Infosec 2011: application (development) appetisers Part I

For the average attendee, London’s Infosecurity Europe (Infosec) event this week represents a chance to review the great and the good of the security industry’s latest vendor offerings.

For myself, I will be aiming to uncover some of the trends emerging from this event from a software application developer’s perspective.


Just last night I was communicating with Chris Eng, who is senior director of security research at Veracode, on the subject of SQL injection and the application vulnerabilities that arise from it.

But what are the root causes of this issue — and will Infosec help provide answers?

“Either companies are not incorporating security processes such as education, threat modeling and security testing into their software development lifecycle, or their security processes are simply not working,” suggests Eng.

“Data from our recent application security survey shows that over 50 percent of users who took an Application Security Fundamentals exam (a very basic exam) through our service platform received a grade of C or lower, with over 30 percent of them receiving a failing grade of D or F. If developers lack an understanding of security concepts to this degree, it’s no wonder that they are making the same mistakes over and over, resulting in vulnerable code,” said Eng.
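To make the “same mistake over and over” concrete, here is an added example (not from the original post, from Veracode or from Chris Eng) of the SQL injection flaw discussed above, with the vulnerable login query beside its parameterised fix. The table, the two user rows and the two attack payloads are constructed for the demonstration; the point is that string-splicing lets the input rewrite the query, while a bound parameter can only ever be a value.

```python
import sqlite3

# Constructed sample accounts for the demonstration (not real data).
SAMPLE_USERS = [
    ("alice", "hunter2"),
    ("bob", "correct-horse"),
]

# Two constructed attack strings: one turns the WHERE clause into a tautology,
# the other comments out the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def make_db():
    """In-memory SQLite database populated with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: attacker-controlled strings are spliced into the SQL
    text, so the input can change the shape of the query.
    Returns the usernames the query matched."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """The fix: the driver binds the values separately from the query text, so
    quotes, OR clauses and comment markers in the input are just characters
    in a string literal, never SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both versions against the same payloads and return the results."""
    conn = make_db()
    return {
        # Vulnerable: password = '' OR '1'='1' matches every row.
        "vulnerable_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        # Vulnerable: username = 'alice'-- ... comments out the password check.
        "vulnerable_comment": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        # Parameterised: the payloads are compared literally and match nothing.
        "safe_tautology": login_parameterized(conn, "alice", TAUTOLOGY),
        "safe_comment": login_parameterized(conn, COMMENT_OUT, "wrong"),
        # Parameterised still works for a genuine credential.
        "safe_valid": login_parameterized(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterised version is the whole fix for this class of bug; input “sanitising” with escaping or blacklists is the approach that keeps failing the exam Eng describes.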

So I asked for a list of topics that I might see covered at Infosec this year — and this is what I got:

· Mobile Security
· Web security and hackers
· Two-factor tokenless authentication
· Vulnerability and penetration testing
· Data in transport and encryption
· Firewalls
· Insider threats and Identity Management
· Encryption Key Management
· Security around Unstructured data
· Advanced Persistent Threats
· Social Media
· Cloud Computing
· and more…

But — and it is a BIG BUT! — too much of the information pumped out at this event is surface level.

Like my recent beef over Adobe not explaining how its products work — we need to know more about the “guts” of these new so-called “offerings”, right?

To pick one example from the many exhibitors: Andy Cordial, MD of Origin Storage, will be at the show demonstrating his company’s Data Locker product, a military-grade hardware encryption tool, as well as Enigma, a self-encrypting drive.

Great Andy, nice one! Will you be explaining:

Who: from within the application development and systems administration teams, is best suited to use this product and to be tasked with implementing it?

What: kind of implementation skills will be needed to make this product work well operationally?

When: at what point in the overall application development lifecycle should this product be implemented?

Why: is this product’s USP such an appealing proposition for those working at the command line?

I could go on, you get the point. Will we get gutsy earthiness? Or will we get gut busting marketing puff?

One can only hope.