Friday, January 2, 2009

Give me something useful

Sadly, I agree a lot with what Alex Payne blogged:

Much of the tech world is obsessed with engaging in macho pissing contests, but no part more so than computer security. In the case of yesterday’s announcement, the researchers in question were more concerned with their ability to present their findings at a popular hacker conference than with guaranteeing the safety of the Internet.

While presenting data on new threats and vulnerabilities is useful in the security world, it's just not very useful to me. For the majority of us security folks, we're heads down in our cubicles every day desperately trying to swim upstream of the the new vulnerabilities, the new projects that break the organization's security model, the treadmill of compliance obligations, and educating the unwilling or unmotivated. The last thing I need is to hear more FUD. And yes, most of these big announcements were based on things I always assumed were weak to begin with (reread the title of this blog). Yeah, I blogged about this quite a while ago, but it bears repeating.

What do I want to hear about? Well, since security != operations, we often have to come up with security band aids to slap over the operational heaps-o-junk (75% of my job is doing this), so how about some ideas for tools or techniques that fix this. Specifically:

How about a comprehensive method of determining technical vulnerabilities across all my infrastructure. And the method needs to accommodate an aging, wide-spread Katamari ball of stuff comprised of a variety of Windows (2k,2k3,Xp,Vista), Linux (RH3-5,Ubuntu,Centos), a handful of Macs, and a variety of network devices (Cisco, Netgear, F5).

And maybe patch/versioning in that fluid , heterogeneous environment.

Or, maybe a just repeatable method for detecting and tracking critical information within the Enterprise.

It'd be really cool to be able to enable users to have the data they are authorized to access on any host, any time, from anywhere.

Oh, and if you're going to sell me a tool, I'm not going to pay more than $25 per user per annum per problem solved and 1 hour of work per week per 100 users. I've had lots of solutions pitched to me that solve just one problem like change management, yet cost on the order $1k per user. Get serious. Open source tools, you can convert the money to time spent installing and customizing, cuz my time is money, ya know.