Archive for May, 2012

I was in Chicago on Friday and Saturday for ThotCon and BSidesChicago.
If you have never been to a conference, I highly suggest that you go.
Not just for the speakers either. There is a whole other aspect of the conference that @Wh1t3Rabbit (Rafal Los from HP) calls the Hallway Con. He has a fantastic security oriented blog (if you want to follow the WhiteRabbit down the hole) located at http://h30499.www3.hp.com/t5/Following-the-White-Rabbit/bg-p/sws-119.

I had many interesting discussions over the weekend. One of them was with a Java developer who was attending her first conference ever and it was a security/hacking conference. I was mainly there of course for my own personal development and to support the efforts of my great friend Georgia Weidman (check her out… seriously!). During those discussions though, it was made apparent to quite a few of us that difficulties exist in the field of IT with regard to business.

There is a lot of finger-pointing and blame-laying with regard to problems and issues, especially with regard to security. InfoSec people blame developers for bad code, web-app developers blame improper use of their applications, users complain about viruses and malware and wonder why the products they buy are not more stable, and the list goes on and on.

The solutions may not be easy, but they certainly are made more difficult by all this diatribe. Such solutions would be much better facilitated by honest and frank discussions among all the parties.

InfoSec professionals need to reach out to business. Yes, you want to sell your services; yes, you want to make money; so do they. Some of them aren’t even aware that they have problems. Firstly, those who seriously want a paradigm shift should endeavor to change the landscape. Help business remove its blinders, talk to developers, help them understand where the weaknesses typically exist in their code, and work with them in developing it. Every developer should be good friends, or at least darn good acquaintances, with one or two security professionals.

Lastly, there should be more effort to spread the wealth of knowledge regarding InfoSec to the next generation and to those responsible for our future.