Friday, May 04, 2007

More application security cliches from Schneier

Sometimes back in CIAG, lowly Grade 10 Engineers had to fill in for executives at the various security forums that seemed to breed like rabbits after 9/11 as the private sector (in particular the IT vendor community) tried to prove it was taking security seriously--to stave off government regulation. (Not that there should have been any concern, since the private sector owns the Bush administration or is the Bush administration). Often, other worker-bee types, who also were filling in for their boss's boss's boss's boss (perhaps one too many?) from thinktank-type, overhead organizations that really didn't do much and weren't accountable for anything, were there. We would exchange knowing glances or eye-rolls.

I remember one at the Intel campus in Santa Clara where a bunch of CTO-types sat around trying to solve "BGP Security" or "DNS Security" in one fell swoop. Then there was a memorable workshop at Rand in Santa Monica. Everyone's favorite CSO from Oracle was there. And Michael Vatis (after he left government circles) was somehow involved in directing the sessions. I remember arguing with him about something unimportant, possibly Common Criteria. Everyone was hyperventilating about "source code scanners" the way I heard various senior managers (who were trying hard to be directors) talk about the importance of "teaching secure coding" in the undergraduate curriculum.

All of these are not bad ideas. And 95% of these folks were far smarter than I was. My point is that the level of discourse at these forums was shallow and simplistic, because they were too far removed from the problem space -- kind of like Schneier's latest observation on the state of software security. (On the plus side, they usually had decent catered food at these meetings and you got to stay in nice hotels and visit places where the weather was usually better than Texas.)

If you've made it this far, I have nothing constructive (or substantive) to say on whether or not a "security industry is needed" (it exists and isn't going anywhere), but check GNUCITIZEN or Taosecurity, especially the latter, for some worthwhile commentary.

