I had a nice walk tonight from the docks at the end of King Street in Alexandria, Virginia to my hotel. Or, it was nice for the first three blocks until the heavens opened up. Man, I forgot what thunderstorms in June are like here. I made it to the hotel, drenched, and rested a bit before heading back to Old Town and Bilbo Baggins. Where the food has been adequate and the beer, divine.

All the reviews are spot on regarding the décor here, btw. I’ve been in Michigan State college bars that had more elaborate ambience. But they didn’t have Dominion on tap, or Duchesse de Bourgogne in the bottle. Mmm, Flemish red ales.

links for 2008-06-03

Webroot on SaaS for security

The CTO of Webroot is talking about applying Software as a Service to email and web security. It’s a good pitch, delivered to a small audience late in the afternoon.

Big thoughts:

  1. Because business-relevant content creation is shifting from “trusted providers” to semi-anonymous collaborations like wikis, blogs, and social networks, the focus is shifting away from blocking and allowing entire sites and toward figuring out how to deal with the possibility of Facebook (e.g.) as a malware vector.
  2. Spam messages per business user in 2008: 42,000, based on their internal statistics.
  3. Because of #1, outgoing URL filtering no longer works (at least by itself). You have to combine anti-spyware, anti-virus, anti-phishing, and access control with high performance requirements.

The intersection of ITIL v.3 and application security

I’m at the Gartner IT Security Summit today and tomorrow (alas, I missed Bruce Sterling on the panel yesterday), and have been splitting my time between the show floor and a few of the sessions. I attended a few sessions on application security testing and on ITIL v.3 this afternoon that sparked a few responses based on my combined security and ITIL experience.

Basically, the challenge to IT organizations who are doing any level of application management — change management of internally managed apps, purchasing COTS apps — is to figure out how to integrate application security into their software development and purchasing lifecycles. The two concrete recommendations that jumped out for me were:

  1. Don’t treat purchased software differently, from a security perspective, than you treat internally developed software. Hold both to the same standards and demand the same security certification from both. While this has traditionally been harder for COTS software, where source code is usually unavailable, binary analysis techniques such as those provided by my firm enable some level of consistency across these two categories.
  2. Bake security into your service management lifecycle. From design to transition to continuous improvement, security should be architected in and designed into the process. One way to consider how security can dovetail with ITIL is considering the role of security audits, whether binary or otherwise, as part of change and release management criteria. While secure development practices and source code tools should certainly be part of the SDLC process, release criteria should include security testing as well as functional testing requirements. Again, automated scanning can greatly assist with this process.

Preparing for the Obama backlash

Though the AP has called the Democratic nomination for Barack Obama based on its own private delegate counts, I think it’s too early–or maybe too late–to celebrate. ’Cause the weirdness is just beginning.

Aside: An email list I’m on recently sent out an article advising blog authors to focus on one thing only, and I’m about to break that rule in a big way by writing about the Democratic nomination. But it’s because of other things that I do–namely, genealogical research–that I have the perspective I’m about to share.

I have a distant relation who sends information about the family from time to time. We’ve never met, and aside from the family connection six generations or so back we have nothing in common, which is made abundantly clear from the right-wing emails bashing Obama (not HRC) that he regularly sends out. But getting his email is an interesting opportunity to see how the unofficial smear machine will take on Obama’s candidacy, because every one of them that pops up is getting forwarded.

Last night he sent one that consisted of a collection of supposedly inflammatory quotations from Obama’s books closing with this line and editorial:

And FINALLY the Most Damming one of ALL of them!!!

From Audacity of Hope: ‘I will stand with the Muslims should the political winds shift in an ugly direction.’

Now, it’s hard to imagine how this is supposed to be damning. To begin with, it’s incoherent as a standalone quotation, and it’s only damning if you think that standing with “the Muslims” is unequivocally bad. But if you put it into context, it’s even more puzzling. Here’s the quotation from the book, as sourced by “Right Truth”:

Of course, not all my conversations in immigrant communities follow this easy pattern. In the wake of 9/11, my meetings with Arab and Pakistani Americans, for example, have a more urgent quality, for the stories of detentions and FBI questioning and hard stares from neighbors have shaken their sense of security and belonging. They have been reminded that the history of immigration in this country has a dark underbelly; they need specific reassurances that their citizenship really means something, that America has learned the right lessons from the Japanese internments during World War II, and that I will stand with them should the political winds shift in an ugly direction.

Now, I have some basic reading comprehension skills, and I have no problem parsing this: concern that the nation’s xenophobia unfairly penalizes immigrants during national emergencies, remembrance of overreactions of the past, and a recognition that immigrants want national leaders to help them and safeguard their rights. The quotation does not say “I will stand by the Muslims,” but that he sees that the immigrants want their adopted country to stand by them.

I sent an email back to the author pointing this out. He replied, “Thank you so very much for this statement. It does say that he will stand with the Pakiasttani and Arab Americans if the Political winds shift etc.”

Um, WTF? Not at all what it said, or what I said. But this is the sort of “logic” that opponents of Barack will use to try to block his campaign for the White House.

We all need to be alert to this and help put out these smears as they come up. The stakes in this election are too high for our reason to be led astray by those who would manipulate our fears.