RSA 2009
Well, we’ve been through the agenda and a series of pre-conference briefings, and some interesting trends and patterns to watch for are emerging. Below is our list of notes for RSA 2009. The theme is “Poe”, believe it or not, in case you can’t tell from the high-larious picture (at least we thought it was). We’ll revisit this after the show and update with additional information and commentary.
In addition, we’ll be blogging from the show next week about interesting announcements and curious happenings.
Government and the Law
We all know the Internet started off as the defense network DARPAnet, but other than Al Gore laying claims to inventing it, there hasn’t been a high level of government intervention in cybersecurity at RSA. And just mentioning the word “lawyer” to techies can clear a room in minutes.
No more. Obama’s a heavy user of the Internet and has plans to hire the US’ first CTO. At RSA this year there are keynotes on “Securing our Government Networks” with Lieutenant General Keith Alexander, Director of the NSA, “The Obama Administration’s Cyberspace Policy Review,” Melissa Hathaway, Acting Senior Director for Cyber Security and James Bamford talking about his book, “The Shadow Factory: The Ultra-Secret NSA, from 9/11 to the Eavesdropping on America.”
Want lawyers? Yup, RSA has those too. Compliance is now the driving force behind many security programs, and where there’s compliance, there are lawyers. CNN analyst Jeff Toobin is heading up a keynote panel of two lawyers and two judges titled “Information Governance Goes to Court,” and MITRE’s Michael Aisenberg is hosting a session panel on “Hot Topics in Information Security Law 2009.”
Clouds and Virtualization
If there’s one big BUZZ at the show this year, it will probably be around companies and talks that address innovative security for Cloud Computing (CC). This will play off of the Virtualization security buzz from last year.
CC is an evolution along the path we’ve been taking ever since we moved away from hard wired terminals and PDP-10s and onto the Internet and hosted data centers. CC introduces security concerns – primarily, what happens when sensitive corporate IP goes off-premise? How can organizations protect data in highly distributed systems, accessed by managed and unmanaged devices and traveling over untrusted networks?
Great points. But we’re most interested in speakers and solutions that understand the risk management history lessons and can apply them as needed to the new paradigm. Anyone who says cloud is a complete re-invention of the wheel is selling something (probably literally). Why do we say that? Well, number one we’re sick of the cloud… seriously. Every time I hear it, it’s like some drifter promising to make it rain if only we good townsfolk provide a show of faith in the form of donation to the cause. That’s not to say that there’s no usefulness by packaging software and applications in new ways – but just that the “new way” builds directly on what we’ve known and have been dealing with for years.
Software Security
This is a topic near and dear to our hearts here at SecurityCurve. Though code reviews and weaving security throughout the software development lifecycle (SDLC) may not be every security professional’s cup of tea – it is a requirement for management of risk. It’s imperative that we secure the code base and business logic of the applications we’re using to run our companies and our world.
Some interesting talks in the space: “Source Code vs. Binary Code Analysis,” a panel hosted by Mark Egan of StrataFusion, with Jerry Archer (Intuit), Brian Chess (Fortify), Mary Ann Davidson (Oracle), and Chris Wysopal (Veracode).
Gary McGraw (Cigital) and Brian Chess (Fortify) will present a talk explaining their recently released Building Security In Maturity Model (BSIMM) approach. BSIMM is “a collection of good ideas and activities that are in use today” in software development and testing. For anyone who’d like to do some early reading, the BSIMM document is available for download here: http://www.bsi-mm.com/
Pre-show vendor announcements in the space are promising. Vendors are moving away from an atomic tool model to support framework models for software risk management. Fortify introduced a more robust governance model and a SaaS offering. Veracode announced their Application Risk Management platform. And IBM continues to integrate AppScan functionality into the Rational portfolio.
Now let’s see if we can get anybody outside of security to care.
European Vendors
It’s no secret that the US economy ain’t what it used to be. Our early analysis of the show floor, and our pre-conference briefing discussions, indicate the rocky US economy may be creating an opportunity for non-US/Canadian companies to gain traction in North America.
Of course not all security vendors are from North America (Sophos, Kaspersky, and Panda to name a few) – but we think there’s a higher percentage of non-US/Canadian vendors entering the market this year. Examples are art of defence, NCP, and Ubitexx from Germany and Zecurion from Russia. We’ll be canvassing the show floor and talking to end-users to see if our hunch is correct or not.
Insanitas
And, of course, there’s no shortage of crazy talk from folks with new products that we don’t need, solutions to problems that we don’t have, and experiments gone awry. We’ll mock them as time permits from the show floor (ok, not really.) But we’ll call out the especially innovative/wild/insightful or just plain-old weird stuff that we come across that we haven’t seen before.
See you there!