Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - May 27, 2008

By Mike Rothman
Created 2008-05-27 09:28
Today's Daily Incite

May 27, 2008 - Volume 3, #51

Good Morning:
Memorial Day weekend marks the beginning of summer for us. Lest we forget, we are also remembering all of the brave military folks that paid the ultimate price for freedom. I'd say just the US troops, since that's where I hang my hat - but in today's global world - it's not just the US military that contributes to keep the world a safer place. I hope you all had a few kind thoughts for the soldiers that have fought against tyranny and anarchy since the beginning of time.

Noodles by the pool

The pool in our neighborhood opens up on Memorial Day weekend. So my family and it seems everyone else in our neighborhood decides to spend some time at the pool. The kids just love it, although the idea of jumping into 70 degree water is up there with a root canal without Novocaine for me. So I smile a lot, lather up my ample nose with sunscreen, and roam the side of the pool with my ever-present yellow noodle. Yes, those are noodles shown in the picture to your left.

Aren't there lifeguards at our pool? Why do I never let my kids (at least the little ones) out of my sight when they are in the water? Wouldn't it be easier and more relaxing to just sit on a lounge chair, sip a cold brew, and kibitz with my neighborhood friends?

Of course it would, but it would also be the wrong thing to do. The Boss grew up as a lifeguard at her local pool, and she would tell me stories. Bad stories about what can happen when you don't pay attention. So I pay attention. I'm not willing to take a risk with the lives of my children or any of the other children at the pool. 

It's really about the lifeguards. These are 16- or 17-year-old kids that are working on their tan. I'm sure they are good swimmers, and most are even diligent kids. But with 100 kids in the pool at any given time, would they see mine if there was a problem? They haven't in the past, so I'm not willing to take the chance that they will in the future. By the second time you pull your flailing kid over to the side of the pool, you get it. The lifeguards are for the other kids, not yours.

I'm sure most of the neighborhood thinks I'm a bit wacky. I'm pretty anti-social on a good day, so I guess I'm staying in character when I just roam around with my noodle, laser focused on my kids. I'm OK with that. Leaving the safety of my kids to a lifeguard that is more worried about that emerging zit or the latest version of Rock Band? Not so much.

In a year or two, I'll be able to chill out. By then, all of the kids will be great in the water. They are pretty much there right now, but I'm sure you all know how hard it is to turn off the paranoia that drives us during the week. As if it was only during the week, right? So I'm constantly doing risk analysis. I'm constantly monitoring the pool. And I'm ready to REACT FASTER if something were to happen. 

And that can mean the difference between life and death - especially around the pool. Have a great, safe day.

Photo: "/crayola/" originally uploaded by m_e_l_o_d_y [1]


Top Security News

Six free security tools you shouldn't live without [10]. I'd probably add at least Nessus to that list (for non-commercial use anyway) and a couple of others, but that's me. It does bring up the idea of whether you get what you pay for and whether "free" security tools make sense for you. Basically, it depends on your level of sophistication. Something like Metasploit isn't going to be appropriate for an unsophisticated mid-market IT professional that also has to wear the security hat. Nor is it appropriate for someone that needs commercial-grade exploits to test a large, enterprise network. They are better off looking at a commercial tool. But if you are a DIY (do it yourself) type of guy/gal, then I think free tools are awesome. It's like when I was talking to my friend the other day and he told me about his cool new riding mower. I asked him why he didn't just have someone mow his lawn, given what his time is worth? It's because he likes it. He likes to mow his lawn. So if you like to tool around and build things yourself, then by all means check out the scads of free stuff out there. But if you would rather spend time with the kids or maybe tune that email server, then don't feel bad about searching out some lower cost commercial tools or services that will let you focus on the stuff you want to do. There is no award for doing everything yourself, unless you want to.

this article on BSM [12] (business service management) and how the InformationWeek author kind of dismantles the hype, I just have to chuckle. Gosh, it sure sounds like GRC or even the bigger security market as a whole. Check out this quote: "...with accompanying marketing hype aimed at your CIO and business unit leaders." Or this one: "The truth is, you can't buy your way to BSM, and companies that persist in thinking a single product, no matter how big, complex, and expensive, will deliver are doomed to disappointment." Oh yeah, that sounds familiar. So what should the senior IT managers that are now probably beleaguered by all sorts of vendors positioning their BSM solutions do? Take a page out of the Pragmatic security playbook. Ignore it and manage upward to the CIO and other senior managers to ensure they understand that you are focusing on the stuff that is most relevant to the business. Maybe some automation will help. Maybe. But don't get caught up in any of the hype. Focus on what needs to be done, and get it done. That's the best way to build credibility and then you can really ignore all this other crap.

a private company deal [14], right? Well, not so much. I think this deal is interesting because it's very indicative of the trend for application security vendors to start expanding towards more general purpose development tools. It's all about clearly understanding who the customer is and building out a broader product portfolio to make that customer's life easier. That's why the app scanning folks being subsumed by the biggest dev tools vendors (HP and IBM) made sense. That's why when I pointed to Parasoft starting to offer application security capabilities, it was newsworthy. And now to see this kind of deal just confirms the trend we've been seeing for the past 18 months. Application security is a feature of a larger application development tools suite, but it will take some time to get there. So there will continue to be application security specialists within large enterprises and a continued opportunity for niche vendors to do OK. But that window will not be open forever, so the sooner these guys either start gobbling other stuff (like Coverity) or find a strategic partner, the more likely they'll have a good outcome.


The Laundry List

  1. No (data at) rest till Brooklyn. The US Feds have encrypted 800K devices, with another 1.2 MILLION on tap. It's a good time to be in the device encryption business, no? - NetworkWorld coverage [16]
  2. Here is a poor man's guide to web security gateways from the fine folks at IDG. There is a bit of information here, but not enough to help you really understand the market. Which is too bad because securing the web traffic is a key priority for lots of companies this year. - PCWorld buyer's guide [17]
  3. Blue Coat misses their fiscal 4Q. Stock gets hammered as they claim a very weak April. This could be the beginning of the slowdown. Don't say I haven't been warning you... - Blue Coat earnings release [18]
  4. Barracuda launches a big email gateway for $90K. Seems like a distribution mismatch, since customers dropping that kind of coin actually expect to get service. - Barracuda release [19]

Top Blog Postings

http://layer8.itsecuritygeek.com/layer8/securitys-greatest-hits [20]

http://www.terminal23.net/2008/05/grossman_and_rsnake_lay_eggs.html [22]

http://andyitguy.blogspot.com/2008/05/you-can-use-any-vendor-you-want-as-long.html [24]
Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-27-2008