Wed Apr 23 2008

Ben Lorica

RSA 2008

Bruce Schneier's post about the recent RSA conference made me realize that my reaction to walking the exhibition hall may have been the norm. I have talked to enough security vendors to know that their basic message is constant: (1) security threats are extremely serious and rapidly growing problems, (2) their innovative solutions will render most of these threats harmless. What struck me was how intensely these two points were being delivered.

Imagine walking a huge exhibition floor housing multiple solutions to just about every security problem, listening to vendors review how serious the threats are, then being told multiple times that a particular solution is the most effective way to neutralize those threats. I can see why some attendees get shellshocked and, as Bruce observed, become less likely to buy. I wasn't there as a buyer, but the overall fervor was unusual enough that I relayed it to a few friends shortly after.

Because of schedule conflicts, I walked around on the fourth day of a five-day conference, and by then some vendors were probably aiming to book sales and identify prospects. Next year I'll try to check out the exhibition hall earlier in the week.


tags: rsa, security
Comments: 3

Ross Stapleton-Gray [04.23.08 09:25 PM]

I can't say as I saw anything that really wowed me at the RSA show; the Cyber Storm session was appallingly shallow... the only real substance was when two audience members asked the important question, "Was this exercise red-teamed?" (i.e., was the simulated adversary given the latitude to be creative, and actually threatening, or merely scripted?) The short answer: "No." The longer answer: "No way in hell... that might have resulted in the good guys losing embarrassingly badly."

Stepping back and looking at the big picture, I saw a lot of companies selling a patchwork quilt of prophylactics; the elephant in the room was that the underlying infrastructure (You Know Who's operating systems, and an Internet that's succeeded faster than our willingness to impose minimal requirements for authentication) is rotten.

Ross Stapleton-Gray [04.24.08 11:19 AM]

Gunnar says (in one of the RSA reports, on why he sees stagnation in IT security), "I would attribute to a lack of accountability. In programming your stuff better compile or you don't go live, you don't get your bonus, people get whacked and so on."

Ah, but I think some of the problem stems exactly there: if your program compiles, cool... if it's riddled with buffer overflow vulnerabilities, hey, that's kinda irrelevant to whether or not it compiled, and does the first-order thing it's supposed to do (e.g., make bologna dance on the screen). And bug-fix guys can code a patch for it later... gotta ship the features, today!

If you'd like security people to be accountable, give them authority, and if they had the authority to hold up products until they were reasonably hardened, or could require that things like operating systems shouldn't bloat up to the size of a barn with "neat" features that each drag in a raft of vulnerabilities, well then...
