Places to go, People to see

8 07 2009
*image courtesy of Roadsidepictures

Quick schedule update: I'm looking forward to both of these events. Let me know if you'll be at either and want to chat; I'm trying to fill up my schedule for both.

Black Hat – Las Vegas: Invited to participate on a panel to discuss the Laws of Vulnerability Research 2.0. Here’s a link to the summary. Register here.

Metricon 4.0: This should be a really good event. The full agenda is published here. I will be discussing the use of the Security Content Automation Protocol (SCAP) and the metrics being produced from this new view into the data. You can request participation via email here.

Hope to see you there!





Streaming Announcements

30 03 2009

Well March has been a BUSY month but I just wanted to post a bit of info out here about what’s been going on and what’s coming up.

First off, thanks to David Campbell, Kathy Thaxton and Eric Duprey for inviting me out to SnowFROC in Denver! I had a great time and, just like last year, there were a lot of interesting talks on Web Application Security. Also thanks to Bill Brenner and Lafe Low at CxO Media for getting me involved in their CSO Data Loss Prevention seminar in Chicago. You can find the lineup of presentations with video for SnowFROC posted here and the CSO Seminar presentations posted here. Bill Brenner wrote a good piece on my presentation here.

Today I had the pleasure of participating in a lunchtime podcast for the Society of Payment Security Professionals (SPSP) with Michael Dahn and Anton Chuvakin. We talked about the current and possible future state of payment security, how (or whether) risk management plays into this, as well as the "security first" vs. "compliance first" mindset. Thanks to Michael Dahn for having me on. I will update this post with a link to the podcast once it's up.

For those of you not aware, I also serve on the Board of Advisors to the SPSP and work with Trey Ford and others on their Application Security Working Group. You should check out more about them here and reach out to me if you’re interested in participating in the AppSec Working Group. The Working Group is currently working on a DRAFT Playbook for PCI 6.6 Requirements. Get involved.

Bill Brenner over at CSO online has also been so kind as to let me participate on the CSO Online blogs section of the site. That should give me more motivation to post more often. Warning – I may end up double posting at times here or linking directly to the new CSO blog.

Thanks to the guys over at Matasano Security for putting on a great TechTalk at Orbitz. Thomas Ptacek and Mike Tracey came on site to give their 7 Deadly Features of Web Applications to a good crowd. A good presentation delivered by a couple of very smart guys. If I am able to get both internal and Matasano approval, I may post the video of the presentation here later.

I’m a little late on the news here but both the BSIMM (Building Security In Maturity Model) as well as OpenSAMM (Open Software Assurance Maturity Model) have been released. The latter is now an OWASP project. I am just now getting around to reading through these and hope to have some thoughts put around this topic soon.

Finally, I am scheduled to speak at the next OWASP Chicago chapter meeting, pulling out my SnowFROC presentation for those who were not able to come out. The Chicago OWASP meeting is tentatively scheduled for April 29th. You can subscribe to the OWASP Chicago mailing list here if you don’t already do so.





March Events

12 02 2009

Just a quick post to let you know of two events I’ll be participating in next month.

On March 5th, OWASP SnowFROC is holding its second annual application security conference in Denver, Colorado. This promises to be a great event with a ton of good content and speakers. I'm honored to participate in this again and I'd like to thank David, Kathy and all the organizers for including me. The conference itself is free thanks to the sponsors, so there's no excuse not to attend. SecTwits, break out the RV and come on out!

I hope to shed some light on some of the vulnerability management automation I’ve been working on. Good things to come. Check out the lineup here.

Three weeks later, on March 26th, I'll be giving a presentation at CSO Online's DLP event at the Palmer House Hilton here in Chicago. My talk is first up (Note to Self: Extra Coffee!) on the use of penetration testing in a large web-based environment. Should be pretty fun given all the "pen testing is dead" memes going around the net in the past couple of months.

Thanks to Bill Brenner and Lafe Low for the invite and coordination of the event.

The lineup for the CSO event can be found here. You can register for it here.

Hope to see you next month!





Front Range OWASP Conference

23 05 2008

Quick reminder that registration is now open for the Front Range OWASP conference in Denver, and it's free. Conference page here. Register here.





Two Places You Need To Be

18 04 2008

Register for both now. Hope to see you soon.

  1. The Front Range OWASP Conference
  2. The Workshop on the Economics of Information Security – 2008






Rocky Mountain High

10 04 2008

I have signed up with the OWASP Denver and Boulder chapters to give the opening keynote at the Front Range Web Application Security Summit in June. This is turning into a great event. A lot of excellent speakers are going to be there including Robert Hansen (RSnake) and Mike Zusman.

I am honored to be included in such company and am very much looking forward to it. Watch the site for more updates as I hear rumblings of participation from some additional great web app sec speakers. If you find yourself in Denver on June 10th, definitely try and attend this one.

UPDATE: Jeremiah Grossman from Whitehat Security will be presenting on business logic flaws.






Panel: Security Best Practices

19 02 2008

I wanted to thank the Technology Executives Club for having me participate in their panel on Information Security Best Practices last month. It was a pretty diverse group each with a unique set of issues to deal with.

They just posted a webcast of the event on their site here. As usual, met a lot of interesting people and enjoyed myself thoroughly.






The Security Evangelism Tour Continues

11 10 2007

Fresh off the heels of speaking at the Security Trends event in Milwaukee, I will be participating in a keynote panel at the Technology Executives Club Risk Management event in Chicago.

It was a pleasure meeting everyone in Milwaukee, and I wanted to thank my fellow speakers and the moderator for putting on a good event. As I said before, these events tend to bring together a wide array of backgrounds, and I am always impressed by the "wisdom of the crowd".

The Risk Management event in Chicago will take place on November 15th. You can get more information on the event here and register here. If you find yourself in Chicago during this time, I'd love to meet you there; I'm looking forward to some lively discussion and comparing notes on the issues we're facing.

UPDATE: The tour went through a bit of a shuffle this week. Due to some last-minute commitments I was not able to make it to the Risk Management event this week; however, I have agreed to serve on a panel at the IT Security Best Practices event on January 24th. Hope to see you there.






Talking Security in Brew City

13 08 2007

PBR ME ASAP. I just signed up to speak at the next Technology Executives Club security event up in beautiful Milwaukee, Wisconsin. We're still busy figuring out what the exact topic will be, but the overall theme of the event is Corporate Security Trends. You can get more info here and register for the event here. There's usually a great mix of people at the TEC with a varied degree of expertise.

Looking forward to meeting some new folks and lively conversation about our favorite topic. Hope to see you there!







Speaking of Risk Management

16 11 2006

I had the opportunity yesterday to participate on a panel discussing risk management at the Technology Executives Club in Chicago. I met a lot of interesting people and wanted to thank the TEC for the invite.

One of the recurring subjects at the event was the prioritization of risks. Of the 100 things you currently have on your plate, how do you decide which issue to work on or address next? Without trying to downplay or oversimplify the issue, this seems to me to be a basic risk management question. While managing information security risks can be as much art as science, in its simplest form a risk is its potential impact multiplied by its likelihood. Given that result, you can decide to accept, mitigate or eliminate the risk based on cost (of all kinds). Of course this is a simplified view of things, and each risk certainly contains gray areas that are tough to quantify.

I think the real issue here is bad data. In industries such as insurance, actuaries are able to rely on good data from the past in order to predict the likelihood of certain events in the future. This "good data" doesn't really exist in information security today. The one report that is continually brought up on this subject is the CSI / FBI Survey; I think Bruce Schneier summed up that report best. Security professionals do not have large amounts of accurate data to rely on, which makes the likelihood portion of the risk management equation difficult at best.

Updated 2/26: Updated to add link to webcast of panel I participated in.

