May 7, 2008

Yet Another Security Circle

Google are sponsoring their participation in oCERT, a new form of computer emergency response team style service for the open source community. The service aims to “help both large infrastructures, like major distributions, and smaller projects that can't afford a full-blown security team and/or security resources”.

It’s an interesting development, though only time will tell as to how it develops and what value it adds. In practice many of these circles end up doing quite different things from what they originally expected to do.

FIRST, for example, has branched out into running corporate executive programmes, a far cry from its original techie focus. eema dropped its original title of “European Electronic Messaging Association” because it was too restrictive and now aims to address anything to do with identity and e-security. The Open Group has transformed itself many times since its predecessor, X/Open, was set up in the early 1980s to agree a non-proprietary operating system standard for minicomputer vendors.

I wish them well. In the security world you live on your contacts. We can’t have enough of these circles, especially open, free ones.

May 4, 2008

White Hat Dilemma

I was interested last week to read in The Register about TippingPoint’s success in reverse engineering the executable behind the Kraken botnet, enabling it to build a fake command server that identified 25,000 infected machines. That left them with a dilemma: should they fix the infected machines or not? They decided not to.

That was the right decision. Two wrongs don’t make a right. No matter how helpful it might have seemed to intervene, it would have been unethical, illegal and a potential liability. Untested changes always present a degree of risk. You can never be sure what might result. And it’s the thin end of the wedge. Where might such a precedent lead?

May 2, 2008

Voice Firewalls - the next compelling technology

My last blog posting attracted an interesting comment from Lee Sutterfield, suggesting that voice firewalls are going to be the next major product investment. We should take note of that. Lee is a smart guy who operates years ahead of the field.

For those that don’t know Lee, I should point out that he’s the guy who sold the concept of Information Warfare to the US Air Force. He’s also the father of intrusion detection. He developed the first commercial product, NetRanger, which Cisco immediately acquired.

For several years Lee has been working on voice firewalls, initially to help control and manage PABXs but increasingly as a solution to converged data/voice architectures. His company SecureLogix has a unique perspective on this solution space.

And the security risks presented by voice and data convergence should not be underestimated. Over the next few years we’re going to see increasing pressure for more effective architecture solutions.

May 1, 2008

We can’t have enough security products

In recent years I’ve taken the opposite view from the analysts and vendors who have been continually predicting the death of standalone security products. I believe the future will be even more security solutions. And that’s a good thing. We should encourage more innovation, variety and competition.

I can understand why big vendors prefer to imagine a future free from single point solutions. But I find it sad and strange to hear customers complain about the number of security products available for them to buy. Bruce Schneier drew attention to that in his report of this year’s RSA Conference. His observations were correct, though I disagree with his forecast of the death of end user attendance at large exhibitions. In my view these events will go from strength to strength, as products proliferate and security becomes even more fashionable. 12,500 visitors are reported to have attended Infosecurity Europe. Next year’s event will be even bigger.

There are several reasons for the frustration of users. The market is immature and inefficient. Products are improving but marketing is still weak. I know that because I advise many start-up companies and venture capitalists. But inefficient markets present business opportunities. And networks are a powerful tool for improving searches and communications. That will all get fixed over time.

It’s also becoming much easier for customers to deploy new products when offered as Software as a Service. That at least overcomes the complaints of operations staff about the number of different boxes they have to install in their equipment racks.

I’ve pointed out before that acquisition of smaller products by bigger vendors will not reduce the number of standalone security products. The problem space is huge and growing. The solution space is tiny by comparison. What we’re really lacking is imagination. There is plenty of existing academic research to underpin dozens of new security product concepts that would deliver value to customers. I can think of several that are easy to build and that customers would buy. But we keep seeing variations of the same solution. A lack of creative product development is the real Achilles’ heel of the security market.

April 30, 2008

Ray Stanton and Bruce Schneier interviews

Just published on the Computer Weekly Web site are a couple of interviews I conducted last week at Infosecurity with Bruce Schneier and Ray Stanton, Global Head of BT's Business Continuity, Security and Governance Practice.

There are one or two interesting perspectives on current issues and trends. Both of them emphasise the importance of getting back to basics. Ray wonders whether public authorities are ready for another year of floods. Probably not. And Bruce is surprisingly optimistic about the future.

Real hackers stay close to the action

One of the more pleasant highlights from last week’s Infosecurity was having an excellent dinner with the IOActive team, an interesting Seattle-based security services company.

I was particularly impressed to find that Apple founder Steve Wozniak is on their advisory board. It just goes to show that at least some mainstream IT hackers (in the true sense of the word) have stayed close to their roots.

Steve Wozniak is famously connected with Blue Boxes, perhaps the earliest dedicated hacking tool. He probably understands security better than many CISOs. I wish them well.

April 28, 2008

Security Software as a Service

Demand for software as a service (SaaS) has been steadily growing in recent years, ever since Salesforce.com seduced large organisations into taking it seriously.

SaaS has also become a widespread delivery option for security services. Managed monitoring services such as Counterpane and email-scanning services from MessageLabs were first on the scene, followed by Qualys’s pioneering vulnerability scanning services. Over the past year we’ve also seen the emergence of further web filtering services from ScanSafe and Webroot, and application testing services from Veracode.

Security in the cloud was a common buzz phrase at Infosecurity last week. There’s a clear trend here and it’s a very useful one as it enables organisations to escape the restriction of having to operate exclusively through their corporate networks. Security SaaS is a major step on the road towards de-perimeterised business operations.

More Testing Please

After suffering five failures of brand new electrical goods this year, after very few in previous decades, I’m beginning to get the impression that there are serious flaws in the design and manufacturing processes of contemporary products.

Faster product cycles and growing complexity are obvious contributing factors. A further one might be the introduction of lead-free solder. But there is no excuse for not applying quality, durability and usability tests at the design and production stages.

And the same holds for software testing, but with the added need to eliminate security weaknesses in both the design and code. There’s no excuse other than ignorance because it’s not expensive to conduct tests at each stage. And it’s certainly a lot cheaper than applying post production changes.

One security testing product that caught my eye at Infosecurity last week was Veracode’s binary testing service which is fast, affordable and rapidly pinpoints security flaws. If it does half of what it says it does, it would seem to be a mandatory tool for application developers and their customers.

And of course if its claims were tested under the CESG CCTM scheme, then we’d know that it does what they claim. In fact all prudent organisations should mandate both security testing and claims testing. There’s no excuse not to.

April 27, 2008

Navigating the Security Conference Circuit

It’s always a problem organising an information security conference, as there are so many competing events that might clash with yours. I had a similar problem last week with invitations to events in both Manchester and London on the same day.

But now you can see what’s planned across the globe, as far ahead as you wish to look. The answer is to be found at INFOSECDIARY, a free online diary of forthcoming security events.

April 25, 2008

Infosecurity Highlights

I’m just getting back to normal after 3 days and nights of intensive networking at Infosecurity Europe. It was a great event, with excellent people, many new stands and slightly edgier presentations. The main value for me is in the networking. I always run into dozens of old friends I haven’t seen for years, especially at the excellent Portcullis Arms.

Amongst all the noise and bustle I managed to conduct filmed interviews for Computer Weekly with Ray Stanton, BT’s Global Security Director and Bruce Schneier. You’ll be able to see the results in a few days on the CW Web site.

As usual there was little that was truly innovative but many new products and a few interesting trends such as more focus on security “in the cloud” and data leak prevention, and better management tools to help tackle the increasing complexity of security solutions. I’ll be covering further highlights in later postings, so watch this space.
