Friday, February 09, 2007

RSA, Did you see anything cool?

I must have been asked that question a dozen times during the show, and I had no good answer. The attendees REALLY wanted to find the new hotness, but couldn't seem to find anything compelling. It got me thinking about security in general, and that maybe our expectations are improperly set. I mean, aren't security products/solutions about making sure "nothing happens" (if we do our jobs well)? Of course that's boring. It's only when we demo live hacks and something does happen on screen that people begin to perk up.

Another thing that occurred to me is "how can anyone make sense of all this stuff"!? There I was in a literal sea of hundreds of infosec companies, most of which I'd never heard of, doing my best to understand their value proposition while being peddled free software and toys by booth babes. There was tons of NAC, Identity Management, lots of webappsec, and gawd, anti-Malware/Spyware of every kind for every device. Whew! When speaking with a few vendors, they did their job well describing how they differentiate from their competitors: "We go faster, more in-depth, find more of the (un)known, and we focus on the data." It all sounded somewhat interesting, but in the back of my mind I was thinking, "why do I need this?"

There is a lesson to be learned here by those in the web application security field, myself included, because outsiders probably feel the same way about our field. Everything we talk about, including XSS, CSRF, SQL Injection, Technical, Logical, and the other confusing terms, is all cool, but have we really described why this stuff is important to eliminate? I mean, really really. This might be what Sylvan has been driving at in asking how to prove our worth or value in some type of quantifiable terms. Answering the fundamental question, "why?"

2 comments:

Anonymous said...

Hi Jeremiah, nice write-up. I think I can agree mostly, but I like to think that the knowledge we acquire helps other people. Think about that there is something out there we all do not know about but only 1 person in the world (think of UXSS in PDF). Security for me is to know all possible angles on a subject. My focus lies more on solving stuff than on breaking it. Breaking the stuff is easy, but to fix it or actually build it is far harder. Security still drives us to the point of: What if?

-Jungsonn

Andy Steingruebl said...

Jeremiah. Been thinking of this subject for a bit and for me so much of the newness is just a waste of time.

Wrote a quick little item on it...

http://securityretentive.blogspot.com/2007/02/most-web-security-is-like-finding-new.html

Not sure how useful it is, I welcome comments.