You can find it here: http://www.owasp.org/download/jmanico/owasp_podcast_42.mp3
The topic was “FISMA” in the context of OWASP and, while I don’t really do web app security, I’m still a “managed assurance” guy for risk, and I think that fit in well with everyone else’s perspective. That said, I hate listening to myself talk, so tell me what you think of how it came out – I haven’t listened to it yet!
Also, it’s “National Cyber Security Awareness” month. What does that mean? Are we making everyone aware that we’re all 0wnz0red? I like the idea – and socializing security was one of the recommendations that came out of the Estonia DDoS mess – but I have concerns about how the good intentions here are going to pave a specific road to a specific place. The concern has to do with security productization.
You see, I have a suspicion that we’re not going to educate people about the nature of security. Or, really, that we’re not going to get across how “security” is really this thing that everyone does all the time, and that we should stop treating it like this extra set of things we need to do -in addition- to actual requirements.
Instead, I think it’s going to come out as (from DHS’s website):
- Make sure that you have anti-virus software and firewalls installed, properly configured, and up-to-date. New threats are discovered every day, and keeping your software updated is one of the easier ways to protect yourself from an attack. Set your computer to automatically update for you.
- Update your operating system and critical program software. Software updates offer the latest protection against malicious activities. Turn on automatic updating if that feature is available.
- Back up key files. If you have important files stored on your computer, copy them onto a removable disc and store it in a safe place.
This is all admirable stuff, but it’s dogmatic. Dogma in security leads to blind trust in marketing and products. Blind trust in marketing and products will never lead to secure systems or computers.
Yes, it’ll get us baby steps forward, but then we’ll be left with ye olde “I did what you asked me, isn’t that enough?” faith-based security and we’ll be in a pickle when we realize that, architecturally, we have some serious work to do to get where we want to be and no one is interested in doing more.