[cap-talk] Any hope in RSA 2008?
Jed Donnelley
jed at nersc.gov
Wed Apr 2 17:19:05 EDT 2008
cap-talk,
Some SPAM got through our filters today encouraging me to
"Meet the Rock Stars of Security at RSA 2008" (mostly Gene
Kim from Tripwire) and attend talks like:
Tuesday
1:15 pm Controlling Risk in Virtual Environments
- Dwayne Melancon and Gene Kim
2:45 pm Governance Risk and Compliance in the Real World
- Gene Kim and Scott Crawford
4:00 pm Practical Steps for Integrating Security into Daily Operations
Follow up with book signing Gene Kim / Paul Love / George Spafford
Wednesday
1:15 pm Insights from the Field: Ensuring a Successful PCI Audit
- Gene Kim and Barak Engel
2:45 pm Tripwire Enterprise and DataPipe: A Complete PCI Solution
- Joel Friedman
4:00 pm Practical Steps for Integrating Security into Daily Operations
Follow up with book signing Gene Kim / Paul Love / George Spafford
I spent some time looking through the brochure for the conference:
http://www.rsaconference.com/2008/US/pdf/RSA_Conference_2008_Catalog_Brochure.pdf
I must say that the experience was quite discouraging. I'd be quite
interested to hear from anybody with a more optimistic view of
the current state of the Computer Security field - e.g. as represented
at RSA 2008.
From my scan I'll just pick out a few presentations that seem to
me to stand out, positively or negatively:
This first one, for me, set the tone:
"It’s deja vu all over again. As an industry, we’re rolling out
widgets to solve the same old problems — and it’s not working."
What more can I say:
Avoiding the Security “Groundhog Day”
MODERATOR: Mike Rothman | President, Security Incite
PANELISTS: Perry Carpenter | Information Security Manager, Alltel Communications, Inc.
Richard Mogull | Research Vice President, Information Security, Gartner
David Mortman | CSO-in-Residence, Echelon One
Ronald Woerner | Security Engineering Consultant, Information Security, TD Ameritrade
ThinkTech
It’s deja vu all over again. As an industry, we’re rolling out
widgets to solve the same old problems — and it’s not working.
In this session, a panel of experts debates the history of
security for clues on building tomorrow’s defenses. Together,
we’ll learn from the past how to build a safer tomorrow. Given
the stakes, no security practitioner can afford to make the
same mistakes again.
At least this one seems to provide some perspective from areas
where mistakes were made and where improvements genuinely solved
problems (rare among the presentations, unique?):
Sins of Our Fathers
MODERATOR: Daniel Houser | Sr. Security Identity Architect, Cardinal Health
PANELISTS: Ben Jun | Vice President of Technology, Cryptography Research
Hugh Thompson | Chief Security Strategist, People Security
Three gurus from different areas of cryptography and security
present case studies to apologize for sins in prior art, as those
who fail to learn from security history are doomed to repeat
it. This will be a frank and entertaining discussion of what
went wrong with SSL v.1, WEP, CSS, AACS/DRM and failed
software, network and physical security implementations.
Mea culpa.
Our friend David Wagner will be there:
Electronic Voting:
The Politics of Broken Systems
MODERATOR: Gary McGraw | CTO, Cigital
PANELISTS: Ed Felten | Professor, Princeton University
Douglas Jones | Professor, University of Iowa
Avi Rubin | President, Independent Security Evaluators
David Wagner | Professor, U.C. Berkeley
Most electronic voting systems suffer from well-documented
and publicly-demonstrated security failures. This IEEE
Security & Privacy panel will demonstrate and discuss major
problems (some discovered by panelists), describe research
results for better future systems and explain what happens
when politics and technology collide on a subject critical
to democracy.
At least here is an area where there is some new technical
development happening. Perhaps with little hope to help
with computer security, but at least with some prospect for
change:
Virtualization and Security:
A Technical Forecast
MODERATOR: Michael Mimoso | Editor, Information Security Magazine
PANELISTS: Simon Crosby | CTO, XenSource
Stephen Herrod | Vice President of Technology Development, VMware
This will be a moderated panel on where security and
virtualization are headed. Specifically, the panel will discuss
three aspects of virtualization in the next one to three years.
First, what virtualization support to security operations (e.g.,
anti-malware, forensics, IDS) will be available? Second, what
security capabilities within virtual machine environments
(VMEs) will be available? Third, what attacks against VMEs
can we expect?
Disclose vulnerabilities to their heart's content? Not very
hopeful, I think.
Will Your Web Research Land You in Jail?
Sara Peters | Editor, Computer Security Institute
Software security researchers can disclose vulnerabilities
almost to their hearts’ content. Web security researchers,
though, could go to jail for merely looking for a vulnerability,
much less disclosing one publicly. CSI’s Working Group on
Web Security Research and the Law’s second report examines
whether or not we can secure the Net, respect site owners’
rights and keep researchers out of jail.
Interesting issue - at least orthogonal to the serious
technical failings in this area:
Data Retention: Policy Pros and Cons
Bruce Heiman | Partner, K&L Gates
In Europe, it used to be illegal. But after the Madrid bombings
the EU now requires companies to retain data for three years.
In the U.S., even the Patriot Act did not require data retention.
But the Justice Department is eager to follow the EU. Should
the U.S. do so? This session will look at the arguments — for
and against — from the perspectives of government, businesses
and individuals.
This one caught my attention mostly because of AlanK's work
in this area. "Policy-based" security layer outside an SOA?
Securing Your SOA: Entitlement Management
in a Service-Oriented Application
Sekhar Sarukkai | CTO, Securent, Inc.
Securing an SOA is different than securing other applications.
Decoupling security logic from application logic is a necessity
in order to preserve the principles of SOA. This session will
explore entitlement management and demonstrate how
implementing a policy-based security layer outside an SOA
is the only effective way of managing access.
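The abstract above talks about pulling authorization out of application code and into a policy-based layer. As an added illustration (this is not code from the talk, from Securent, or from this post), here is a minimal policy decision point / policy enforcement point split in Python: the service functions only declare which action they perform on which resource and carry no role checks, the rules live in a separate policy document, and the engine applies deny-overrides with default deny. The policy format, rule ids, attribute names and user records are all constructed for the example.

```python
"""Externalized entitlement check: service code asks a policy decision
point (PDP) for a decision instead of embedding role logic inline.
Everything here (policy schema, rule ids, users) is constructed for
illustration and is not any product's real format."""
import json
from dataclasses import dataclass, field


# Constructed policy document. Rules are matched on action + resource,
# then on subject/context attributes listed under "when".
POLICY_JSON = """
[
  {"id": "clerk-read-orders", "effect": "permit", "action": "read",
   "resource": "orders", "when": {"role": "clerk"}},
  {"id": "manager-approve-orders", "effect": "permit", "action": "approve",
   "resource": "orders", "when": {"role": "manager", "department": "sales"}},
  {"id": "no-approve-own", "effect": "deny", "action": "approve",
   "resource": "orders", "when": {"self_authored": true}}
]
"""


@dataclass
class Request:
    subject: dict            # attributes of the caller (user, role, department)
    action: str
    resource: str
    context: dict = field(default_factory=dict)   # per-request facts


class PolicyDecisionPoint:
    """Evaluates rules; deny-overrides combining, default deny."""

    def __init__(self, policy_json: str):
        self.rules = json.loads(policy_json)

    def _matches(self, rule: dict, req: Request) -> bool:
        if rule["action"] != req.action or rule["resource"] != req.resource:
            return False
        attrs = {**req.subject, **req.context}
        return all(attrs.get(k) == v for k, v in rule["when"].items())

    def decide(self, req: Request) -> str:
        matched = [r for r in self.rules if self._matches(r, req)]
        if any(r["effect"] == "deny" for r in matched):
            return "deny"          # an explicit deny always wins
        if any(r["effect"] == "permit" for r in matched):
            return "permit"
        return "deny"              # nothing matched: default deny


class PermissionDenied(Exception):
    pass


def enforce(pdp: PolicyDecisionPoint, action: str, resource: str):
    """Policy enforcement point as a decorator. The wrapped service
    function never inspects roles itself; it only names its action."""
    def decorator(fn):
        def wrapper(subject, *args, **kwargs):
            ctx = kwargs.pop("_ctx", {})
            if pdp.decide(Request(subject, action, resource, ctx)) != "permit":
                raise PermissionDenied(
                    f"{action} on {resource} denied for {subject.get('user')}")
            return fn(subject, *args, **kwargs)
        return wrapper
    return decorator


PDP = PolicyDecisionPoint(POLICY_JSON)


@enforce(PDP, "read", "orders")
def read_order(subject, order_id):
    # Pure business logic; no authorization code in here.
    return {"order_id": order_id, "status": "open"}


@enforce(PDP, "approve", "orders")
def approve_order(subject, order_id):
    return {"order_id": order_id, "status": "approved"}


def try_call(fn, subject, order_id, ctx=None) -> str:
    """Exercise a guarded service call and report the outcome."""
    try:
        fn(subject, order_id, _ctx=ctx or {})
        return "permit"
    except PermissionDenied:
        return "deny"


if __name__ == "__main__":
    clerk = {"user": "alice", "role": "clerk", "department": "sales"}
    manager = {"user": "bob", "role": "manager", "department": "sales"}
    print(try_call(read_order, clerk, 42))                          # permit
    print(try_call(approve_order, clerk, 42))                       # deny
    print(try_call(approve_order, manager, 42))                     # permit
    print(try_call(approve_order, manager, 42, {"self_authored": True}))  # deny
```

Changing who may approve orders means editing the policy document, not `approve_order`; the same PDP can front many services, which is the decoupling the abstract is after. The deny-overrides rule is what lets a narrow prohibition (no approving your own order) sit beside a broad permit without reordering anything.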
_______________
Whew. I remember conferences in the 1970s where there seemed
genuine hope and progress in the field of operating systems.
I remember conferences from the late 1970s through the middle
1990s where there seemed to be hope and progress in hardware
architectures and networking, with significant advances in
cryptography.
Since the field of computer security began to get serious with
the growth of the Internet (middle 1990s), however, this has
seemed to me a field with little progress or hope for the future.
Of course I still have hope for our POLA/capability approach
to result in genuinely effectively small protection domains,
but I don't see anything like that represented anywhere in
a conference like RSA 2008.
I'd be quite interested to hear a more positive assessment.
Perhaps there are some gems that I'm just missing in the
noise because I don't know where to look?
--Jed http://www.webstart.com/jed/