The Daily Incite - June 12, 2007
June 12, 2007 - Volume 2, #91
Good Morning:
I want to send out a big Happy Birthday to my Dad. You are an inspiration to everyone who knows you.
Another birthday for the big guy does bring up the topic of aging. I recently reconnected with an old META Group colleague and his first thought was how gray my hair must be after 10 years or so. And he's right! I passed the tipping point between salt and pepper (now heavily weighted towards the salt end - blood pressure be damned) a few years ago. But it's all good, I have a lot of friends who don't have too much hair left. I'll take gray hair every day of the week.
My point is that every day is a gift. The fact that I still have my hair is a gift. Every birthday is a gift. It means we've survived the battle for another year, and we should rejoice. Unfortunately our lives are so complicated now that we don't take the time to do that. With all the activities, pressures, and frenetic motion, this time last year I was pretty much just happy to make it through the day.
Now I know that's not good enough. I've made a distinct and conscious decision to have more fun. It's been a long process, and there certainly are days when poking myself in the eye seems like a less painful option - but overall worrying about things wasn't doing much but making me grumpy and taking the fun out of stuff that should have been a blast. I work every day at worrying less.
I'm not working with clients anymore that aren't fun. Life is too short and the money isn't that important to me. Even personally, the Boss and I are trying to spend time with positive folks that are fun to hang with. Those downers make you want to drink hemlock. It's just not worth it. They can go grumble and be pissed amongst themselves. I don't need any part of it.
I guess it's self-improvement week here at the Incite. We all have choices. We choose what we do every day, and we choose who we spend time with. As Steve Jobs said in his Stanford speech (which I linked to yesterday), if you look in the mirror in the morning and you'd rather be doing something else for too many days, something has to change. You can make that change.
Kind of like Richard Bejtlich, who decided to take a job with GE. We'll certainly miss his commentary and thought leadership, but I'm sure his family will appreciate having him around and he won't have to worry about the crap that makes being a one-man band challenging. Hats off to Richard for walking away on his terms to do something that he knows he'll love.
A friend back from Virginia puts "Carpe Diem. Make it a great day." at the end of every email he sends. At first I thought it was annoying and stupid. I figured he must have gotten lost in the self-help aisle at Borders and never escaped. But I've come to appreciate his sentiment. He's a guy that does seize every day with that unbridled optimism that makes some folks cringe. But there is something to be said about the power of positive thinking. Maybe I should write a book about that. It's a pretty catchy title, don't cha think?
So with that, Carpe Diem. Make it a great day.
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" at www.pragmaticcso.com
Top Security News
Ethics for IT Workers
So what? - Most of you know that I read a LOT of stuff every day. Hundreds and hundreds of things. Most of the time InformationWeek editor John Soat's stuff is silly. He tries to be funny for funny's sake, or maybe it's just for his own sanity's sake - but he shouldn't give up his day job to hit the comedy club circuit, that's for sure. But this piece on developing a code of ethical conduct for IT workers is actually pretty insightful because we as IT folks do have access to a lot of things we shouldn't. I'm a big fan of saying no one is above the law, but I'm usually talking about the executive suite and the importance of monitoring what they do. But this also needs to apply to us IT folks. Who is watching the watchers? You need to know the answer to that question. Checks and balances work. Remember, the difference between the good guys and the bad guys tends to be the ethical compass that guides their behavior. Make sure yours points in the right direction.
Rollin rollin rollin on the SPI
So what? - Have I told you lately that I'm not a big fan of Network Computing's Rolling Reviews? If I haven't lately, then here goes. I hate it. It makes me wait and I'm not a very patient guy. You see, I read this review of SPI Dynamics WebInspect (h/t to Jeremiah) and I want to see what he has to say about Watchfire, and then some of the source code analyzers, etc. Why should I wait? And what if I needed to make a decision RIGHT NOW? OK, off the soap box. Looks like SPI has some work to do on AJAX and JavaScript, and given that that is the preferred method of writing web apps today - it's a pretty big problem. Does Watchfire have the same problem? If all I had was this review to rely on, I wouldn't know. See, rolling reviews are problematic. They like SPI's new interface, and there is value for testers in finding configuration errors and automating the way they find other holes in the application. But it just goes to show that we are still far from a tool that can duplicate what is in the heads (and hands) of application security folks.
Showdown at the Big UTM corral
So what? - I feel for my friends Stiennon and Hoff. I've been where they are and it makes you old and tired. A one-on-one showdown for leadership of a pretty important market is hard. I was there when I was in the anti-spam business and it takes its toll. Now I have more salt than pepper on top of my head. Having to watch the news wires every day and respond when the competition announces anything. And the fact that even if you do come up with something novel, the other guy says the same thing within a week. The good news is that customers do start to get that it's a two-horse race (for the moment anyway) for big UTM boxes, so you get short-listed a lot and then it comes down to sales execution. Boy, I don't miss those days. Yesterday's announcements were a case in point. Crossbeam announces the new "next generation" X-series "platform," which cures cancer. Actually, it's bigger and badder and harps on their differentiation - best of breed. Of course, not to be outdone, Fortinet also announces a bigger set of boxes and they also use the term "next generation." See, I told you - everything sounds the same. If you are a customer and you can afford these big boxes, then do a bake-off. That's the only way you are going to figure out what will work in your environment.
The Laundry List
- Tips for Mac security. Yes, the Mac is vulnerable too (sorry fanboys) and these tips are good practice for pretty much everyone. - InformationWeek article
- Citrix getting the NAC? Well they bought some assets and hired some people from the late Caymas, which is now officially dead. And if you have a Caymas box, sorry. Did I tell you about the importance of Plan B? - NetworkWorld coverage
- Klocwork puts lipstick on for the "IBM buy me" contest. Buddying up to IBM Rational is a good idea because they'll need a source code analyzer at some point. - Klocwork release
- At least I'm not an elephant vasectomist. Popular Science says being a Microsoft security researcher is worse than a whale-feces researcher. Seriously. I always thought Stepto had a thing for elephant balls. - USAToday coverage
Top Blog Postings
Integration is coming
Mitchell takes Bejtlich's lead in talking about integration of capabilities. There are lots of names for it. Unification. Aggregation. Whatever, it all means the same thing to me. Disparate functions, which used to require disparate devices, are increasingly being integrated. And for good reason, it's a pain in the ass to manage hundreds of different devices and expect to have any consistency in policy and enforcement. But UTM isn't new, so what? Basically, Bejtlich's point, which Mitchell jumped on to pimp his Cobia is that unification isn't just restricted to security stuff. But the network is ripe for unification as well. Actually unification originated on the desktop. Anyone remember a little product called Microsoft Office? Yeah, that put a beating on "best of breed" stuff like WordPerfect and Lotus 1-2-3. So draw your own conclusions, but I think this is clearly history repeating itself.
http://mitchellashley.typepad.com/the_converging_network/2007/06/aggregation_is_.html
Figs? Is that the WAF of a fig?
Mark Curphey is spinning some cycles to help out application security folks and we are all benefiting as he describes what he's learning by driving the OWASP evaluation criteria. He brings up the category of web application firewalls, which as a market really hasn't taken off by any stretch. The folks that were mostly in it are looking at other segments of application security to pay the bills. The reality is that a stand-alone WAF doesn't add enough value by itself to stand alone over time. That means they are a supplement to other defenses and need to be integrated into a perimeter platform. It'll be interesting to see if/what IBM does with the Watchfire app firewall, since Citrix hasn't seemed to do much with Teros. Curphey's point is that web applications are too complicated now to think that any one category of technology is going to provide full protection, and he's absolutely right.
http://securitybuddha.com/2007/06/11/web-application-firewalls-lets-call-a-fig-a-fig/
Call girls, ho's and expectations - Must be time for Black Hat in Vegas
Looks like Farnum and Shimmy are at it again. Farnum started it with this rather innocent post about managing expectations. Since that is probably my favorite topic, Michael has some good words for the vendors out there about over-selling capabilities. Then Shimmy has to weigh in and point out that VARs don't always have clean shorts and there are lots of folks that oversell at all ends of the spectrum. Both of these guys are right and wrong. The reality is that vendors tend to do a lot more overselling than VARs. The vendors can do a cut and run and leave someone else (usually the VAR) holding the bag. By then, they hope Cisco or Symantec have come calling. Since the VAR only gets paid the margin on deals they sell, they need to think more relationship. That doesn't mean that the VARs don't learn what works and what doesn't the hard way, and then have to clean up the mess (because it's always a customer that pays for that lesson). Unfortunately, the right thing to do, which is to tell the truth and hope the customer can tell the difference, is hard, especially when your competition doesn't seem to be constrained by the truth.
Farnum - http://infosecplace.com/blog/2007/06/09/managing-expectations-a-valuable-skill-and-worth-the-time/
Shimmy - http://www.stillsecureafteralltheseyears.com/ashimmy/2007/06/class_warfare_a.html
We had some pretty healthy internal debates over the Rolling Review structure. In the end, there are certainly some disadvantages (you highlighted one -- making readers wait like a bad To Be Continued soap opera for the next set of results), but there are a few advantages too. Among them:
More closely align with vendor releases -- spacing out the reviews allows us to slip in vendors who are just about to release new code right after the start of the review (invariably happens in a big enough comparison and you're left publishing a review that's out of date for at least one vendor before the ink is dry). For this review, that meant getting Watchfire's latest version or not.
Easier on the writer -- OK, selfish, I know, but I'm only a contrib. editor part-time and a full-time security engineer at the University of Florida. For myself and the other freelancers on staff, Rolling Reviews are the only practical way we can manage a 9-product review without taking a few weeks of leave from our full-time jobs.
First reviews quicker -- for the few products at the beginning of the RR, you're getting access to the review more quickly than if all the testing and writing had been lumped together.
In the end, I'm not sure if I like it better or not. I think I've argued both for and against at various points. We'll see when it finally wraps up how I feel about it.