Published on Security Incite: Analysis on Information Security (http://securityincite.com)

Report Card: 2007 Incite #7 - The Information Strikes Back

By Mike Rothman
Created 2007-12-26 08:18

It was good to see the topic of data security enter the conversation in 2007; it's the next frontier of security and a really big, nasty, hairy problem. There aren't any good answers to the issue quite yet, but a lot of smart folks are working on it. This is definitely one of the areas to keep your eyes on in 2008.

Incite #7 - The Information Strikes Back

2007 finally brings acknowledgement that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.


Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-7-the-information-strikes-back
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-12-2007

Final grade: B+

A funny thing happened on the way to the final grade for this Incite. The industry started to acknowledge the fact that securing data is different, and that applications are the path of least resistance to your data. Given the imminent chaos around virtualization, SOA, and continued focus on private data driven by PCI (more on that later), security professionals no longer have an option in trying to figure out how to secure their information/data.

I think we all acknowledge that the right answer is to build secure applications that aren’t subject to simple XSS and SQL injection attacks. Of course, that requires that our developers get religion about secure coding practices and that our executives get comfortable with the fact that applications shouldn’t ship unless they are secure.
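To make the "secure coding vs. band-aid" contrast concrete, here is an added example (not from the original post) that puts a string-concatenated SQL lookup next to a parameterized one, plus output encoding for the XSS side; the in-memory customer table and the probe input are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed in-memory sample table standing in for "your data".
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
conn.executemany(
    "INSERT INTO customers VALUES (?, ?, ?)",
    [(1, "alice", "1111"), (2, "bob", "2222"), (3, "carol", "3333")],
)


def lookup_vulnerable(name: str) -> list:
    """What 'simple SQL injection' exploits: user input pasted into the SQL text.

    Whatever the caller supplies becomes part of the statement, so a quote
    character in the input changes what the query means, not just what it matches.
    """
    sql = f"SELECT id, name, card_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(name: str) -> list:
    """Secure coding: the input is bound as a parameter and never parsed as SQL."""
    sql = "SELECT id, name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting(name: str) -> str:
    """XSS counterpart: encode untrusted data before it is placed into HTML."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed probe: a single stray quote is enough to rewrite the WHERE clause.
    probe = "nobody' OR '1'='1"
    print(len(lookup_vulnerable(probe)))  # 3: every row comes back
    print(len(lookup_safe(probe)))        # 0: treated as a literal, nonexistent name
    print(render_greeting("<script>alert(1)</script>"))
```

The vulnerable function is exactly the code a scanner or WAF (the "Plan B" below) tries to paper over; the safe one removes the bug class at the source.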

Right, it’ll be a cold day in hell when that happens. So what’s Plan B?

Basically we have to continue working around the issue, by doing application scans, pen tests, and maybe even implementing some database and web application defenses to try to work around the fact that our developers don’t care about security.

If there was ever a space that is crying for some disruption, it’s the data security market. The current methods are band-aids at best. Not that I’m talking about 2008 yet, since we haven’t put 2007 to bed – but we need to think differently about data security. Fundamentally differently. That means we’ll need to think about how to secure the fundamental element of data, wherever it is because we can no longer assume that we only need to protect the data within our environment.

I gave myself a B+ on this one because I was largely right: we’ve got a lot of acknowledgement about the depth of the data security issue – but precious few ideas on how to really solve it.

Check out the other posts in the Report Card series.


Source URL:
http://securityincite.com/blog/mike-rothman/report-card-2007-incite-7-the-information-strikes-back