dominating company. But the reality is that it can
be more dangerous to not buy from them, for your career anyway. Thus,
my Buying Security Products process (you should have gotten the eBook
when you signed up for the newsletter. If not, email me and I'll send
it to you) is built to take this into account. You find a SET (meaning
more than one) of vendors that can meet the requirement. Then you
negotiate. Then you have the flexibility to go with someone else, or to
have disqualified the leader for a documented set of reasons. You may
still be overruled on the 18th hole by your CIO (who gets to play a lot
of cool golf courses thanks to Big Vendor X's generosity), but at least
you've tried to do the right thing.
http://andyitguy.blogspot.com/2008/05/you-can-use-any-vendor-you-want-as-long.html
I take exception to this post.
If you truly have issues with the lifeguards at your neighborhood pool, please do not assume this is true of the entire industry/area. I am a mid-career information security professional myself. I have also been a lifeguard since age 15 and a lifeguarding instructor since I was 18 (over 10 years, now). Some, and I dare assume most, lifeguards are professionals and very much would dispute the description you provide. Almost every 15-year-old I have taught understands the value of scanning their water and of making sure they identify your child as being in distress if that (unfortunately) becomes the case. These kids have been trained and fully understand the great responsibility you are entrusting to them. I have had a 15-year-old give medical aid to a classmate the day after they were trained on obstructed airway protocols and restore breathing to a choking high school student while the rest of the lunchroom crowd (including multiple teachers) watched in horror, not knowing what to do. I have had 16- and 17-year-olds use an AED to restore an older gentleman's heart rhythm after a heart attack, saving that man's life. Incidents like this happen all the time, throughout the country, on a daily basis.
So, if you have had an issue with the safety training and dedication provided by your local pool staff, please understand that this is NOT indicative of lifeguards in general. Depending on the level of commitment of the facility and the staff they choose to employ, this can entirely not be the case. Lifeguarding has seen a drastic increase in professional responsibility, training levels, and sheer effectiveness in the past few years. And the 15-, 16-, and 17-year-olds, young adults, middle-aged persons, and even elderly individuals who choose to work in this area, and save lives as part of the deal, deserve respect.