Comments on Jeremiah Grossman: Live Online Roundtable (Episode 1)
Comment posted by Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186), 2007-11-09 13:09 -08:00

Feedback from Chris Conacher....

My thoughts are:

Format:
* I love the chat format because you actually get a sense of the problems that the experts' minds are having to wrestle with and what they really think about and struggle with
 * It was like turning on the radio on a Sunday to just kick back and listen to people discussing interesting things
 * Not too formal, but controlled to where everyone is getting a say and the questions are directed to the right people for main content with ancillary views from others
 * Not a pissing match (difficult to achieve with a lot of security people)

Experts:
* You and R Snake are always worth listening to.
* You had a really good mix of egos as no one was trying to prove their ground is best and it did not turn into a pissing match
* Experts admitting they don't have the answers is always nice, especially when they explain why and what the issues are
* Having experts identify the issues and what the real questions are is just as important even when the answers are available, as it is the only way to understand what the answers mean (i.e. context / scope)

Content:
* The application security stuff was great (of course) in that it set the problem set
 * Loved the scope: exploits, SDLC, network solutions, WAFs, frameworks, education, etc.
 * Nice to see the wider Security Lifecycle addressed rather than minutiae that are irrelevant in the context of an enterprise
 * The issues raised actually made me think that the SDLC we are implementing should be as good as we can get it, which was a great takeaway / validation
* The movement onto WAFs as the technical solution du jour was very useful (the antithesis to the marketeers)
 * Discussion of limitations in relation to the problem set was great
 * The band-aid concept with regard to using WAFs as a stop-gap against known vulnerabilities in a production code base that is not going to be remediated for a while is a real-world solution I can use rather than a technology marketing overview - that was a concrete takeaway that I can investigate and discuss as an approach
 * Excellent doorman / clubfight analogy :)
* Not sure if PCI was the best use of the available time (maybe because I have been through it and handling this kind of thing has little to do with security - a large financial corporation I worked for addressed/met the whole PCI application security requirements by having application firewalls, an SDLC and an automated test before production)
 * It was interesting to have a front line discussion of PCI
 * That people like R Snake are being approached and in what capacity
 * Good to hear R Snake stating his perceived value in being engaged in that activity
 * Again, marketeer antithesis is always good
* Nice to see the mix between the network and application security views in terms of solutions to the problem set

Balance:
* About the right concentration on Application Security
* Not sure about PCI as one of the topics, but it was given about the right amount of time
* Nice winding up with the 'What is the coolest thing...'

Audience Participation:
* Thought the level was about right (i.e. trend input, aggregate and pose in a way that continues the discussion)
 * I have been in these things where it ends up more like talk radio with 'Mr Smith from Brighton asks...' and it is some dumb question. All that does is make sure that I will not go to another.
* Not sure if you can make it more interactive without detracting from the discussion.
 * I.e. if interaction is limited it can be frustrating as people want to get their input heard.
 * If there are too many options for input it can just be distracting and people just give up.
 * In short, if there is a way that I can get my specific questions out there and answered (rather than having to spend money) then great; otherwise I would stick to the audience participation lite that you have here - again, trend input, aggregate and pose in a way that continues the discussion.

My 2c.

Chris