deepsh.it: March 2009

The New School of Information Security with Adam Shostack

26th episode of The Silver Bullet Security Podcast.

Interview with Adam Shostack

Frank Abagnale's book got me started in Security: Catch Me If You Can

Security Renaissance: the notion that we have so many people with so many diverse backgrounds that it's a great time to be in security

3 big idea:
1. there is this conversation which has moved away from technology
2. if we're going to succeed, we need to actually test our ideas about what it is we should do - to be able to test our processes
3. we need to discuss what's happening, be willing to discuss our successes and our failures, and analyze what we're doing in such a way that can advance the sience and the state of the art

as the system is moved from a desc of an alg to an implementation, does it retains the properties that you think it retains?
does it actually deliver in the real world the properties that customer wants?

Tylenol in the 1980s, someone put cyanide in their capsules, people died.

most computer security incidents actually lead to death.

if Tylenol is able to spring back - should we really be so unwilling to discuss the things that are going wrong for us today?

lenght: 30:12m

Labels: cissp, security

the users are always to blame with Jon Swartz

25th episode of The Silver Bullet Security Podcast.
Interview with Jon Swartz

RFID can be used to trigger bom that specifically trigger in case 50 americans is in the area

He wrote Zero Day Threat

is business doing enough for to manage risk? most part, no
customer is somehow to blame to make silly mistakes.
the onus is always put on the poor customer who's at the end of the food chain rather than on the security that should be there in the first place.

VISA contacted bank - TJX 2 days later
VISA blame the bank, bank hide behind confidentiality
why this strage shopping behavior doest not trigger VISA fraud detection?

until sombody's victimize, just out of sight out of mind - there is not enough education of the public.

people look at me as a cow look at a new gate

lenght: 27:49m

Labels: cissp, security

Unbreakable podcast with Mary Ann Davidson

24th episode of The Silver Bullet Security Podcast.

Interview with Mary Ann Davidson (CSO of Oracle)

CSO does focus on product security, specifically engineering security on the product development cycle.

MBA helps:
In ~2002 NIST study, the costs of bad software is about 60 billion per year - people pays for bad security.
There are a lot of people who are very well-intended and very sharp who come up with laundry lists of 8000 good things that we should do in security and all these things we should be doing and all these metrics - and that’s all great, but then … what is the benefit for the cost of getting that information?
What can I do with the same resources that provide higher pays off?
Measurement!

Disclosure is almost like a religious discussion, it is not about what I have to do to look good in eWeek this week.

we use outside firm from time to time, i'm not against outsource

we hard hard time to ack M$ & sun about Java vulnerability

I'll be very surprise if vendor nowadays does not reach when ppl inform about vulnerability

unbreakable campaign: most ppl who work in security say "hey what you are doing"
It wasnt my idea
It was a very strong statement
we have a prove points... we spent gazillion of dollar on testing... our competitors did nothing...
at the end it was positive

oracle approach on the evolution of security:
there are many things that we have now that we didnt have.
simply common criteria is not enough
we use more automated tools (bc we HAVE automated tools)
we license a few things
even the greatest developers who recheck their code to remove flaws can miss a flaw, what we going to do? yell a them? ask them for perfection? no!
automated tool might have found what we missed...

security development cycle

every single product, whether we develop or acquire has the same consistent process

if you device bugs and flaws, we have 50-50

our first customer was CIA, we build security embedded in our products 30 years ago

top best practice:
every body has to get secure coding practice - bc we dont get this in univ
vendor has to go back to univ to force them to teach secure coding!
Oracle sent letters to top 10-15 Univ where the new hires come, and telling "look it costs us & customer a lot of money to fix Avoidable & Preventable defects the key word are "avoidable" and "preventable".
the reason: ppl we get from Univ dont know these stuff!!!

you cant really test security, but at least you get out of junk from you code

if we have product which can self defended (as marines are marines first, they can defend them selves) - we will be in a better position.

lenght: 28:45m

Labels: cissp, security