  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
reply to astirusty — Re: No hope for John/Jane, since security pros are confused too.
One of our members posted this today in his new blog, and I think he will permit me to post some of it here since I think it ties into that which you thought was important to highlight.
Blake Link Logger »www2.dslreports.com/profile/356416
Blogging from Microsoft MVP Summit Conference 2008 April 16, 2008 18:04
»www.spearpoint.ca/blog/post/MVP-···Two.aspx
"The rest of the afternoon was spent discussing the current state of the art and future of security coding tools and practices. Certainly this discussion has got me doing some thinking, as I'm not really sure I agreed with what was said by some of the other people, but we obviously have different objectives and requirements, which in itself highlights a problem within this area. Not everyone wants the same thing, nor has the same expectations, budget etc. I get the Threat Modeling, the use of techniques to detect potential SQL Injection issues, Fuzzing etc., but my objective is to secure the applications built by smaller companies who don't have the Threat Modeling experts, tools and such that large ISVs and Enterprises might be able to afford. In some ways I'm the guy who is looking for the 80% solution for the 20% cost that pretty well any company can implement no matter how big or small. I'm not asking a company to get perfect security as I know that isn't possible or feasible, but really when it comes to security you just don't want to be the low hanging fruit. One person I was talking to agreed with me and described it as being chased by a bear: you don't need to be the fastest man on earth, just faster than the other guy. I must admit I'm a little wary of automated testing tools as a silver bullet; I've seen them come and go, and while they might have been able to offer some direction or suggest areas to investigate, they were never silver bullets. I guess I'm looking to just start by educating developers about the dangers and the simple techniques and tools to help get them going in the right direction. The journey of a thousand miles starts with a single step sort of thing, and some of the solutions discussed in my opinion are more than a single step and more like having a rocket pack, which is great if you've got the dough to buy one, otherwise you're hooped.
Now to be fair Microsoft wasn't suggesting these big ticket complex systems, but other people in the room were, and again for their clients these might be great, but one size definitely doesn't fit all here."
"We had dinner tonight with Michael O'Neill; liked the guy right off as he has two L's in his last name. We talked about the challenges facing the Developer Security group, and while I'm thrilled to be in this group, I'm wondering if perhaps I should have thought about it a little more before coming over. When I was in the Windows Security group we pounded on the Microsoft Windows guys and they did something, as Microsoft didn't give them much choice but to make it so; Microsoft accepted they had a problem and they had to do something to fix it as it wasn't going to go away on its own. In the Developer Security group we are dealing with third party developers working on third party applications, so Microsoft just can't hammer them into action, so we will need to provide them with the guidance, tools, education, and provide them with the information required to motivate themselves. This will be a challenge to start with as frankly there are all sorts of reasons (none of them good) for resisting change. Security isn't free and it requires change, and given that most dev shops are already underfunded and overworked this change isn't going to come easily (frankly I think that most development shops have serious personal problems, as frankly I don't think developers are enjoying their jobs anymore, as far too many shops have become little more than sweat shops because of increasing expectations, falling employment numbers, etc.). I sometimes wonder if third parties will need to experience the intense pain that Microsoft felt in the past to motivate them to make security a priority worthy of investment of enough resources and budget to elevate their game to an acceptable level.
Michael is putting a lot of thought into how Microsoft can help external developers, and I think he has a pretty good group of very diverse people in his MVP group to help him achieve this goal, and plus I love a really good challenge to test my belief that this really is the 'next' big issue in security."
-- Gladiator Security Forum »www.gladiator-antivirus.com/ * A fun/friendly/informative forum for the mature elder crowd »www.theover50goldengroup.net
 SUMware Premium join:2002-05-21
said by Name Game: "Security isn't free"
It is with Linux.
La Luna Surviving Ashraful Premium join:2001-07-12 Warwick, NY
ahhh, shaddup.
SUMware Premium join:2002-05-21
Heh. How's things with your 'Linux Mint' install?
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
reply to SUMware: You can take that to the bank
»techrepublic.com.com/5208-6230-0···&start=0
»forums.fedoraforum.org/archive/i···211.html
»www.google.com/search?hl=en&q=li···e+Search
 SUMware Premium join:2002-05-21 edit: April 17th, @06:31PM
Yes. In an MS dominated world, support by businesses for consumers choosing to use Linux is not necessarily encouraged.
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
edit: April 17th, @06:47PM
said by SUMware: "Yes. In an MS dominated world, support by businesses for consumers choosing to use Linux is not necessarily encouraged."
I don't either. Too many friends that I know got their accounts cleaned out. Even 4 years ago, friends who live in Brasil got their desktop PC in Sao Paulo compromised and their entire savings account whacked by thieves working out of an internet cafe in Rio with just one floppy disk of trojans. At first the bank accused my friends, saying it was their fault, and even possibly that one of their kids did it. In the end I helped them track it all down and prove how it really happened; we even uncovered that the gang had inside help at some of the branches to cover their tracks.
  Steve Security is inefficient Consultant join:2001-03-10 Tustin, CA
edit: April 17th, @08:25PM
reply to SUMware — said by SUMware: "It is with Linux."
Having BIND and sendmail *cough* sorry nwrickert *cough* on my systems makes me feel so warm and safe...
La Luna Surviving Ashraful Premium join:2001-07-12 Warwick, NY
reply to SUMware — said by SUMware: "Heh. How's things with your 'Linux Mint' install?"
Ok. Still a learning curve.
 SUMware Premium join:2002-05-21
edit: April 17th, @07:23PM
said by La Luna: "said by SUMware: 'Heh. How's things with your 'Linux Mint' install?' Ok. Still a learning curve."
Yep, understand. Went through it myself, as with anything new. Still am, and enjoying the process.
Congrats on giving it a try!