Enterprise Security organizations often find themselves caught between the ever-changing needs of the agile business, and the ever-present, ever-evolving threats to that business. At the same time – all too often we security professionals get caught up in “shiny object syndrome” which leads us to spend poorly, allocate resources unwisely, and generally de-couple from the organization we’re chartered to defend. Knowing how to defend begins with knowing what you’ll be defending, why it is worth defending, and who you’ll be defending from… and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond the tools perspective … so follow the Wh1t3 Rabbit and remember that tools alone don’t solve problems, strategic thinkers are the key.
Rafal (Principal, Strategic Security Services)
Quebec City, Canada, isn't a place I'd ever heard of hosting a fantastic community-centric security conference, but Hackfest.CA did it right. Of the conferences I've attended over the past 12 months, this is one I'm glad I made it out to and spoke at... read why.
It's been another wild Black Hat and Defcon ...and I suspect that while the Black Hat conference may have had a small mishap with the fire alarm going off during the keynote, Defcon probably won't be coming back to the Rio after the mayhem people have caused...
So it's Friday, and the week has once again run away from me ...but as I sit and look at my notes from these past couple of days at InterOP Las Vegas I have a few short comments on the trade show, and on some of the large shows in general that I've attended or spoken at lately... since I'm seeing trends, probably many of you are too.
This is my first RSA Conference, and my first Security BSides San Francisco.
While the big buzz and hoopla is going on just below our feet at Moscone Center at the flashy, expensive conference where all the hype meets the media, the Security BSides folks quietly bring in a different sort of crowd. It's almost as if between the hype, the media, and the extravagant parties, RSA has forgotten its purpose ... or maybe it seems that way because RSA has acquired a new direction. Either way, the behemoth and the BSides event right next to it offer very different views into what security means to a wide variety of people.
Conferences are more than just going to interesting talks, meeting interesting people, and attending after-parties. Sometimes, if the conference is really a gem (like Shmoocon), you actually learn something. After attending this year's Shmoocon 2011 I sit here waiting to go home ...and think it relevant to share my thoughts.
As a valued reader, I want to personally invite you out to HP Software Universe this year. It's an unreal chance to come see presentations, view upcoming products, and interact with people just like you using our products and services.
Since you're likely reading this blog because you're a part of the software quality lifecycle within your organization, this is the chance to come hear how others are using the security | performance | quality testing suites, their successes, and to discuss challenges. You don't have to go at it alone!
To show you how much I appreciate your readership, and to maybe help alleviate the cost of the conference, I've acquired a coupon code you can use to get an additional $100 off the conference fee. Simply use the coupon code INSIDER when you register and you'll get the benefits of the enormous community gathering; sharing knowledge, ideas, and successes with your peers.
Please join me... and if you're going please let me know (just use the email me feature on this blog) so I can give you some further insider conference information.
Hope to see you at HP Software Universe this summer!
Greetings, I am finally back home after an exhausting trip which had me speaking at 2 conferences back-to-back in separate countries and on opposite coasts! I did learn some valuable lessons from speaking at these two wildly different conferences though, so I thought I would share them with you here for your benefit too.
First off, the Information Security conference I attended on Tuesday in Toronto called "SecTor" was brilliantly run and targeted towards Canadian-based information security professionals and wannabe security professionals. It's OK to say it: there are plenty of people who attend these conferences because they are looking to break into the business and want to learn enough about information security to get a grounding in what the industry is about... so they attend these conferences. My talk "When Web 2.0 Attacks" was well-attended and I even had some big names in my audience (thanks to RSnake, Hoff and a few others that wandered in and out) and I think the overall impression was that the stuff I presented was relevant to people's daily lives in Information Security. That's kind of the problem though...
You see, while I ordinarily wouldn't think twice about educating those in my field ... someone that's been doing this for a while longer than I reminded me a while back that this is what we would call "preaching to the choir". Sure, I tend to agree that even within Information Security not enough people understand Web App Sec well enough to build a program and actually reduce any real risks - but those folks have been hearing this talk for years upon years right? At some point I'm bound to hit the law of diminishing returns; and furthermore, people who didn't agree with me 6 months ago aren't likely to agree with me today. Great conference, great mind-share but it's definitely time to reach a broader audience.
That's where the next conference I spoke at comes in. Wednesday morning, at 4:00am Central time (yeah, AM), while some of my colleagues were stumbling into their hotel rooms in downtown Toronto I was hopping into a car and being driven to the airport to head out west. My destination was Anaheim, CA where I would speak at StarWest later that day. I'm still not sure how, through the delayed flight, sickness, and almost-missed connection, I made it out to the West Coast by 2pm, but I did... and StarWest was awesome.
StarWest (run by the SQE folks, www.SQE.com) is nicely put together and serves an entirely new audience of people. Here at StarWest (although I did find it strange that we were in the heart of Disneyland!) the audience was almost entirely composed of software test engineers, managers and those related to the field. This was a completely different set of ears than what I'm used to ... and this was a good thing.
The first thing I heard when I put my welcome slide up was "Hey, isn't security supposed to be done by the security people?" Love it. This is exactly the mentality and the walls I was there to break down. I think as we went through the hour-long session on "Detective Work for Testers..." I managed to convince a few people in the audience that their jobs were closely tied to mine in Information Security. Maybe, maybe not. The bottom line is that many great folks came up to me and talked afterwards, and through the end of the conference, about the absolutely missing component in their SDL that was security. I had one lady in the audience (although she fled before I could get more out of her, and I had to track her down myself later on the show floor) tell me that her security team is the developers, and that because they tell the bosses that they don't have security issues, no one ever tests the code. I wish I could recall where she worked, hopefully no place important like a bank or anything ...
The point is - this was the right audience. If you were there and came to my talk, awesome! If you missed it, slides are posted and we can talk about it whenever you have some time.
Do you believe that Information Security and Software Quality testing are one and the same? Do you believe that a quality defect may as well be a security defect? Can you successfully explain the difference between a security bug and a quality bug?
... I'm fairly sure I have my target audience for the next foreseeable future. Listen up quality testers - I'm coming to a conference near you!
You're delivering the wrong message, to the wrong audience.
Don't believe me? Let's look at the attendance of workshops and conferences - now look at the message that's being delivered. I'm speaking, of course, specifically about web application security here. A recent article on Jeremiah Grossman's blog made me think: what do we (as security professionals and industry "experts") actually do? I feel like it's our responsibility to educate and bring the correct message to the people who will really benefit. Interestingly enough, I feel like we're failing to do this to any beneficial degree.
It's one thing to want to deliver software security as a message but an entirely different thing to deliver it to the right people who will actually benefit from the message. I honestly feel like I can't stress this enough.
I think it's wonderful that security is being preached at conferences all over the place, from quality to engineering of software to process management - but the real shortcoming is in who is hearing which specific message. As a speaker I can tell you that if I deliver the same message to every audience it will be lost more often than it is understood. Tailoring the message is so important. "The message" can be whatever you're delivering on - for me it's mostly how to build better web-based applications resilient to subversion (otherwise known as "hacking") but again - this can be whatever you specifically are trying to convey.
The key to delivering a talk with some punch is understanding the audience... I've taken my notes from the past several months of conference speaking and will deconstruct the audience for your benefit here...
- Management - Of course managers go to conferences, workshops, and talks because every once in a while they feel the need to stay relevant. I can say this without reserve because I was there, and I know for a fact that most managers are so busy trying to make sure their teams are delivering that they often have very little time to do much else - and by the time they look up from their desks technology has passed them by and they are relics. The answer to this is to hit a conference every once in a while and hear what the topics of the day are - a wise choice indeed. The manager as a target audience is very complex but can be simply deconstructed as follows:
  - Goals: Understand the high-level message being delivered, the current topic, and how it applies to their daily life as a steward of the business.
  - Challenges: Unfortunately, since few managers are really current on technical speak, it's very easy to lose a management audience in the details. They want to hear your message, so don't over-complicate it.
  - Win-Win: Present the topic in a way that delivers your point without losing meaning while at the same time making it relevant to the manager's everyday work-life... a tricky thing, I know!
- Developers - Developers are a rare gem at conferences where security professionals are speaking, sadly. Developers are keen on making stuff run faster, better, and making their lives less complicated. Notice that I didn't necessarily mention security in the stuff developers are keen on - it's our job as security folks to get them excited about writing secure code. Getting them to come to conferences and workshops is a great start, but the issue then becomes the way in which we deliver the message. I'll deconstruct developers here:
  - Goals: Learn the hot new "hacks" and cool code ninja skills which make them more marketable and give them greater ability to innovate and build something truly incredible with their code skills. Developers want to be able to write cool code, faster, and with less effort, period.
  - Challenges: As I've already pointed out, security doesn't often factor into the mind of a developer. We've been trying for years to change that, and to some degree it's working, but the percentage of security-conscious developers is still very, very low.
  - Win-Win: Developers aren't necessarily purposefully ignorant of security, just call it... agnostic. If we can find a way to make writing secure code less painful, and more... developer-centric, they'll adopt our principles and everyone wins.
- Security Professionals - Preaching to the choir, although it's often the choir which hasn't heard the message. I can't tell you how many times I've been in front of a security-oriented group presenting and they're looking at me like I'm a talking Polar Bear... seriously. Security professionals have a hard time keeping up with the technologies they support - it goes with the job - and so hearing something that's a niche piece is often intriguing, but we have to find a way to make the message stick! Let's deconstruct a security audience...
  - Goals: Hear the message, learn the "cool hack" they can take back to their team/manager to feel like they're abreast of security. In security it's all about staying relevant and up-to-date, and niche presentations attract security people like flies to honey.
  - Challenges: Quite simply put - the challenge with preaching to your own audience is that they see things in black and white. Security peers tend to see web application security in a binary fashion: secure or not. This creates a problem at times: if we deliver a strong message, say on a new AJAX vulnerability, the security staff can miss the forest (in this case the 'big picture' of security) for the trees (the specific new "hack") and actually do some reputational damage to themselves within the realm of corporate IT.
  - Win-Win: If we can provide the right amount of guidance with relevant knowledge, we can spur security professionals to make better policies and serve their business better. The goal for us as speakers is to blend technology with intelligence to help mold the perfect security professional - one that is business savvy and security smart.
- "Engineers" - This is the catch-all category, as far as I'm concerned. These are the other people who don't necessarily fit into the stack above. You've got a mixed bag with this, and it's a challenge to make it work, but I'll deconstruct this audience type thus:
  - Goals: Learn something, take it back and apply it to work - maybe, if it's relevant and applicable. (The secret is that since we're talking security, it's always applicable.)
  - Challenges: Making security a relevant topic. How do you make web application security relevant to a generic group of IT people? Blend the right amount of technology (so as not to go over anyone's head) with the aspects of IT that make it important to just about everyone - make security "real" with examples from all different sources.
  - Win-Win: The best-case scenario here is to make an impression on someone so that the next time someone says "security" they flash back to your talk and recall the message you gave, and as a bonus attempt to apply it (or at least know where to get more information, and point someone there).
There you have it. I hope this has been helpful - so that the next time you're standing there in front of your audience you've got the right mindset and the right goals, challenges, and winning strategy.