I went to RSA to speak with Brian Chess on Breaking Web Services. First time for me to RSA, I generally go to more geek-to-geek conferences like OWASP. It is a little weird to be in such a big convention. There were soooo many vendors yet most of the products in the massive trade show floor would have as much an impact on the security in your system as say plumbing fixtures. What is genuinely strange to me is that every other area in computers improves and yet security stagnates. For years the excuse that security people gave for their field's propensity to lameness is that "no one invests a nickel in security." However, that ain't the case any more and yet most of the products teh suck. This doesn't happen in other areas of computing - databases are vastly better than a decade ago, app servers same, OS same, go right down the list. What gives in security? Where is the innovation?
I would attribute to a lack of accountability. In programming your stuff better compile or you don't go live, you don't get your bonus, people get whacked and so on. In security there is no bar to clear generally. People play cops and robbers off in some corner of the enterprise, right draconian policies that are ignored, and life goes on. Anyhow, I hope this is changing, there are some interesting new things out there just have not permeated the mainstream as much as we need not "corporate puffery" as Andre put it.
The other thing that struck me was that everyone was selling their butts off, and I realized I have no budget to buy, so I might as well have something to sell. What about training? So I invested the firms' money in a little training flyer, unfortunately I was also the person to distribute said flyer, and let's say that I see why introverted geeks are not generally selected for marketing activities. I think it took two days before I gave a copy of the flyer to someone who I did not already know.
As whinging as this post is, there was some good stuff that came out of the trip:
1. Dan Geer's book is in print. Buy it and read it. Will have a review soon.
3. Brian and I got to a quick review of our slide deck (first time we presented this) with Mark O'Neill who raised several salient points - the errors are still ours