What can software application developers expect from InfoSec?

The InfoSecurity Show 2012 is on next week at London’s glittering Earl’s Court.

The collective PR machine driving vendors’ appearances at the show has been just a little wearisome, with very few clients taking the trouble (so far) to drill down into the real “what it means to you” element for practitioners at the coal face of either the data centre or the front line of the application development lifecycle.

I thought “feature-benefit” explanations were the linchpin to sales success right?

It appears not.

For now we’re mostly just getting “feature-feature-feature”, oh well.

Here’s my rationale…

While security vendors are keen to lay out their wares and slap around terms like “robust end-to-end protection”, there is a deeper and quite crucially important story to be told that asks the following questions:

• At what stage should software application development projects identify and classify their security/encryption/protection quotient and set out a concrete IT asset management “place at the table” for this element?

• As security is “architected in” to a software development project, how does the responsibility for its ownership transition from software architect to developer to IT asset manager and onwards?

• How can open source community contribution model engagement help aggregate malware risk awareness and how can that be engineered into software products in production and postproduction?

• How should software developers be “tutored” into security awareness at all levels? For example, if developer A is a user experience GUI specialist and developer B is a graphics rendering guru, then neither probably stops to think about security very much — but as all data represents risk and all risk is the concern of security, how should the “security mandate” be proliferated throughout all stakeholders in the software application development lifecycle?

But heck — it’s only Friday and next week is next week away. I can see companies listed such as AlienVault who work directly with developers and are open source in methodology terms at heart.


According to show previews, Barmak Meftah, CEO of AlienVault, the unified open source SIEM company and Richard Kirk, VP for Europe, have flown into the UK to talk about how they are collaborating with the IT security community through open source to find the source code for malware and emerging threats. AlienVault’s new Open Threat Exchange will give back solutions and inside information to the open source community for free, and for others they publish their research and sell products that detect and amend vulnerabilities.

OMG! Someone is listening!

Other show preview info details Cryptzone’s Director’s Portal, a new feature that has been “requested by the developer community” no less. More details to come, if the story holds water.

Imperva also looks interesting. The company says it will reveal the “cool automated tools” that the likes of LulzSec and Anonymous are using. The firm has a new ‘Hacker Intelligence Initiative’, which reports on the latest and most popular automated hacking tools.

OMG again I think. OK, well I will aim to drill down into as command-line centric a story as I can when I get to the show. Failing that, I will collect as many T-shirts and branded packets of Gummy Bears as possible.
